Malware detected in scans

Discussion regarding Joomla! 3.x security issues.


Re: Malware detected in scans

Post by hostking » Fri Jan 08, 2021 8:09 am

I would recommend a better modsecurity ruleset, as well as implementing captchas on registration, upload and login pages; that may help. Then re-monitor and see if that resolves the issues.


Re: Malware detected in scans

Post by stuffdone » Mon Jan 25, 2021 7:58 pm

I have deleted it all including the database.

Totally clean install.

I did use an XML export to reinstall the text content however.

All quiet for two weeks then the same kind of .ico files started to reappear.

Also, in /tmp the index.html placeholder was renamed index.bak.bak, and an index.php with code and an include pulled the original index file in.

I edited the index.php file but left it there with a nasty message! LOL but if it's a bot no person will ever see it anyway.

I am going to try Joomla 4 just for grins since this is not a commercial site.
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog


Re: Malware detected in scans

Post by stuffdone » Thu Jan 28, 2021 6:45 pm

Webdongle wrote:
Wed Jan 06, 2021 6:11 pm
Where did you download the .ico files from?
I did not download the .ico files. The scanner quarantines them out of my reach. I do have a sample of the code sent by the host. I hesitate to paste any known malware in a post for obvious reasons. All I have is the index.php file that keeps recurring that includes those .ico files.

I assume that as long as the scanner is quick and removes the .ico files, the PHP is useless without that code to reference.


Re: Malware detected in scans

Post by stuffdone » Thu Jan 28, 2021 6:55 pm

After the aforementioned clean install, the infection continues. This is the only site that is being infected on my server.

I wiped out the whole public_html, deleted the database and did a clean install. I changed passwords on everything, including FTP, but the next day they are back.

The two directories targeted (again over night) with the index.php files are:

/tmp
[Obviously this could be changed in the configuration. I did that once, but they found that too, so they are viewing the config or otherwise getting info from the Joomla installation, as those are the only two places that directory is identified. .htaccess prevents web viewing of configuration.php.]

/layouts

The index.html file is renamed index.bak.bak and an index.php file is installed.

Also, if I did not note it: I keep a .htaccess file in /administrator that blocks all access until I log in via FTP and temporarily rename it to allow me to log in to the back end. I do that on all of my sites.



Re: Malware detected in scans

Post by stuffdone » Thu Jan 28, 2021 7:45 pm

From your comments it is clear that you have NOT deleted ALL the files on the server. You have just deleted the files that you think are the problem.

First, thank you for your offer; I really appreciate it.

I doubt a Skype meet would be useful as this does not occur in real time and what it leaves behind I can save and share anytime.

Yes, I did a total removal including the database, downloaded a fresh full Joomla and reinstalled, including a new DB.

I also installed in a sub directory a new copy of Joomla 4 Beta just to test it. No content, no extensions except Akeeba. Today that was also infected. The URL is not published to the world; you would only find it if you know the URL. This indicates something running in the installation doing this that just scans for /tmp, /layouts, /bin, /cli and does its thing.

The malware scan runs early morning. I did ask the host to check for any time stamp on the quarantined .ico files as a point of reference. I also asked the host about a temporary host via an IP address on a totally different server, just to test to see if the infection continues.

I have a couple of unused domain names that I could also try to use for that purpose with a copy from backup just to see if the infection moves along with it. I would clean everything I can find first then see if it resurfaces in the test environment.

Trying to run a Joomla site in a Windows environment locally would be a major chore, requiring Apache, MySQL, PHP etc. to be installed. And since we are talking about malware, I would only consider that in a virtual machine, perhaps with CentOS, that I could leave running 24 hours.

Two additional thoughts.

cPanel infiltration?
A cron job running to reinstall malware on a schedule?

Another thought just popped into my head.

I downloaded a recent backup, then removed the identifiable infections. The scanner removes the .ico files that contain the actual code. I think I will use a utility to compare that downloaded installation against an extracted original Joomla installation to see if any "original" Joomla files are different from what they should be.

I can be patient. This is not a customer site.
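The comparison stuffdone describes above (a downloaded copy of the site against a pristine Joomla extract) can be done with a file-hash diff that reports modified originals, files that should not exist, and originals that went missing. This is an added example, not code from the thread or from Joomla; the two directory trees it builds are constructed stand-ins that mimic the thread's indicators (index.html renamed to index.bak.bak, an index.php dropped into /tmp and /layouts, a modified root index.php), and in a real run site-specific files such as configuration.php should be excluded from the comparison.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large media files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root (with '/' separators) to its hash."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(pristine: Path, site: Path) -> dict:
    """Classify the site's files against a pristine Joomla extract."""
    ref, cur = tree_hashes(pristine), tree_hashes(site)
    return {
        "modified": sorted(p for p in ref if p in cur and ref[p] != cur[p]),
        "added": sorted(p for p in cur if p not in ref),   # not part of the original
        "missing": sorted(p for p in ref if p not in cur),
    }


def build_demo() -> dict:
    """Constructed sample: a small 'pristine' tree and a tampered copy of it."""
    base = Path(tempfile.mkdtemp())
    pristine, site = base / "pristine", base / "site"
    for root in (pristine, site):
        (root / "layouts").mkdir(parents=True)
        (root / "tmp").mkdir()
        (root / "index.php").write_text("<?php define('_JEXEC', 1);\n")
        (root / "layouts" / "index.html").write_text("<!DOCTYPE html><title></title>")
        (root / "tmp" / "index.html").write_text("<!DOCTYPE html><title></title>")
    # Tampering as described in the thread (constructed, harmless stand-ins).
    (site / "tmp" / "index.html").rename(site / "tmp" / "index.bak.bak")
    (site / "tmp" / "index.php").write_text("<?php // constructed stand-in\n")
    (site / "layouts" / "index.php").write_text("<?php // constructed stand-in\n")
    (site / "index.php").write_text("<?php define('_JEXEC', 1);\n// appended include stand-in\n")
    return compare_trees(pristine, site)


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind}: {paths}")
```

Point the two Path arguments of compare_trees at a real backup and a freshly extracted Joomla package of the same version; anything under "added" in /tmp or /layouts is what the nightly scan was quarantining.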


Re: Malware detected in scans

Post by sozzled » Thu Jan 28, 2021 7:55 pm

At the risk of repeating myself and I don't want to increase my forum post count by repeating anything I may have written before, if you keep doing what you've been doing then you'll keep getting what you've been getting. Whether or not teleconferencing, via Skype, is a "doubtful" approach to resolving a problem, how do you know until you try it?

When someone throws a lifeline to a person who is floundering in the water, it's up to the person who's floundering to take the lifeline or to leave it. The life-saver isn't necessarily going to throw themselves into uncharted waters and drown in an attempt to save someone. If someone throws a lifeline (e.g. offering to teleconference/workshop the problem in real-time), then it's a choice whether to accept it or reject it.

I know that analogies are sometimes unhelpful—especially with literal-minded people—but think of it this way: if a patient knows they're sick but doesn't know the cause, and they do hours/days of research to discover the cause of their sickness (but fail to isolate the specific cause of their sickness), they can choose one of three things: live with the sickness (and "hope"—or pray to the gods—that it doesn't lead to anything worse), self-medicate or treat themselves, or see the doctor. The outcome(s) may all be the same; there may be different outcomes but only time will tell. Historically, however, the outcome(s) from self-medication/treatment or allowing "nature to take its course", have been failures.

I have no idea how the infection infiltrated this website. No-one knows because no-one knows the website better than the person who developed it ... and we had nothing to do with that. I have no further suggestions; anything further that I may suggest would be guesswork and probably a "wild goose chase", going down "rabbit holes", that may lead nowhere.

Is it "possible" that cPanel (or a "chron job" or something) may be an issue? Who knows? Anything's possible. Is it probable? Again, who knows?

Without investing our time, in real-time with your assistance, we're stuck where we are and it's not going to change anything. So, "if you've always done what you always did, you'll always get what you've always got", and that's just stating the obvious.

You may be patient and, while we're trying to be patient, we have our virtuous pursuits, too, but you may have to consider that everyone's patience is finite.

Best of luck but you may be on your own here. :)


Re: Malware detected in scans

Post by stuffdone » Thu Jan 28, 2021 9:14 pm

I guess it is just too complex without a boatload of cash to throw at it, which I don't have.

I will just keep stomping out the fire.

Scans find the actual code and remove it so it is not actually doing anything to the site. It is just a mystery and an annoyance now.

Since a total reinstall did nothing, I doubt it actually has anything to do with Joomla (unless there is an exploit not yet identified), so the forum, kind as you have been, won't be able to provide me any additional insights.

But thank you all.

Re: Malware detected in scans

Post by stuffdone » Sat Apr 03, 2021 3:12 pm

I created a static site to replace Joomla. No database. I recreated the directories that had been getting infected, just as a test, but not actually part of the new static site. Those began to be infected again. Having no database etc., the infection would have been no actual problem other than an annoyance.

The only way I could get rid of this was to totally remove the site from hosting: delete the account and create a new account. It would appear either that the site was hacked without any relationship to Joomla, or that somehow it had placed malware in a directory ABOVE public_html which no scan seemed able to find.

Having deleted the entire account and created a new one, there has not been any new infection of the static site.

I am going to chalk this one up to "oh well" and move on as I have no hair left to pull out.

Thanks all !