I'm getting constant php injections

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
alsunna
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sat Nov 03, 2007 4:37 pm

I'm getting constant php injections

Post by alsunna » Wed Apr 24, 2019 8:05 pm

Constant

Despite installing security pro and RSFirewall and cleaning all injected php files I'm getting same sql injectiosn into the PHP files like this (see attached):

/9f961/

@include "\057ho\155e3\057al\163un\156a/\160ub\154ic\137ht\155l/\142ec\157me\155us\154im\057pl\165gi\156s/\146ie\154ds\057in\164eg\145r/\05670\14601\061c1\056ic\157";

/9f961/

When I decode this msg, it comes to injecting .ico file:
@include "/home/sneakers/public_html/wp-content/plugins/[youtube]-embed-plus/.484229fd.ico";

Does any of you know how we can block php injections?
I have same issue as this guy http://www.webhostingtalk.com/showthread.php?t=1642283


In server error log to find hole: too many errors of :
[08-May-2017 02:09:21 America/Chicago] PHP Deprecated: Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0
[11-May-2017 21:29:42 America/Chicago] PHP Deprecated: Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0
You do not have the required permissions to view the files attached to this post.

User avatar
Giraffex
Joomla! Intern
Joomla! Intern
Posts: 72
Joined: Fri Jan 21, 2011 3:51 pm
Location: Guben
Contact:

Re: I'm getting constant php injections

Post by Giraffex » Thu Apr 25, 2019 4:09 am

The best way to protect yourself is through the current Joomla system. But this will not help when poor quality components are installed on the website. Often they are the ones that cause hackers to break into websites.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14774
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: I'm getting constant php injections

Post by mandville » Thu Apr 25, 2019 4:49 am

Please run post the results of the fpa
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Tpy
Joomla! Apprentice
Joomla! Apprentice
Posts: 23
Joined: Fri Feb 26, 2010 10:08 am
Contact:

Re: I'm getting constant php injections

Post by Tpy » Thu Apr 25, 2019 9:25 am

Have you tried a security component? Try to install RSFirewall and make a scan of your website.

alsunna
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sat Nov 03, 2007 4:37 pm

Re: I'm getting constant php injections

Post by alsunna » Thu Apr 25, 2019 5:51 pm

We tried to install RSFirewall, and it shows me the infected files.
We clean them, a week later they come back. We have a hosting with 10 sites with Joomla and one WP that are injected weekly.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14774
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: I'm getting constant php injections

Post by mandville » Thu Apr 25, 2019 6:57 pm

HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25662
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: I'm getting constant php injections

Post by Per Yngve Berg » Thu Apr 25, 2019 7:03 pm

Is this hosted on a VPS?

You have to isolate the sites by installing with a separate OS user for each site to prevent cross site contamination.

It also looks like the vulnerably is in the WP site.

alsunna
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sat Nov 03, 2007 4:37 pm

Re: I'm getting constant php injections

Post by alsunna » Tue Apr 30, 2019 9:50 pm

It's on shared hostgator account. VPS is too costly for 12 sites. They are all Joomla sites.

We tried WP to see if it helps but then WP php files got injected too.

I still get codes in PHP like this:
/9f961/

@include "\057ho\155e3\057al\163un\156a/\160ub\154ic\137ht\155l/\142ec\157me\155us\154im\057pl\165gi\156s/\146ie\154ds\057in\164eg\145r/\05670\14601\061c1\056ic\157";

/9f961/

When I decode this msg, it comes to injecting .ico file:
@include "/home/sneakers/public_html/wp-content/plugins/[[youtube]]-embed-plus/.484229fd.ico";

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25662
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: I'm getting constant php injections

Post by Per Yngve Berg » Wed May 01, 2019 7:48 am

We are still waiting for the FPA report as requested several times.

alsunna
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sat Nov 03, 2007 4:37 pm

