Critical file modified

Discussion regarding Joomla! 3.x security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
User avatar
dagroupinc
Joomla! Intern
Joomla! Intern
Posts: 72
Joined: Tue Apr 06, 2010 6:09 pm

Critical file modified

Post by dagroupinc » Thu Feb 25, 2021 4:00 pm

I periodically get a Joomla generated "Critical file modified..." email — this across almost all of the sites I've developed and/or manage. It says the config, index, admin, and various templates 'have been modified when in fact I haven't even logged in as an admin or made any changes.

Can anyone provide some insight? Could this be a result of something happening on the server as opposed to the Joomla install?

Thanks in advance!

gws
Joomla! Champion
Joomla! Champion
Posts: 5837
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: Critical file modified

Post by gws » Thu Feb 25, 2021 4:37 pm

Are the emails coming from Admin tools?
It is possible you have been hacked...

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17321
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Critical file modified

Post by toivo » Thu Feb 25, 2021 4:51 pm

Go to Users - User Actions Log and check if any actions and users logged-in against those actions explain what happened.
Toivo Talikka, Global Moderator

User avatar
dagroupinc
Joomla! Intern
Joomla! Intern
Posts: 72
Joined: Tue Apr 06, 2010 6:09 pm

Re: Critical file modified

Post by dagroupinc » Thu Feb 25, 2021 9:17 pm

Toivo—

I checked User Action Log and only see my own activity, and none of the date stamps correlate to the notice I received.

User avatar
dagroupinc
Joomla! Intern
Joomla! Intern
Posts: 72
Joined: Tue Apr 06, 2010 6:09 pm

Re: Critical file modified

Post by dagroupinc » Thu Feb 25, 2021 9:22 pm

GWS—

Actually, the 'from' email is one of the websites' email (ie: info@) accounts and is being sent to the admin email account (ie: webmaster@). Before this Admin Tools sent me a 404 Shield notice, the IP is from France.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17321
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Critical file modified

Post by toivo » Thu Feb 25, 2021 9:44 pm

Has this website been updated regularly and is it now using the latest version, 3.9.24?

If that is not the case, it would be important to audit the site and find out if it has been hacked. Check out the online MySites.guru service, where the first audit is free. Phil Taylor also cleans hacked sites for a fixed fee.
Toivo Talikka, Global Moderator

User avatar
dagroupinc
Joomla! Intern
Joomla! Intern
Posts: 72
Joined: Tue Apr 06, 2010 6:09 pm

Re: Critical file modified

Post by dagroupinc » Thu Feb 25, 2021 10:26 pm

Toivo—

Yes, Joomla and all extensions are updated and backed up weekly for all these sites.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17321
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Critical file modified

Post by toivo » Thu Feb 25, 2021 10:48 pm

It would still be useful to run a full backup of the site, restore the Joomla folder a workstation and compare the contents to the expanded installation package of Joomla 3.9.24. Depending on the operating system of the workstation, you could use diff, grepWin or a number of other development tools and check which files were modified and how.

Do not post any hacked code here because it will be redacted.
Toivo Talikka, Global Moderator

User avatar
dagroupinc
Joomla! Intern
Joomla! Intern
Posts: 72
Joined: Tue Apr 06, 2010 6:09 pm

Re: Critical file modified

Post by dagroupinc » Tue Oct 05, 2021 3:02 pm

Seems like this is a general notice as I get these across most of the Joomla sites we developed/manage. Still haven't figured out where they come from

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Critical file modified

Post by brian » Tue Oct 05, 2021 4:41 pm

The email is generated by the admin tools component.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: Critical file modified

Post by PhilTaylor-Prazgod » Tue Oct 05, 2021 8:23 pm

cPanel also modifies .htaccess during SSL renewal.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/


Locked

Return to “Security in Joomla! 3.x”