Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (different sites - 2.5.14 and 3.1.5)
PHP version: (5.3.13)
MySQL version: (5.1.66)
Host: (DreamHost)
Admin Tools version: (unknown)
Description of my issue:
I have AdminTools Pro on all of my sites. My hosting service (DreamHost) has just reported that a bunch of my sites have been hacked. One of the files that was hacked on every site was:
administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
Any thoughts or ideas about this? Below is the full report from DH.
Thanks for any help you can offer,
Matt
During a recent security scan we have identified that one or more of your hosted sites show signs of being compromised as they are hosting known, malicious web-based backdoors. Specifically, the following file(s) have been accessed by intruders and have been associated with unsolicited bulk email, denial of service or other abusive activity:
We have identified the following known backdoors under your account:
site1/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site1/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site2/includes/inbex.php
site2/includes/index.php
site2/plugins/content/rtl.php
site2/tmp/wsearch.php
site3/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site4/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site5/includes/index.php
site5/plugins/content/loadmodule/rtl.php
site6/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site7/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site8/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
site9/administrator/components/com_admintools/akeeba/platform/jfscan/engines/archiver/jfscan.php
We have disabled the page(s) in question (via adjusting permissions on the files, e.g. chmod, or backing up the file first renaming it to "filename.INFECTED" and cleaning up the injected code) until you are able to address this matter.
The existence of these pages on your website(s) is likely a sign you have been compromised.