RSFirewall malware results Topic is solved

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 8:45 am

I have RSFirewall installed on my site, and the scanner has come back with 2 warnings about files containing malware. See attached screenshot...
malware_scan.PNG
Please can I ask for any comments about the second item. Obviously it might be a false positive (answers in layman's terms please...I'm not a developer or web security guy)...

- 1st item in screenshot - I've scanned the file and RSJoomla people have inspected the code and report it's a false positive

- jhackguard - this is really odd. In the extension manager on my site this isn't listed - I haven't installed it. I don't understand where the folder/files have come from? Are there other extensions that install this? If it's not installed can I just delete the folder/files?

Thanks

 
abernyte
Joomla! Virtuoso
Posts: 3801
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: RSFirewall malware results

Post by abernyte » Tue Feb 04, 2020 10:03 am

Jhackguard was/is a Siteground extension from 2015 initially. If you use their hosting and Joomla installation I think they install it as standard.
What we obtain too cheap, we esteem too lightly…Thomas Paine

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Tue Feb 04, 2020 10:19 am

Make sure that you have the latest versions
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 10:19 am

abernyte wrote:
Tue Feb 04, 2020 10:03 am
Jhackguard was/is a Siteground extension from 2015 initially. If you use their hosting and Joomla installation I think they install it as standard.
I'm not using Siteground hosting!

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 10:21 am

Webdongle wrote:
Tue Feb 04, 2020 10:19 am
Make sure that you have the latest versions
Everything in my site is up to date (I checked this morning).

The issue is I have folders/files for JHackGuard but I've never installed it and it's not listed in the extension manager.

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Tue Feb 04, 2020 10:35 am

Extensions >>> Manage >>> Manage ... show all ... and double check it is not listed please.

Then https://forumpostassistant.github.io/docs/
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 10:40 am

Webdongle wrote:
Tue Feb 04, 2020 10:35 am
Extensions >>> Manage >>> Manage ... show all ... and double check it is not listed please.

Then https://forumpostassistant.github.io/docs/
Thanks Webdongle.

When you say show all, I take it you mean set the number of items in the list to 'All'. I've done that, searched the list manually, and searched for the word Hack...can't find anything!

Will download and run the FPA now.

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 10:55 am

nigelj wrote:
Tue Feb 04, 2020 10:40 am
Webdongle wrote:
Tue Feb 04, 2020 10:35 am
Extensions >>> Manage >>> Manage ... show all ... and double check it is not listed please.

Then https://forumpostassistant.github.io/docs/
Thanks Webdongle.

When you say show all, I take it you mean set the number of items in the list to 'All'. I've done that, searched the list manually, and searched for the word Hack...can't find anything!

Will download and run the FPA now.
OK...I've failed at the first step...can't download the FPA...
githuberror.PNG
Can I get this anywhere else?

abernyte
Joomla! Virtuoso
Posts: 3801
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: RSFirewall malware results

Post by abernyte » Tue Feb 04, 2020 11:04 am

The file is safe. If you click learn more it should give you a link to continue.
What we obtain too cheap, we esteem too lightly…Thomas Paine

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 11:10 am

abernyte wrote:
Tue Feb 04, 2020 11:04 am
The file is safe. If you click learn more it should give you a link to continue.
Sorry? That error is because the connection is not working, it's nothing to do with the file?

Clicking learn more just takes me to a Mozilla help page https://support.mozilla.org/en-US/kb/se ... =inproduct

I've tried with Firefox, Chrome and Edge, none can make a connection. I've tried the download link on the FPA page itself, and the file links on the Github page, and the links in this post...viewtopic.php?f=714&t=793531. All fail. Not helpful for a confused beginner!

So...same question again...can I download the FPA somewhere else?

abernyte
Joomla! Virtuoso
Posts: 3801
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: RSFirewall malware results

Post by abernyte » Tue Feb 04, 2020 11:16 am

No, only from Github.
I have just downloaded it with Firefox, Brave and Waterfox and it is working. It must be your browser settings.
What we obtain too cheap, we esteem too lightly…Thomas Paine

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 11:25 am

Don't know what settings it could be as it's on 3 browsers! Anyway, I've downloaded it on my phone and emailed it to myself!

abernyte
Joomla! Virtuoso
Posts: 3801
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: RSFirewall malware results

Post by abernyte » Tue Feb 04, 2020 11:30 am

There is always a way!
What we obtain too cheap, we esteem too lightly…Thomas Paine

toivo
Joomla! Master
Posts: 12073
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: RSFirewall malware results

Post by toivo » Tue Feb 04, 2020 11:30 am

nigelj wrote:Please can I ask for any comments about the second item.
That is definitely a false positive.

The string starting with 'eval($_POST' is picked from the second line of the code below, a comment, assuming that you use the latest version of jHackguard. Comment lines are included as documentation only and never executed. Slack programming by the developers of RSFirewall.

Code:

   private function rule_2($l){
      // Search for eval($_POST or eval($_GET) or request/cookie/etc
      if(preg_match('/\beval\b\s*(.*)\(\s*(\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|\$_SERVER)/i',$l)){
         //This is critical.
         $this->score += 100;
         $this->explain[] = "Found eval+POST/GET on the same line.";
      }
   }
Toivo Talikka, Global Moderator
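
Added example (not part of the original thread, and not RSFirewall's or jHackguard's code): the false positive described in the post above, reproduced offline. The signature is the regular expression from the quoted rule_2() snippet; the wrapping class, the function names and the final line of live code in the sample are constructed for illustration.

```php
<?php
// Added example: not RSFirewall's or jHackguard's code.
// The signature is the regular expression from the rule_2() snippet quoted above.
const SIGNATURE = '/\beval\b\s*(.*)\(\s*(\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|\$_SERVER)/i';

/** Line-by-line scan of raw text: returns the 1-based numbers of matching lines. */
function scanLines(string $text): array
{
    $hits = [];
    foreach (preg_split('/\R/', $text) as $i => $line) {
        if (preg_match(SIGNATURE, $line) === 1) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

/**
 * Token-aware scan: drop comment tokens, keep their newlines so line numbers
 * still line up, then apply the same signature. String literals are kept on
 * purpose, because string contents can still reach an evaluator.
 */
function scanWithoutComments(string $php): array
{
    $code = '';
    foreach (token_get_all($php) as $token) {
        if (is_array($token) && in_array($token[0], [T_COMMENT, T_DOC_COMMENT], true)) {
            $code .= str_repeat("\n", substr_count($token[1], "\n"));
        } else {
            $code .= is_array($token) ? $token[1] : $token;
        }
    }
    return scanLines($code);
}

// Constructed sample: the quoted rule_2() method wrapped in a hypothetical class,
// plus one constructed line of live code so a true positive is visible too.
// The nowdoc is only ever tokenized and matched, never executed.
$sample = <<<'SAMPLE'
<?php
class HypotheticalScanner {
   private function rule_2($l){
      // Search for eval($_POST or eval($_GET) or request/cookie/etc
      if(preg_match('/\beval\b\s*(.*)\(\s*(\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|\$_SERVER)/i',$l)){
         $this->score += 100;
      }
   }
}
eval($_POST['x']);
SAMPLE;

echo 'raw text scan flags lines:        ', implode(', ', scanLines($sample)), PHP_EOL;
echo 'comment-stripped scan flags lines: ', implode(', ', scanWithoutComments($sample)), PHP_EOL;
```

The raw scan reports the comment line inside rule_2() as well as the live eval line; the comment-stripped scan reports only the live line.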

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 11:36 am

toivo wrote:
Tue Feb 04, 2020 11:30 am
nigelj wrote:Please can I ask for any comments about the second item.
That is definitely a false positive.

The string starting with 'eval($_POST' is picked from the second line of the code below, a comment, assuming that you use the latest version of jHackguard. Comment lines are included as documentation only and never executed. Slack programming by the developers of RSFirewall.

Code:

   private function rule_2($l){
      // Search for eval($_POST or eval($_GET) or request/cookie/etc
      if(preg_match('/\beval\b\s*(.*)\(\s*(\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|\$_SERVER)/i',$l)){
         //This is critical.
         $this->score += 100;
         $this->explain[] = "Found eval+POST/GET on the same line.";
      }
   }
Thank you toivo. That's the first thing sorted! Next is why I have JHackGuard folders and files when I haven't installed it, and it wasn't installed in the site I've migrated from. I'm just getting the FPA output to post...I can see references to JHackGuard in there, but again, have no idea how they have got there!?

toivo
Joomla! Master
Posts: 12073
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: RSFirewall malware results

Post by toivo » Tue Feb 04, 2020 11:40 am

Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
- see the red banner at the top.
Toivo Talikka, Global Moderator

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 11:43 am

Here's the FPA output. As I mentioned above I can see JHackGuard mentioned but have no clue how it's got there, and I can't see it in extension manager. The instances below have a question mark after, so there's obviously an issue detected (yeah...it's not installed!)

The main question...can I just delete the JHackGuard folders/files. Or I could actually install it, then uninstall it properly?...
Forum Post Assistant (v1.4.9 (lambrusca) : 4th February 2020 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.15-Stable (Amani) 27-January-2020
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: none | Shared sessions: false | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: 2 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.15: Yes | Database Supports J! 3.9.15: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.12.18-clouder0 | Technology: x86_64 | Web Server: Apache/2.4.39 (Unix) mod_hive/6.27 OpenSSL/1.0.1e-fips mod_fastcgi/2.4.6 | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 25.83 GiB |

PHP Configuration :: Version: 7.3.14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 30709 | Log Errors To: php_errorlog | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: 120 | Max. Execution Time: 120 | Memory Limit: 768M

Database Configuration :: Version: 5.6.36-82.1-log (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 7cc7cc96e675f6d72e5cf0f267f48e167c2abb23 $) | Host: --protected-- (--protected--) | default Collation: utf8_general_ci (default Character Set: utf8) | Database Size: 9.99 MiB | #of Tables: 171
Detailed Environment :: wrote:PHP Extensions :: Core (7.3.14) | date (7.3.14) | libxml (7.3.14) | openssl (7.3.14) | pcre (7.3.14) | sqlite3 (7.3.14) | zlib (7.3.14) | bcmath (7.3.14) | bz2 (7.3.14) | calendar (7.3.14) | ctype (7.3.14) | curl (7.3.14) | dba (7.3.14) | dom (20031129) | enchant (7.3.14) | hash (7.3.14) | fileinfo (7.3.14) | filter (7.3.14) | ftp (7.3.14) | gd (7.3.14) | gettext (7.3.14) | gmp (7.3.14) | SPL (7.3.14) | iconv (7.3.14) | session (7.3.14) | intl (7.3.14) | json (1.7.0) | mbstring (7.3.14) | standard (7.3.14) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 7cc7cc96e675f6d72e5cf0f267f48e167c2abb23 $) | pcntl (7.3.14) | mysqli (7.3.14) | PDO (7.3.14) | pdo_mysql (7.3.14) | pdo_pgsql (7.3.14) | pdo_sqlite (7.3.14) | pgsql (7.3.14) | Phar (7.3.14) | posix (7.3.14) | pspell (7.3.14) | readline (7.3.14) | Reflection (7.3.14) | imap (7.3.14) | shmop (7.3.14) | SimpleXML (7.3.14) | soap (7.3.14) | sockets (7.3.14) | sodium (7.3.14) | exif (7.3.14) | sysvmsg (7.3.14) | sysvsem (7.3.14) | tidy (7.3.14) | tokenizer (7.3.14) | wddx (7.3.14) | xml (7.3.14) | xmlreader (7.3.14) | xmlrpc (7.3.14) | xmlwriter (7.3.14) | xsl (7.3.14) | zip (1.15.4) | cgi-fcgi () | memcached (3.1.0-dev) | ionCube Loader (10.3.9) | Zend OPcache (7.3.14) | Zend Engine (3.3.14) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 40741498 | Threads: 1 | Questions: 1934640164 | Slow queries: 8516 | Opens: 34251613 | Flush tables: 1 | Open tables: 2048 | Queries per second avg: 47.485 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_admin (3.0.0) 1 | com_cache (3.0.0) 1 | com_modules (3.0.0) 1 | com_search (3.0.0) 1 | com_fields (3.7.0) 1 | com_actionlogs (3.9.0) 1 | com_ajax (3.2.0) 1 | com_postinstall (3.2.0) 1 | com_users (3.0.0) 1 | com_categories (3.0.0) 1 | com_privacy (3.9.0) 1 | com_tags (3.1.0) 1 | com_banners (3.0.0) 1 | com_config (3.0.0) 1 | com_installer (3.0.0) 1 | com_messages (3.0.0) 1 | com_login (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_menus (3.0.0) 1 | com_finder (3.0.0) 1 | com_checkin (3.0.0) 1 | com_content (3.0.0) 1 | com_plugins (3.0.0) 1 | com_redirect (3.0.0) 1 | com_weblinks (3.7.0) 1 | com_templates (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_associations (3.7.0) 1 | com_media (3.0.0) 1 |
3rd Party:: com_jhackguard (2.0.2) ? | com_j2xml (3.7.202) 1 | Versions (1.1034) ? | JCH Optimize (5.4.3) 1 | RSFirewall! (2.12.4) 1 | com_rsform (2.3.6) 1 | com_phocadownload (3.1.9) 1 | Akeeba (7.0.1) 1 | com_rsticketspro (2.3.5) 1 | COM_RSTBOX (3.5.4) 1 |

Modules :: SITE ::
Core :: mod_whosonline (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_latest (3.0.0) 1 | mod_login (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_weblinks (3.7.0) 1 | mod_articles_popular (3.0.0) 1 | mod_search (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_menu (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_category (3.0.0) 1 |
3rd Party:: mod_phocadownload_tree (3.1.7) 1 | mod_rsticketspro_latest (2.0.1) 1 | Maximenu CK (6.2.11) ? | RSForm! Pro Module (2.0.0) 1 | SCLogin (8.0.5) ? | RSForm! Pro Module List (2.0.4) 1 |

Modules :: ADMIN ::
Core :: mod_multilangstatus (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_title (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_feed (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_status (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_sampledata (3.8.0) 1 | mod_version (3.0.0) 1 |
3rd Party:: RSFirewall! Control Panel Module (1.4.0) 1 |

Libraries ::
Core ::
3rd Party:: file_fof30 (3.5.1) ? |

Plugins ::
Core :: plg_content_confirmconsent (3.9.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_geshi (2.5.0) 0 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_weblink (3.7.0) 0 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_weblinks (3.7.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_system_p3p (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_weblinks (3.7.0) 0 | plg_system_logrotation (3.9.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_stats (3.5.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_remember (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_redirect (3.0.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_user_terms (3.9.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 
| plg_fields_repeatable (3.9.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_weblinks (3.7.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 |
3rd Party:: plg_editors_codemirror (5.40.0) 1 | plg_editors_tinymce (4.5.11) 1 | Content - Version (Version:1.103) ? | Content - Workflow (Version:1.103) ? | plg_content_phocadownload (3.1.7) 0 | Content - RSForm! Pro (1.51.1) 0 | PLG_ACTIONLOG_AKEEBABACKUP (7.0.1) 0 | plg_installer_rsticketspro (1.0.0) 1 | plg_installer_rsfirewall (1.0.0) 1 | plg_installer_rsform (1.0.0) 1 | Button - Versioning (Version:1.103) ? | PLG_EDITORS-XTD_ENGAGEBOX (1.0) 1 | Button - Workflow (Version:1.103) ? | plg_privacy_rsticketspro (1.0.0) 1 | PLG_SYSTEM_BACKUPONUPDATE (7.0.1) 1 | System - RSForm! Pro Delete Submiss (1.0.0) ? | plg_system_tgeoip (0.1) 1 | PLG_SYSTEM_AKEEBAUPDATECHECK (7.0.1) 0 | plg_system_rsticketsproreports (2.0.3) 0 | plg_system_rsvario (1.0.0) 1 | System - Maximenu_CK params (2.1.5) ? | JHackGuard Plugin (2.0.4) ? | plg_system_j2xml (3.7.46) 1 | PLG_SYSTEM_RSTBOX (3.0) 1 | PLG_SYSTEM_JCH_OPTIMIZE (5.4.3) 0 | plg_system_rsticketspro (1.0.0) 1 | System - RSFirewall! Active Scanner (1.4.0) 1 | plg_system_nrframework (4.3.4) 1 | System - RSForm! Pro Advanced Form (1.0.12) ? | System - RSForm! Pro - RSTickets! P (1.0.0) ? | System - jSGCache (1.3.2) ? | User - RSTickets! Pro Staff (1.0.0) 1 | PLG_J2XML_ATTACHMENTS (3.7.0) 0 | PLG_J2XML_USERS (3.7.10.95) 1 | plg_quickicon_akeebabackup (7.0.1) 1 | plg_search_rsticketsprocontent (1.0.0) 1 | PLG_ENGAGEBOX_IFRAME (1.0) 1 | PLG_ENGAGEBOX_IMAGE (1.0) 1 | PLG_ENGAGEBOX_EMAILFORM (1.0) 1 | PLG_ENGAGEBOX_MODULE (1.0) 1 | PLG_ENGAGEBOX_SOCIAL (1.0) 1 | PLG_ENGAGEBOX_SMARTTAGS (1.0) 1 | PLG_ENGAGEBOX_CUSTOM (1.0) 1 | PLG_ENGAGEBOX_YESNO (1.0) 1 |
Templates Discovered :: wrote:Templates :: SITE :: beez3 (3.1.0) 0 | RSVario! (1.0.32) 1 | Unknown (templates/rsvario/classes/parser/sampledata/data-simple-slider-no-rsmg/categories.xml) (-) ? | Unknown (templates/rsvario/classes/parser/sampledata/data-simple-slider/categories.xml) (-) ? | Unknown (templates/rsvario/classes/parser/sampledata/data-form-slider/categories.xml) (-) ? | Unknown (templates/rsvario/classes/parser/sampledata/data-form-slider-no-rsmg/categories.xml) (-) ? | beez_20 (2.5.0) 0 | beez5 (2.5.0) 0 | atomic (2.5.0) 0 | vision (01.05.2014/3.) 1 | protostar (1.0) 0 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 0 | bluestork (2.5.0) 0 |
Last edited by nigelj on Tue Feb 04, 2020 11:52 am, edited 1 time in total.

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 11:49 am

toivo wrote:
Tue Feb 04, 2020 11:40 am
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
- see the red banner at the top.
Thanks, but I have no red banner and don't use Windows Defender anyway...it was all turned off. I've now disabled it, but that has made no difference...still can't download the FPA.

Anyway, don't worry about this, I've downloaded it through my phone, emailed it to myself, installed and run it!

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Tue Feb 04, 2020 12:36 pm

Extensions >>> Manage >>> Discover ... install anything that is discovered.
Extensions >>> Manage >>> Update ... update anything that needs updating.

If you still can't see jhackguard in Extensions >>> Manage >>> Manage ... then download the latest version and install it.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Feb 04, 2020 12:50 pm

Webdongle wrote:
Tue Feb 04, 2020 12:36 pm
Extensions >>> Manage >>> Discover ... install anything that is discovered.
Extensions >>> Manage >>> Update ... update anything that needs updating.

If you still can't see jhackguard in Extensions >>> Manage >>> Manage ... then download the latest version and install it.
jhackguard was found, along with other extensions. I've installed it from Discover, then uninstalled it...all gone now...thank you!

What exactly does Discover do...where does it find what it finds from? It's found some other items that I will install/uninstall as I don't want them.

toivo
Joomla! Master
Posts: 12073
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: RSFirewall malware results

Post by toivo » Tue Feb 04, 2020 1:09 pm

The Discover function reads the manifest XML files from the folders where extensions are stored (components, modules, plugins and templates) and reconciles that information with the extensions already in the extensions table in the database.
Toivo Talikka, Global Moderator
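
Added example (not part of the original thread, and not Joomla's installer code): a simplified, offline model of the reconciliation described in the post above, useful for spotting extension files that exist on disk but are not registered. The folder layout, the manifest.xml file names, the folder-name-as-element rule and the table rows are assumptions constructed for illustration; extension names and versions are taken from the FPA output earlier in the thread.

```php
<?php
// Added example: a simplified, offline model of the reconciliation described
// above. Not Joomla's installer code; layout, file names and rows are assumptions.
libxml_use_internal_errors(true); // malformed XML yields false instead of warnings

/** Find manifest-like XML files under $root, keyed by "type|folder|element". */
function manifestsOnDisk(string $root): array
{
    // Assumed layout: one folder per extension; plugins sit one level deeper.
    $patterns = ['administrator/components/*/*.xml', 'modules/*/*.xml',
                 'plugins/*/*/*.xml', 'templates/*/*.xml'];
    $found = [];
    foreach ($patterns as $pattern) {
        foreach (glob("$root/$pattern") ?: [] as $file) {
            $xml = simplexml_load_file($file);
            // Only XML whose root is <extension type="..."> is treated as a manifest.
            if ($xml === false || $xml->getName() !== 'extension' || !isset($xml['type'])) {
                continue;
            }
            $type = (string) $xml['type'];
            $folder = $type === 'plugin' ? (string) $xml['group'] : '';
            $element = basename(dirname($file)); // assumption: folder name = element
            $found["$type|$folder|$element"] = [
                'name'    => (string) $xml->name,
                'version' => (string) $xml->version,
                'path'    => substr(dirname($file), strlen($root) + 1),
            ];
        }
    }
    return $found;
}

/** Manifests on disk with no matching row in the stand-in extensions table. */
function notRegistered(array $onDisk, array $rows): array
{
    $known = [];
    foreach ($rows as $row) {
        $known["{$row['type']}|{$row['folder']}|{$row['element']}"] = true;
    }
    return array_diff_key($onDisk, $known);
}

/** Write the constructed sample site into a fresh temp directory. */
function buildSampleSite(): string
{
    $root = sys_get_temp_dir() . '/discover_demo_' . bin2hex(random_bytes(4));
    $m = function ($attrs, $name, $ver) {
        return "<extension $attrs><name>$name</name><version>$ver</version></extension>";
    };
    $files = [
        'administrator/components/com_jhackguard/manifest.xml' => $m('type="component"', 'com_jhackguard', '2.0.2'),
        'administrator/components/com_jhackguard/config.xml' => '<config><fieldset/></config>',
        'plugins/system/jhackguard/manifest.xml' => $m('type="plugin" group="system"', 'JHackGuard Plugin', '2.0.4'),
        'plugins/system/sef/manifest.xml' => $m('type="plugin" group="system"', 'plg_system_sef', '3.0.0'),
        'modules/mod_menu/manifest.xml' => $m('type="module"', 'mod_menu', '3.0.0'),
        'templates/protostar/manifest.xml' => $m('type="template"', 'protostar', '1.0'),
    ];
    foreach ($files as $relative => $xml) {
        $dir = dirname("$root/$relative");
        is_dir($dir) || mkdir($dir, 0700, true);
        file_put_contents("$root/$relative", $xml);
    }
    return $root;
}

// Constructed stand-in for rows of the extensions table: the jhackguard
// component and plugin are deliberately absent, as in the thread.
$rows = [
    ['type' => 'plugin',   'folder' => 'system', 'element' => 'sef'],
    ['type' => 'module',   'folder' => '',       'element' => 'mod_menu'],
    ['type' => 'template', 'folder' => '',       'element' => 'protostar'],
];

$root = buildSampleSite();
foreach (notRegistered(manifestsOnDisk($root), $rows) as $info) {
    echo "on disk but not registered: {$info['path']} ({$info['name']} {$info['version']})", PHP_EOL;
}

// Remove the temporary sample tree again.
$tree = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($tree as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($root);
```

The config.xml file in the sample is skipped because its root element is not an extension manifest, so only the two jhackguard entries are reported.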

AMurray
Joomla! Champion
Posts: 5515
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: RSFirewall malware results

Post by AMurray » Sat Feb 22, 2020 11:04 pm

Don't know if this has been resolved but you also need to tidy up those Joomla 2.5 extensions - uninstall any not used, only retain the default Joomla 3.x ones and any that is your primary (3rd-party) template.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Sat Feb 22, 2020 11:37 pm

Both were false positives, so all resolved.

I've got rid of the 2.5 templates that were left after migration. Jhackguard is something to do with the host but I've installed then uninstalled it. The other one should never have been picked up by the rsfirewall scanner.

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Sun Feb 23, 2020 12:11 am

nigelj wrote:
Sat Feb 22, 2020 11:37 pm
... Jhackguard is something to do with the host but I've installed then uninstalled it. ...
Did you use a quickstart Joomla install?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Sun Feb 23, 2020 10:03 am

Webdongle wrote:
Sun Feb 23, 2020 12:11 am
nigelj wrote:
Sat Feb 22, 2020 11:37 pm
... Jhackguard is something to do with the host but I've installed then uninstalled it. ...
Did you use a quickstart Joomla install?
Nope. I used the clean 3.9.14 package, and also checked the old 2.5.? site...it wasn't installed on there. Very very odd, but it's gone now!

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Sun Feb 23, 2020 10:55 am

nigelj wrote:
Sun Feb 23, 2020 10:03 am
...
Nope. I used the clean 3.9.14 package, and also checked the old 2.5.? site...it wasn't installed on there. Very very odd, but it's gone now!
I don't understand ... if you used a 3.9.14 Joomla install package ... how does an old 2.5 site come into it?

A hacked site that you updated and tried to clean?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Sun Feb 23, 2020 10:56 am

I migrated from a 2.5 site

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Sun Feb 23, 2020 11:01 am

nigelj wrote:
Sat Feb 22, 2020 11:37 pm
... Jhackguard is something to do with the host but I've installed then uninstalled it. ...
So was that site a Host's quickstart install?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

nigelj
Joomla! Intern
Posts: 78
Joined: Tue May 29, 2007 1:42 pm
Location: Cheddington, UK

Re: RSFirewall malware results

Post by nigelj » Tue Mar 10, 2020 10:28 am

I really don't know. Have tried to get some answers but no-one seems able to give me any info. I did a migration on my local machine from an old 2.5 site using the 3.9.14 clean install package (the old site didn't have jhackguard installed). I then backed up the new migrated site using Akeeba and restored it on the new host server - there wasn't a joomla installation there before I did this. Everything running fine so far!

Then, at some stage over the following 3-4 weeks, I ran an RSFirewall system check, and jhackguard appeared in the results. After some investigation I established that it's a false positive so not a problem, but how the extension got onto my site I've not been able to establish. I've checked the security, changed the password etc. so am happy that it's as secure as it can be.

Webdongle
Joomla! Master
Posts: 38285
Joined: Sat Apr 05, 2008 9:58 pm

Re: RSFirewall malware results

Post by Webdongle » Tue Mar 10, 2020 1:30 pm

To be absolutely sure
1. Update Joomla
2. Install the latest Joomla on localhost
3. Install your 3rd party extensions to the fresh install
That will make sure there are no unwanted files.
4. Delete the files from the server and replace with the fresh ones that you just recreated. And edit the configuration.php. (Or delete/transfer all except the configuration.php.)
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

 
