A file named sitelogo.php.png was in the images folder. Is that bad?

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

andy fev
Joomla! Apprentice
Posts: 41
Joined: Mon Jun 12, 2017 4:09 am

A file named sitelogo.php.png was in the images folder. Is that bad?

Post by andy fev » Wed Oct 25, 2017 8:09 pm

One of my sites had a file named sitelogo.php.png in the images and that looks evil. Should I be concerned? I inherited the Joomla site from someone and the file is dated Jan 16 2012, so I am not sure if they used it for something special. I have placed it in the trash for now. Should I get the entire site scanned for malware?

ribo
Joomla! Virtuoso
Posts: 3079
Joined: Sun Jan 03, 2010 8:47 pm

Re: A file named sitelogo.php.png was in the images folder. Is that bad?

Post by ribo » Wed Oct 25, 2017 8:19 pm

It seems that your Joomla is hacked, so the better solution for you is in this post: viewtopic.php?t=946026
chat room spontes : http://www.spontes.com

sozzled
Joomla! Virtuoso
Posts: 3606
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: A file named sitelogo.php.png was in the images folder. Is that bad?

Post by sozzled » Wed Oct 25, 2017 8:30 pm

I disagree with @ribo and I would not be suspicious of discovering a file with a name like "sitelogo.php.png" wherever it was located. Of itself, the filename suggests an image file in PNG format. If you have concerns about the file then you could move it to your PC and scan it with one or more AV tools.

Because, as you say, the site was "inherited" from someone else, it may be that the file was used at some time by the previous site owner and (for reasons best known only to the previous owner) it no longer has any usefulness on the website but the previous owner did not delete it. I would not be too concerned.

Deciding whether or not to scan the entire website for malware is a decision that only you can make; I neither encourage nor discourage you from doing that. Scanning a website for malware provides some insurance against the risk of site infection but it never provides any guarantees.

The most likely indication that a website is at risk is whether the owner has maintained the site over time so that the software is kept up-to-date with the latest version(s) of Joomla and Joomla extensions software. If the site has not been maintained then the risks are increased. As a rough guide, website administrators should (in my opinion) visit the administration site at least once a month and create a backup that they store offline in the event that some unforeseen event or problem materialises.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

fcoulter
Joomla! Ace
Posts: 1372
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: A file named sitelogo.php.png was in the images folder. Is that bad?

Post by fcoulter » Wed Oct 25, 2017 9:36 pm

Unfortunately I do have to disagree with this, unfortunately a file called sitelogo.php.png can be dangerous, there is a thing called PHP double extensions which means that such files can be executable as PHP code under some conditions. You can read more about this here: https://www.acunetix.com/websitesecurity/upload-forms-threat/

Whether it is actually executable in this case depends on the server configuration, but this is undoubtedly what the person who uploaded the file intended, it will be some kind of shell script. They likely did this using a media uploader that did not check for double extensions. The Joomla media manager does this now, but it would not have done in early versions of Joomla. I suggest you check the media manager settings and restrict uploads as much as you can.

I suggest that you do take this seriously, and treat the site as being hacked.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

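A triage check for the double-extension case fcoulter describes, as an added example that is not part of the original thread: it flags files whose name carries a PHP extension before the final one, whose content does not match the claimed image type, or which contain a PHP open tag. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

SCRIPT_EXTS = {"php", "php5", "php7", "phtml", "phar"}  # assumed list
# Leading magic bytes for the image types an images folder normally holds.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def triage_file(path):
    """Return findings for one file; an empty list means nothing was flagged."""
    findings = []
    parts = Path(path).name.lower().split(".")
    # A script extension anywhere before the last one, e.g. sitelogo.php.png.
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        findings.append("double-extension")
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # the first 1 MiB is enough for triage
    magic = MAGIC.get(parts[-1])
    if magic and not data.startswith(magic):
        findings.append("not-a-real-image")
    # A file with a valid image header can still carry PHP further in.
    if b"<?php" in data.lower():
        findings.append("php-open-tag")
    return findings


def scan_tree(root):
    """Return {relative path: findings} for every flagged file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (found := triage_file(path)):
            report[path.relative_to(root).as_posix()] = found
    return report


def demo():
    """Scan a temporary folder of constructed sample files (no real payloads)."""
    samples = {"logo.png": MAGIC["png"] + b"\x00" * 16,
               "sitelogo.php.png": b"<?php /* constructed placeholder */ ?>",
               "banner.php.png": MAGIC["png"] + b"<?php /* constructed */ ?>"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            (Path(root) / name).write_bytes(body)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a copy of the site's images folder; a flagged file is a reason to inspect it and the server's handler configuration, not proof by itself that the file ever executed.
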
Re: A file named sitelogo.php.png was in the images folder. Is that bad?

Post by sozzled » Wed Oct 25, 2017 9:50 pm

Fair call. I'm pleased to read that the Media Manager now checks for double extensions and prevents this situation occurring. This revelation notwithstanding, it's inconclusive whether or not the site has been hacked; however, to err on the side of caution, I too would be suspicious of any website that I "inherited" from someone else and it would be worthwhile to quarantine it (isolate it from other sites that I maintain) while I checked things out.

What we don't know in this case is how well the site had been maintained by the previous owner until now and I think my observations on that matter are worthy of consideration. Ultimately, I am not of the view that any one antivirus or malware checking tool or service is a guarantee that a website is risk-free. Site security is a matter of continuing vigilance and, if a site owner only visits their creations once in a blue moon, then they really only have themselves to blame.

Re: A file named sitelogo.php.png was in the images folder. Is that bad?

Post by andy fev » Thu Oct 26, 2017 1:39 am

fcoulter wrote:
> Unfortunately I do have to disagree with this, unfortunately a file called sitelogo.php.png can be dangerous, there is a thing called PHP double extensions which means that such files can be executable as PHP code under some conditions. You can read more about this here: https://www.acunetix.com/websitesecurity/upload-forms-threat/
>
> Whether it is actually executable in this case depends on the server configuration, but this is undoubtedly what the person who uploaded the file intended, it will be some kind of shell script. They likely did this using a media uploader that did not check for double extensions. The Joomla media manager does this now, but it would not have done in early versions of Joomla. I suggest you check the media manager settings and restrict uploads as much as you can.
>
> I suggest that you do take this seriously, and treat the site as being hacked.

You seem quite wise about this issue so I am certainly going to proceed with a scan and cleaning. The site had good SEO value so my employer bought it for that reason, and security is quite important, but we can't set it offline for any moment. Thanks for the advice.

leolam
Joomla! Master
Posts: 18466
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: A file named sitelogo.php.png was in the images folder. Is that bad?

Post by leolam » Thu Oct 26, 2017 2:25 am

@andy fev You can scan the site with the help of myjoomla.com, which will do a complete audit of your site and provides reporting and solutions (all automated). We use this if we need to repair someone's hacked site, for instance, and the tool is awesome. You will install a little plugin which caters for the handshake between myjoomla and your site, and the script will audit your complete site and will tell you what is dirt and needs removal.

The first scan is completely free of any charges

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support:https://gws-desk.com -
- Joomla Specialized Hosting Solutions:https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

