
#24215 Site compromised, Joomla file modified

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by Sigitas on Monday, 18 January 2016 01:51 CST

Sigitas
Hello,
On Saturday my site was attacked and code was injected into the Joomla index file (website root). From the logs it looks like some JCE vulnerability. The strange thing is that when scanning, the Admin Tools PHP File Change Scanner didn't see it as containing malicious code (it showed only that this is a modified file). I'm sending you the file for analysis; maybe it will help to further improve the scanner.

nicholas
Akeeba Staff
Manager
It couldn't tell you it's compromised (i.e. have a non-zero threat score) because the code in that file doesn't use any suspicious patterns. It's some very standard PHP code, just like what you'd normally see in regular PHP software. Pattern-wise, there's a big base64-encoded block, but this is still not a tell-tale sign of a hacked file. This kind of Base64-encoded block can be found in legitimate software, including our own PHP File Change Scanner.

However, you've missed how Admin Tools already told you very loud and clear that something's going wrong: the file was marked as Modified. That's the entire point of PHP File Change Scanner. That's why we call it a PHP file change scanner, not a PHP hacked file scanner. The intention is to give you a heads up: "hey, these executable PHP files were modified, added or deleted since the last time you ran me, you sure this ain't a hack?". Please do remember that the Threat Score is there only as an additional indicator. There is no such thing as a foolproof algorithmic scanner of source code. Even a well-trained, resourceful (by nature – unlike machines we have creativity) human developer could overlook this kind of compromised file.

Bottom line: When the PHP File Change Scanner reports a file as Added or Modified you must question whether this change is expected. If not, review the file manually. Do NOT blindly trust the threat score, it's only yet another indicator.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
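The two-layer model Nicholas describes, as an added example that is not Admin Tools' own code: a baseline of file hashes makes Added/Modified/Deleted the primary signal, and a separate pattern-based threat score is attached only as an extra indicator. The pattern list and weights are assumptions for illustration, and the site tree is constructed in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict

# Advisory heuristics only. Patterns and weights are assumptions for this
# example, not the ones Admin Tools' PHP File Change Scanner uses.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\(", re.I), 3),
    (re.compile(r"\b(?:exec|shell_exec|system|passthru)\s*\(", re.I), 3),
]

def threat_score(source: str) -> int:
    """Sum of matched pattern weights; a bare base64 string literal scores 0."""
    return sum(w for pat, w in SUSPICIOUS if pat.search(source))

def snapshot(root: Path) -> Dict[str, str]:
    """Baseline: relative path -> SHA-256 of every .php file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def scan(root: Path, baseline: Dict[str, str]) -> Dict[str, dict]:
    """Diff the tree against the baseline. The status is the primary signal;
    the threat score is only an additional indicator on each finding."""
    current, report = snapshot(root), {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            status = "Added"
        elif rel not in current:
            status = "Deleted"
        elif baseline[rel] != current[rel]:
            status = "Modified"
        else:
            continue  # unchanged: nothing to report
        text = (root / rel).read_text(errors="replace") if status != "Deleted" else ""
        report[rel] = {"status": status, "threat_score": threat_score(text)}
    return report

def demo() -> Dict[str, dict]:
    """Constructed site: take a baseline, then append a harmless base64 block
    to index.php, which is how the ticket's modified file looked to the heuristics."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php\necho 'Joomla';\n")
    (root / "configuration.php").write_text("<?php\n$db = 'joomla';\n")
    baseline = snapshot(root)
    with (root / "index.php").open("a") as fh:
        fh.write("$blob = 'SGVsbG8sIHdvcmxkIQ==';\n")  # constructed; decodes to plain text
    (root / "configuration.php").unlink()
    (root / "cache.php").write_text("<?php\nsystem('ls');\n")  # constructed Added file
    return scan(root, baseline)
```

In the demo, index.php is reported as Modified with a threat score of 0, which is exactly the case in the ticket: the change itself is the alert, not the score.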

Sigitas
Hi Nicholas,
Thanks for the quick response. I believe I missed it because between the scans I applied a Joomla update and there were quite a lot of files marked as modified. Anyway, thanks for the tips.
