Joomla 3.9.5 hacked and mail sending

Posted: Wed May 29, 2019 8:21 am
by mlubbertsen
There was 1 record added to contacts.
I deleted that one.
The website was sending spam.
I cannot find any file that was changed.

Site was Joomla 3.9.5
and is now updated to 3.9.6
Forum Post Assistant (v1.4.8 (koine)) : 29th May 2019 wrote:
Problem Description :: wrote:PHPmailers sends spam
Actions Taken To Resolve wrote:rename phpmailer.php and update site from 3.9.5 to 3.9.6
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.6-Stable (Amani) 7-May-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: true | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.6: Yes | Database Supports J! 3.9.6: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 4.9.0-9-amd64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 250.83 GiB |

PHP Configuration :: Version: 7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98 | PHP API: apache2handler | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: /var/log/php-errors.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /usr/home/ws/beachpull/www.beachpull.nl/www/:/tmp | Uploads: 1 | Max. Upload Size: 50000000 | Max. POST Size: 120000000 | Max. Input Time: -1 | Max. Execution Time: 300 | Memory Limit: 256M

Database Configuration :: Version: 5.5.5-10.0.38-MariaDB-0+deb8u1 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 26.71 MiB | #of Tables:  220
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | date (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | libxml (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | openssl (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | pcre (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | zlib (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | filter (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | hash (1.0) | Reflection (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | SPL (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | session (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | standard (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | apache2handler () | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | PDO (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xml (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | bcmath (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | calendar (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | ctype (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | curl (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | dom (20031129) | mbstring (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | fileinfo (1.0.5) | ftp (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | gd (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | gettext (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | iconv (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | imap (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | intl (1.1.0) | json (1.5.0) | exif (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | mcrypt (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | mysqli (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | pdo_mysql (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | pdo_sqlite (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | Phar (2.0.2) | posix (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | readline 
(7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | shmop (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | SimpleXML (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sockets (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sqlite3 (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sysvmsg (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sysvsem (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sysvshm (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | tokenizer (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | wddx (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xmlreader (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xmlwriter (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xsl (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | zip (1.13.5) | ionCube Loader () | Zend OPcache (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | Zend Engine (3.1.0) |
Potential Missing Extensions ::
Disabled Functions :: apache_note | apache_setenv | chgrp | closelog | debugger_off | debugger_on | define_sys | define_syslog_variables | diskfreespace | dl | escapeshellarg | escapeshellcmd | exec | getmypid | getmyuid | ini_restore | leak | listen | openlog | passthru | pclose | pcntl_alarm | pcntl_exec | pcntl_fork | pcntl_getpriority | pcntl_get_last_error | pcntl_setpriority | pcntl_signal | pcntl_signal_dispatch | pcntl_sigprocmask | pcntl_sigtimedwait | pcntl_sigwaitinfo | pcntl_strerror | pcntl_wait | pcntl_waitpid | pcntl_wexitstatus | pcntl_wifexited | pcntl_wifsignaled | pcntl_wifstopped | pcntl_wstopsig | pcntl_wtermsig | popen | posix | posix_ctermid | posix_getcwd | posix_getegid | posix_geteuid | posix_getgid | posix_getgrgid | posix_getgrnam | posix_getgroups | posix_getlogin | posix_getpgid | posix_getpgrp | posix_getpid | posix_getpwnam | posix_getpwuid | posix_getrlimit | posix_getsid | posix_getuid | posix_isatty | posix_kill | posix_mkfifo | posix_setegid | posix_seteuid | posix_setgid | posix_setpgid | posix_setsid | posix_setuid | posix_times | posix_ttyname | posix_uname | proc_close | proc_get_status | proc_nice | proc_open | proc_terminate | shell_exec | show_source | syslog | system | url_exec | _getppid |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_so | mod_watchdog | http_core | mod_log_config | mod_logio | mod_version | mod_unixd | mod_access_compat | mod_actions | mod_alias | mod_auth_basic | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_deflate | mod_dir | mod_env | mod_expires | mod_filter | mod_headers | mod_http2 | mod_mime | prefork | mod_negotiation | mod_php7 | mod_reqtimeout | mod_rewrite | mod_setenvif | mod_socache_shmcb | mod_ssl | mod_status | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 8911280 | Threads: 42 | Questions: 6390498998 | Slow queries: 24102 | Opens: 24690275 | Flush tables: 1 | Open tables: 10240 | Queries per second avg: 717.124 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_actionlogs (3.9.0) 1 | com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_associations (3.7.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_privacy (3.9.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 | com_weblinks (3.6.0) 1 |
3rd Party:: JCH Optimize (5.4.2) 1 | COM_SIGPRO (3.0.0) 1 | Tabulizer (6.2.2) 1 | COM_YENDIFVIDEOSHARE (1.2.6) 1 |

Modules :: SITE ::
Core :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_weblinks (3.6.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
3rd Party:: S5 Accordion Menu (2.2.0) 1 | S5 Box (6.1.2) 1 | S5 Image and Content Fader v4 (4.3.0) 1 | Shape 5 Live Search (3.0) 1 | S5 MailChimp Signup (1.0.0) 1 | S5 Register (3.2.0) 1 | S5 Tab Show (3.2.0) 1 | Yendif Video Share - Categories (1.2.6) 1 | Yendif Video Share - Player (1.2.6) 1 | Yendif Video Share - Playlist (1.2.6) 1 | Yendif Video Share - Search (1.2.6) 1 | Yendif Video Share - Videos (1.2.6) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |
3rd Party::

Libraries :: SITE ::
Core ::
3rd Party:: Free Mono (-) ? | Helvetica (-) ? | TCPDF (5.9.144) ? |

Plugins :: SITE ::
Core :: PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_content_confirmconsent (3.9.0) 0 | plg_content_emailcloak (3.0.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_geshi (2.5.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_weblinks (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.0.5) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck 
(3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_weblinks (3.6.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 1 | plg_system_languagefilter (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_redirect (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_terms (3.9.0) 0 |
3rd Party:: PLG_EMBED_GOOGLE_MAP (2.1.0) 1 | Content - Simple Image Gallery Pro (3.0.0) ? | S5 Disqus Comments (1.1.0) 1 | Content - Tabulizer CSS (6.2.2) 1 | Yendif Video Share - Player (1.2.6) 1 | Button - Simple Image Gallery Pro (3.0.0) 1 | Button - ReTabulizer (6.2.2) 1 | Button - Tabulizer (6.2.2) 1 | Button - Tabulizer Data Source (6.2.2) 1 | plg_editors_codemirror (5.40.0) 1 | plg_editors_tinymce (4.5.9) 1 | K2 - Simple Image Gallery Pro (3.0.0) 1 | plg_search_tabulizerds (6.2.2) 0 | Yendif Video Share - Search (1.2.6) 1 | System - S5 Flex Menu (1.0) 1 | PLG_SYSTEM_JCH_OPTIMIZE (5.4.2) 1 | System - Tabulizer CSS (6.2.2) 1 | System - Tabulizer CSS Legacy (6.2.2) 1 |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) 1 | beez3 (3.1.0) 1 | beez5 (2.5.0) 1 | beez_20 (2.5.0) 1 | outdoor_life (1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: bluestork (2.5.0) 1 | hathor (3.0.0) 1 | isis (1.0) 1 |

Re: Joomla 3.9.5 hacked and mail sending

Posted: Wed May 29, 2019 8:22 am
by mlubbertsen
mail log from provider:

[28-May-2019 07:54:41 Europe/Amsterdam] mail() on
[/usr/home/lsw_data_ws_dro/beachpull/www.beachpull.nl/www/libraries/vendor/p ... er.php:700]:
To: email@email.com -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Beachpull Reply-To: editak Message-ID:
<93e4ffae414eb65c4a95c46fb5121fe1@beachpull.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit -- Subject: =?utf-8?B?VG90YWwgQWdyaSBCZWFjaHB1bGw6IOG1guG1g+KBseG1l+KBsQ==?=
=?utf-8?B?4oG/4bWNIOG2oOG1ksqzIMq44bWS4bWYyrMgyrPhtYnhtZbLocq4?=
[28-May-2019 07:54:41 Europe/Amsterdam] mail() on
[/usr/home/lsw_data_ws_dro/beachpull/www.beachpull.nl/www/libraries/vendor/p ... er.php:700]:
To: editak@gmx.ch -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Beachpull Reply-To: editak Message-ID:
<4b7d689e77c141f36abb514e55d2c945@beachpull.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit -- Subject: =?utf-8?B?S29waWUgdmFuOiDhtYLhtYPigbHhtZfigbHigb/htY0g4bag4bWSyrMg?=
=?utf-8?B?yrjhtZLhtZjKsyDKs+G1ieG1lsuhyrg=?=
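
Added example (not code from the thread, from Joomla or from PHPMailer): a small Python triage script for PHP `mail()` log entries in the layout the provider log above uses. It joins folded Subject lines, decodes the RFC 2047 encoded words, NFKC-normalises the result so that look-alike superscript letters fold back to plain ASCII, and counts sends per call site and recipient. The two Base64 subjects are the ones quoted above; the paths, addresses and the third entry are constructed, and the `mailer-lib.php` path is a placeholder.

```python
"""Triage PHP mail() log entries after a web-mailer spam incident.

Added example, not code from the thread, Joomla or PHPMailer.  PHP writes
one entry per mail() call when the mail.log ini setting is on; the layout
below mirrors the provider log quoted in the thread.  The two Base64 subjects
are the ones from that log; paths, addresses and the third entry are
constructed.
"""
import re
import unicodedata
from collections import Counter
from email.header import decode_header, make_header

# Constructed sample.  A folded Subject header shows up as continuation
# lines that do not start with '[' (as in the provider log).
SAMPLE_LOG = """\
[28-May-2019 07:54:41 Europe/Amsterdam] mail() on [/srv/www/example.test/libraries/vendor/mailer-lib.php:700]: To: recipient@example.test -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Example Reply-To: sender -- Subject: =?utf-8?B?VG90YWwgQWdyaSBCZWFjaHB1bGw6IOG1guG1g+KBseG1l+KBsQ==?=
 =?utf-8?B?4oG/4bWNIOG2oOG1ksqzIMq44bWS4bWYyrMgyrPhtYnhtZbLocq4?=
[28-May-2019 07:54:41 Europe/Amsterdam] mail() on [/srv/www/example.test/libraries/vendor/mailer-lib.php:700]: To: sender@example.test -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Example -- Subject: =?utf-8?B?S29waWUgdmFuOiDhtYLhtYPigbHhtZfigbHigb/htY0g4bag4bWSyrMg?=
 =?utf-8?B?yrjhtZLhtZjKsyDKs+G1ieG1lsuhyrg=?=
[28-May-2019 09:10:02 Europe/Amsterdam] mail() on [/srv/www/example.test/components/com_example/helper.php:55]: To: admin@example.test -- Headers: From: Example -- Subject: Website enquiry
"""

# One entry: "[timestamp] mail() on [file:line]: To: ... -- Headers: ... -- Subject: ..."
ENTRY_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] mail\(\) on \[(?P<site>[^\]]+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*?) -- Subject: (?P<subject>.*)\Z",
    re.DOTALL,
)


def split_entries(text):
    """Glue folded continuation lines (not starting with '[') onto their entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries


def decode_subject(raw):
    """Decode RFC 2047 encoded words; the stdlib drops the whitespace
    between adjacent encoded words, so a folded subject comes out whole."""
    return str(make_header(decode_header(raw)))


def unmask(text):
    """NFKC folds superscript/modifier letters back to their base letters,
    which exposes subjects written with look-alike characters."""
    return unicodedata.normalize("NFKC", text)


def parse_log(text):
    """Return one dict per mail() call with decoded and normalised subject."""
    rows = []
    for entry in split_entries(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue  # not a mail() entry; ignore
        subject = decode_subject(m.group("subject"))
        plain = unmask(subject)
        rows.append({
            "when": m.group("when"),
            "site": m.group("site"),
            "to": m.group("to"),
            "subject": subject,
            "plain_subject": plain,
            "masked": plain != subject,
        })
    return rows


def summarise(rows):
    """Counts per call site and recipient, plus the number of masked subjects."""
    return {
        "by_site": Counter(r["site"] for r in rows),
        "by_recipient": Counter(r["to"] for r in rows),
        "masked": sum(1 for r in rows if r["masked"]),
    }


def report(text=SAMPLE_LOG):
    """Human-readable summary: which code path sent what to whom."""
    rows = parse_log(text)
    s = summarise(rows)
    lines = [f"{len(rows)} mail() calls, {s['masked']} with look-alike Unicode in the subject"]
    for site, n in s["by_site"].most_common():
        lines.append(f"  {n:3d}  {site}")
    for r in rows:
        flag = "MASKED" if r["masked"] else "      "
        lines.append(f"{flag} {r['when']} -> {r['to']}: {r['plain_subject']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it on the sample shows the two encoded subjects normalise to "Waiting for your reply" written entirely in superscript letters, which is a filter-evasion trick rather than a normal site notification, and that both came from the same mailer call site; grouping by call site is what tells you whether a contact form, a registration flow or an injected script is the sender.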

Re: Joomla 3.9.5 hacked and mail sending

Posted: Sun Jun 02, 2019 3:48 pm
by leolam
I do not believe your site is hacked. You are being spoofed, I believe. See more on this https://help.hover.com/hc/en-us/article ... mpromised-

Leo 8)

Re: Joomla 3.9.5 hacked and mail sending

Posted: Thu Jun 06, 2019 6:09 am
by mlubbertsen
The log file is from the webserver, and after the provider disabled this website the email stopped.
At this moment I have renamed the phpmailer directory and it is not possible to send mail from the site.

There is 1 record added in the contacts table of Joomla.
Can you explain how anyone can add this without database access?

I do not have any contact form on the site to send email, not in the menu and not on the site.
Can anyone access the contact form without an existing contact form in the menu of the site?

Re: Joomla 3.9.5 hacked and mail sending

Posted: Thu Jun 06, 2019 4:13 pm
by Per Yngve Berg
mlubbertsen wrote:
Thu Jun 06, 2019 6:09 am
I do not have any contact form on the site to send email, not in the menu and not on the site.
Can anyone access the contact form without an existing contact form in the menu of the site?
Yes.

There is an option in User Manager to have a contact automatically created when a user is created.

Is user registration enabled in user manager?

Re: Joomla 3.9.5 hacked and mail sending

Posted: Thu Jun 06, 2019 7:06 pm
by mlubbertsen
User registration is disabled at the site.
There is not any new user at the site.

Re: Joomla 3.9.5 hacked and mail sending

Posted: Mon Jun 10, 2019 3:57 pm
by jgarvas
Have you found anything, mlubbertsen? I just had a site start doing this and I shut down Apache trying to find the culprit. It's a mix of spam sending and occasional malware/ransomware attempts when the main page is loaded, intermixed with it just acting normally. Poking around the logs and the file system I can't find anything that was done. It must be hidden well, so I'm looking for any success you had.

Re: Joomla 3.9.5 hacked and mail sending

Posted: Mon Jun 10, 2019 6:12 pm
by mandville
Looking at your FPA, you have the S5 Register module, which is very out of date; could that be your entry point?
S5 Register Module: 16 Aug 2018, 4.0.2
Tabulizer: several versions behind. Please check all extensions.