Re: I'm getting constant php injections

Post by alsunna » Wed May 01, 2019 4:03 pm

Forum Post Assistant (v1.4.8 (koine)) : 1st May 2019 wrote:
Last PHP Error(s) Reported :: wrote:[30-Apr-2019 17:02:10 America/Chicago] PHP Parse error: syntax error, unexpected end of file, expecting variable (T_VARIABLE) or '{' or '$' in /fpa-en.php on line 2327
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.5-Stable (Amani) 9-April-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: false | CacheTime: 30 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.5: Yes | Database Supports J! 3.9.5: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-693.17.1.2.ELK.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 122.64 GiB |

PHP Configuration :: Version: 7.1.14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: error_log | Last Known Error: 30th April 2019 17:02:10. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /home3/alsunna/public_html:/tmp:/home3/alsunna/public_html/info/tmp:/home3/alsunna/public_html/info/logs | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

Database Configuration :: Version: 5.6.41-84.1 (Client:5.6.41-84.1) | Host: --protected-- (--protected--) | default Collation: utf8_general_ci (default Character Set: utf8) | Database Size: 201.67 MiB | #of Tables:  206
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.14) | date (7.1.14) | libxml (7.1.14) | openssl (7.1.14) | pcre (7.1.14) | sqlite3 (7.1.14) | zlib (7.1.14) | bcmath (7.1.14) | bz2 (7.1.14) | calendar (7.1.14) | ctype (7.1.14) | curl (7.1.14) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.1.14) | ftp (7.1.14) | gd (7.1.14) | gettext (7.1.14) | gmp (7.1.14) | SPL (7.1.14) | iconv (7.1.14) | session (7.1.14) | intl (1.1.0) | json (1.5.0) | mbstring (7.1.14) | mcrypt (7.1.14) | mysqli (7.1.14) | odbc (7.1.14) | standard (7.1.14) | PDO (7.1.14) | pdo_mysql (7.1.14) | pdo_sqlite (7.1.14) | Phar (2.0.2) | posix (7.1.14) | pspell (7.1.14) | Reflection (7.1.14) | imap (7.1.14) | SimpleXML (7.1.14) | soap (7.1.14) | sockets (7.1.14) | exif (7.1.14) | tidy (7.1.14) | tokenizer (7.1.14) | wddx (7.1.14) | xml (7.1.14) | xmlreader (7.1.14) | xmlrpc (7.1.14) | xmlwriter (7.1.14) | xsl (7.1.14) | zip (1.13.5) | cgi-fcgi () | SourceGuardian (11.1.5) | ionCube Loader () | Zend Engine (3.1.0) |
Potential Missing Extensions ::
Disabled Functions :: system | shell_exec | passthru | exec | popen | proc_open |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 1844993 | Threads: 18 | Questions: 1689456911 | Slow queries: 22725 | Opens: 19266941 | Flush tables: 1 | Open tables: 16800 | Queries per second avg: 915.698 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_FILESYSTEM_JOOMLA_TITLE (2.6.11) ? | WF_AGGREGATOR_VIMEO_TITLE (2.6.11) ? | WF_AGGREGATOR_[youtube]_TITLE (2.6.11) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.6.11) ? | WF_AGGREGATOR_VINE_TITLE (2.6.11) ? | WF_POPUPS_WINDOW_TITLE (2.6.11) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.11) ? | FLEXIcontent Links (2.3.0-rc) ? | WF_LINKS_JOOMLALINKS_TITLE (2.6.11) ? | WF_LINK_SEARCH_TITLE (2.6.11) ? | WF_CLEANUP_TITLE (2.6.11) ? | WF_LINK_TITLE (2.6.11) ? | WF_ANCHOR_TITLE (2.6.11) ? | WF_FULLSCREEN_TITLE (2.6.11) ? | WF_CHARMAP_TITLE (2.6.11) ? | WF_KITCHENSINK_TITLE (2.6.11) ? | WF_VISUALBLOCKS_TITLE (2.6.11) ? | WF_IMGMANAGER_TITLE (2.6.11) ? | WF_SEARCHREPLACE_TITLE (2.6.11) ? | WF_TEXTCASE_TITLE (2.6.11) ? | WF_HR_TITLE (2.6.11) ? | WF_FONTCOLOR_TITLE (2.6.11) ? | WF_VISUALCHARS_TITLE (2.6.11) ? | WF_NONBREAKING_TITLE (2.6.11) ? | WF_SOURCE_TITLE (2.6.11) ? | WF_INLINEPOPUPS_TITLE (2.6.11) ? | WF_CLIPBOARD_TITLE (2.6.11) ? | WF_SPELLCHECKER_TITLE (2.6.11) ? | WF_BROWSER_TITLE (2.6.11) ? | WF_CONTEXTMENU_TITLE (2.6.11) ? | WF_XHTMLXTRAS_TITLE (2.6.11) ? | WF_STYLESELECT_TITLE (2.6.11) ? | WF_TABLE_TITLE (2.6.11) ? | WF_DIRECTIONALITY_TITLE (2.6.11) ? | WF_PREVIEW_TITLE (2.6.11) ? | WF_EMOTIONS_TITLE (2.6.11) ? | WF_FONTSELECT_TITLE (2.6.11) ? | WF_LISTS_TITLE (2.6.11) ? | WF_MEDIA_TITLE (2.6.11) ? | WF_PRINT_TITLE (2.6.11) ? | WF_FORMATSELECT_TITLE (2.6.11) ? | WF_ARTICLE_TITLE (2.6.11) ? | WF_AUTOSAVE_TITLE (2.6.11) ? | WF_FONTSIZESELECT_TITLE (2.6.11) ? | WF_STYLE_TITLE (2.6.11) ? | WF_LAYER_TITLE (2.6.11) ? |

