malicious malware (Topic is solved)

Discussion regarding Joomla! 3.x security issues.

talsadmin2
Joomla! Apprentice
Posts: 27
Joined: Wed Oct 04, 2023 8:09 am

malicious malware

Post by talsadmin2 » Wed Oct 04, 2023 8:33 am

Hi
I have just received the following message from my host:

Our malware scanner has detected malware contained in your mysite.com hosting account.

You'll need to clean/remove/reinstall the files listed below (as applicable) and then take additional steps to secure your CMS.

The infected files are as follows:

mysite.com/api/includes/zdhlmt.php
mysite.com/components/com_ajax/nwmwyz.php
mysite.com/media/com_acym/images/thumbnails/thumbnail_199.png?.php
mysite.com/media/com_ipakojyx/zgrjyt.php

Please be aware that should any service or reputational impact occur due to the malicious content held in your account, we may have to resort to account suspension.

I have no idea what these files are, and if anyone can help me sort this out I will be very grateful.

Regards

gws
Joomla! Champion
Posts: 5952
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: malicious malware

Post by gws » Wed Oct 04, 2023 8:51 am

There were reports of AcyMailing being hacked and creating files like thumbnail_199.png?.php.

talsadmin2
Joomla! Apprentice
Posts: 27
Joined: Wed Oct 04, 2023 8:09 am

Re: malicious malware

Post by talsadmin2 » Wed Oct 04, 2023 9:16 am

Hi gws
Thanks for the reply. Yes, I do use AcyMailing on my site. If I uninstall AcyMailing, would this solve the problem?

Regards

AMurray
Joomla! Exemplar
Posts: 9747
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: malicious malware

Post by AMurray » Wed Oct 04, 2023 9:20 am

I would remove acymailing (until they release a patched version) and get your host to then rerun their malware scan but also run an audit over your entire site using the mysites.guru service.

There is a VEL report concerning AcyMailing from August: https://extensions.joomla.org/vulnerabl ... ing-other/ and an AcyMailing announcement (https://www.acymailing.com/acymailing-r ... s-updates/) about that particular problem, but I don't know if it's related to what you have reported on this thread.

Perhaps report it to the developer (by email or on their own forum) and post it as a Vulnerable Extension on https://extensions.joomla.org/vulnerabl ... ons/about/ ?
Regards - A Murray
General Support Moderator

pe7er
Joomla! Master
Posts: 24986
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: malicious malware

Post by pe7er » Wed Oct 04, 2023 11:03 am

The link to the AcyMailing announcement https://www.acymailing.com/acymailing-r ... s-updates/ seems to no longer work.
I cannot find the "Critical security patch v8.5.0" news article anywhere anymore at the AcyMailing website.

edit: the article is available at https://www.acymailing.com/acymailing-s ... 90-v8-5-0/

There's a Google cache snapshot from 2 Oct 2023 06:09:44 GMT:
Critical security patch v8.5.0 – check your websites now
August 25, 2023 - Jeremy

Maintaining a safe environment for your website and campaigns is of critical importance, and the security of your email marketing tool is our first priority. We’ve proactively addressed a crucial concern regarding the templates thumbnail generator. This vulnerability, present since version 6.7.0 and up to version 8.4.6, has been effectively mitigated in version 8.5.0, ensuring the integrity of your email campaigns tool. We encourage prompt updates to benefit from this protection.

We have received the help of David Jardin, head of the Joomla security team and Sigrid Gramlinger, Joomla release team lead.

Vulnerability Addressed:
Unauthorized file creation: This vulnerability could allow the creation of malicious PHP files through our templates thumbnail generator. Once created, these files can provide an attacker full access to your website including all Joomla files, database credentials in the configuration.php file and your database content including user rows. This issue has been addressed to prevent the use of this vulnerability.

How to update?
To update to the latest version of AcyMailing and benefit from this security patch, you can use the extensions update page on Joomla websites. You can also manually download the latest version from your account page (click the “Download” button once logged in on our website to be taken to your download area) then install this new version like any new extension: it will update AcyMailing if it is already installed on your website.

Are you impacted?
Once you’ve updated AcyMailing to its latest version, we urge you to look for files named thumbnail_*.php (i.e. thumbnail_999.png?.php) on your websites. Common attack patterns have written those files to media/com_acym/images/thumbnails, however these files could have been created in other folders.
If you come across a similar named file, don’t open it and use FTP or SSH to remove it.
  • The most common locations (XXX are random letters; the date of those files might be older than May) may be:
    /media/com_acym/images/thumbnails/thumbnail_*.php
    /api/includes/xxx.php
    /components/com_ajax/xxx.php
    /layouts/joomla/icon/xxx.php
    /media/com_XXX/xxx.php
    /media/com_tags/js/xxx.php
    /templates/system/xxx.php
  • We are preparing a script to scan your site files and automatically detect the ones created through the vulnerability. It can be found on this forum thread for now.
  • If you find an infected file, note its creation date and check the files having the same creation date
  • Look for files containing “$_COOKIE” as common attack patterns have used it to try to get cookie values.
  • If you find malicious files, it is best to change your database password and FTP/SMTP accounts passwords (if they are configured in the global Joomla configuration page).
Our Security Pledge:
Rest assured that your security and the dependability of AcyMailing constitute our steadfast commitment. We encourage you to remain vigilant by consistently updating your AcyMailing installation to the latest security advancements and features.
Last edited by pe7er on Wed Oct 04, 2023 2:27 pm, edited 1 time in total.
Reason: added the link to the news article
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
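The "Are you impacted?" checklist in the quoted advisory, turned into a small file-system scan. This is an added example, not AcyMailing's own detection script (the advisory says theirs was to be published on their forum): it assumes the site root is passed in and that the indicators are exactly the ones listed above (the thumbnail_*.php name pattern, random-letter .php files in the listed folders, and the "$_COOKIE" string), and the sample site it scans is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the AcyMailing advisory quoted in this thread.
THUMBNAIL_RE = re.compile(r"^thumbnail_\d+(\.\w+\?)?\.php$")  # thumbnail_199.png?.php, thumbnail_999.php
RANDOM_NAME_RE = re.compile(r"^[a-z]{6}\.php$")                 # xxx.php: a run of random letters
SUSPECT_DIRS = {"api/includes", "components/com_ajax", "layouts/joomla/icon", "media/com_tags/js", "templates/system"}
MEDIA_COM_RE = re.compile(r"^media/com_[a-z]+$")               # /media/com_XXX/xxx.php
COOKIE_MARKER = b"$_COOKIE"  # triage hint only: some legitimate Joomla files reference it too


def scan_site(root):
    # Returns {relative_path: [reasons]} for every file matching at least one indicator.
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        parent = path.parent.relative_to(root).as_posix()
        reasons = []
        if THUMBNAIL_RE.match(path.name):
            reasons.append("thumbnail_*.php name")
        if RANDOM_NAME_RE.match(path.name) and (parent in SUSPECT_DIRS or MEDIA_COM_RE.match(parent)):
            reasons.append("random-letter .php in an advisory-listed folder")
        if ".php" in path.name and COOKIE_MARKER in path.read_bytes():
            reasons.append("references $_COOKIE")
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_site(base):
    # Constructed fixture, not a real site: two suspicious files and two legitimate ones.
    sample = {
        "media/com_acym/images/thumbnails/thumbnail_199.png?.php": "<?php /* sample */ $c = $_COOKIE;",
        "api/includes/zdhlmt.php": "<?php /* sample dropped file */ echo 1;",
        "components/com_ajax/ajax.php": "<?php /* legitimate core entry point */ defined('_JEXEC') or die;",
        "index.php": "<?php /* legitimate front controller */ define('_JEXEC', 1);",
    }
    for rel, body in sample.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo():
    # Build the fixture in a temporary directory, scan it and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site(tmp)
```

Run scan_site() against a real site root to get the list; because Joomla core also references $_COOKIE, that reason alone should prompt a review of the file rather than deletion.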

talsadmin2
Joomla! Apprentice
Posts: 27
Joined: Wed Oct 04, 2023 8:09 am

Re: malicious malware

Post by talsadmin2 » Wed Oct 04, 2023 5:18 pm

I managed to update AcyMailing with the latest critical security patch v8.5.0 and then deleted the infected files that had “$_COOKIE” in them, it now seems to be OK. However I may uninstall AcyMailing and opt for another component.

Regards

Webdongle
Joomla! Master
Posts: 44096
Joined: Sat Apr 05, 2008 9:58 pm

Re: malicious malware

Post by Webdongle » Thu Jan 18, 2024 3:08 am

If you have been hacked then the hackers probably have access to the server by now. Deleting the files that you see probably won't be enough.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

