Support

Akeeba Backup for Joomla!

#26545 GET error in frontend amazonaws.com

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by on Thursday, 15 December 2016 17:17 CST

Monday, 14 November 2016 08:14 CST

WI_UMOS
Hello,

I have strange 403 error in console which points to: http://s3.eu-central-1.amazonaws.com/forton/cbp/cmps/50_c211e.js
I have searched the URL in code and as I understand it's from Akeeba component.

You can see the error here: http://www.um.ostrowiec.pl/pl/

This file currently contains something like this:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Code>AllAccessDisabled</Code>
<Message>All access to this object has been disabled</Message>
<RequestId>C080AB97593D63B1</RequestId>
<HostId>
6yWagw1Rw9ync2nG8hFfmXPTB0iAbXpg1505g2QGZpf+U2yL3fLJk29LzKb2yZauyGiePUfVaoY=
</HostId>
</Error>

Shouldn't this kind of stuff be called in backend instead of frontend?

Sincerely,
Thomas

Monday, 14 November 2016 08:42 CST

tampe125
Hello,

no I'm sorry but we do not host the javascript code of our component on Amazon AWS, everything is stored on your site.
Moreover Akeeba Backup on frontend does not load any javascript.
What does it make you think that it comes from Akeeba Backup? I just connected to your site and I get no errors in the console.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 14 November 2016 09:10 CST

nicholas
No, this does not come from our code. I have no idea what makes you think otherwise. There are several reasons why any decent developer wouldn't include arbitrary Amazon S3 links to their product (unless they are trying to hack you, or worse). Also I cannot see this error when I inspect your site on Chrome.

In fact, a trivial Google search very clearly points out that this is malware included in various Chrome extensions! The two extensions most likely to be the culprits are "Appspector" and "HTTP Headers". It seems like the developer was caught red-handed and his Chrome extensions removed. Therefore he had no use of these JS files any more and he removed them. That's why you get the errors.

So, you installed a Google Chrome extension which contained malware. At the very least it was able to intercept all usernames and passwords you ever typed in the browser. Most likely it would have already exploited zero day attacks against your operating system and install more persistent forms of malware which give hackers control over your computer in far less visible ways. At worst it may have installed an advanced persistent threat ("rootkit") which can even survive a reformatting of the hard drive by contaminating the operating system's recovery partition. At this point you should consider yourself fully hacked in two ways.

First of all you should assume your web presence is fully hacked. Assume that all your usernames and passwords for all sites you are using (from your own sites to your banks) have been leaked to a hacker. You must change all your passwords to everything you have ever visited from that compromised browser installation. You should do that from a different, clean computer and a different browser. Remember that Chrome auto-installs all extensions to any new installation as soon as you log in with your Google ID. This means that any other device running Chrome you've used is also very likely infected.

Moreover, you should assume your computer itself thoroughly hacked. I would suggest going for the nuclear option: delete everything, reformat the hard drive and install your operating system afresh from a fresh copy (ideally a read-only medium, such as a CD-ROM). Do not trust the recovery partition of Windows or macOS when you have this kind of valid reasons to believe that you have been infected with malware.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 14 November 2016 11:41 CST

WI_UMOS
Hi guys,

thank You for fast reaction and sorry for accusation. I just did search for amazonaws.com in code... Next time I'll do better research of my problems.
Anyway - holy fckn shit :D Your right. It's probably Appspector extension. I have list of all extension that I use at work and this one as I can see is not available currently (banned?).

Changing passwords and reinstalling everything - well that's gone be a lot of work for me... But You got to do what You got to do. ;)

Sincerely,
Thomas

Tuesday, 15 November 2016 02:04 CST

tampe125
You're welcome!

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 15 December 2016 17:17 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2016-12-15 17:17 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!