Components :: ADMIN ::
Core :: com_search (3.0.0) 1 | com_messages (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_postinstall (3.2.0) 1 | com_templates (3.0.0) 1 | com_modules (3.0.0) 1 | com_content (3.0.0) 1 | com_checkin (3.0.0) 1 | com_tags (3.1.0) 1 | com_users (3.0.0) 1 | com_admin (3.0.0) 1 | com_languages (3.0.0) 1 | com_media (3.0.0) 1 | com_ajax (3.2.0) 1 | com_categories (3.0.0) 1 | com_finder (3.0.0) 1 | com_fields (3.7.0) 1 | com_associations (3.7.0) 1 | com_config (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_weblinks (3.5.0) 1 | com_cpanel (3.0.0) 1 | com_redirect (3.0.0) 1 | com_menus (3.0.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_privacy (3.9.0) 1 | com_login (3.0.0) 1 |
3rd Party:: COM_JCE (2.6.11) 1 | Akeeba (6.4.2.1) 1 | COM_GANTRY (4.1.40) 1 | Securitycheck Pro (3.1.5) 1 | Facebook Recommendations bar (1.0) ? | Linkedin company profile (1.0) ? | Social share button (1.0) ? | Facebook Activity Feed (1.0) ? | Twitter feed (1.0) ? | Linkedin member profile (1.0) ? | Linkedin Build a Jobs (1.0) ? | Facebook Embedded Posts (1.0) ? | Facebook Commend (1.0) ? | Google Interactive posts (1.0) ? | Facebook Like Box (1.0) ? | Google Comment (1.0) ? | Linkedin Apply button (1.0) ? | Google Badge (1.0) ? | Facebook Recommendations box (1.0) ? | Linkedin company Insider (1.0) ? | Facebook Facepile (1.0) ? | Login button (1.0) ? | BT_SocialConnect (1.2.1) 1 | Facebook Profile (1.0) ? | Google page (1.0) ? | Facebook Page (1.0) ? | Linkedin Companies (1.0) ? | Facebook Groups (1.0) ? | Linkedin Groups (1.0) ? | Twitter Profile (1.0) ? | Linkedin Profile (1.0) ? | Mailing (1.0) ? | EasySlider (2.1.4) 0 | sh404SEF (4.4.4.1791) 1 | plg_installer_sh404sef (4.4.4.1791) 1 | sh404sef - Default component suppor (4.4.4.1791) ? | sh404sef - Offline code plugin (4.4.4.1791) 1 | sh404sef - Similar urls plugin (4.4.4.1791) 1 | PLG_SH404SEFCORE_SH404SEFSOCIAL (4.4.4.1791) 1 | sh404sef - Analytics plugin (4.4.4.1791) 1 | plg_system_shlib (0.2.9.370) 1 | sh404sef - System plugin (4.4.4.1791) 1 | sh404sef - System mobile template s (4.4.4.1791) ? | sh404sef control panel icon (4.4.4.1791) 1 | com_jhackguard (2.0.2) 1 | RokSprocket (2.1.23) 1 | JMap (2.0.2) 1 | com_gantry5 (5.0.0-rc.1) 1 | COM_SPUPGRADE (4.1.1) 1 | Mailster (1.5.1) 1 | RSFirewall! (2.11.25) 1 | SP Simple Portfolio (1.3) ? | com_uniterevolution2 (4.3.8 b5) 1 | com_djimageslider (3.2.1) 1 | Bt_Portfolio (3.0.9) 1 | SP Page Builder (2.4.1) 1 |

