Support

Akeeba Backup for Joomla!

#12479 Security Vulnerbility notification from Google (j1.5, and not well protected)

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by nicholas on Thursday, 31 May 2012 14:33 CDT

UglyEoin
This probably has more to do with my inadequacies with regards to security than Akeeba, but as it is mentioned I thought I would let you know so that you can check that it's not a vulnerability somehow (I can't see how it could be but I wouldn't really know).

Dear site owner or webmaster of ********.com,
We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.
Below are one or more example URLs on your site which may be part of a phishing attack:
http://********.com/images/smilies/hotmail/
http://******** .com/media/com_akeeba/js/fb/
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//fullerscourtmanagement.com/images/smilies/hotmail/
We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.
Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.
Sincerely,
Google Search Quality Team
Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

nicholas
Akeeba Staff
Manager
Sorry for the late reply, for some reason the email notification for this thread ended up in my spambox.

Basically, you've been hacked. Our component does have a directory named media/com_akeeba/js but there is no subdirectory fb inside it. This directory was added there as part of a hack to your site. Akeeba Backup is not the entry point of the hack. After the hacker got access to your site they simply added an extra directory inside Akeeba Backup's directory with malicious content.

For information regarding unhacking and securing your site please consult our Unhacking Your Site walkthrough.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

UglyEoin
I figured as much, but I thought it was worth mentioning just in case. I have deleted the files anyway, and will be looking at implementing better security in the future. Cheers for the response.

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!