Please help: ESET Scan shows all saved Joomla backups have a trojan - is this false positive?

Discussion regarding Joomla! 3.x security issues.

Post by lastevns » Tue Sep 12, 2017 8:46 pm

I just did an ESET Scan of my computer backups and all of my saved Joomla sites (and saved databases) show as having files that read as:

    PHP/PhpShell.NBD trojan


These files include:

    array_1.php
    reverse-ddd.php

And some are contained within .zipped backups of sites.

This seems odd as I keep all of my sites up to date (at least on my host).

I wonder if this could be a false positive on the scan? And, if not, should I be having my host run a virus scan on all of our sites? Of course, this will mean they all get shut down until we pay more to have the site cleaned. Still...

I would seriously appreciate some feedback. I'm very concerned about this.

Thanks!
Last edited by toivo on Tue Sep 12, 2017 10:49 pm, edited 1 time in total.
Reason: mod note: moved to 3.x Security
I'm seriously grateful for the help offered here. It's amazing how willing people are to help. To those who are more negative... please understand, I'm just here trying to learn.

Post by toivo » Tue Sep 12, 2017 11:00 pm

Those two files are not included in the Joomla core. They may belong to some third party extension, but if they both contain a trojan, those files were uploaded by hackers.

Follow the instructions in the sticky posts at the top of this forum to clean and secure your site:
viewtopic.php?f=714&t=757645
viewtopic.php?f=714&t=946026
Toivo Talikka, Global Moderator
my first programs were assembled and run in 16KB :)
http://archive.computerhistory.org/resources/text/GE/GE.GE-115SystemSoftware.1967.102646096.pdf#zoom=100

Post by lastevns » Wed Sep 13, 2017 1:04 am

To quote the beloved Douglas Adams, "Oh!" ... "Ah..."

This could be bad. I will have to look at my backed up files and see if those files are in them. If not, do you feel it would work to restore a saved version?


toivo wrote: Those two files are not included in the Joomla core. They may belong to some third party extension, but if they both contain a trojan, those files were uploaded by hackers.

Follow the instructions in the sticky posts at the top of this forum to clean and secure your site:
viewtopic.php?f=714&t=757645
viewtopic.php?f=714&t=946026

Post by leolam » Wed Sep 13, 2017 4:47 am

I am not sure whether this is a false positive or not, but Virustotal and Securinet show no issues with your site, so I see no need to restore anything, and never restore any (possibly) infected .jpa or zip. I suggest you upload your backup to https://www.virustotal.com/#/home/upload and run again. You might also run a scan at myjoomla.com, which will discover all dirt for sure. First scan is free.

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support: https://gws-desk.com -
- Joomla Specialized Hosting Solutions: https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

Post by toivo » Wed Sep 13, 2017 6:57 am

Check the contents of those files and you will surely recognise hack code if you compare the file to some legitimate Joomla scripts. Do not post the code here.
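The two checks toivo describes in this thread (are the flagged files part of the Joomla core, and do the remaining files match legitimate Joomla scripts) can be run against a zipped backup without unpacking it. The following is an added example, not part of the original thread; it assumes you have a clean Joomla release ZIP of the same version from the official download site, and the function names, folder paths and file contents are constructed for illustration.

```python
import hashlib
import io
import zipfile

def php_hashes(zip_bytes, strip_prefix=""):
    """Map each .php path in a ZIP archive to the SHA-256 of its bytes."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(".php"):
                continue
            if strip_prefix and name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            # Contents are only hashed, never extracted to disk or executed.
            hashes[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes

def triage_backup(backup_zip, clean_zip, backup_prefix=""):
    """Return (unknown, modified) .php paths relative to a clean release."""
    backup = php_hashes(backup_zip, backup_prefix)
    clean = php_hashes(clean_zip)
    unknown = sorted(p for p in backup if p not in clean)
    modified = sorted(p for p in backup if p in clean and backup[p] != clean[p])
    return unknown, modified

def make_zip(files):
    """Build an in-memory ZIP from {path: bytes} (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed sample archives; contents are harmless placeholders.
CLEAN = make_zip({"index.php": b"<?php // core index",
                  "libraries/loader.php": b"<?php // core loader"})
BACKUP = make_zip({
    "public_html/index.php": b"<?php // core index",
    "public_html/libraries/loader.php": b"<?php // core loader, altered",
    "public_html/images/array_1.php": b"<?php // placeholder",
    "public_html/tmp/reverse-ddd.php": b"<?php // placeholder",
    "public_html/images/logo.png": b"\x89PNG",
})

if __name__ == "__main__":
    unknown, modified = triage_backup(BACKUP, CLEAN, "public_html/")
    print("Not in clean release:", unknown)
    print("Differs from clean release:", modified)
```

Files from third-party extensions also land in the first list, so treat it as a review list rather than a verdict; adding each extension's original installer package to the clean set narrows it down.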


Return to “Security in Joomla! 3.x”

Who is online

Users browsing this forum: No registered users and 2 guests