Support

Admin Tools

#12958 is this a standard file in joomla?

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 16 July 2012 02:13 CDT

Saturday, 14 July 2012 17:38 CDT

neltek
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.5.26
PHP version: 5.3.13
MySQL version: 5.5.24-cll
Host: www.cyberhostpro.com
Admin Tools version: latest today pro 2.2.9

Description of my issue:
Have been hacked and found files and access logs for one domain
However this domain was hit too
Have found a strange file "session_mm_cgi-fcgi1060.sem"
says it is 0 bytes

Can I delete it?

Sunday, 15 July 2012 01:57 CDT

nicholas
This is related neither to Joomla! nor a hacking attempt. It's created by PHP's CGI or FastCGI binary when run from the command line, e.g. mistakenly using it instead of the CLI binary in a CRON script. You can safely delete it but I am pretty sure you'll see it reappearing in a few hours, when the CRON which triggered its creation fires again.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 15 July 2012 04:12 CDT

neltek
Nicholas you are ace
Thanks for replying

Now... if there are no cron jobs set?...

Sunday, 15 July 2012 05:06 CDT

nicholas
If there are no CRON jobs set you'll only see that file again if someone uses the command line to run PHP from your user account.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 15 July 2012 15:12 CDT

neltek
Thanks

So I think it is realted to the hack as the access logs on one of my sites showed him running cpsess... to open a php file and insert index.html

And doing that would create this file if I have understood you correctly

cheers

Ian

Monday, 16 July 2012 02:13 CDT

nicholas
As far as I can tell from your description, the attacker was able to log in to cPanel. That's what the cpsess* in the URL implies, as it's the cPanel security token used to authenticate URLs and prevent Cross Site Request Forgery (CSRF). However this does not indicate that PHP was accessed from the command line and I still can't link the PHP mmap session file with this activity.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!