Hacking attempt?

Discussion regarding Joomla! 3.x security issues.

Post by MarkRS » Fri Nov 27, 2020 3:00 pm

I have half a dozen or so instances of the error below in my hosting error log. It says

[cgi:error] [pid 13091:tid 140044698371840] [client 66.249.64.47:37176] AH01215: Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Email/Simple/Header.pm line 66, line 1.: <homedir>/public_html/index.php

This is a J! 3.9.22 / 23 site. It was at .22 when the first error was logged and was updated to .23 before the last error.

Firstly I'm surprised that index.php should be the referrer, I thought it was protected from calling anything like this, and secondly, even though I have root access on the server I can't see the file that apparently is raising the error.

Is the cause of this error something to be concerned about?

TIA
It's a community, the more we all contribute, the better it will be.

Post by toivo » Fri Nov 27, 2020 3:24 pm

MarkRS wrote (Fri Nov 27, 2020 3:00 pm):
"Firstly I'm surprised that index.php should be the referrer"

It is also strange that a client from an IP address range registered to Google LLC attempts to run a Perl module from /usr/share/perl5. The IP address can of course be spoofed and the site compromised to become a spam bot.

Compare the contents of the file index.php in the main Joomla folder to the file index.php in the installation package. Please do not post any hack code here.
Toivo Talikka, Global Moderator

Post by MarkRS » Fri Nov 27, 2020 6:48 pm

Thanks for that, Toivo.

I've (eyeball) checked index.php, as well as defines.php and framework.php in the includes directory; they're all the same as those in the full download package (I downloaded that to check, although the site had been updated from the update package).

My (not particularly Joomla aware) hosting company says:

"We have looked into this there doesn't look to be evidence of a hack and the errors themselves are coming from the sendmail wrapper on the hosting server when the site is sending mail, likely due to something wrong with the email being sent, for example a missing header or bad formatting."

I don't know how the site could be sending email with something wrong unless something malicious was happening. Its only sending function is currently the "contact us" page. We haven't received any mail. The site is set to use phpMail. I don't know enough to know if that uses the file that's complaining, but sending a test message succeeds easily enough.

The times of the errors are a little suspicious, broadly similar over three days.
It's a community, the more we all contribute, the better it will be.
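
A hash-based version of the comparison discussed in this thread (the site's files against a freshly extracted installation package of the same version), which also catches differences an eyeball check can miss. This is an added example, not code from the thread or from Joomla; the function names and the two sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_tree(root, suffixes=(".php",)):
    """Map each relative path under root (filtered by suffix) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in suffixes}

def compare_trees(site_root, package_root):
    """Report files that differ from, are absent from, or are not in the package."""
    site, ref = hash_tree(site_root), hash_tree(package_root)
    return {
        "modified": sorted(f for f in site.keys() & ref.keys() if site[f] != ref[f]),
        "missing": sorted(ref.keys() - site.keys()),  # e.g. installation/, removed after setup
        "extra": sorted(site.keys() - ref.keys()),    # e.g. configuration.php, extensions
    }

def demo():
    """Run the comparison on two small constructed trees (not real Joomla files)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg, site = Path(tmp, "package"), Path(tmp, "site")
        stub = b"<?php // constructed sample file\n"
        for rel in ("index.php", "includes/defines.php", "includes/framework.php",
                    "installation/index.php"):
            (pkg / rel).parent.mkdir(parents=True, exist_ok=True)
            (pkg / rel).write_bytes(stub)
        for rel in ("index.php", "includes/defines.php", "configuration.php"):
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_bytes(stub)
        # One trailing space: invisible to an eyeball check, visible to a hash.
        (site / "includes/framework.php").write_bytes(stub + b" ")
        return compare_trees(site, pkg)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real site, call `compare_trees()` with the site root and the extracted package directory; entries under "modified" are the ones to inspect first, while "extra" will normally include configuration.php and installed extensions.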

