FPA after updating and removing malicious files

Discussion regarding Joomla! 3.x security issues.

empneysis
Joomla! Fledgling
Posts: 1
Joined: Wed Feb 20, 2019 7:07 pm

FPA after updating and removing malicious files

Post by empneysis » Wed Feb 20, 2019 7:14 pm

Forum Post Assistant (v1.4.8 (koine)) : 20th February 2019 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 3.9.3-Stable (Amani) 12-February-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: simple | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysql | PHP Supports J! 3.9.3: Yes | Database Supports J! 3.9.3: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-962.3.2.lve1.5.24.8.el7.x86_64 | Technology: x86_64 | Web Server: LiteSpeed | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 696.22 GiB |

PHP Configuration :: Version: 5.6.40 | PHP API: litespeed | Session Path Writable: No | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/vhosts/tentosystems.com/:/tmp/ | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 256M

Database Configuration :: Version: 10.2.22-MariaDB (Client:10.2.22) | Host: --protected-- (--protected--) | default Collation: utf8_general_ci (default Character Set: utf8) | Database Size: 14.78 MiB | #of Tables:  158
Detailed Environment :: wrote:PHP Extensions :: Core (5.6.40) | date (5.6.40) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline (5.6.40) | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | session () | standard (5.6.40) | shmop () | SimpleXML (0.1) | mbstring () | tokenizer (0.1) | xml () | litespeed () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | bcmath () | dba () | dom (20031129) | enchant (1.1.0) | fileinfo (1.0.5) | gd () | imagick (3.4.3) | imap () | intl (1.1.0) | json (1.2.1) | ldap () | exif (1.4 $Id: cad29b729548e4206f0697710cc9e177f26fdff3 $) | mcrypt () | mysqli (0.1) | mysql (1.0) | odbc (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_sqlite (1.0.1) | Phar (2.0.2) | posix () | pspell () | redis (4.2.0) | snmp (0.1) | soap () | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | igbinary (1.2.1) | mhash () | ionCube Loader () | Zend OPcache (7.0.4-devFE) | Zend Guard Loader () | xdebug (2.5.0) | Zend Engine (2.6.0) |
Potential Missing Extensions ::
Disabled Functions :: opcache_get_status |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 35546 | Threads: 28 | Questions: 86581464 | Slow queries: 0 | Opens: 1031921 | Flush tables: 1 | Open tables: 2000 | Queries per second avg: 2435.758 |
Extensions Discovered ::
Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_cache (3.0.0) 1 | com_messages (3.0.0) 1 | com_admin (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_fields (3.7.0) 1 | com_associations (3.7.0) 1 | com_actionlogs (3.9.0) 1 | com_finder (3.0.0) 1 | com_templates (3.0.0) 1 | com_languages (3.0.0) 1 | com_config (3.0.0) 1 | com_installer (3.0.0) 1 | com_privacy (3.9.0) 1 | com_plugins (3.0.0) 1 | com_login (3.0.0) 1 | com_modules (3.0.0) 1 | com_banners (3.0.0) 1 | com_redirect (3.0.0) 1 | com_categories (3.0.0) 1 | com_media (3.0.0) 1 | com_content (3.0.0) 1 | com_search (3.0.0) 1 | com_users (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_tags (3.1.0) 1 | com_postinstall (3.2.0) 1 | com_checkin (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_ajax (3.2.0) 1 | com_weblinks (3.0.0) 1 | com_menus (3.0.0) 1 | com_contenthistory (3.2.0) 1 |
3rd Party:: com_kunena (3.0.6) 0 | plg_kunena_finder (3.0.6) ? | plg_kunena_joomla (3.0.6) 0 | plg_kunena_kunena (3.0.6) 0 | plg_kunena_uddeim (3.0.6) 0 | plg_finder_kunena (3.0.6) ? | plg_kunena_comprofiler (3.0.6) 0 | plg_kunena_gravatar (3.0.6) 0 | plg_kunena_alphauserpoints (3.0.6) 0 | plg_kunena_community (3.0.6) 0 | mod_kunenamenu (3.0.6) ? | com_komento (1.8.3) 0 | mod_joomimg (3.3.0) 1 | JoomGallery (3.3.3) 1 | AcyMailing (5.2.0) 1 | AcyMailing Tag : Manage the Subscri (5.6.1) ? | AcyMailing Tag : Website links (3.7.0) 1 | AcyMailing : share on social networ (1.0.0) ? | AcyMailing : (auto)Subscribe during (5.6.1) ? | AcyMailing table of contents genera (1.0.0) ? | AcyMailing Tag : Date / Time (5.6.1) 1 | AcyMailing Tag : Joomla User Inform (5.6.1) ? | AcyMailing : trigger Joomla Content (3.7.0) ? | AcyMailing Tag : Subscriber informa (5.6.1) ? | AcyMailing : Statistics Plugin (3.7.0) 1 | AcyMailing Template Class Replacer (5.6.1) 1 | AcyMailing Tag : content insertion (3.7.0) 1 | AcyMailing Tag and filter : Communi (3.7.2) ? | AcyMailing Tag and filter : Communi (3.7.2) ? | AcyMailing Manage text (1.0.0) 1 | AcyMailing Editor (5.6.1) 1 | AcyMailing Module (3.7.0) 1 | AcyMailing (5.6.1) 1 | Social Login And Social Share (4.0) ? |

Modules :: SITE ::
Core :: mod_languages (3.5.0) 1 | mod_articles_news_adv (1.5.4) 1 | mod_login (3.0.0) 1 | mod_twitter_widget (2.5.0) 1 | mod_related_items (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_search (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_weblinks (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_feed (3.0.0) 1 |
3rd Party:: mod_articles_single (1.2.2) 1 | mod_caroufredsel (1.2.3) 1 | Social Login (4.0) 0 | TM Ajax Contact Form (1.0.0) 1 | SW Facebook Display (1.1) 1 | SW Pinterest Display (1.0) 1 | mod_image_swoop (1.2.4) 1 | IceMegaMenu Module (3.0.1) 1 | mod_joomimg (3.3.0) 1 | Komento Activities (1.0.4) 0 | Komento Comments (1.0.7) 0 | TM Instagram (1.0.1) 1 | AcyMailing Module (3.7.0) 1 |

Modules :: ADMIN ::
Core :: mod_status (3.0.0) 1 | mod_title (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_login (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_stats_admin (3.0.0) 1 | mod_version (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_tm_templates (1.0.0) 1 | mod_custom (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_feed (3.0.0) 1 |
3rd Party::

Libraries :: SITE ::
Core ::
3rd Party::

Plugins :: SITE ::
Core :: plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.1) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_log (3.0.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_sessiongc (3.8.6) 1 | plg_system_updatenotification (3.5.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_search_weblinks (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | 
plg_fields_imagelist (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 1 | plg_user_terms (3.9.0) 0 | plg_user_joomla (3.0.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_finder_weblinks (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 |
3rd Party:: AcyMailing Editor (5.2.0) 1 | plg_editors_tinymce (4.5.9) 1 | plg_editors_codemirror (5.40.0) 1 | system - EUCookieDirectiveLite (1.1.1) 1 | System - Social Login And Social Sh (4.0) ? | plg_system_kunena (3.0.6) 0 | IceMegaMenu Plugin (3.0.0) 1 | System - Google Maps (3.2) 1 | System - Komento (1.0) 0 | TM Lazy Load (1.1.5) 1 | AcyMailing : (auto)Subscribe during (5.2.0) ? | plg_quickicon_kunena (3.0.6) 0 | Content - Social Share (4.0) 1 | AL Plugin Facebook Comments for Joo (3.0.1) ? | Content - Komento (1.0) 0 | Content - TM AddThis (1.0.7) 1 | plg_kunena_gravatar (3.0.6) 0 | plg_kunena_comprofiler (3.0.6) 0 | plg_kunena_alphauserpoints (3.0.6) 0 | plg_kunena_kunena (3.0.6) 0 | plg_kunena_uddeim (3.0.6) 0 | plg_kunena_community (3.0.6) 0 | plg_kunena_joomla (3.0.6) 0 | User - Komento Users (1.0.0) 0 | AcyMailing table of contents genera (1.0.0) ? | AcyMailing Manage text (1.0.0) 1 | AcyMailing Tag : Subscriber informa (5.2.0) ? | AcyMailing Tag : Manage the Subscri (5.2.0) ? | AcyMailing Template Class Replacer (5.2.0) 1 | AcyMailing : Statistics Plugin (3.7.0) 1 | AcyMailing Tag : Joomla User Inform (5.2.0) ? | AcyMailing : share on social networ (1.0.0) ? | AcyMailing Tag : CB User informatio (3.7.1) ? | AcyMailing Tag : Date / Time (5.2.0) 1 | AcyMailing Tag : content insertion (3.7.0) 1 | AcyMailing Tag : Website links (3.7.0) 1 | AcyMailing : trigger Joomla Content (3.7.0) ? | PLG_JOOMGALLERY_JOOMADDITIONALCATEG (1.1) ? | PLG_JOOMGALLERY_JOOMADDITIONALIMAGE (1.1) ? | PLG_JOOMGALLERY_JOOMFANCYBOX (1.1) 1 |
Templates Discovered ::
Templates :: SITE :: Hellenic (3.3.3.1) ? | theme3016 (3.0) 1 | protostar (1.0) 1 | beez3 (3.1.0) 1 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 |

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: FPA after updating and removing malicious files

Post by sozzled » Wed Feb 20, 2019 8:05 pm

Do you have a question or do you want some comments about your website?

Why is this topic in the Security in Joomla! 3.x forum category?

Webdongle
Joomla! Master
Posts: 44020
Joined: Sat Apr 05, 2008 9:58 pm

Re: FPA after updating and removing malicious files

Post by Webdongle » Wed Feb 20, 2019 8:24 pm

1. How did you remove the malicious files?
2. What was the point of entry of the hack?
3. What version was your Joomla when your site was hacked?
4. Have you not downloaded fresh versions of all the 3rd party extensions?

You have a vulnerable version of Kunena. You have a vulnerable version of AcyMailing ....

Please see viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: FPA after updating and removing malicious files

Post by sozzled » Wed Feb 20, 2019 8:36 pm

I agree with @Webdongle that the outdated version of Kunena is not a good thing to have. But, more importantly, why are we discussing an obsolete version of PHP used with a J! 3.9.3 website?

Over 90% of all J! websites are using outdated and unsupported versions of PHP. I think that should be a matter of grave concern to people who think that these outdated, unsupported versions of PHP are "safe". Look at the following table:

[image: the table referred to above was not captured]

It's common sense, really: outdated software causes problems. What else would you like us to say?
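The two points raised in the replies, an outdated extension (Kunena 3.0.6, AcyMailing 5.2.0) and an unsupported PHP branch, can both be checked mechanically from the FPA report itself. The following is an added example in Python, not code from the thread or from the FPA tool: it parses the "Core ::" / "3rd Party::" extension lines and the "PHP Configuration :: Version:" line in the format posted above, and flags entries below a minimum version or a PHP branch past end of life. The MIN_VERSIONS thresholds are placeholder assumptions (the thread names no fixed versions); the PHP 5.6 end-of-life date of 31 December 2018 is a fact, and `today` defaults to the thread's date.

```python
"""Flag outdated entries in a Forum Post Assistant (FPA) report (added example,
not from the thread or the FPA tool; MIN_VERSIONS thresholds are assumptions)."""
import re
from datetime import date

# Constructed sample lines in the FPA format posted in the thread.
SAMPLE_FPA = """\
PHP Configuration :: Version: 5.6.40 | PHP API: litespeed | Uploads: 1 |
3rd Party:: com_kunena (3.0.6) 0 | com_komento (1.8.3) 0 | AcyMailing (5.2.0) 1 |
Core :: com_cache (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 |
"""

# One "name (version) state" entry; state is 1 (enabled), 0 (disabled) or ?.
ENTRY_RE = re.compile(r"\s*(?P<name>[^|(]+?)\s*\((?P<ver>[\d.]+)\)\s*(?P<state>[01?])\s*")
MIN_VERSIONS = {"com_kunena": "5.1.0", "AcyMailing": "5.10.0"}  # assumed placeholders
PHP_EOL = {(5, 6): date(2018, 12, 31)}  # PHP branch -> end-of-life date (fact)

def parse_version(text):
    """'5.6.40' -> (5, 6, 40) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))

def parse_extensions(report):
    """Return (name, version, state) for every entry on Core/3rd Party lines."""
    found = []
    for line in report.splitlines():
        if not line.startswith(("Core ::", "3rd Party::")):
            continue
        for chunk in line.partition("::")[2].split("|"):
            m = ENTRY_RE.fullmatch(chunk)
            if m:
                found.append((m["name"], m["ver"], m["state"]))
    return found

def php_version(report):
    m = re.search(r"PHP Configuration :: Version: ([\d.]+)", report)
    return m.group(1) if m else None

def findings(report, today=date(2019, 2, 20)):
    """List extensions below the assumed minimum and a PHP branch past EOL."""
    out = []
    for name, ver, state in parse_extensions(report):
        minimum = MIN_VERSIONS.get(name)
        if minimum and parse_version(ver) < parse_version(minimum):
            out.append(f"{name} {ver} below minimum {minimum} (enabled={state})")
    php = php_version(report)
    eol = PHP_EOL.get(parse_version(php)[:2]) if php else None
    if eol and today > eol:
        out.append(f"PHP {php} end of life since {eol}")
    return out
```

Feeding the full report from the first post to `findings()` would list the same two extensions the replies call out, plus the end-of-life PHP branch; a disabled extension (state 0) is still reported, since its files remain on disk.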
