Joomla 3.9.5 hacked and mail sending


Joomla 3.9.5 hacked and mail sending

Post by mlubbertsen » Wed May 29, 2019 8:21 am

There was 1 record added to contacts.
I deleted that one.
The website was sending spam.
I cannot find any file that was changed.

The site was Joomla 3.9.5
and is now updated to 3.9.6.
Forum Post Assistant (v1.4.8 (koine)) : 29th May 2019 wrote:
Problem Description :: wrote:PHPmailers sends spam
Actions Taken To Resolve wrote:rename phpmailer.php and update site from 3.9.5 to 3.9.6
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.6-Stable (Amani) 7-May-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: true | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.6: Yes | Database Supports J! 3.9.6: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 4.9.0-9-amd64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 250.83 GiB |

PHP Configuration :: Version: 7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98 | PHP API: apache2handler | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: /var/log/php-errors.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /usr/home/ws/beachpull/www.beachpull.nl/www/:/tmp | Uploads: 1 | Max. Upload Size: 50000000 | Max. POST Size: 120000000 | Max. Input Time: -1 | Max. Execution Time: 300 | Memory Limit: 256M

Database Configuration :: Version: 5.5.5-10.0.38-MariaDB-0+deb8u1 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 26.71 MiB | #of Tables:  220
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | date (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | libxml (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | openssl (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | pcre (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | zlib (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | filter (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | hash (1.0) | Reflection (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | SPL (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | session (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | standard (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | apache2handler () | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: 38fea24f2847fa7519001be390c98ae0acafe387 $) | PDO (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xml (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | bcmath (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | calendar (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | ctype (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | curl (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | dom (20031129) | mbstring (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | fileinfo (1.0.5) | ftp (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | gd (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | gettext (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | iconv (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | imap (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | intl (1.1.0) | json (1.5.0) | exif (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | mcrypt (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | mysqli (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | pdo_mysql (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | pdo_sqlite (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | Phar (2.0.2) | posix (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | readline 
(7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | shmop (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | SimpleXML (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sockets (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sqlite3 (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sysvmsg (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sysvsem (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | sysvshm (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | tokenizer (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | wddx (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xmlreader (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xmlwriter (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | xsl (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | zip (1.13.5) | ionCube Loader () | Zend OPcache (7.1.29-1+0~20190503101539.18+stretch~1.gbp946c98) | Zend Engine (3.1.0) |
Potential Missing Extensions ::
Disabled Functions :: apache_note | apache_setenv | chgrp | closelog | debugger_off | debugger_on | define_sys | define_syslog_variables | diskfreespace | dl | escapeshellarg | escapeshellcmd | exec | getmypid | getmyuid | ini_restore | leak | listen | openlog | passthru | pclose | pcntl_alarm | pcntl_exec | pcntl_fork | pcntl_getpriority | pcntl_get_last_error | pcntl_setpriority | pcntl_signal | pcntl_signal_dispatch | pcntl_sigprocmask | pcntl_sigtimedwait | pcntl_sigwaitinfo | pcntl_strerror | pcntl_wait | pcntl_waitpid | pcntl_wexitstatus | pcntl_wifexited | pcntl_wifsignaled | pcntl_wifstopped | pcntl_wstopsig | pcntl_wtermsig | popen | posix | posix_ctermid | posix_getcwd | posix_getegid | posix_geteuid | posix_getgid | posix_getgrgid | posix_getgrnam | posix_getgroups | posix_getlogin | posix_getpgid | posix_getpgrp | posix_getpid | posix_getpwnam | posix_getpwuid | posix_getrlimit | posix_getsid | posix_getuid | posix_isatty | posix_kill | posix_mkfifo | posix_setegid | posix_seteuid | posix_setgid | posix_setpgid | posix_setsid | posix_setuid | posix_times | posix_ttyname | posix_uname | proc_close | proc_get_status | proc_nice | proc_open | proc_terminate | shell_exec | show_source | syslog | system | url_exec | _getppid |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_so | mod_watchdog | http_core | mod_log_config | mod_logio | mod_version | mod_unixd | mod_access_compat | mod_actions | mod_alias | mod_auth_basic | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_deflate | mod_dir | mod_env | mod_expires | mod_filter | mod_headers | mod_http2 | mod_mime | prefork | mod_negotiation | mod_php7 | mod_reqtimeout | mod_rewrite | mod_setenvif | mod_socache_shmcb | mod_ssl | mod_status | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 8911280 | Threads: 42 | Questions: 6390498998 | Slow queries: 24102 | Opens: 24690275 | Flush tables: 1 | Open tables: 10240 | Queries per second avg: 717.124 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_actionlogs (3.9.0) 1 | com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_associations (3.7.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_privacy (3.9.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 | com_weblinks (3.6.0) 1 |
3rd Party:: JCH Optimize (5.4.2) 1 | COM_SIGPRO (3.0.0) 1 | Tabulizer (6.2.2) 1 | COM_YENDIFVIDEOSHARE (1.2.6) 1 |

Modules :: SITE ::
Core :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_weblinks (3.6.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
3rd Party:: S5 Accordion Menu (2.2.0) 1 | S5 Box (6.1.2) 1 | S5 Image and Content Fader v4 (4.3.0) 1 | Shape 5 Live Search (3.0) 1 | S5 MailChimp Signup (1.0.0) 1 | S5 Register (3.2.0) 1 | S5 Tab Show (3.2.0) 1 | Yendif Video Share - Categories (1.2.6) 1 | Yendif Video Share - Player (1.2.6) 1 | Yendif Video Share - Playlist (1.2.6) 1 | Yendif Video Share - Search (1.2.6) 1 | Yendif Video Share - Videos (1.2.6) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |
3rd Party::

Libraries :: SITE ::
Core ::
3rd Party:: Free Mono (-) ? | Helvetica (-) ? | TCPDF (5.9.144) ? |

Plugins :: SITE ::
Core :: PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_content_confirmconsent (3.9.0) 0 | plg_content_emailcloak (3.0.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_geshi (2.5.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_weblinks (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.0.5) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck 
(3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_weblinks (3.6.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 1 | plg_system_languagefilter (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_redirect (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_terms (3.9.0) 0 |
3rd Party:: PLG_EMBED_GOOGLE_MAP (2.1.0) 1 | Content - Simple Image Gallery Pro (3.0.0) ? | S5 Disqus Comments (1.1.0) 1 | Content - Tabulizer CSS (6.2.2) 1 | Yendif Video Share - Player (1.2.6) 1 | Button - Simple Image Gallery Pro (3.0.0) 1 | Button - ReTabulizer (6.2.2) 1 | Button - Tabulizer (6.2.2) 1 | Button - Tabulizer Data Source (6.2.2) 1 | plg_editors_codemirror (5.40.0) 1 | plg_editors_tinymce (4.5.9) 1 | K2 - Simple Image Gallery Pro (3.0.0) 1 | plg_search_tabulizerds (6.2.2) 0 | Yendif Video Share - Search (1.2.6) 1 | System - S5 Flex Menu (1.0) 1 | PLG_SYSTEM_JCH_OPTIMIZE (5.4.2) 1 | System - Tabulizer CSS (6.2.2) 1 | System - Tabulizer CSS Legacy (6.2.2) 1 |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) 1 | beez3 (3.1.0) 1 | beez5 (2.5.0) 1 | beez_20 (2.5.0) 1 | outdoor_life (1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: bluestork (2.5.0) 1 | hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Sun Jun 02, 2019 4:41 pm, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability


Re: Joomla 3.9.5 hacked and mail sending

Post by mlubbertsen » Wed May 29, 2019 8:22 am

mail log from provider:

[28-May-2019 07:54:41 Europe/Amsterdam] mail() on
[/usr/home/lsw_data_ws_dro/beachpull/www.beachpull.nl/www/libraries/vendor/p ... er.php:700]:
To: email@email.com -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Beachpull Reply-To: editak Message-ID:
<93e4ffae414eb65c4a95c46fb5121fe1@beachpull.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit -- Subject: =?utf-8?B?VG90YWwgQWdyaSBCZWFjaHB1bGw6IOG1guG1g+KBseG1l+KBsQ==?=
=?utf-8?B?4oG/4bWNIOG2oOG1ksqzIMq44bWS4bWYyrMgyrPhtYnhtZbLocq4?=
[28-May-2019 07:54:41 Europe/Amsterdam] mail() on
[/usr/home/lsw_data_ws_dro/beachpull/www.beachpull.nl/www/libraries/vendor/p ... er.php:700]:
To: editak@gmx.ch -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Beachpull Reply-To: editak Message-ID:
<4b7d689e77c141f36abb514e55d2c945@beachpull.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit -- Subject: =?utf-8?B?S29waWUgdmFuOiDhtYLhtYPigbHhtZfigbHigb/htY0g4bag4bWSyrMg?=
=?utf-8?B?yrjhtZLhtZjKsyDKs+G1ieG1lsuhyrg=?=
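
Added example (not part of the original posts): Python that parses PHP `mail()` log entries like the two quoted above, decodes the RFC 2047 subjects and NFKC-folds them, so the calling script, the recipients and the actual subject wording can be reviewed. The names `parse_mail_log`, `decode_subject` and `senders` are chosen here; the sample is the log text from the post, with the script path left as the forum truncated it.

```python
import re
import unicodedata
from collections import Counter
from email.header import decode_header

# Log text copied from the post above (line wraps and truncated path as posted).
SAMPLE_LOG = """\
[28-May-2019 07:54:41 Europe/Amsterdam] mail() on
[/usr/home/lsw_data_ws_dro/beachpull/www.beachpull.nl/www/libraries/vendor/p ... er.php:700]:
To: email@email.com -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Beachpull Reply-To: editak Message-ID:
<93e4ffae414eb65c4a95c46fb5121fe1@beachpull.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit -- Subject: =?utf-8?B?VG90YWwgQWdyaSBCZWFjaHB1bGw6IOG1guG1g+KBseG1l+KBsQ==?=
=?utf-8?B?4oG/4bWNIOG2oOG1ksqzIMq44bWS4bWYyrMgyrPhtYnhtZbLocq4?=
[28-May-2019 07:54:41 Europe/Amsterdam] mail() on
[/usr/home/lsw_data_ws_dro/beachpull/www.beachpull.nl/www/libraries/vendor/p ... er.php:700]:
To: editak@gmx.ch -- Headers: Date: Tue, 28 May 2019 07:54:41 +0200 From: Beachpull Reply-To: editak Message-ID:
<4b7d689e77c141f36abb514e55d2c945@beachpull.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit -- Subject: =?utf-8?B?S29waWUgdmFuOiDhtYLhtYPigbHhtZfigbHigb/htY0g4bag4bWSyrMg?=
=?utf-8?B?yrjhtZLhtZjKsyDKs+G1ieG1lsuhyrg=?=
"""

# One entry: "[time] mail() on [script:line]: To: .. -- Headers: .. -- Subject: .."
ENTRY = re.compile(
    r"^\[(?P<when>[^\]]+)\] mail\(\) on\s+\[(?P<script>.+?):(?P<line>\d+)\]:\s+"
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*?) -- Subject: (?P<subject>.*?)"
    r"(?=^\[[^\]]+\] mail\(\) on|\Z)", re.M | re.S)

def decode_subject(raw):
    """Unfold a wrapped Subject and decode its RFC 2047 encoded words."""
    parts = []
    for data, charset in decode_header(" ".join(raw.split())):
        if isinstance(data, bytes):
            data = data.decode(charset or "ascii", errors="replace")
        parts.append(data)
    return "".join(parts)

def parse_mail_log(text):
    """Return one dict per logged mail() call."""
    entries = []
    for m in ENTRY.finditer(text):
        subject = decode_subject(m["subject"])
        entries.append({
            "when": m["when"], "script": " ".join(m["script"].split()),
            "line": int(m["line"]), "to": m["to"].strip(),
            "subject": subject,
            # NFKC folds superscript/modifier letters to plain letters so
            # keyword filters and grouping see the real wording.
            "subject_folded": unicodedata.normalize("NFKC", subject),
        })
    return entries

def senders(entries):
    """Count mails per calling script and line."""
    return Counter((e["script"], e["line"]) for e in entries)

if __name__ == "__main__":
    for e in parse_mail_log(SAMPLE_LOG):
        print(e["when"], e["to"], repr(e["subject_folded"]))
```

On this sample both subjects fold to the same phrase, one prefixed with the site name and the other with "Kopie van:" (Dutch for "Copy of:").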


Re: Joomla 3.9.5 hacked and mail sending

Post by leolam » Sun Jun 02, 2019 3:48 pm

I do not believe your site is hacked. You are being spoofed, is my belief. See more on this: https://help.hover.com/hc/en-us/article ... mpromised-

Leo 8)


Re: Joomla 3.9.5 hacked and mail sending

Post by mlubbertsen » Thu Jun 06, 2019 6:09 am

The log file is from the webserver, and after the provider disabled this website the email stopped.
At this moment I have renamed the phpmailer directory, and it is not possible to send mail from the site.

There is 1 record added in the contacts table of Joomla.
Can you explain how anyone can add this without database access?

I do not have any contact form on the site to send email, not in the menu and not in the site.
Can anyone access the contact form without an existing contact form in the menu of the site?


Re: Joomla 3.9.5 hacked and mail sending

Post by Per Yngve Berg » Thu Jun 06, 2019 4:13 pm

mlubbertsen wrote:
Thu Jun 06, 2019 6:09 am
I do not have any contact form on the site to send email, not in the menu and not in the site.
Can anyone access the contact form without an existing contact form in the menu of the site?
Yes.

There is an option in User Manager to have a contact automatically created when a user is created.

Is user registration enabled in user manager?


Re: Joomla 3.9.5 hacked and mail sending

Post by mlubbertsen » Thu Jun 06, 2019 7:06 pm

User registration is disabled at the site.
There is not any new user at the site.


Re: Joomla 3.9.5 hacked and mail sending

Post by jgarvas » Mon Jun 10, 2019 3:57 pm

Have you found anything mlubbertsen? I just had a site start doing this and I shut down apache trying to find the culprit. It's a mix of spam sending and occasional malware/ransomware attempts when the main page is loaded, intermixed with it just acting normally. Poking around the logs and the file system I can't find anything that was done. It must be hidden well so I'm looking for any success you had?


Re: Joomla 3.9.5 hacked and mail sending

Post by mandville » Mon Jun 10, 2019 6:12 pm

Looking at your FPA, you have the S5 Register module, which is very out of date; could that be your entry point?
S5 Register Module module 16 Aug 2018 4.0.2
Tabulizer - several versions behind, please check all extensions