Critical file modified
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
- dagroupinc
- Joomla! Intern
- Posts: 72
- Joined: Tue Apr 06, 2010 6:09 pm
Critical file modified
I periodically get a Joomla generated "Critical file modified..." email — this across almost all of the sites I've developed and/or manage. It says the config, index, admin, and various templates 'have been modified when in fact I haven't even logged in as an admin or made any changes.
Can anyone provide some insight? Could this be a result of something happening on the server as opposed to the Joomla install?
Thanks in advance!
Can anyone provide some insight? Could this be a result of something happening on the server as opposed to the Joomla install?
Thanks in advance!
-
- Joomla! Champion
- Posts: 5837
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: Critical file modified
Are the emails coming from Admin tools?
It is possible you have been hacked...
It is possible you have been hacked...
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services
https://electrical-testing-safety.co.uk Testing services
- toivo
- Joomla! Master
- Posts: 17321
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Critical file modified
Go to Users - User Actions Log and check if any actions and users logged-in against those actions explain what happened.
Toivo Talikka, Global Moderator
- dagroupinc
- Joomla! Intern
- Posts: 72
- Joined: Tue Apr 06, 2010 6:09 pm
Re: Critical file modified
Toivo—
I checked User Action Log and only see my own activity, and none of the date stamps correlate to the notice I received.
I checked User Action Log and only see my own activity, and none of the date stamps correlate to the notice I received.
- dagroupinc
- Joomla! Intern
- Posts: 72
- Joined: Tue Apr 06, 2010 6:09 pm
Re: Critical file modified
GWS—
Actually, the 'from' email is one of the websites' email (ie: info@) accounts and is being sent to the admin email account (ie: webmaster@). Before this Admin Tools sent me a 404 Shield notice, the IP is from France.
Actually, the 'from' email is one of the websites' email (ie: info@) accounts and is being sent to the admin email account (ie: webmaster@). Before this Admin Tools sent me a 404 Shield notice, the IP is from France.
- toivo
- Joomla! Master
- Posts: 17321
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Critical file modified
Has this website been updated regularly and is it now using the latest version, 3.9.24?
If that is not the case, it would be important to audit the site and find out if it has been hacked. Check out the online MySites.guru service, where the first audit is free. Phil Taylor also cleans hacked sites for a fixed fee.
If that is not the case, it would be important to audit the site and find out if it has been hacked. Check out the online MySites.guru service, where the first audit is free. Phil Taylor also cleans hacked sites for a fixed fee.
Toivo Talikka, Global Moderator
- dagroupinc
- Joomla! Intern
- Posts: 72
- Joined: Tue Apr 06, 2010 6:09 pm
Re: Critical file modified
Toivo—
Yes, Joomla and all extensions are updated and backed up weekly for all these sites.
Yes, Joomla and all extensions are updated and backed up weekly for all these sites.
- toivo
- Joomla! Master
- Posts: 17321
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Critical file modified
It would still be useful to run a full backup of the site, restore the Joomla folder a workstation and compare the contents to the expanded installation package of Joomla 3.9.24. Depending on the operating system of the workstation, you could use diff, grepWin or a number of other development tools and check which files were modified and how.
Do not post any hacked code here because it will be redacted.
Do not post any hacked code here because it will be redacted.
Toivo Talikka, Global Moderator
- dagroupinc
- Joomla! Intern
- Posts: 72
- Joined: Tue Apr 06, 2010 6:09 pm
Re: Critical file modified
Seems like this is a general notice as I get these across most of the Joomla sites we developed/manage. Still haven't figured out where they come from
- brian
- Joomla! Master
- Posts: 12781
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Critical file modified
The email is generated by the admin tools component.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: Critical file modified
cPanel also modifies .htaccess during SSL renewal.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/