Modules :: SITE ::
Core :: mod_tags_popular (3.1.0) 1 | mod_login (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_weblinks (3.5.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_related_items (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_search (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_articles_archive (3.0.0) 1 |
3rd Party:: BT Login (2.5.6) 1 | SP Simple Portfolio Module (1.3) ? | JSN EasySlider (2.1.4) 1 | BT Twitter Feeds (2.2) 1 | MOD_RANDOM_IMAGE_EXTENDED (3.3.0) 1 | BT Content Showcase (2.4.2) 1 | Hyper News Ticker (1.0) 1 | RokNavMenu (2.0.9) ? | ThemeHippo Pricing Table (1.0) 1 | CT Random Article (1.0.0) 1 | News Show SP2 (2.2) 1 | SP Page Builder (1.1) 1 | mod_news_pro_gk4 (GK4 3.4.0) 1 | BT Slideshow Pro (2.1.8) 1 | RokAjaxSearch (2.0.6) 1 | DJ-ImageSlider (3.2.1) 1 | Latest News + (2.1.3) 1 | Random Article (1.4.1.78) 1 | SP Facebook (1.4) 1 | BT Simple Slideshow (1.0.2) 1 | Custom Inline HTML (1.0) 1 | BT Google Maps (2.0.8) 1 | Mailster Subscriber (1.5.1) 1 | Hijri Date (1.0.1) 1 | Sj K2 Mega News (2.5) 1 | MOD_LATESTNEWSENHANCED (3.0.4) 1 | RokSprocket Module (2.1.6) ? | AP Smart LayerSlider (3.4) ? | SP Tweet (2.2.0) 1 | JA Image Hotspot (1.1.4) 1 |

Modules :: ADMIN ::
Core :: mod_title (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_login (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_custom (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_sampledata (3.8.0) ? | mod_popular (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_version (3.0.0) 1 | mod_status (3.0.0) 1 |
3rd Party:: RSFirewall! Control Panel Module (1.4.0) 1 | sh404sef control panel icon (4.4.4.1791) 1 | mod_sppagebuilder_admin_menu (1.1) ? | mod_sppagebuilder_icons (1.0.2) ? | Securitycheck Pro Info Module (3.1.5) 1 |

Libraries :: SITE ::
Core ::
3rd Party:: RokCommon (3.2.0) 1 | file_fof30 (3.4.2) ? |

