Phishing Attack after installing Joomla 3.10

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
G Shelemy1+
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue May 09, 2017 5:26 am

Phishing Attack after installing Joomla 3.10

Post by G Shelemy1+ » Thu Aug 26, 2021 3:57 am

I run a very secure, and sanitary network. But within hours of installing the Joomla 3.10 Update, I have started to receive phishing emails from my own website to update to Joomla 3.10.1

This email looks identical to the standard Joomla Update everyone is used to receiving.

BUT the Update Link within the email is:
The email says 'It is sent automatically by your own site'
But in the Email Header is the website:
THIS IS NOT MY CLIENTS WEBSITE.

I have had a second IT look at the problem and he has told me it appears to be a php mail originating from the Joomla CMS. This problem appears to have originated from the Joomla software update and he has advised me to notify the Joomla Forum.

Within the past few hours I have started receiving security alerts that several critical files have been modified within the Joomla Template. I did a php scan with my Akeeba Admin Tools Pro, and 53 files seem to have been modified.

Please look into this matter and advise me,
thanks so much,
Guy Shelemy :(

User avatar
Pavel-ww
Joomla! Guru
Joomla! Guru
Posts: 540
Joined: Tue Jun 30, 2020 12:17 pm

Re: Phishing Attack after installing Joomla 3.10

Post by Pavel-ww » Thu Aug 26, 2021 7:47 am

Hi.
This is not a typical Joomla problem. In my opinion there are two options.
1) Your site was hacked.
2) Your mail server was hacked (which is more likely). A number of mail servers were found vulnerabilities and my hosting provider warned about it and recommended to install security update for this.

If you just change the settings, the Akeeba Admin Tools will warn about changing files. In my opinion, all these protective extension simply pumping money from the user and the deterioration of the performance of the site.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20400
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by leolam » Thu Aug 26, 2021 3:55 pm

This is not a Joomla problem. You have been hacked. Go to https://mysites.guru/ and subscribe. First scan is free. Phil will be able to get your site back quickly. He is a Pro

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2373
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by JAVesey » Fri Aug 27, 2021 1:44 pm

G Shelemy1+ wrote:
Thu Aug 26, 2021 3:57 am
I run a very secure, and sanitary network.
At least, you thought you did :(

Hope you get this sorted out.
John V
Cardiff, Wales, UK
Uses Joomla 3.10.3 and PHP8.0.13

User avatar
darb
Joomla! Ace
Joomla! Ace
Posts: 1850
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by darb » Fri Sep 17, 2021 7:57 am

@ G Shelemy1+ the update to Joomla 3.10.2 have nothing to pishing attacts its more likley your site was server/site was hacked and as Pavel told you. And as JAVesey said it was not a secure and sanitized network bcs then you would not have this problem in the first place.

Hope you get it sorted in the end and trust people that can really help you get a secure and sanitized network too.

But I dont agree that Admin Tools Pro for example "pumping money from the user and the deterioration of the performance of the site" ( free and pro versions )

Its actually opposite if you cant for one example doing your own htaccess master file optimised for better performance, security and SEO purposes then its better for novell average Jooomla Joes to use that tool as you better, easier can control your website optimisation in every aspects hasselfree that is important.

Cheers!

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1278
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by PhilTaylor-Prazgod » Fri Sep 17, 2021 10:38 am

What evidence do you have that its even coming from your server? What are the exact headers of the Email and the routing the email took to get to you?

For example, daily at the moment I am getting emails from CloudAccess, but the server name in the emails is an ipv6 IP Address and not a domain name at all.

The domain name you mention is https://www.chinhphuquocgia.com - this is not a Joomla site and therefore that site is NOT sending you this email. That site is a hosted CMS from https://www.simplesite.com and not a Joomla based site.

The way Joomla determines the sites URL is like this:

https://github.com/joomla/joomla-cms/bl ... n.php#L187

This can mean that a spammer can use host header manipulation on a server that is incorrectly set up, to fake the correct domain name, to entice you to click a link to another domain name. IIRC Joomla recently also fixed a security issue around being able to inject invalid host headers. The most common set up that can be exploited like this is a custom server, Ubuntu with Apache out of the box and not set up right, where any domain pointed at the server will load the one site hosted on it. Its not normally a problem on real web hosts that have 1000s of sites on the same server. Again, pretending to know how to configure servers is one of the things that will get you hacked quicker than using a reliable webhost (which are hard to find anyway)
Phil Taylor
Founder, Lead Developer, Idiot.
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

User avatar
darb
Joomla! Ace
Joomla! Ace
Posts: 1850
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by darb » Fri Sep 17, 2021 11:50 am

This is a phising attach on Joomla project and community.

How can you install Joomla 3.10.1 if you not even have Joomla on your promoted site there as you showcase?

This bogus tactic is normally coming from Wordpress tribe sent out people trying to discourage to use Joomla instead of Wordpress...

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20400
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by leolam » Thu Oct 21, 2021 6:02 pm

Unless I am dumb (and that will be confirmed for sure) The original post is not read well. OP posts that he receives emails from the site mentioned and everybody in this thread is responding to this link (which is a WP-site) as posted but OP states that that particular site is Not his client site (assuming that is a Joomla site)

@G Shelemy1+ please confirm what is your website?

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1278
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by PhilTaylor-Prazgod » Thu Oct 21, 2021 6:28 pm

I have seen this happen on CloudAccess.net free Joomla sites recently - I have been receiving emails with different hostnames in the URL

The emails ARE COMING from "my cloudaccess.net hosted site", but the "domain name", in my recent case, an ipv6 IP address, is not the correct host for my site.

This has been reported here: https://github.com/joomla/joomla-cms/issues/35600
Phil Taylor
Founder, Lead Developer, Idiot.
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20400
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Phishing Attack after installing Joomla 3.10

Post by leolam » Thu Oct 21, 2021 6:39 pm

PhilTaylor-Prazgod wrote:
Thu Oct 21, 2021 6:28 pm
I have seen this happen on CloudAccess.net free Joomla sites recently - I have been receiving emails with different hostnames in the URL
I can confirm that. We have similar reports on our hosting platform as well from tickets

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services


Post Reply

Return to “Security in Joomla! 3.x”