Support Forum


Compromised server


Hi

My server has developed the unfortunate habit of sending out spam email in the middle of the night.

I've managed to isolate the files responsible, etc - but not yet certain if the problem is a Joomla exploit or some other vulnerability.

There are a couple of things I'm wondering if people would be able to shed light on.

The first is that I'm setting up a cron job that will run every few hours to tell me if files have been modified.

This is the unix command:

find . -type f -ctime -1

Thing is when I run it, it returns these files (among others).

./templates/system/index.php
./templates/ecolife/index.php
./templates/beez3/index.php
./templates/protostar/index.php

Does this make any sense? (I've not altered the files, and, as far as I can tell, they haven't actually been altered.)

Secondly, the exploit seems to involve invoking a file called "style.php" that's in the libraries directory.

Does anybody know if that file is part of a standard installation? (I have installations where it doesn't appear...).

Any advice very gratefully received!

Thanks.
  • Jeremy Stangroom
  • 12 Month basic
Hi,

Sorry to hear you are having issues with your site.

Generally, with most hacks they tend to target the files that create the site output. In Joomla, that is usually the index.php file in the root of the site and the index.php file in the active template/s.

Sometimes when investigating hacked sites, I see that files appear like they haven't changed but new code has actually been added with a very large indent so it appears way off to the right.
You can replace the files with the originals from a fresh zip of Joomla and the template to make sure they are clean, and use a program like examdiff (or git if you use it) to check for changes if the files show as having changed again.

With the style.php file, you can also check that against a fresh download of the same version of Joomla you are running. If the file is not in the zip package then it is not a core file and would have been added through a 3rd party extension or the hack.

If your install's core was not up to date then it may have been a core hack or it could have been through a 3rd party extension. You can check for known vulnerabilities here to check if you have any of those extensions installed: vel.joomla.org/

To make sure everything is clean, I find the best way is to take a copy of the database to install locally, then rebuild the site with fresh core/extension files and copy the images folder into the copy.

There are some free security extensions available which will protect against most common exploits like jhackguard as well as fully featured firewall extensions like admintools pro and rsfirewall. There is also ninja firewall which is a free standalone firewall you can add to the sites directory nintechnet.com/ninjafirewall/

Best of luck.

Regards,

Rob
  • Robert Went
  • Moderator
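An added example that is not part of the reply above: two checks that follow from it. `find_hidden_code` looks for the indent trick the reply describes, injected PHP pushed far to the right with hundreds of spaces so that a quick look at the file shows nothing. `find_noncore_files` lists files present in the live site but absent from a fresh unpack of the same Joomla version, which is how to answer the "is libraries/style.php core?" question. The 200-column threshold, the token list and all paths are assumptions for the example; the sample trees in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the reply above). Paths and thresholds are
# assumptions for the example. Needs find, awk, comm and xargs -0.

# find_hidden_code DIR: report PHP lines whose code starts after 200+
# columns of whitespace and that contain a construct typical of web
# shells (eval, base64_decode, request variables, ...). Lines that are
# merely long but start at column 1 are not reported; that is the
# point, since a pager or editor shows those at once.
find_hidden_code() {
    find "$1" -type f -name '*.php' -print0 | xargs -0 -r awk '
        {
            match($0, /^[ \t]*/)             # RLENGTH = width of the indent
            code = substr($0, RLENGTH + 1)
            if (RLENGTH >= 200 && code ~ /(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|preg_replace|[$]_(POST|GET|REQUEST|COOKIE))/)
                print FILENAME ":" FNR ": indent=" RLENGTH " " substr(code, 1, 60)
        }'
}

# find_noncore_files CLEAN SITE: paths under SITE that do not exist in
# CLEAN (a fresh unpack of the same Joomla version). Each hit is either a
# legitimately installed extension/template file or something dropped by
# the attacker, so the list needs a human, but it is short.
find_noncore_files() {
    clean="$1"; site="$2"
    a=$(mktemp); b=$(mktemp)
    ( cd "$clean" && find . -type f | LC_ALL=C sort ) > "$a"
    ( cd "$site"  && find . -type f | LC_ALL=C sort ) > "$b"
    comm -13 "$a" "$b"        # lines only in the second list, i.e. the live site
    rm -f "$a" "$b"
}

# Usage (placeholder paths):
#   unzip -q Joomla_3.x.y-Stable-Full_Package.zip -d /tmp/clean
#   find_noncore_files /tmp/clean /var/www/site
#   find_hidden_code /var/www/site
```

`find_noncore_files` only compares names; to also see which core files have different contents, `diff -rq /tmp/clean /var/www/site` reports both the "Only in" files and the "differ" ones in one pass. Run the indent scan over the whole tree, not just the template and root `index.php`, since a dropper usually seeds more than one file.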
Hi Rob

I just wanted to thank you for your reply, and apologize for not responding earlier. I've been fighting fires as a result of the Joomla compromise.

It turned out it was the 0-day remote execution compromise that was patched in December.

I've cleaned the site, and all now seems stable.

Are you able to recommend a particular security extension? I'm using admintools pro, and modsecurity is installed on the server, but if you were able to recommend something specifically for Joomla that would be much appreciated.

Thanks again for your response. Your tip about the indent was very helpful!

Best,

Jeremy
  • Jeremy Stangroom
  • 12 Month basic
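An added example, not part of the exchange above: once the dropped file (libraries/style.php in the first post) is known to be what the spam run invokes, the web server access log gives the timeline, which is what you need to decide whether the cleanup covered the first intrusion or only the latest one. The script assumes the Apache "combined" log format; the log lines it writes are constructed for the example, with addresses from documentation ranges, not real traffic.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache "combined" format,
# where $1 is the client, $4/$5 the timestamp, $6 the quoted method,
# $7 the URL and $9 the status. Sample lines are constructed.

# write_sample_log FILE: constructed sample, two callers hitting the
# dropped file plus ordinary traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Jan/2016:03:12:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2016:03:14:02 +0000] "POST /libraries/style.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2016:03:14:09 +0000] "POST /libraries/style.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:03:20:51 +0000] "GET /templates/protostar/css/template.css HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
192.0.2.99 - - [11/Jan/2016:02:58:30 +0000] "POST /libraries/style.php?cmd=id HTTP/1.1" 404 209 "-" "python-requests/2.9"
EOF
}

# hits_for_path LOG PATH: every request for PATH (query string ignored),
# printed as "time ip method url status".
hits_for_path() {
    awk -v want="$2" '
        { split($7, u, "?") }
        u[1] == want { print $4 " " $5 " " $1 " " substr($6, 2) " " $7 " " $9 }
    ' "$1"
}

# first_hit LOG PATH: the earliest request for PATH. The log is in
# arrival order, so the first match is the first time the file was used;
# anything on disk with a later ctime than this is part of the follow-up.
first_hit() {
    hits_for_path "$1" "$2" | head -n 1
}

# hits_by_ip LOG PATH: request count per source address, busiest first.
hits_by_ip() {
    hits_for_path "$1" "$2" | awk '{ n[$3]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Usage (placeholder paths):
#   first_hit /var/log/apache2/access.log /libraries/style.php
#   hits_by_ip /var/log/apache2/access.log /libraries/style.php
```

The 404 on the last sample line is the useful case: requests to the file that keep arriving after it has been removed confirm you removed the right thing and show who is still trying. Include rotated logs (`access.log.1`, the `.gz` ones via `zcat`) so the first hit is not just the first hit in the current file.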
Hi Jeremy,

Glad you got on top of it.

Personally I would use admin tools and find a host that has a good history and approach to security. We use SiteGround here and they have been fairly proactive with patching php versions etc.

But might be good to shop around and get some other opinions as well :)

Thanks
  • Anthony Olsen
  • Lifetime Developer - Big Bamboo