Joomla files automatically updated

Discussion regarding Joomla! 3.x security issues.

brianlucas
Joomla! Apprentice
Posts: 13
Joined: Tue Apr 19, 2011 1:40 am
Location: USA

Joomla files automatically updated

Post by brianlucas » Fri Jun 29, 2018 10:24 pm

Hi folks,

Does anyone know of any automated processes that could have updated files on my Joomla sites in the last 2 days?

Over the last 2 days, I've had two sets of my Joomla files updated. From the dates, it looks like a script ran (all files changed in the same second). But... I didn't upgrade anything, although I was in and out of the back-end during the second wave. There is nothing in my FTP or web logs, but I went ahead and changed all of my passwords anyway. And ALL of my folders changed, including back-up folders. It looks like something scanned my files and updated the same files in all of the folders. At first, I thought my site was hacked - but then I started looking...

I do have Akeeba backup installed, but nothing ran. Also a little odd that it happened twice over 2 days. I only found it because I got an error trying to log on: 0 - Call to a member function get() on null. I posted a response to someone else's POST about the same thing (there are two related posts in the last few days). I noticed it right around the time the second wave hit.

I also noticed this in the security forum: [20180602] - Core - XSS vulnerability in language switcher module. It could be related, because the residual updates look like they might fix this issue.

Here are the files that were updated:
administrator\components\com_admin\models\forms profile.xml 6/28/18 11:29:30
administrator\components\com_login\models login.php 6/29/18 10:24:21
components\com_users\controllers user.php 6/29/18 10:24:21
components\com_users\models login.php 6/29/18 10:24:21
components\com_users\models\forms frontend.xml 6/29/18 10:24:21
libraries loader.php 6/29/18 10:24:21
libraries\joomla\form\fields plugins.php 6/28/18 11:29:30
libraries\vendor\joomla\input\src Input.php 6/29/18 10:24:21
modules\mod_languages\tmpl default.php 6/28/18 11:29:30
modules\mod_random_image\tmpl default.php 6/28/18 11:29:30

These files changed, but a compare against the backups shows only line-end differences (which makes me think somebody goofed, then corrected it.)
administrator\components\com_login\models\login.php
components\com_users\controllers\user.php
components\com_users\models\login.php
libraries\vendor\joomla\input\src\Input.php
libraries\loader.php


My site is back up, but if anyone can help me figure out the mystery, I'd appreciate it.

Brian
Brian Lucas

toivo
Joomla! Master
Posts: 17435
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Joomla files automatically updated

Post by toivo » Fri Jun 29, 2018 10:47 pm

Joomla updates are not run automatically unless you have a third party extension that would do that, or if your host provides an auto update service.

Have you compared the contents of those files to the versions in the 3.8.10 release?

You can audit the Joomla files by signing up with myJoomla.com, where the first software audit is free.
Toivo Talikka, Global Moderator
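The comparison suggested above can be scripted. This is an added example, not code from any poster or from the Joomla project: it compares a site tree against an unpacked known-good copy, separates line-ending-only differences from real content changes, and groups changed files by modification second. The directory layout, file contents and timestamps are constructed for the demo.

```python
import os
import tempfile
from collections import defaultdict


def normalize_eol(data):
    """Collapse CRLF and bare CR to LF so only real content changes remain."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def list_files(root):
    """Return every file under root as a '/'-separated relative path."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found


def read_bytes(root, rel):
    with open(os.path.join(root, *rel.split("/")), "rb") as fh:
        return fh.read()


def compare_trees(site_root, reference_root):
    """Classify each path: identical, eol_only, modified, missing_in_site, extra_in_site."""
    site, ref = list_files(site_root), list_files(reference_root)
    report = {}
    for rel in sorted(site | ref):
        if rel not in site:
            report[rel] = "missing_in_site"
        elif rel not in ref:
            report[rel] = "extra_in_site"  # not in the reference copy: review by hand
        else:
            a, b = read_bytes(site_root, rel), read_bytes(reference_root, rel)
            if a == b:
                report[rel] = "identical"
            elif normalize_eol(a) == normalize_eol(b):
                report[rel] = "eol_only"
            else:
                report[rel] = "modified"
    return report


def mtime_batches(root, rel_paths, min_size=2):
    """Group paths by modification second; files sharing a second suggest a script ran."""
    batches = defaultdict(list)
    for rel in rel_paths:
        second = int(os.stat(os.path.join(root, *rel.split("/"))).st_mtime)
        batches[second].append(rel)
    return {s: sorted(p) for s, p in batches.items() if len(p) >= min_size}


def build_constructed_demo(base):
    """Create a 'reference' and a 'site' tree with constructed contents and mtimes."""
    ref_files = {
        "index.php": b"<?php\n// entry point\n",
        "libraries/loader.php": b"<?php\n// loader\n",
        "components/com_users/models/login.php": b"<?php\n// login model\n",
        "modules/mod_languages/tmpl/default.php": b"<?php\necho $title;\n",
    }
    site_files = dict(ref_files)
    site_files["libraries/loader.php"] = b"<?php\r\n// loader\r\n"
    site_files["components/com_users/models/login.php"] = b"<?php\r\n// login model\r\n"
    site_files["modules/mod_languages/tmpl/default.php"] = (
        b"<?php\necho htmlspecialchars($title);\n")
    site_files["tmp/x.php"] = b"<?php // constructed file that is not in the reference\n"
    for tree, files in (("reference", ref_files), ("site", site_files)):
        for rel, data in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:  # binary mode keeps CRLF intact
                fh.write(data)
    # Constructed timestamps: two "waves" plus one old, untouched file.
    mtimes = {
        "index.php": 1480550400,
        "modules/mod_languages/tmpl/default.php": 1530185370,
        "tmp/x.php": 1530185370,
        "libraries/loader.php": 1530267861,
        "components/com_users/models/login.php": 1530267861,
    }
    for rel, ts in mtimes.items():
        os.utime(os.path.join(base, "site", *rel.split("/")), (ts, ts))
    return os.path.join(base, "site"), os.path.join(base, "reference")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        site, ref = build_constructed_demo(base)
        report = compare_trees(site, ref)
        for rel, status in report.items():
            print(f"{status:16} {rel}")
        changed = [p for p, s in report.items() if s not in ("identical", "missing_in_site")]
        for second, paths in sorted(mtime_batches(site, changed).items()):
            print(second, paths)
```

Against a real site, the reference tree would be the unpacked release package that matches the installed Joomla version; anything reported as `modified` or `extra_in_site` is what needs manual review.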

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Joomla files automatically updated

Post by sozzled » Fri Jun 29, 2018 10:50 pm

Always puzzling, isn't it, when things go bump in the night and there's no earthly rational, scientific explanation for the cause.

Joomla (of and by itself) doesn't do anything automatically without something (or someone) triggering the event. Even email notifications that there's a Joomla CMS update available (or an update for an installed extension) don't happen magically without some kind of trigger.

This leaves us with a few possibilities:

1) The website wasn't updated at all; some files were changed but those changes were the result of a rogue process outside the control of the website owner.

2) The webhosting provider may have changed the software underpinning the website.

3) "Someone" logged in to the backend and initiated the Joomla! Update process (or updated some extension(s)).

4) No-one logged in to the website but they had FTP or other access to the file system and made some changes.

5) "Someone" has access via a remote update service (e.g. Watchful.li) to initiate a J! (or extension) update.

In any case, not knowing (a) what J! version you were using before the problems started, (b) what J! version you are now using, and (c) a complete list of all the extensions that you've installed (the FPA report is always a good place to start), I'm just guessing.

brianlucas
Joomla! Apprentice
Posts: 13
Joined: Tue Apr 19, 2011 1:40 am
Location: USA

Re: Joomla files automatically updated

Post by brianlucas » Fri Jun 29, 2018 11:21 pm

Thank you for helping! I've narrowed it down to (1) or (2) - something outside my control but inside the hosting environment ran. There are no FTP or HTTP log traces of any activity at these times. But just in case someone can spot something obvious, here is my FPA output (part 1 of 2):
Forum Post Assistant (v1.4.3 (Frosty)) : 29th June 2018 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.6.5-Stable (Noether) 1-December-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (640) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.6
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 30 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 21 | Unicode Slugs: 0 | dbConnection Type: mysqli | PHP Supports J! 3.6.5: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-714.10.2.lve1.5.17.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 491.12 GiB |

PHP Configuration :: Version: 7.0.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: /dev/null | Last Known Error: 21st June 2018 06:24:18. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 512M

Database Configuration :: Version: 5.5.5-10.2.14-MariaDB-log (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 25.00 MiB | #of Tables: 189
Detailed Environment :: wrote:PHP Extensions :: Core (7.0.29) | date (7.0.29) | libxml (7.0.29) | openssl (7.0.29) | pcre (7.0.29) | zlib (7.0.29) | bcmath (7.0.29) | bz2 (7.0.29) | calendar (7.0.29) | ctype (7.0.29) | curl (7.0.29) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.0.29) | ftp (7.0.29) | gd (7.0.29) | gettext (7.0.29) | SPL (7.0.29) | iconv (7.0.29) | session (7.0.29) | intl (1.1.0) | json (1.4.0) | mbstring (7.0.29) | mcrypt (7.0.29) | standard (7.0.29) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | mysqli (7.0.29) | PDO (7.0.29) | pdo_mysql (7.0.29) | pdo_pgsql (7.0.29) | pgsql (7.0.29) | Phar (2.0.2) | posix (7.0.29) | pspell (7.0.29) | Reflection (7.0.29) | imap (7.0.29) | SimpleXML (7.0.29) | soap (7.0.29) | sockets (7.0.29) | exif (7.0.29) | tidy (7.0.29) | tokenizer (7.0.29) | xml (7.0.29) | xmlreader (7.0.29) | xmlrpc (7.0.29) | xmlwriter (7.0.29) | xsl (7.0.29) | zip (1.13.5) | cgi-fcgi () | sqlite3 (7.0.29) | pdo_sqlite (7.0.29) | ionCube Loader () | Zend Engine (3.0.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 751666 | Threads: 387 | Questions: 1868964873 | Slow queries: 78156 | Opens: 21604902 | Flush tables: 1 | Open tables: 16384 | Queries per second avg: 2486.429 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party:: os_authnet (2.7.1) 1 | os_offline (2.7.1) 1 | os_paypal (2.7.1) 1 | os_stripe (2.8.0) 1 | os_eway (2.7.1) 1 | WF_SOURCE_TITLE (2.6.7.1) 1 | WF_HR_TITLE (2.6.7.1) 1 | WF_VISUALCHARS_TITLE (2.6.7.1) 1 | WF_IMGMANAGER_TITLE (2.6.7.1) 1 | WF_FORMATSELECT_TITLE (2.6.7.1) 1 | WF_CLIPBOARD_TITLE (2.6.7.1) 1 | WF_TEXTCASE_TITLE (2.6.7.1) 1 | WF_FONTCOLOR_TITLE (2.6.7.1) 1 | WF_LINK_TITLE (2.6.7.1) 1 | WF_ARTICLE_TITLE (2.6.7.1) 1 | WF_FONTSIZESELECT_TITLE (2.6.7.1) 1 | WF_AUTOSAVE_TITLE (2.6.7.1) 1 | WF_STYLE_TITLE (2.6.7.1) 1 | WF_LAYER_TITLE (2.6.7.1) 1 | WF_LISTS_TITLE (2.6.7.1) 1 | WF_KITCHENSINK_TITLE (2.6.7.1) 1 | WF_SPELLCHECKER_TITLE (2.6.7.1) 1 | WF_STYLESELECT_TITLE (2.6.7.1) 1 | WF_PREVIEW_TITLE (2.6.7.1) 1 | WF_MEDIA_TITLE (2.6.7.1) 1 | WF_CHARMAP_TITLE (2.6.7.1) 1 | WF_SEARCHREPLACE_TITLE (2.6.7.1) 1 | WF_VISUALBLOCKS_TITLE (2.6.7.1) 1 | WF_CONTEXTMENU_TITLE (2.6.7.1) 1 | WF_NONBREAKING_TITLE (2.6.7.1) 1 | WF_PRINT_TITLE (2.6.7.1) 1 | WF_ANCHOR_TITLE (2.6.7.1) 1 | WF_TABLE_TITLE (2.6.7.1) 1 | WF_BROWSER_TITLE (2.6.7.1) 1 | WF_EMOTIONS_TITLE (2.6.7.1) 1 | WF_DIRECTIONALITY_TITLE (2.6.7.1) 1 | WF_FONTSELECT_TITLE (2.6.7.1) 1 | WF_CLEANUP_TITLE (2.6.7.1) 1 | WF_FULLSCREEN_TITLE (2.6.7.1) 1 | WF_INLINEPOPUPS_TITLE (2.6.7.1) 1 | WF_XHTMLXTRAS_TITLE (2.6.7.1) 1 | WF_POPUPS_WINDOW_TITLE (2.6.7.1) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.7.1) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.7.1) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.7.1) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.7.1) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.7.1) 1 | WF_LINK_SEARCH_TITLE (2.6.7.1) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.7.1) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.7.1) 1 |

Components :: ADMIN ::
Core :: com_finder (3.0.0) 1 | com_plugins (3.0.0) 1 | com_content (3.0.0) 1 | com_admin (3.0.0) 1 | com_templates (3.0.0) 1 | com_media (3.0.0) 1 | com_installer (3.0.0) 1 | com_config (3.0.0) 1 | com_modules (3.0.0) 1 | com_login (3.0.0) 1 | com_menus (3.0.0) 1 | com_checkin (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_categories (3.0.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_messages (3.0.0) 1 | com_banners (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_users (3.0.0) 1 | com_tags (3.1.0) 1 | com_newsfeeds (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_languages (3.0.0) 1 | com_ajax (3.2.0) 1 | com_cache (3.0.0) 1 |
3rd Party:: AcyMailing (5.6.1) 0 | AcyMailing Module (3.7.0) 0 | AcyMailing Template Class Repl (5.6.1) 1 | AcyMailing Tag : Joomla User I (5.6.1) 1 | AcyMailing : share on social n (1.0.0) 1 | AcyMailing Tag : Subscriber in (5.6.1) 1 | AcyMailing Tag : Manage the Su (5.6.1) 1 | AcyMailing table of contents g (1.0.0) 1 | AcyMailing Editor (5.6.1) 0 | AcyMailing Tag : content inser (3.7.0) 1 | AcyMailing Tag : Date / Time (5.6.1) 0 | AcyMailing Manage text (1.0.0) 0 | AcyMailing Tag : Website links (3.7.0) 0 | AcyMailing : (auto)Subscribe d (5.6.1) 1 | AcyMailing : Statistics Plugin (3.7.0) 0 | AcyMailing : trigger Joomla Co (3.7.0) 1 | AcyMailing Tag and filter : Co (3.7.2) 1 | AcyMailing Tag and filter : Co (3.7.2) 1 | AcyMailing (4.9.4) 0 | com_osmembership (2.7.1) 1 | HikaShop (2.6.4) 0 | HikaShop Product TAG insertion (2.6.4) 1 | Hikashop - Redshop Fallback Re (2.6.4) 1 | System - Hikashop Social Plugi (2.6.4) 1 | Hikashop WorldPay Business Gat (2.6.4) 1 | Ogone Payment Plugin (2.6.4) 1 | Hikashop Currency Switcher Mod (2.6.4) 1 | Hikashop Western Union Payment (2.6.4) 1 | Hikashop - VirtueMart Fallback (2.6.4) 1 | Hikashop Massaction Address Pl (2.6.4) 1 | Hikashop Innovative Gateway Pa (2.6.4) 1 | HikaShop Product TAG translati (2.6.4) 1 | Hikashop Postfinance Payment P (2.6.4) 1 | Hikashop Registration Redirect (2.6.4) 1 | Hikashop Amazon Payment Plugin (2.6.4) 1 | Hikashop - Kashflow invoice sy (2.6.4) 1 | Hikashop CANPAR Shipping Plugi (1.0.0) 1 | HikaShop tax calculations over (2.6.4) 1 | Hikashop ATOS SIPS 2.0 Payment (2.6.4) 1 | Hikashop Paypal Advanced payme (2.6.4) 1 | Hikashop TaxCloud Plugin (2.6.4) 0 | Hikashop Virtual Merchant (Ela (2.6.4) 1 | Hikashop Paypal Payment Plugin (2.6.4) 1 | Hikashop Cart Module (2.6.4) 1 | Hikashop Nets NETAXEPT Payment (2.6.4) 1 | Hikashop Massaction Category P (2.6.4) 1 | Hikashop Payza Payment Plugin (2.6.4) 1 | Hikashop CardSave Payment Plug (2.6.4) 1 | Hikashop Manual Shipping Plugi (2.6.4) 1 | Hikashop Paypal 
Website Paymen (2.6.4) 1 | Hikashop Authorize.net Payment (2.6.4) 1 | Hikashop Check Payment Plugin (2.6.4) 1 | Hikashop Product Tag (2.6.4) 1 | Hikashop Purchase Order Paymen (2.6.4) 1 | Hikashop PaymentExpress (PxPay (2.6.4) 1 | Hikashop User account Plugin (2.6.4) 1 | Hikashop SagePay Payment Plugi (2.6.4) 1 | Hikashop googlewallet Payment (1.0) 1 | Hikashop Massaction Product Pl (2.6.4) 1 | Hikashop Alipay Payment Plugin (2.6.4) 1 | Hikashop Platron Payment Plugi (2.6.0) 1 | Hikashop USPS Shipping Plugin (2.6.4) 1 | HikaShop Shipping Manual - Pri (2.6.4) 1 | Hikashop Paybox Plugin (2.6.4) 1 | Hikashop Australia Post eDeliv (2.6.4) 1 | Hikashop OKPay Payment Plugin (2.6.0) 1 | Hikashop Borgun payment plugin (2.6.4) 1 | Hikashop Module (2.6.4) 1 | HikaShop Payment Notification (2.6.4) 1 | Hikashop PayU India Payment Pl (2.6.4) 1 | Hikashop CyberMuth CIC Payment (2.6.4) 1 | HikaShop: Date Picker Custom F (2.6.4) 1 | Hikashop PayJunction Payment P (2.6.4) 1 | Hikashop Credit Card Payment P (2.6.4) 1 | Hikashop Validate free order P (2.6.4) 1 | Hikashop Be2Bill Payment Plugi (2.6.4) 1 | Search - Hikashop Products (2.6.4) 1 | Hikashop Google Checkout Payme (2.6.4) 1 | Search - Hikashop Categories/M (2.6.4) 1 | Hikashop Servired Payment Plug (2.6.4) 1 | Hikashop westpacapi Payment Pl (1.0) 1 | Hikashop FirstData Payment Plu (2.6.4) 1 | Hikashop Collect On Delivery P (2.6.4) 1 | User - HikaShop (2.6.4) 1 | Hikashop iVeri Payment Plugin (2.6.4) 1 | Hikashop CECA Payment Plugin (2.6.0) 1 | Hikashop SIPS ATOS Payment Plu (2.6.4) 1 | Hikashop no SSL outside checko (2.6.4) 1 | Hikashop MasterCard Internet G (2.6.4) 1 | HikaShop Google Dynamic Remark (2.6.4) 1 | Hikashop Beanstream Payment Pl (2.6.4) 1 | Hikashop SOFORT Payment Plugin (2.6.0) 1 | HikaShop Netgiro payment plugi (2.6.0) 1 | Hikashop payfast Payment Plugi (2.6.4) 1 | Hikashop Massaction Order Plug (2.6.4) 1 | Hikashop Australia Post eDeliv (2.6.4) 1 | Hikashop iPayDNA Payment Plugi (2.6.4) 1 | Hikashop Bluepaid 
Payment Plug (2.6.4) 1 | Hikashop HSBC Payment Plugin (2.6.4) 1 | Hikashop UPS Shipping Plugin (2.6.4) 1 | Hikashop Paypal Express Checko (1.0.0) 1 | Hikashop Paypal Pro Payment Pl (2.6.4) 1 | Hikashop Moneybookers Payment (2.6.4) 1 | HikaShop Quick Icon (2.6.4) 1 | Hikashop - Mijoshop Fallback R (2.6.4) 1 | Hikashop BitCoin Payment Plugi (1.0.0) 1 | Hikashop WorldNetTPS Payment P (2.6.4) 1 | Hikashop ePay Payment Plugin (2.6.4) 1 | Hikashop Stripe Payment Plugin (2.6.0) 1 | Hikashop eWAY Payment Plugin (2.6.4) 1 | Hikashop Envoimoinscher Shippi (2.6.0) 1 | System - HikaShop Mass Action (2.6.4) 1 | Hikashop Worldpay Global Gatew (2.6.4) 1 | Hikashop PayPlug payment plugi (2.6.4) 1 | Hikashop Massaction User Plugi (2.6.4) 1 | Hikashop CANADA POST Shipping (2.6.4) 1 | Hikashop Bank Transfer Payment (2.6.4) 1 | Hikashop adyen Payment Plugin (2.6.4) 1 | Hikashop FedEx Shipping Plugin (2.6.4) 1 | Hikashop History Plugin (2.6.4) 1 | Hikashop Paygate Payment Plugi (2.6.4) 1 | Hikashop eSelect Payment Plugi (2.6.4) 1 | Hikashop Payment Express Payme (2.6.4) 1 | Hikashop Common Joomla Payment (2.6.4) 1 | COM_JCE (2.6.7.1) 1 | Virtual Domains (1.3.1) 1 | Akeeba (5.2.5) 1 | Quick Logout (1.9.3) 1 | COM_K2 (2.7.1) 1 | com_layer_slider (5.1.1.048) 1 | COM_REDIRECTONLOGIN (4.0.2) 0 | System - Redirect On Login (3.0.0) 1 | User - Redirect On Login (3.0.0) 1 |

Modules :: SITE ::
Core :: mod_articles_latest (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_custom (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_search (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_syndicate (3.0.0) 1 |
3rd Party:: AcyMailing Module (3.7.0) 0 | K2 Users (2.7.1) 1 | Hikashop Currency Switcher Mod (2.6.4) 1 | Membership Plans (2.7.1) 1 | Hikashop Cart Module (2.6.4) 1 | Blue Design (1.0) 0 | Hikashop Module (2.6.4) 1 | K2 Content (2.7.1) 1 | Membership Status (2.7.1) 1 | Membership Pro View (2.7.1) 1 | K2 User (2.7.1) 1 | Layer Slider (5.1.1.048) 1 | K2 Comments (2.7.1) 1 | mod_vdlanguage (1.1.0) 1 | K2 Tools (2.7.1) 1 |

Modules :: ADMIN ::
Core :: mod_quickicon (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_title (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_version (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_status (3.0.0) 1 |
3rd Party:: K2 Quick Icons (admin) (2.7.1) 1 | K2 Stats (admin) (2.7.1) 1 |

Brian Lucas

brianlucas
Joomla! Apprentice
Posts: 13
Joined: Tue Apr 19, 2011 1:40 am
Location: USA

Re: Joomla files automatically updated

Post by brianlucas » Fri Jun 29, 2018 11:25 pm

FPA Output, part 2 of 2:
Forum Post Assistant (v1.4.3 (Frosty)) : 29th June 2018 wrote:
Basic Environment :: wrote:

Plugins :: SITE ::
Core :: plg_captcha_recaptcha (3.4.0) 0 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_sef (3.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_emailcloak (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 |
3rd Party:: HikaShop Product TAG insertion (2.6.4) 1 | plg_editors-xtd_sourcerer (6.3.7) 1 | Layer Slider editor extend (1.0.0) 1 | Hikashop CyberMuth CIC Payment (2.6.4) 1 | Hikashop Bank Transfer Payment (2.6.4) 1 | Hikashop Paybox Plugin (2.6.4) 1 | Hikashop Innovative Gateway Pa (2.6.4) 1 | Hikashop CardSave Payment Plug (2.6.4) 1 | Hikashop FirstData Payment Plu (2.6.4) 1 | Hikashop PaymentExpress (PxPay (2.6.4) 1 | Hikashop Worldpay Global Gatew (2.6.4) 1 | Hikashop Authorize.net Payment (2.6.4) 1 | Hikashop Credit Card Payment P (2.6.4) 1 | Hikashop PayU India Payment Pl (2.6.4) 1 | Hikashop payfast Payment Plugi (2.6.4) 1 | Hikashop Servired Payment Plug (2.6.4) 1 | Hikashop adyen Payment Plugin (2.6.4) 1 | Hikashop Nets NETAXEPT Payment (2.6.4) 1 | Hikashop WorldNetTPS Payment P (2.6.4) 1 | Hikashop WorldPay Business Gat (2.6.4) 1 | Hikashop Virtual Merchant (Ela (2.6.4) 1 | Ogone Payment Plugin (2.6.4) 1 | Hikashop Moneybookers Payment (2.6.4) 1 | Hikashop OKPay Payment Plugin (2.6.0) 1 | Hikashop Western Union Payment (2.6.4) 1 | Hikashop SIPS ATOS Payment Plu (2.6.4) 1 | Hikashop Payza Payment Plugin (2.6.4) 1 | Hikashop BitCoin Payment Plugi (1.0.0) 1 | Hikashop Platron Payment Plugi (2.6.0) 1 | Hikashop westpacapi Payment Pl (1.0) 1 | Hikashop ePay Payment Plugin (2.6.4) 1 | Hikashop PayJunction Payment P (2.6.4) 1 | Hikashop Google Checkout Payme (2.6.4) 1 | Hikashop Paypal Pro Payment Pl (2.6.4) 1 | Hikashop Paypal Advanced payme (2.6.4) 1 | Hikashop HSBC Payment Plugin (2.6.4) 1 | Hikashop MasterCard Internet G (2.6.4) 1 | Hikashop Check Payment Plugin (2.6.4) 1 | Hikashop Purchase Order Paymen (2.6.4) 1 | HikaShop Netgiro payment plugi (2.6.0) 1 | Hikashop Amazon Payment Plugin (2.6.4) 1 | Hikashop Be2Bill Payment Plugi (2.6.4) 1 | Hikashop Bluepaid Payment Plug (2.6.4) 1 | Hikashop Paypal Express Checko (1.0.0) 1 | Hikashop CECA Payment Plugin (2.6.0) 1 | Hikashop Paypal Payment Plugin (2.6.4) 1 | Hikashop Alipay Payment Plugin (2.6.4) 1 | 
Hikashop iVeri Payment Plugin (2.6.4) 1 | Hikashop eWAY Payment Plugin (2.6.4) 1 | Hikashop Collect On Delivery P (2.6.4) 1 | Hikashop ATOS SIPS 2.0 Payment (2.6.4) 1 | Hikashop Payment Express Payme (2.6.4) 1 | Hikashop iPayDNA Payment Plugi (2.6.4) 1 | Hikashop Paypal Website Paymen (2.6.4) 1 | Hikashop PayPlug payment plugi (2.6.4) 1 | Hikashop eSelect Payment Plugi (2.6.4) 1 | Hikashop Borgun payment plugin (2.6.4) 1 | Hikashop Beanstream Payment Pl (2.6.4) 1 | Hikashop googlewallet Payment (1.0) 1 | Hikashop Postfinance Payment P (2.6.4) 1 | Hikashop SOFORT Payment Plugin (2.6.0) 1 | Hikashop Common Joomla Payment (2.6.4) 1 | Hikashop Paygate Payment Plugi (2.6.4) 1 | Hikashop Stripe Payment Plugin (2.6.0) 1 | Hikashop SagePay Payment Plugi (2.6.4) 1 | Hikashop Australia Post eDeliv (2.6.4) 1 | Hikashop CANADA POST Shipping (2.6.4) 1 | Hikashop USPS Shipping Plugin (2.6.4) 1 | Hikashop FedEx Shipping Plugin (2.6.4) 1 | Hikashop Australia Post eDeliv (2.6.4) 1 | Hikashop Envoimoinscher Shippi (2.6.0) 1 | Hikashop Manual Shipping Plugi (2.6.4) 1 | Hikashop UPS Shipping Plugin (2.6.4) 1 | Hikashop CANPAR Shipping Plugi (1.0.0) 1 | Membership Pro - Documents plu (2.7.1) 1 | Membership Pro - Easysocial pl (2.7.1) 1 | Membership Pro - CB plugin (2.7.1) 0 | Membership Pro - Joomla Groups (2.7.1) 1 | Membership Pro PHP Script (2.7.1) 0 | Membership Pro - Limit Subscri (2.7.1) 1 | Membership Pro - K2 Groups plu (2.7.1) 1 | Membership Pro - Acymailing pl (2.7.1) 1 | Membership Pro - Group Members (2.7.1) 1 | Membership Pro - Easy Profile (2.7.1) 1 | Membership Pro - Joomsocial pl (2.7.1) 1 | Membership Pro - Mailchimp plu (2.7.1) 1 | Membership Pro - Userprofile p (2.7.1) 1 | plg_extension_jce (2.6.7.1) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) 1 | Membership Pro Registration Re (2.7.1) 1 | System - Redirect On Login (3.0.0) 1 | Hikashop - Mijoshop Fallback R (2.6.4) 1 | HikaShop Payment Notification (2.6.4) 1 | plg_system_jce 
(2.6.7.1) 1 | Hikashop Product Tag (2.6.4) 1 | System - Hikashop Social Plugi (2.6.4) 1 | Hikashop Registration Redirect (2.6.4) 1 | System - K2 (2.7.1) 1 | System Shortcodes (2.1.4) 0 | System Membership Pro Cleaner (2.7.1) 0 | HikaShop Google Dynamic Remark (2.6.4) 1 | T3 Framework (2.6.2) 1 | User - HikaShop (2.6.4) 1 | HikaShop Product TAG translati (2.6.4) 1 | Membership Pro K2 items Restri (2.7.1) 1 | HikaShop tax calculations over (2.6.4) 1 | Hikashop - VirtueMart Fallback (2.6.4) 1 | Membership Pro Update Subscrib (2.7.1) 1 | Membership Pro Articles Restri (2.7.1) 1 | Membership Pro Reminder (2.7.1) 1 | System - virtualdomains (1.2.3-mccoy) 1 | System - HikaShop Mass Action (2.6.4) 1 | plg_system_modals (8.2.2) 0 | System - Membership Pro (2.7.1) 1 | plg_system_regularlabs (16.11.23782) 1 | Membership Pro URLs Restrictio (2.7.1) 1 | Hikashop no SSL outside checko (2.6.4) 1 | Hikashop - Redshop Fallback Re (2.6.4) 1 | plg_system_sourcerer (6.3.7) 1 | AcyMailing : (auto)Subscribe d (4.9.4) 1 | System - Membership Schedule C (2.7.1) 1 | AcyMailing Tag : Joomla User I (4.9.4) 1 | AcyMailing Manage text (1.0.0) 0 | AcyMailing : trigger Joomla Co (3.7.0) 1 | AcyMailing Tag : Website links (3.7.0) 0 | AcyMailing Tag : Manage the Su (4.9.4) 1 | AcyMailing : Statistics Plugin (3.7.0) 0 | AcyMailing table of contents g (1.0.0) 1 | AcyMailing Tag : Date / Time (4.9.4) 0 | AcyMailing Tag : Subscriber in (4.9.4) 1 | AcyMailing Tag : content inser (3.7.0) 1 | AcyMailing Tag : CB User infor (3.7.1) 1 | AcyMailing Template Class Repl (4.9.4) 1 | AcyMailing : share on social n (1.0.0) 1 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_akeebabackup (1.0) 1 | HikaShop Quick Icon (2.6.4) 1 | Hikashop - Kashflow invoice sy (2.6.4) 1 | HikaShop: Date Picker Custom F (2.6.4) 1 | Hikashop History Plugin (2.6.4) 1 | Hikashop Massaction Order Plug (2.6.4) 1 | Hikashop Massaction Category P (2.6.4) 1 | HikaShop Shipping Manual - Pri (2.6.4) 1 | Hikashop TaxCloud Plugin (2.6.4) 0 
| Hikashop Massaction User Plugi (2.6.4) 1 | Hikashop Massaction Product Pl (2.6.4) 1 | Hikashop Massaction Address Pl (2.6.4) 1 | Hikashop Validate free order P (2.6.4) 1 | Hikashop User account Plugin (2.6.4) 1 | plg_installer_jce (2.6.7.1) 1 | Installer - Membership Pro (2.7.1) 1 | Search - K2 (2.7.1) 1 | Search - Hikashop Products (2.6.4) 1 | Search - Hikashop Categories/M (2.6.4) 1 | Josetta - K2 Categories (2.6.9) 1 | Josetta - K2 Items (2.6.9) 1 | Layer slider content plugin (1.0.0) 1 | Content - Membership Restricti (2.7.1) 1 | plg_content_jce (2.6.7.1) 1 | Content - Membership Pro Conte (2.7.1) 1 | Membership Plans content plugi (2.7.1) 1 | AllVideos (by JoomlaWorks) (4.7.0) 0 | AllVideos (by JoomlaWorks) (4.7.0) 0 | User - Redirect On Login (3.0.0) 1 | User - K2 (2.7.1) 1 | User - Membership Pro (2.7.1) 0 | plg_finder_k2 (2.7.1) 0 | plg_editors_jce (2.6.7.1) 1 | plg_editors_codemirror (5.18.0) 1 | AcyMailing Editor (4.9.4) 0 | plg_editors_tinymce (4.4.3) 1 |
Templates Discovered :: wrote:Templates :: SITE :: purity_III (1.1.8) 1 | CMSBlueTheme Goodnex (1.1) 0 | protostar (1.0) 0 | beez3 (3.1.0) 0 |
Templates :: ADMIN :: hathor (3.0.0) 0 | isis (1.0) 1 |
Brian Lucas

toivo
Joomla! Master
Posts: 17435
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Joomla files automatically updated

Post by toivo » Sat Jun 30, 2018 5:51 am

The obvious, most likely reason is that Joomla 3.6.5 was replaced by Joomla 3.7.0 in April 2017 and it has therefore been out of support for 14 months. Several critical security updates have been published during that time.

Is there a reason, perhaps an incompatible third party extension or template, to justify using an out-of-date and vulnerable version?
Toivo Talikka, Global Moderator

brianlucas
Joomla! Apprentice
Posts: 13
Joined: Tue Apr 19, 2011 1:40 am
Location: USA

Re: Joomla files automatically updated

Post by brianlucas » Sat Jun 30, 2018 9:46 pm

toivo wrote:
The obvious, most likely reason is that Joomla 3.6.5 was replaced by Joomla 3.7.0 in April 2017 and it has therefore been out of support for 14 months.
I don't understand how that helps me at all. I actually find it neither obvious nor likely. After another day of research, I find no FTP/SSH/HTTP access in the logs that could explain the modified files. No CRON jobs, no records in the provider's patch logs - no trace of outside activity at all. My hosting provider even checked the bash scripts. I've pretty much concluded that this attack came from inside the hosting provider somehow, because it spanned multiple folders that are not accessible from the outside. Can anyone explain how a Joomla vulnerability can be used without HTTP, FTP or SSH, and affect other folders other than the one Joomla is running in? That would give me some clues where to look next. The only access within a few days back was a POST to the index page - but I have no way of knowing what was posted, and how that could have injected code. AND, on wave two, the files were actually replaced with what looks like a more recent patched 3.6.5 version than the one I am running - which sounds to me like someone covering their tracks (since the first attempt disabled logins with a coding error).

If anyone has any useful, specific advice about what other attack vectors may have been used, please continue to post. Not to be too direct, but posts with "the latest Joomla version would have prevented it" are neither useful nor specific for helping to find the actual cause of the attack. Rather than assuming that the latest version of Joomla would fix it, I'm the kind of person that likes to know things like that for sure - and not have a false sense of security.

p.s.
I'm not the only one affected, and I saw at least one system impacted after a 3.8.10 upgrade. That leads me to believe that it is either outside of Joomla - or the vulnerability is still in the most recent Joomla version.
Brian Lucas

deleted user

Re: Joomla files automatically updated

Post by deleted user » Sat Jun 30, 2018 10:26 pm

brianlucas wrote:
Can anyone explain how a Joomla vulnerability can be used without HTTP, FTP or SSH, and affect other folders other than the one Joomla is running in?
Clearly something is modifying files. Someone or something is doing it. Your log files aren't giving that answer. Nothing we can say or do is going to magically give it either. The fact of the matter is Joomla on its own does not arbitrarily modify files, every file modification the application can make is the direct result of an explicit user action (extension install/update, core update, modify global configuration, modify template files). The files in your lists would only be updated in a core update (even the two files in `tmpl` folders, using the template manager interface it would create an override placed in your templates directory so you wouldn't actually directly modify the original template files). As for modifying files outside the Joomla installation, Joomla isn't sandboxed and restricted to only working with known files and folders. This level of sandboxing needs additional PHP configuration you'd have to apply at the server level. If you can manage to trigger a PHP script in any way, it's going to have whatever permission the user account has (which is why things such as proper permission levels and user ownership are important, files with 777 permissions can be modified by any account on the server so if another account is compromised they'd potentially be able to mess with your stuff).
brianlucas wrote:
I'm not the only one affected, and I saw at least one system impacted after a 3.8.10 upgrade. That leads me to believe that it is either outside of Joomla - or the vulnerability is still in the most recent Joomla version.
There is no vulnerability with any capability like this in Joomla core. If you have evidence of one existing that can be consistently reproduced (as in we would need a very detailed list of steps to take), the security team should be contacted with that information to be investigated.
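The permission point in the post above can be checked on disk. This is an added example, not code from the poster or from the Joomla project: it walks a site tree and reports entries that any account on the server could modify, including files that are not world-writable themselves but sit in a world-writable directory without the sticky bit (so they can be replaced), plus entries owned by an unexpected user. The finding names and the demo tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, expected_uid=None):
    """Map relative path -> list of findings for entries other accounts could alter."""
    if expected_uid is None:
        expected_uid = os.lstat(root).st_uid  # assume the tree root has the right owner
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        # A world-writable directory without the sticky bit lets any account
        # delete or rename its entries, whatever the entries' own modes are.
        parent_open = bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world_writable")
            elif parent_open:
                reasons.append("replaceable_via_parent")
            if st.st_uid != expected_uid:
                reasons.append("owner_mismatch")
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_constructed_tree(base):
    """Create a small constructed site tree with a mix of safe and unsafe modes."""
    root = os.path.join(base, "site")
    layout = {
        "configuration.php": 0o644,
        "cache/page.php": 0o666,     # world-writable file
        "images/logo.png": 0o644,    # safe mode, but parent directory is 777
        "tmp/session.txt": 0o644,    # parent is 1777: sticky bit protects entries
    }
    dir_modes = {"": 0o755, "cache": 0o755, "images": 0o777, "tmp": 0o1777}
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(path, mode)
    # Set directory modes explicitly so the result does not depend on the umask.
    for rel, mode in dir_modes.items():
        os.chmod(os.path.join(root, rel) if rel else root, mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        root = build_constructed_tree(base)
        for rel, reasons in sorted(audit_tree(root).items()):
            print(f"{rel:20} {', '.join(reasons)}")
```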

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla files automatically updated

Post by mandville » Sat Jun 30, 2018 10:32 pm

What toivo is trying to say is:
Your Joomla is out of date and listed as vulnerable (hence why there have been updates).
Your extensions - hikashop, acymailing, stripe, hikashop, eshop (why have so many different stores?) etc etc etc to the Nth power reoccurring - are out of date and may be exploitable, causing your current situation.
Did your host check for jailshell?
Is it something like Fantastico or that other nightmare autoinstaller script?

Where exactly is this post you mention which has the same symptoms of your site?
Looking for the point of attack is almost pointless in the current situation. If it had been an up to date version of Joomla with up to date extensions you could have a case for crying foul. In the current situation all we can really do is sympathise, point out your weaknesses (there are many) like not logging into the back end of Joomla and updating/securing and suggest clean ups.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

