Go Daddy says this File looks Suspicious

Discussion regarding Joomla! 3.x security issues.

Postby superflyguywhy » Mon Mar 20, 2017 5:10 pm

Hi there, I was just speaking to Go Daddy Hosting; the guy pointed out a file that he said looks suspicious.

Located in my root. My site is using Joomla 3.6.5; the guy says it looks like a WordPress type of file?



[Attachment: Suspicious-File.png]

Postby mandville » Mon Mar 20, 2017 5:13 pm

It would do, especially in the root of your server. Looking at the date, it's sat unnoticed for 2 years. What's the contents??
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Postby cybersalt » Mon Mar 20, 2017 5:22 pm

That is a config file for WordPress (http://www.wpbeginner.com/glossary/wp-config-php/).

From your screenshot it looks to me like you have it in a folder above public_html - which if true is an odd place for it to be.

If you do not use WordPress you can delete that file.
Tim Davis
Basic Joomla Tutorials | Cybersalt Consulting and Communications
https://www.cybersalt.com

Postby itoctopus » Mon Mar 20, 2017 5:59 pm

The wp-config.php file is merely about 2 KB in size, and it's actually wp-config.php not wp-conf.php - your website is hacked, please proceed accordingly.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
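
An added example, not part of any post in this thread: a Python triage pass that applies the two signals itoctopus points to, a name that only resembles `wp-config.php` and a size far from the roughly 2 KB such a file normally has, to a web root. The 16 KB ceiling, the 0.8 similarity cutoff, the `configuration.php` baseline entry and the sample tree (including the 60000-byte size) are assumptions made for illustration.

```python
import difflib
import os
import tempfile

# Assumptions for this sketch: the size ceiling and the similarity cutoff are
# illustrative; only the "about 2 KB" wp-config.php figure comes from the thread.
KNOWN_CONFIGS = {"wp-config.php": 16 * 1024, "configuration.php": 16 * 1024}
EXPECTED_HERE = {"configuration.php"}  # config files a Joomla-only site should have


def triage(root):
    """Return {relative_path: reason} for config-like PHP files needing a manual look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not lower.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            size = os.path.getsize(path)
            if lower in KNOWN_CONFIGS:
                if lower not in EXPECTED_HERE:
                    findings[rel] = "config file of a CMS that is not installed here"
                elif size > KNOWN_CONFIGS[lower]:
                    findings[rel] = f"oversized config file ({size} bytes)"
                continue
            # Near-miss names such as wp-conf.php imitate a legitimate file.
            close = difflib.get_close_matches(lower, list(KNOWN_CONFIGS), n=1, cutoff=0.8)
            if close:
                findings[rel] = f"name imitates {close[0]} ({size} bytes)"
    return findings


def build_sample_site():
    """Constructed sample: a Joomla root with one stray lookalike file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {"configuration.php": 2000, "index.php": 1200, "wp-conf.php": 60000}
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"<?php //" + b"x" * (size - 8))
    return root


if __name__ == "__main__":
    for rel, reason in sorted(triage(build_sample_site()).items()):
        print(f"{rel}: {reason}")
```

A hit is only a pointer for manual review; legitimate files with similar names will also be listed.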

Postby cybersalt » Mon Mar 20, 2017 6:07 pm

itoctopus - good catch on the file size!

I thought it was probably an old housekeeping problem - but of course it came up in a scan. My doh!

Postby superflyguywhy » Mon Mar 20, 2017 8:08 pm

itoctopus wrote: The wp-config.php file is merely about 2 KB in size, and it's actually wp-config.php not wp-conf.php - your website is hacked, please proceed accordingly.

Thanks, I removed the file. Any steps I should take next?

Postby mandville » Mon Mar 20, 2017 8:16 pm

superflyguywhy wrote: Thanks, I removed the file. Any steps I should take next?

Webdongle wrote: Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to an empty database and install 3rd party extensions then edit the configuration.php.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do


  1. Run the fpa and post the results in this forum
  2. Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
  3. Delete all the files on the server
  4. Scan your computer and all computers that have server or Joomla admin access
  5. Change Passwords
  6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have an old version
  7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and have not been tampered with. Update your Joomla and run the fpa again

Step #6 is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645
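
An added example, not part of the quoted guide or of any post here: the guide relies on a fresh install of the same Joomla version, and that clean tree can also be hashed against the live files to record what was added or altered before everything is deleted. The function names, the `site_specific` allowance for `configuration.php` and the sample trees are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_clean(live_root, clean_root, site_specific=("configuration.php",)):
    """Classify live files against a clean tree of the same Joomla version."""
    live, clean = sha256_tree(live_root), sha256_tree(clean_root)
    return {
        # Not shipped in the clean tree: uploads and extensions, or dropped files.
        "added": sorted(p for p in live if p not in clean and p not in site_specific),
        # Shipped file whose contents changed: a core hack or injected code.
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
    }


def build_sample_trees():
    """Constructed sample: a clean tree and a live copy with two anomalies."""
    clean, live = tempfile.mkdtemp(prefix="clean-"), tempfile.mkdtemp(prefix="live-")
    shipped = {"index.php": b"<?php // front controller",
               os.path.join("libraries", "loader.php"): b"<?php // loader"}
    for root in (clean, live):
        for rel, body in shipped.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
    extras = {"configuration.php": b"<?php // site settings",
              "wp-conf.php": b"<?php // constructed stand-in for the stray file",
              "index.php": b"<?php // front controller plus appended code"}
    for rel, body in extras.items():
        with open(os.path.join(live, rel), "wb") as fh:
            fh.write(body)
    return live, clean


if __name__ == "__main__":
    live, clean = build_sample_trees()
    print(compare_to_clean(live, clean))
```

On a real site the "added" list will also contain legitimate uploads and third-party extension files, so it is an inventory to review rather than a list of malware.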

Postby cybersalt » Mon Mar 20, 2017 10:29 pm

Superflyguy

The way to proceed is to assault the learning curve of finding out where your Joomla install is infected and how to clean it. Like anything in Joomla you can put sweat equity into learning how or hire someone to attempt to fix it for you.

I believe RSFirewall is a good place to start on the learning. It's a for-pay extension, but will scan your install and report back on its findings, giving you a direction to move in.

Afterwards it will act as a defense against the next hack attempt.

Postby ribo » Mon Mar 20, 2017 10:40 pm

superflyguywhy wrote:
Thanks, I removed the file. Any steps I should take next?

Removing only this file will not solve your issue. A scanner alone will not solve your issue either.
@mandville just gave you the guide to clean your Joomla for sure, without being infected again.
chat room spontes : http://www.spontes.com

Postby cybersalt » Mon Mar 20, 2017 11:15 pm

ribo wrote: Also, a scanner alone will not solve your issue either.


That is true, which is why I said run a scan to get a direction to move in.

Razing and rebuilding sites to get rid of infections is not always an option for complex sites. Sure, in the end it may be the only solution after many, many tries, but it's possible to recover a site more surgically once you know what you are looking for.

Postby ribo » Mon Mar 20, 2017 11:41 pm

cybersalt wrote:
ribo wrote: Also, a scanner alone will not solve your issue either.


That is true, which is why I said run a scan to get a direction to move in.


Let's give you an example. If the issue comes from the server, does a scan give you a direction to move in? The guide has many steps to do and many things to check. About rebuilding: if you read the guide exactly, it's not exactly rebuilding, and using the original database can help the user to recover the hacked site faster, even if it is a complex site. And in the end, the most important thing is that the guide helps a non-experienced user who asks "Thanks, I removed the file. Any steps I should take next?" better than a scanner or a third-party extension.