
Akeeba Backup for Joomla!

#30659 Malware reported in multiple files following recent update to latest version

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by westiefan on Monday, 10 December 2018 03:32 CST

westiefan

Description of my issue:

Hi Nicholas,

I have updated a couple of sites to the latest version of Akeeba (one in Joomla version 3.9.0 to Pro version 6.3.2, and one in WordPress version 5.0 to WP Pro version 3.3.2).

Both have been reported by our hosting company malware scanner as having a number of files that are infected with malware.

These are the only 2 sites that I have so far updated, and both have reported the same malware infection for all reported files. The malware infection is reported as: malware.unlink.chmod.php.1

Please can you advise what (if anything) we can do about this, as our hosting supplier has disabled all PHP Mail services on the server for these sites until the malware issue is resolved.

As both sites use online forms it is crucial to get this issue resolved as quickly as possible so that the client forms can be re-enabled.

Thank you

Regards

John

westiefan
Just a quick follow up, the affected files are:

"kickstart.txt", "restore.php" & "update.zip" (though this one is probably because it contains copies of the other 2 files)

Regards

John

nicholas
Akeeba Staff
Manager
Hello John,

This is a recurring question and it is NOT a bug or an issue in Akeeba Backup or any of our software. This kind of software is simply looking for patterns of code which are usually – but not exclusively – used in malicious software. These patterns consist of infrequently used PHP features such as base64 encoding, binary file format writing and heavy use of regular expressions. These are all patterns which have to be used to create backup archives in Akeeba Backup, extract backup archives in Akeeba Restore / UNiTE / Akeeba Kickstart (they all use the Akeeba Restore engine) or scan files for malware in Admin Tools. So it’s normal for these patterns to appear in our software. The problem with “malware scanners” which deal with source code is that they can only check the presence of patterns, marking files for further human inspection. They can NOT positively identify the intent of the code. Code is like prose. Our current level of technology as a species is not yet at the point where a machine can read free form text and understand its intent.

Please contact your host and let them know that our code, which has been around for more than twelve years, is definitely legitimate and they can actually take a look themselves. This is exactly what their “malware scanner” did, it’s just that they have no idea how to use it and for what purpose. Take this from the person who writes his own “malware scanner” (Admin Tools’ PHP File Change Scanner has the Threat Score feature which is exactly that), understands the pitfalls and has clearly documented them.

For your information, restore.php (Akeeba Restore) is also used by Joomla! itself to apply its own updates. An older version of that file can be found in all Joomla! releases in the folder administrator/components/com_joomlaupdate since Joomla! 2.5.1. Kickstart is a web interface around Akeeba Restore and includes Akeeba Restore.

So, not to put too fine a point on it, your host is incompetent. Ask them for a full refund (at the very least!) since they screwed up your site for no reason whatsoever. Better yet, find a different hosting company where they know what they are doing. Hosting companies who know what they are doing do not rely on "malware scanners" because they know they can't rely on their results to take automated action (FYI, 5% to 10% of the core files distributed with Drupal, Joomla! and WordPress trigger a malware scanner – since I have written such a thing I have of course tested it thoroughly!). Even if they did work, they are like the notorious Maginot line during WW2: when (not if!) the attacker works past them you are screwed. Really good hosts employ anomaly detection which consists of perimeter security including but not limited to operating system and web server firewalls, email scanning and traffic analysis at the very least. The idea is you watch what is going in and what is going out. If they detect an anomaly then and only then will they suspend the account until the client communicates with them. Good hosts don't use proven to be ineffective and error-prone technology to block sites and then not allow the client to state that the code is legitimate for Pete's sake!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
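As an added illustration of the point above (this is not Akeeba's code, and the patterns and weights are constructed for this example, not Admin Tools' actual Threat Score rules), a toy pattern-based scorer of the kind a source-code "malware scanner" uses, run over a constructed snippet of legitimate archive-extraction PHP and over a trivial page. The legitimate extractor code, which must decode data, write binary output, fix permissions and delete temporary files, trips the threshold, which is exactly the false positive described in the reply.

```python
import re

# Heuristic patterns of the kind source-code "malware scanners" look for.
# Each entry is (regex, weight). Weights are constructed for this example;
# they are not Admin Tools' Threat Score values.
PATTERNS = [
    (re.compile(r"\bbase64_(?:de|en)code\s*\("), 25),
    (re.compile(r"\b(?:unlink|chmod)\s*\("), 15),
    (re.compile(r"\bfwrite\s*\(\s*\$\w+\s*,\s*pack\s*\("), 20),
    (re.compile(r"\bpreg_(?:replace|match_all)\s*\("), 10),
    (re.compile(r"\b(?:eval|system|passthru)\s*\("), 40),
]

# Constructed threshold above which a file is "flagged" for human review.
THRESHOLD = 50


def threat_score(source: str) -> tuple[int, list[str]]:
    """Sum the weights of every pattern occurrence in a PHP source string.

    Returns (score, list of matched pattern descriptions). Note that the
    scorer sees only syntax; it cannot tell a backup engine from malware.
    """
    score = 0
    hits = []
    for rx, weight in PATTERNS:
        n = len(rx.findall(source))
        if n:
            score += weight * n
            hits.append(f"{rx.pattern} x{n}")
    return score, hits


def is_flagged(source: str) -> bool:
    """True when the heuristic score reaches the review threshold."""
    return threat_score(source)[0] >= THRESHOLD


# Constructed sample: what an archive extractor legitimately has to do
# (decode an embedded header, write binary data, fix permissions, clean up).
LEGIT_EXTRACTOR = r"""<?php
$header = base64_decode($chunk);
$fp = fopen($target, 'wb');
fwrite($fp, pack('V', $crc));
chmod($target, 0644);
unlink($tmpfile);
$name = preg_replace('#^\./#', '', $entry);
"""

# Constructed sample: a trivial page that uses none of the flagged features.
PLAIN_PAGE = "<?php echo htmlspecialchars($_GET['q']); ?>"
```

Run `threat_score(LEGIT_EXTRACTOR)` to see the individual hits; the score comes entirely from features a backup or restore engine cannot avoid, which is why such a result should trigger human inspection rather than automated blocking.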

westiefan
Hi Nicholas,

Thank you for your extended response, I assumed that this would be the case, and I have taken it up with our hosting supplier. I have also pointed out to them the quality of the code you provide, and they are looking into updating their scanner accordingly.

However, I will pass on your comments to them, as I think they need to know this (if they do not already know it), and they do seem to be aware of the shortcomings of the scanner, but my issue is that they have blocked the PHP mail service because of the scanner result, and therefore it means that I cannot update to the latest Akeeba version until they have fixed the scanner filters.

I was aware of the Joomla core "restore.php" file, but had not realised that it was using your code, so that explains that one.

In every other respect our hosting supplier is extremely good, so I just need to "educate" them about issues like this, so your comments will help.

Thank you again for your prompt response, as always, it is much appreciated.

Regards

John

PS. Please feel free to close this ticket after reading my reply.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of whom live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!