#26332 Fix after Malware attack!?!

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by tampe125 on Tuesday, 18 October 2016 08:10 CDT

paurray
Hello Akeeba

As luck would have it, I became the victim of malware during my holidays.
I put my site into emergency mode and am just getting on top of things two weeks later.
This is where Siteground say the problem is:

Scanning [/home/finalbug/public_html] ... Please wait...
[GEN]PHP_backdoor_2 [18/04/16] /home/finalbug/public_html/administrator/modules/mod_version/proxy.php
-----------------------------------------
Scanned Files : 158148
Scanner Hits : 1

I have downloaded the latest full package of Joomla and compared the folders:
/public_html/administrator/modules/mod_version/

the above path in my Joomla install contains the following files:

helper.php
language (contains: en-GB which contains en-GB.mod_version.ini & en-GB.mod_version.sys.ini)
mod_version.php
mod_version.xml
tmpl

The above path on my infected Joomla site contains the following files; anything with a star is different from the clean Joomla installation!

helper.php
***index.html***

language/***index.html*** file
language/***.listing*** file

language/en-GB/en-GB.mod_version.ini
language/en-GB/en-GB.mod_version.sys.ini
language/en-GB/***index.html*** file
language/en-GB/***.listing*** file


mod_version.php
mod_version.xml

***proxy.php***

tmpl/default.php
tmpl/***index.html***
tmpl/***.listing***

What is happening is that I currently have pushing 10,000 mails in my Mail Spam OUT folder!!!

These are the usual mails for Viagra & Co, which I definitely did not send.

Here are my questions.

Any ideas where the malware is getting my email details from?
I guess that I need to change the password for my email account right?

What is the best way to proceed?

I am afraid of breaking something.
As of now I have compared the infected folder: /public_html/administrator/modules/mod_version/
(Downloaded on my computer)
and the clean Joomla install version of the same folder i.e:
/public_html/administrator/modules/mod_version/
(Downloaded from the Joomla Site)

I am guessing that the best thing to do is replace the whole /public_html/administrator/modules/mod_version/ folder?

Am I missing something?
Thinking wrongly?
Need to check something else?

thanks

Paul

Helping you learn beyond your finalBUG

tampe125
Akeeba Staff
Hello,

First of all you should take a look at the following guide, so you can safely un-hack your site:
https://www.akeebabackup.com/documentation/walkthroughs/unhacking-your-site.html

Regarding your questions:
Any ideas where the malware is getting my email details from?
Most likely they are getting them from your Joomla Global Configuration or using the PHP mail functions, which need no authentication.
I guess that I need to change the password for my email account right?
That's a wise idea, yes.

Please remember that you have to scan your whole site for infected files, since you have to delete the backdoor used to upload files; otherwise you'll find hacked files again and again.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
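A scripted version of the folder comparison Paul did by hand above, extended to the whole site as Davide recommends. This is an added example, not Akeeba's code or anything posted in the thread: it assumes you have downloaded the live site to a local folder and unpacked a clean Joomla package of the same version next to it, and the sample tree it builds reuses the file names from the ticket with placeholder contents.

```python
"""Diff a known-clean Joomla tree against a downloaded copy of a live site.

Added example, not Akeeba's code. The two roots are paths you supply; the
constructed sample below only reproduces the mod_version listing from the
ticket so the script can be run offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _index(root: Path) -> dict:
    """Map every regular file below root (relative POSIX path) to its SHA-256."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            files[full.relative_to(root).as_posix()] = _sha256(full)
    return files


def compare_trees(clean_root, site_root) -> dict:
    """Return relative paths in four buckets.

    'extra'     files only on the site (the starred entries in the ticket)
    'missing'   shipped files that are gone from the site
    'modified'  shipped files whose content differs from the package
    'extra_php' the subset of extras that are PHP, which is the list to review
                first because nothing in the package explains their presence
    """
    clean = _index(Path(clean_root))
    site = _index(Path(site_root))
    extra = sorted(set(site) - set(clean))
    missing = sorted(set(clean) - set(site))
    modified = sorted(p for p in set(clean) & set(site) if clean[p] != site[p])
    extra_php = [p for p in extra if p.lower().endswith((".php", ".phtml", ".php5"))]
    return {"extra": extra, "missing": missing, "modified": modified, "extra_php": extra_php}


def _write(root: Path, rel: str, content: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)


def build_sample() -> tuple:
    """Constructed sample: the mod_version folder listings from the ticket.

    File contents are placeholders; only the names, and which side each file
    appears on, are taken from the thread.
    """
    base = Path(tempfile.mkdtemp(prefix="joomla_diff_"))
    clean_root, site_root = base / "clean", base / "site"
    module = "administrator/modules/mod_version/"
    shipped = {
        "helper.php": "<?php // helper placeholder\n",
        "mod_version.php": "<?php // module placeholder\n",
        "mod_version.xml": "<extension type=\"module\"/>\n",
        "language/en-GB/en-GB.mod_version.ini": "MOD_VERSION=\"Joomla! Version\"\n",
        "language/en-GB/en-GB.mod_version.sys.ini": "MOD_VERSION=\"Joomla! Version\"\n",
        "tmpl/default.php": "<?php // layout placeholder\n",
    }
    for rel, content in shipped.items():
        _write(clean_root, module + rel, content)
        _write(site_root, module + rel, content)
    # Starred entries from the ticket: present only on the live site.
    only_on_site = {
        "index.html": "<!DOCTYPE html><title></title>",
        "proxy.php": "<?php // placeholder standing in for the flagged file\n",
        "language/index.html": "<!DOCTYPE html><title></title>",
        "language/.listing": "",
        "language/en-GB/index.html": "<!DOCTYPE html><title></title>",
        "language/en-GB/.listing": "",
        "tmpl/index.html": "<!DOCTYPE html><title></title>",
        "tmpl/.listing": "",
    }
    for rel, content in only_on_site.items():
        _write(site_root, module + rel, content)
    # One shipped file altered in place, to show that hashing catches edits
    # as well as additions (constructed; the ticket reports no such file).
    _write(site_root, module + "tmpl/default.php", shipped["tmpl/default.php"] + "// appended\n")
    return clean_root, site_root


if __name__ == "__main__":
    clean, site = build_sample()
    for bucket, paths in compare_trees(clean, site).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Point the two arguments at the unpacked package and the downloaded site copy to run it on a real site. The output is a review queue, not a verdict: the hash comparison only covers files the package ships, so an edited shipped file lands in 'modified', while anything the package cannot account for lands in 'extra' and has to be judged by hand, which is exactly the step Davide describes as deleting the backdoor before restoring files.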

paurray
hi Davide

Emergency offline is not working.
I get a message saying:

Message
Your site is now in Emergency Off-Line mode

And I do not see the screen illustrated here:

https://www.akeebabackup.com/documentation/admin-tools/emergency-offline.html

I tried renaming the .htaccess file to .htaccessX and the site did not break so I think there is something strange going on. Is it possible that the .htaccess Maker file is kicking in?

I have no idea how to proceed.

Site still online here:

finalbug.net

thanks

Paul


tampe125
Akeeba Staff
Your site is currently offline:
https://www.dropbox.com/s/2lkdlay5pcbah93/Screenshot%202016-10-18%2012.42.26.png?dl=0

Please remember that the file created by Admin Tools will let your IP access the original site.

Davide Tampellini

paurray
thanks

I am going through the steps now

best

Paul


tampe125
Akeeba Staff
You're welcome!

Davide Tampellini
