Suspicious loc(dot)php file

4 months 2 weeks ago - 4 months 2 weeks ago #8579 by azurelinksc
Suspicious loc(dot)php file was created by azurelinksc
Hola Jose,

I've come across a suspicious file named loc(dot)php in several of the directories of Joomla sites I manage. Your scanner doesn't pick it up. I thought you might be interested in looking at it, but I can't seem to upload it here as an attachment even renamed as a txt file. Let me know if you want to take a look and how I can get it to you.

I've found it in the following locations:
/cli/loc.php
/components/com_ajax/loc.php
/includes/loc.php
/layouts/libraries/cms/loc.php
/layouts/plugins/system/loc.php
/libraries/fof/template/loc.php
/libraries/php-encryption/loc.php

It starts out with this line:
$s_pass = "";  // default password : b374k (login and change to new password)

The rest is compiled.
Last edit: 4 months 2 weeks ago by azurelinksc. Reason: Added more text.
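As an added defender-side example (not code from the post or from the scanner discussed here), the following script walks a Joomla tree, flags PHP files whose header carries the b374k marker comment quoted above, and separately lists PHP files that are absent from a baseline of known-clean paths (such as the master site's file list mentioned later in the thread). The directory tree, the baseline entries and the file contents in `demo()` are constructed for the example.

```python
import os
import tempfile

# Marker taken from the first line of the file quoted in the post.
B374K_MARKER = b"default password : b374k"


def scan_tree(root, baseline):
    """Return (marker_hits, unlisted) as sorted lists of relative paths.

    marker_hits: PHP files whose first 4 KiB contain the b374k marker.
    unlisted:    PHP files not present in `baseline`, a set of relative
                 paths taken from a known-clean copy of the same release.
    """
    marker_hits, unlisted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                head = fh.read(4096)  # the marker sits on the first line
            if B374K_MARKER in head:
                marker_hits.append(rel)
            if rel not in baseline:
                unlisted.append(rel)
    return sorted(marker_hits), sorted(unlisted)


def _write(root, rel, data):
    """Create a constructed sample file under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree mimicking the post's findings and scan it."""
    root = tempfile.mkdtemp()
    baseline = {"includes/framework.php", "cli/update_cores.php"}  # constructed
    _write(root, "includes/framework.php", b"<?php\ndefine('_JEXEC', 1);\n")
    _write(root, "cli/loc.php",
           b'<?php\n$s_pass = "";  // default password : b374k (login and change to new password)\n')
    _write(root, "components/com_ajax/diag_login.php", b"<?php\n// no marker here\n")
    return scan_tree(root, baseline)


if __name__ == "__main__":
    hits, extra = demo()
    print("marker hits:", hits)
    print("not in baseline:", extra)
```

A file can be unlisted without carrying the marker (the second suspicious name in the thread behaves that way here), so both lists are worth reviewing.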

4 months 2 weeks ago - 4 months 2 weeks ago #8580 by Jose
Replied by Jose on topic Suspicious loc(dot)php file
Hi azurelink,

Is the malware scanner configured to analyze the entire filesystem (Global configuration -> malware scanner tab -> timeline set to 'Any date') looking also for suspicious patterns (Global configuration -> malware scanner tab -> Deep scan enabled)?

Regards,
Jose
Last edit: 4 months 2 weeks ago by Jose. Reason: Change the location of malware settings

4 months 2 weeks ago - 4 months 2 weeks ago #8581 by azurelinksc
Replied by azurelinksc on topic Suspicious loc(dot)php file
No, those settings were not configured, but I have changed it now, though on this site I already deleted those files. I have other similar sites to do which I'm pretty sure have those suspect files in them. They all were extracted out of a multisite installation and the master site's files were restored in all of the slave sites. I'll let you know if the scanner picks up the loc files. Btw, the instructions weren't quite right. For others who might read this thread, the Malware Scan tab is in Configuration/Global Configuration. Do you want to look at the file?
Last edit: 4 months 2 weeks ago by azurelinksc.

4 months 2 weeks ago #8582 by Jose
Replied by Jose on topic Suspicious loc(dot)php file
Thanks for warning me about the error; I have just edited my post to point it in the right direction.

Yes, I want to check the file. Can you send it to my contact email? Maybe you will have to add it to a zipped file.

Regards,
Jose

4 months 2 weeks ago #8583 by Jose
Replied by Jose on topic Suspicious loc(dot)php file
For public knowledge:

The file is an encoded variant of a popular webshell named b374k. I have just uploaded it to my isolated environment and the malware scanner detects it if the Timeline param is set to "Any date".

4 months 1 week ago - 4 months 1 week ago #8584 by azurelinksc
Replied by azurelinksc on topic Suspicious loc(dot)php file
Does SCP prevent a password from brute force?

Also found these files:
/components/com_ajax/diag_login.php
/libraries/fof/template/site_autoloader.php
Last edit: 4 months 1 week ago by azurelinksc.
