ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
f_vincent
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Tue May 08, 2007 12:00 pm

ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby f_vincent » Thu Mar 10, 2016 9:20 am

Hi,
ClamAV Scan found the virus Html.Exploit.CVE_2016_0108 on a template.css file of my site. What are the risks? How do I identify and remove the code from the file? Cannot delete the file because it is required.
How can I know in case this scan result is a false positive?
Thanks for any help.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 32692
Joined: Sat Apr 05, 2008 9:58 pm

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby Webdongle » Thu Mar 10, 2016 10:55 am

Depends on where you downloaded the file from. If it is a genuine Template that contains code for it's own purpose then (imho) just unistall it. If you downloaded from a warez site then treat your site as hacked. Also please viewtopic.php?f=621&t=582860

f_vincent
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Tue May 08, 2007 12:00 pm

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby f_vincent » Thu Mar 10, 2016 11:17 am

Thanks for your reply. The file is a custom .css developed by my developer when he customized the site style.
it´s not obtained from dubious sources.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14174
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby mandville » Thu Mar 10, 2016 11:29 am

sounds very odd. what has your developer installed into the css file that would trigger the alert.raise it with your developer. perhaps put your css file here so that others can look at it
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

f_vincent
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Tue May 08, 2007 12:00 pm

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby f_vincent » Thu Mar 10, 2016 11:36 am

It's been 18 months since the .css file was put in Place to customize the site style. only yesterday was the virus detected. I do scans with ClamAV twice weekly.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 32692
Joined: Sat Apr 05, 2008 9:58 pm

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby Webdongle » Thu Mar 10, 2016 1:55 pm

It could be a 'false positive' but if it isn't then treat the as hacked. Use the Host's cp to password protect the site while the file is examined. If it has been hacked then
  1. Run the fpa and post on here
  2. Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
  3. Delete all the files on the server
  4. Scan your computer and all computers that have server or Joomla admin access
  5. Change Passwords
  6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have and old version
  7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla And run the fpa again
Full instructions viewtopic.php?f=714&t=757645 .
Step #f can be done on localhost

f_vincent
Joomla! Intern
Joomla! Intern
Posts: 58
Joined: Tue May 08, 2007 12:00 pm

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby f_vincent » Thu Mar 10, 2016 3:04 pm

Thank you for your recommendations. I will consider all your points. Appreciate your help.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 32692
Joined: Sat Apr 05, 2008 9:58 pm

Re: ClamAV Scan found the virus Html.Exploit.CVE_2016_0108

Postby Webdongle » Thu Mar 10, 2016 3:59 pm

My gut feeling is that it's a 'false positive' ... but you will need to examine the file. You may like to try viewtopic.php?f=714&t=778692 it will hi-light where else to look. Use with discretion and read the whole post before use.


Return to “Security in Joomla! 3.x”

Who is online

Users browsing this forum: aszona, fcoulter and 10 guests