Malicious files have been uploaded

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
Drrakken
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Aug 25, 2012 12:58 pm
Location: Doaktown, New Brunswick, Canada
Contact:

Malicious files have been uploaded

Post by Drrakken » Sun Nov 30, 2014 5:51 pm

A few minutes ago, our anti-virus scanner reported that malicious files have been uploaded to your 1&1 webspace.

Name of the files:

./administrator/components/com_admin/index.php
./administrator/components/com_joomlaupdate/config.php
./components/com_banners/banners.html.php
./includes/index.php
./libraries/simplepie/idn/OpenIDOpenID.php
./plugins/editors-xtd/mosimage.php
./templates/index.php

I believe the Joomal version to be 2.5.27 but am not 100% sure. I uploaded the fpa-en.php to the root directory but all that came up was:

Forum Post Assistant

1.2.4-Beta (Branch en-GB Language en-GB)
FPA last updated on: 01/01/2014

Hang on while we run some tests...

** SECURITY NOTICE **


Due to the highly sensitive nature of the information displayed by the FPA script,

it should be removed from the server immediately after use.

If the script is left on the site, it can be used to gather enough information to hack your site.

After use, Click Here to delete this script.

Array ( [0] => apache_child_terminate [1] => apache_request_headers [2] => apache_response_headers [3] => getallheaders )



Also at this time I can't login to the Joomla backend although I do have access to 1&1 control panel. Url is anglicanministry.com.

Where do I go from here?

Thanks

User avatar
Slackervaara
Joomla! Ace
Joomla! Ace
Posts: 1001
Joined: Sat Aug 13, 2011 6:27 am

Re: Malicious files have been uploaded

Post by Slackervaara » Sun Nov 30, 2014 7:50 pm

You can try to upload fresh files of those reported by the antivirus scanner. JHackGuard have the option to disable file upload by guests.

Drrakken
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Aug 25, 2012 12:58 pm
Location: Doaktown, New Brunswick, Canada
Contact:

Re: Malicious files have been uploaded

Post by Drrakken » Mon Dec 01, 2014 3:44 pm

Why am I getting this notice at the top of post?

FORUM RULES

Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.

I did try to use the FPA tool and posted the results which from what I can determine seemed to fail.

Also, I tried what was suggested and right now the host provider is informing me that the infected files are now gone, but I still can't get on the Joomla backend. Every time I try to login I either get
500 - An error has occurred.
Return to Control Panel

or

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Please help.

Thank you

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19658
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: Malicious files have been uploaded

Post by dhuelsmann » Mon Dec 01, 2014 5:50 pm

Drrakken wrote:Why am I getting this notice at the top of post?

FORUM RULES

Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Everyone sees that - its just part of this forums announcements.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

Drrakken
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Aug 25, 2012 12:58 pm
Location: Doaktown, New Brunswick, Canada
Contact:

Re: Malicious files have been uploaded

Post by Drrakken » Mon Dec 01, 2014 5:57 pm

Oh good, was worried I was breaking the rules and was going to be refused help. Which I'm still looking for by the way :-).

Thanks

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14791
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious files have been uploaded

Post by mandville » Tue Dec 02, 2014 12:26 am

the fpa can throw some errors with some versions of php but your host removing the files can cause the new 500 errors.
go to security checklist 7 and follow the procedures for safe route to recovery. link is in the forum sticky. "before you post/...."
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Locked

Return to “Security in Joomla! 2.5”