Plugins :: SITE ::
Core :: plg_fields_repeatable (3.9.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_user_profile (3.0.0) ? | plg_user_terms (3.9.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) ? | plg_twofactorauth_yubikey (3.2.0) 1 | plg_twofactorauth_totp (3.2.0) 1 | plg_authentication_gmail (3.0.0) ? | plg_authentication_ldap (3.0.0) ? | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (2.0.1) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) ? | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_finder_weblinks (3.5.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_finder (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) ? | plg_system_log (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_highlight (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_cache (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_languagecode (3.0.0) ? | plg_system_privacyconsent (3.9.0) 0 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_logrotation (3.9.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_search_weblinks (3.5.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_categories (3.0.0) 1 |
3rd Party:: RokPad (2.1.10) 1 | plg_editors_tinymce (4.5.9) 1 | plg_editors_jce (2.6.11) 1 | plg_editors_codemirror (5.40.0) 1 | BT AutoSubmit - Registration (1.0.0) 1 | plg_gantry5_preset (5.0.0-rc.1) 1 | plg_extension_jce (2.6.11) 1 | Extension - Inline editing Plugin H (1.0) ? | plg_installer_rsfirewall (1.0.0) 1 | plg_installer_jce (2.6.11) 1 | plg_installer_sh404sef (4.4.4.1791) 1 | Installer - Securitycheck Pro (3.1.5) 1 | Ajax - Inline content editing (1.0.2b) 1 | Ajax - Inline Mode State listener (1.0) 1 | Helix3 - Ajax (1.9) 1 | Ajax - TreeLink (1.0) 1 | sh404sef - Default component suppor (4.4.4.1791) ? | sh404sef - Offline code plugin (4.4.4.1791) 1 | sh404sef - Similar urls plugin (4.4.4.1791) 1 | PLG_SH404SEFCORE_SH404SEFSOCIAL (4.4.4.1791) 1 | sh404sef - Analytics plugin (4.4.4.1791) 1 | plg_quickicon_gantry5 (5.0.0-rc.1) 1 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_akeebabackup (6.4.2.1) 1 | Smart Search - mp3 Browser Fork (0.3.1) 1 | Editors-xtd - BT Shortcode (1.0.0) 1 | Button - RokBox (2.0.15) 1 | BT Widget - Button (1.0.0) 1 | JSN_EASYSLIDER_PLUGIN_BUTTON_TITLE (2.1.4) 0 | PLG_MP3BROWSER_SYS_NAME (0.3.1) 1 | Content - Inline content editing fi (1.0) ? | Content - Facebook Like And Share (5.5) 1 | Content - Rapid1Pixelout (3.5) 1 | Content - RokInjectModule (1.6) 1 | RokBox (2.0.15) 1 | Content - Inline content editing (1.0) 1 | plg_content_jce (2.6.11) 1 | JSN_EASYSLIDER_PLUGIN_CONTENT_TITLE (2.1.4) 0 | Mailster Subscriber (1.5.1) 1 | Content - BT Shortcode (1.0.0) 1 | BT AutoSubmit - Content (1.0.0) 1 | T3 Framework (2.7.4) 1 | System - Inline content editing (1.0) 1 | PLG_SYSTEM_AKEEBAACTIONLOG (6.4.2.1) 0 | JHackGuard Plugin (2.0.4) 1 | System - url Inspector (3.1.5) 0 | System - Securitycheck Pro Update D (1.0.2) ? | System - SP PageBuilder (1.1) ? | System - RokBox (2.0.15) 1 | System - RokCommon (3.2.5) 1 | System - Inline History (1.0) 1 | System - Reset SEF Base (3.0) 1 | plg_system_ef4_jmframework (4.8.4) 1 | plg_system_jmframework (3.12) 1 | System - RokExtender (2.0.0) ? | plg_system_gantry5 (5.0.0-rc.1) 1 | System - RokBooster (1.1.18) 0 | System - Securitycheck Pro (3.1.5) 1 | PLG_SYSTEM_BACKUPONUPDATE (6.4.2.1) 0 | plg_system_djjquerymonster (1.2.0) 1 | System - Joomla Media Manager Exten (1.0) ? | System - SP Page Builder Pro Update (1.0) ? | System - RokSprocket (2.1.6) 1 | manage.myJoomla.com Secure Plugin (n/a) ? | Mailster Email Forwarder (1.5.1) 1 | System - Helix3 Framework (1.9) 1 | System - RSFirewall! Active Scanner (1.4.0) 1 | plg_system_jce (2.6.11) 1 | System - Yjsg Framework (2.3.6) 1 | System - Securitycheck Pro Cron (3.1.5) 1 | plg_system_jsnframework (2.0.2) 1 | plg_system_shlib (0.2.9.370) 1 | PLG_SYSTEM_JCH_OPTIMIZE (5.0.5) ? | sh404sef - System plugin (4.4.4.1791) 1 | BT Social Connect - System (1.0.0) 1 | PLG_SYSTEM_JSNEASYSLIDER (2.1.4) 0 | System - Inline HTML Module Version (1.0) ? | PLG_SYSTEM_AKEEBAUPDATECHECK (6.4.2.1) 0 | sh404sef - System mobile template s (4.4.4.1791) ? | System - BT Shortcode (1.0.1) 1 | System - Gantry 4 (4.1.40) 1 | Mailster Profile (1.5.1) 1 | plg_search_sppagebuilder (1.2) ? |
Templates Discovered :: wrote:Templates :: SITE :: Flex (2.4) 1 | jm-wedding06 (1.02) 1 | protostar (1.0) 1 | beez3 (3.1.0) ? | rt_callisto (1.0.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

