Phishing Attack after installing Joomla 3.10

[G Shelemy1+]

I run a very secure, and sanitary network. But within hours of installing the Joomla 3.10 Update, I have started to receive phishing emails from my own website to update to Joomla 3.10.1

This email looks identical to the standard Joomla Update everyone is used to receiving.

BUT the Update Link within the email is:

https://chinhphuquocgia.com/administrat ... omlaupdate

The email says 'It is sent automatically by your own site'
But in the Email Header is the website:

https://chinhphuquocgia.com

THIS IS NOT MY CLIENTS WEBSITE.

I have had a second IT look at the problem and he has told me it appears to be a php mail originating from the Joomla CMS. This problem appears to have originated from the Joomla software update and he has advised me to notify the Joomla Forum.

Within the past few hours I have started receiving security alerts that several critical files have been modified within the Joomla Template. I did a php scan with my Akeeba Admin Tools Pro, and 53 files seem to have been modified.

Please look into this matter and advise me,
thanks so much,
Guy Shelemy

[Pavel-ww]

Hi.
This is not a typical Joomla problem. In my opinion there are two options.
1) Your site was hacked.
2) Your mail server was hacked (which is more likely). A number of mail servers were found vulnerabilities and my hosting provider warned about it and recommended to install security update for this.

If you just change the settings, the Akeeba Admin Tools will warn about changing files. In my opinion, all these protective extension simply pumping money from the user and the deterioration of the performance of the site.

[leolam]

This is not a Joomla problem. You have been hacked. Go to https://mysites.guru/ and subscribe. First scan is free. Phil will be able to get your site back quickly. He is a Pro

Leo

[JAVesey]

I run a very secure, and sanitary network.

At least, you thought you did

Hope you get this sorted out.

[darb]

@ G Shelemy1+ the update to Joomla 3.10.2 have nothing to pishing attacts its more likley your site was server/site was hacked and as Pavel told you. And as JAVesey said it was not a secure and sanitized network bcs then you would not have this problem in the first place.

Hope you get it sorted in the end and trust people that can really help you get a secure and sanitized network too.

But I dont agree that Admin Tools Pro for example "pumping money from the user and the deterioration of the performance of the site" ( free and pro versions )

Its actually opposite if you cant for one example doing your own htaccess master file optimised for better performance, security and SEO purposes then its better for novell average Jooomla Joes to use that tool as you better, easier can control your website optimisation in every aspects hasselfree that is important.

Cheers!

[PhilTaylor-Prazgod]

What evidence do you have that its even coming from your server? What are the exact headers of the Email and the routing the email took to get to you?

For example, daily at the moment I am getting emails from CloudAccess, but the server name in the emails is an ipv6 IP Address and not a domain name at all.

The domain name you mention is https://www.chinhphuquocgia.com - this is not a Joomla site and therefore that site is NOT sending you this email. That site is a hosted CMS from https://www.simplesite.com and not a Joomla based site.

The way Joomla determines the sites URL is like this:

https://github.com/joomla/joomla-cms/bl ... n.php#L187

This can mean that a spammer can use host header manipulation on a server that is incorrectly set up, to fake the correct domain name, to entice you to click a link to another domain name. IIRC Joomla recently also fixed a security issue around being able to inject invalid host headers. The most common set up that can be exploited like this is a custom server, Ubuntu with Apache out of the box and not set up right, where any domain pointed at the server will load the one site hosted on it. Its not normally a problem on real web hosts that have 1000s of sites on the same server. Again, pretending to know how to configure servers is one of the things that will get you hacked quicker than using a reliable webhost (which are hard to find anyway)

[darb]

This is a phising attach on Joomla project and community.

How can you install Joomla 3.10.1 if you not even have Joomla on your promoted site there as you showcase?

This bogus tactic is normally coming from Wordpress tribe sent out people trying to discourage to use Joomla instead of Wordpress...

[leolam]

Unless I am dumb (and that will be confirmed for sure) The original post is not read well. OP posts that he receives emails from the site mentioned and everybody in this thread is responding to this link (which is a WP-site) as posted but OP states that that particular site is Not his client site (assuming that is a Joomla site)

@G Shelemy1+ please confirm what is your website?

Leo

[PhilTaylor-Prazgod]

I have seen this happen on CloudAccess.net free Joomla sites recently - I have been receiving emails with different hostnames in the URL

The emails ARE COMING from "my cloudaccess.net hosted site", but the "domain name", in my recent case, an ipv6 IP address, is not the correct host for my site.

This has been reported here: https://github.com/joomla/joomla-cms/issues/35600

[leolam]

I have seen this happen on CloudAccess.net free Joomla sites recently - I have been receiving emails with different hostnames in the URL

I can confirm that. We have similar reports on our hosting platform as well from tickets

Leo