#35616 Hacking message but nothing seems to have changed.

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by guillenphoto on Thursday, 12 August 2021 12:16 CDT

guillenphoto

Hello,

Our website has been under hacking attempts since this morning.
This site like all the others is protected with Admin Tools. With Admin Tools, I use all the security tools offered.
I use an administrator password to access the URLs, I have a custom administration URL, the password is changed regularly.

Here is the message that Admin Tools sends me:

We would like to notify you that one or more critical files have been modified on your site, Isabelle Guillen Portraits - LP. The list of files modified on your site is as follows:

  • configuration.php
  • index.php
  • administrator/index.php
  • templates/beez3/index.php
  • templates/beez3/error.php
  • templates/beez3/component.php
  • templates/gk_creativity/index.php
  • templates/gk_creativity/error.php
  • templates/gk_creativity/component.php
  • templates/protostar/index.php
  • templates/protostar/error.php
  • templates/protostar/component.php
  • templates/system/index.php
  • templates/system/error.php
  • templates/system/component.php

All these files are in 444 (Read Read Read).
I compared their contents with an old backup made with Akeeba Backup. Nothing has changed.
The site works properly (it is a landing pages site).

What I do not understand is that the files are read-only and I receive these messages. Also, they have not changed.

Could someone please help me because I am a bit lost?

Thank you in advance for your help.

Sincerely,
Amar Guillen

nicholas
Akeeba Staff
Manager

Admin Tools keeps a record of the following properties of each critical file:

  • File size, accurate to a byte
  • Last modification time, accurate to the second
  • MD5 hash of its contents
  • SHA-1 hash of its contents

If any of these properties change it will report the file as changed.

It's possible that the last modification time changes without any of the other properties changing if the file is restored from a backup or if it's opened and saved without any changes. This could also happen if your host was doing any kind of maintenance work on their servers which required them to restore files out of a backup of their own.

Since you compared the contents and, I presume, the sizes of the files and found no change I would believe this is what happened.

However, once Admin Tools detects that the file has been modified it stores the new properties of the file in the database. The fact that you keep receiving this email tells me that either the database record is not being updated or something is changing the file modification time of your files all the time.

Find the #__admintools_storage table in your site's database, where #__ is to be replaced by the table name prefix you use on your site (it's the $prefix value in your site's configuration.php).

Find the record where the key column is set to criticalfiles. Delete it. This re-initialises the critical files feature.

If you keep receiving emails about critical files having changed please check their file modification date every time you receive an email and compare it with the previous one. If it keeps changing something weird is going on with your site; try restoring from a backup. If the problem persists contact your host. The file modification time should only change when the file is being written to and there is no reason for these files to be written to if you're not updating Joomla or its templates.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
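The check described in the reply above can be reproduced by hand to tell a touched or restored file (modification time only) apart from one whose bytes changed. This is an added example, not Admin Tools' own code and not part of the original ticket; the function names and the sample files are constructed for illustration.

```python
import hashlib, json, os, tempfile

def snapshot(paths):
    """Record the four properties the reply lists: size, mtime, MD5, SHA-1."""
    snap = {}
    for p in paths:
        with open(p, "rb") as fh:
            data = fh.read()
        st = os.stat(p)
        snap[p] = {
            "size": st.st_size,                        # accurate to a byte
            "mtime": int(st.st_mtime),                 # accurate to the second
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
        }
    return snap

def classify(old, new):
    """Return {path: verdict} for every path seen in either snapshot."""
    verdicts = {}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a is None:
            verdicts[path] = "new file"
        elif b is None:
            verdicts[path] = "missing"
        elif (a["size"], a["md5"], a["sha1"]) != (b["size"], b["md5"], b["sha1"]):
            verdicts[path] = "content changed"         # compare against a known-good backup
        elif a["mtime"] != b["mtime"]:
            verdicts[path] = "mtime only"              # touched, re-saved or restored
        else:
            verdicts[path] = "unchanged"
    return verdicts

def demo():
    """Constructed sample: throwaway files standing in for critical files."""
    with tempfile.TemporaryDirectory() as d:
        names = ("configuration.php", "index.php", "error.php")
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "w") as fh:
                fh.write("<?php // constructed sample\n")
        before = snapshot(paths)
        os.utime(paths[0], (1_600_000_000, 1_600_000_000))  # same bytes, new mtime
        with open(paths[1], "a") as fh:                      # bytes appended
            fh.write("// extra\n")
        after = snapshot(paths)
        return {os.path.basename(k): v for k, v in classify(before, after).items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Saving a snapshot each time an email arrives and classifying it against the previous one shows whether the modification time keeps moving while the hashes stay the same.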

guillenphoto

Hello Nicholas,

Thank you for the quick reply.

Your solution does work perfectly. I deleted the record you mentioned. I do not receive any message from AdminTools.

I have contacted my host provider to ask why some files have changed.

Anyway, thanks for all.

All my best
Amar Guillen