alsunna
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sat Nov 03, 2007 4:37 pm

Re: I'm getting constant php injections

Post by alsunna » Thu May 02, 2019 8:24 pm

Please advise.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37022
Joined: Sat Apr 05, 2008 9:58 pm

Re: I'm getting constant php injections

Post by Webdongle » Thu May 02, 2019 11:32 pm

alsunna wrote:
Wed Apr 24, 2019 8:05 pm
...
Despite installing security pro and RSFirewall and cleaning all injected php files...
You have no real option except to delete your files and rebuild them. Please see viewtopic.php?f=714&t=946026

You have a lot of out of date extensions. Following the instructions of viewtopic.php?f=714&t=946026 (and the thread it links to) will clean your site and rebuild you files with fresh up to date ones. If you are unable to follow the instructions then perhaps consider professional help.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
darb
Joomla! Ace
Joomla! Ace
Posts: 1345
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden
Contact:

Re: I'm getting constant php injections

Post by darb » Sun May 05, 2019 6:19 am

First you can also then check so you dont have a local trojan on your own computer infecting your ftp client bcs it seems its an issue with two different kind of cms sites and I dont belive you could have timing of getting this problem at same time with Hostgator on several cms sites.

Never heard that Wordpress can spread virus to Joomla by a same hoster :pop
Success in the long run Its not about the code its about the people and community that's make it!
Its not what you say its what you do that matters!

Darb - aka ssnobben

alsunna
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sat Nov 03, 2007 4:37 pm

Re: I'm getting constant php injections

Post by alsunna » Thu May 09, 2019 5:18 pm

We have several sites under that hosting to delete all of them and re-install will take so much time and work.. my question is how do we block PHP injections? how to prevent it after we clean it?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37022
Joined: Sat Apr 05, 2008 9:58 pm

Re: I'm getting constant php injections

Post by Webdongle » Thu May 09, 2019 6:33 pm

Yep a lot of work but you have little choice. Following the process viewtopic.php?f=714&t=946026 will remove the hack files and make sure your extensions are up to date and that you don't have vulnerable ones. You can start by performing it on the folders for the hacked site. That may be enough. But if you get hacked after that then you will need to do it for all the sites. Other than that hire a professional.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post Reply

Return to “Security in Joomla! 3.x”