Funky Joomla! update emails

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

michele654
Joomla! Intern
Posts: 51
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Funky Joomla! update emails

Postby michele654 » Fri Aug 05, 2016 3:29 pm

With the latest Joomla update notices, I received notices that weren't quite right.

Essentially, I received the correct notice, and I also received a notice with an incorrect domain name and link.

Looking at the mail headers, it does appear that these emails came from my server. They came at the same time my server sent the correct email message. They came to both email addresses that are set as administrator emails, on my servers.

This happened on two different hosting providers, and one server I manage myself.

The subject looks like:

Joomla! Update available for (mydomain).com – http://www.h khk11.com/

The body looks correct, except for the link to perform the update goes to the hkhk11.com domain:

Update link: http://www.hk hk11.com/administrator/index.php?option=com_joomlaupdate

Obviously I don't have anything to do with the hkhk 11.com domain, which is in Beijing.

Another came from mail.(mydomain).info, which I own, so that was weird too.

Ideas?
Last edited by mandville on Fri Aug 05, 2016 6:14 pm, edited 2 times in total.
Reason: Broke links leading to NSFW site
-Michele

Dear God, I have a problem. It's me.

mjparadac
Joomla! Ace
Posts: 1392
Joined: Mon Oct 29, 2012 3:58 pm

Re: Funky Joomla! update emails

Postby mjparadac » Fri Aug 05, 2016 3:55 pm

Hello Michele

That is so weird.
Do you use any extension for emails or SEO?

Regards,
Joomla Community Ambassador for A2 Hosting | A2 Hosting - Our speed, your success | https://www.a2hosting.com/joomla-hosting?utm_campaign=grassroots&utm_medium=forum&utm_source=joomla.org

michele654
Joomla! Intern
Posts: 51
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Funky Joomla! update emails

Postby michele654 » Fri Aug 05, 2016 5:20 pm

No extensions for mail or SEO. The one site that sent the .info email has:
JCE
YooTheme
WidgetKit

The other domains have other extensions as well, but those three above are common among them.

-Michele

Dear God, I have a problem. It's me.

wordpresser
Joomla! Apprentice
Posts: 5
Joined: Sat Aug 06, 2016 7:28 pm

Re: Funky Joomla! update emails

Postby wordpresser » Sat Aug 06, 2016 8:02 pm

I would search the database with phpmyadmin and look for any field containing that domain. This should give you a clue to where it is coming from.

Judging by the content of that domain I would suspect you have been hacked at one point. You may have a user with this email so look in your users as well.

tinadevi
Joomla! Fledgling
Posts: 3
Joined: Sun Aug 07, 2016 2:15 am

Re: Funky Joomla! update emails

Postby tinadevi » Sun Aug 07, 2016 3:18 am

I received this email as well. Haven't been able to find any *hkhk* strings in the database or on the server. Nevertheless I did a whole bunch of security updates.

Here's a screen cap of the email:
joomla-update-phishing-email.JPG

sozzled
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Funky Joomla! update emails

Postby sozzled » Sun Aug 07, 2016 5:41 am

I looked at the source code for the Joomla update notification emails (the relevant lines for determining the update link start at around line 146 of /administrator/plugins/system/updatenotification/updatenotification.php):

      // If we're here, we have updates. First, get a link to the Joomla! Update component.
      $baseURL  = JUri::base();
      $baseURL  = rtrim($baseURL, '/');
      $baseURL .= (substr($baseURL, -13) != 'administrator') ? '/administrator/' : '/';
      $baseURL .= 'index.php?option=com_joomlaupdate';
      $uri      = new JUri($baseURL);

What this, in effect, does is to create the text that will later be the link in the email. So where does Joomla get the "base" URL from?

I would suggest that you search for all .htaccess files starting from the root folder and see if any of them are rewriting the base address of the website.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?
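
An added illustration, not part of sozzled's post or of Joomla's own code: a Python sketch that mirrors the quoted link-building lines and flags access-log requests whose Host header is not one of the site's own names. It assumes the base URL falls back to the request's Host header when `$live_site` in configuration.php is empty; the log format (Host header logged as the first field), `ALLOWED_HOSTS` and the sample lines are constructed.

```python
import re

# Host names this site is meant to answer to (constructed; use your own).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Assumed log format with the Host request header logged first, e.g. Apache
# LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b" (stock "combined" omits it).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    'www.example.com 198.51.100.7 - - [05/Aug/2016:15:29:01 +0000] "GET / HTTP/1.1" 200 5123',
    'unrelated.example.net 203.0.113.9 - - [05/Aug/2016:15:29:02 +0000] "GET / HTTP/1.1" 200 5123',
    'ftp.example.com 203.0.113.9 - - [06/Aug/2016:03:10:44 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '192.0.2.10 203.0.113.9 - - [07/Aug/2016:03:11:00 +0000] "GET / HTTP/1.1" 200 5123',
]

def update_link(base_url):
    """Mirror of the plugin lines quoted above: base URL -> update link."""
    base = base_url.rstrip("/")
    base += "/" if base[-13:] == "administrator" else "/administrator/"
    return base + "index.php?option=com_joomlaupdate"

def base_from_request(host_header, live_site=""):
    """Assumed model: a pinned $live_site wins, else the request's Host header.
    The scheme is simplified to http for the unpinned case."""
    if live_site.strip():
        return live_site.rstrip("/") + "/"
    return "http://" + host_header + "/"

def flag_unexpected_hosts(log_lines, allowed=ALLOWED_HOSTS):
    """Return (timestamp, client_ip, host, resulting_link) for foreign Hosts."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        host = m.group("host").lower().split(":")[0]  # strip optional port
        if host not in allowed:
            link = update_link(base_from_request(host))
            findings.append((m.group("ts"), m.group("ip"), host, link))
    return findings

if __name__ == "__main__":
    for finding in flag_unexpected_hosts(SAMPLE_LOG):
        print(finding)
```

Pinning `$live_site` in configuration.php, or configuring the web server to refuse requests for host names it does not serve, removes the dependency on the request's Host header.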

tinadevi
Joomla! Fledgling
Posts: 3
Joined: Sun Aug 07, 2016 2:15 am

Re: Funky Joomla! update emails

Postby tinadevi » Sun Aug 07, 2016 5:36 pm

Hi sozzled,

Thank you for your suggestion.

Unfortunately that path does not exist for me. However I did find the updatenotification folder in the root directory instead of the administrator folder.

Corrected path: public_html/plugins/system/updatenotification/updatenotification.php

There are a gazillion results for the keyword: updatenotification in the joomla file system so I'm not going to start with the code itself.

I found the entry in the server's mail log and I have posted it to my admins to see if they can determine whether or not the email came from the joomla site or from outside the server.

Oh, I haven't enabled the htaccess file in the root yet.

sozzled
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Funky Joomla! update emails

Postby sozzled » Sun Aug 07, 2016 7:15 pm

Thanks for correcting the location of the updatenotification.php file. Good luck with your further investigation. My instinct tells me that the base_dir has been changed somewhere (but where, I don't know).
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

michele654
Joomla! Intern
Posts: 51
Joined: Mon Apr 21, 2008 3:56 pm
Location: North Carolina

Re: Funky Joomla! update emails

Postby michele654 » Mon Aug 08, 2016 12:06 pm

I'm still receiving the emails daily, even though I updated Friday to 3.6.2. The emails are saying 3.6.0 to 3.6.1. Since I updated the site, the emails have come with no base_url at all. The subject said:

Joomla! Update available for (mydomain).com – /

And the update link was:
Update link: /administrator/index.php?option=com_joomlaupdate

Note that I also received the correct emails last week, so these are additional emails that came in along with the correct one, and keep coming even after the update to 3.6.2 has been performed. Assuming base_url is defined and used in one place, from one site I've received emails with 3 different base_url links now.

I would suggest it's just spam, but email headers say the emails came from my servers/domain... And the administrator email is not obvious for the domains.

One domain the link was the .info domain of my .com, which I also own the .info, and it just forwards to .com. I didn't hack myself.

Mostly I wanted to report it in case someone else was seeing it, I'm glad it's not only me, although I'm sorry we haven't figured it out yet!

-Michele

Dear God, I have a problem. It's me.

sozzled
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Funky Joomla! update emails

Postby sozzled » Mon Aug 08, 2016 7:36 pm

https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

SarahC
Joomla! Apprentice
Posts: 6
Joined: Wed Jul 02, 2008 5:50 am

Re: Funky Joomla! update emails

Postby SarahC » Thu Aug 25, 2016 7:13 am

There is definitely something funky going on. I am experiencing the same thing. I have received multiple email notifications to update my Joomla site from 3.6.0 to 3.6.1 when my site has already been updated to 3.6.2. They are being sent with all sorts of domain names and links, which Firefox blocks. Coming from site email address. We need to work out what is going on here.

ncy
Joomla! Fledgling
Posts: 2
Joined: Sun Nov 22, 2015 8:15 pm

Re: Funky Joomla! update emails

Postby ncy » Thu Oct 12, 2017 12:18 am

I've been experiencing this same problem now as well. Got emails for my domain listed as an IP address, as ftp.mydomain.com, and as a completely random unrelated www. hxjqnj888 .com. I was using Joomla 3.7.5 and the update notification was about updating to 3.8.0.

Have there been any updates regarding finding out what's going on with this?

I'm mostly concerned about security and whether my site has been compromised in any way :P.

Thanks,

