malware scan not showing problems but site is hacked

2 years 5 months ago #2776 by Cyriac
Some years ago my site had got the pharma hack. I had got the site cleaned up and it looked like it was working fine to me.
The issue is that I have moved my site from 2.5 to 3.5 recently. I transferred the Joomla core database and extension database using SP transfer to a Joomla 3.5 install on a WAMP server. I even changed my host. Everything is working fine except that there was all this pharma content in some old articles and in the redirect section.
I have manually removed the pharma content from the articles and it has stayed like that, but in the redirect section, even though I deleted all the fake redirects mentioning benoquin, famvir etc., it still keeps coming back, which means that something else is there in core files that keeps injecting this stuff in the sql. I ran the malware scanner in security check pro and it finds nothing even though it is clear that something is there.


2 years 5 months ago #2777 by Jose
Hi Cyriac,

By default, the malware scanner only looks for malware in files modified a week ago. To scan the entire filesystem looking also for suspicious patterns, go to Global configuration --> Malware scanner and set the "deep scan" to Yes and the "timeline" to 10000.
Also I'm going to send you a modified version of the extensions with some improvements in the malware scanner. I will use the email you used to register on my site.

Regards,
Jose
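
The effect of the scan window described in the reply above, as an added example that is not part of the thread and not the extension's own code: a minimal scanner whose `timeline_days` parameter, marker patterns and sample files are all constructed assumptions. It shows a three-year-old flagged file being skipped at 7 days and reported at 10000.

```python
import os
import re
import tempfile
import time

# Illustrative markers only; an assumption, not the extension's signature set.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"assert\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)"),
]
SCANNED_EXT = (".php", ".phtml", ".inc")

def scan(root, timeline_days):
    """Return files modified in the last timeline_days that match a marker."""
    cutoff = time.time() - timeline_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCANNED_EXT):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime < cutoff:
                continue  # older than the window: never opened
            with open(path, "rb") as fh:
                data = fh.read()
            if any(p.search(data) for p in SUSPICIOUS):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample tree: one old flagged file, one recent clean file."""
    old_dir = os.path.join(root, "plugins", "system")
    os.makedirs(old_dir)
    old = os.path.join(old_dir, "old_helper.php")
    with open(old, "w") as fh:
        fh.write('<?php eval(base64_decode("")); // inert constructed marker\n')
    stamp = time.time() - 3 * 365 * 86400  # pretend it was dropped 3 years ago
    os.utime(old, (stamp, stamp))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan(root, 7), scan(root, 10000)

if __name__ == "__main__":
    week, full = demo()
    print("timeline=7:", week, "| timeline=10000:", full)
```

File modification times can be reset by whoever wrote the file, so a wide window is the safer setting on a site that is already known to be compromised.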

2 years 5 months ago #2793 by Cyriac
Thank you, that worked. It located some files that showed that they were high risk. Should I also do a scan with OPSWAT so it can narrow down the files? I am not sure what the next step should be in this case. How do I remove / fix these files now that they are there?

2 years 5 months ago #2794 by Jose
Hi Cyriac,

Yes, you should analyze them using the OPSWAT scanner (if you don't have a valid API key, then I fear you should do this manually due to a change in the terms of service). If they are reported as malicious, then the files must be overwritten/deleted depending on whether they are part of the Joomla core or not.
If you have doubts, I can help you.

Regards,
Jose

2 years 5 months ago - 2 years 5 months ago #2870 by Timeforsmilin
Hi Jose,
I bought and installed your software yesterday. It didn't show any malware, but fortunately some other software I installed did, and I got the site cleaned before it was taken offline. Are these new files included with what I downloaded yesterday? I had an API key from OPSWAT, but that is now gone, and their system says it's generating the API now.

I have recreated 2 sites from scratch, and uploaded all core Joomla files to all 3 of my domains to overwrite any modified files. I've reinstalled all components, modules, and plugins to also overwrite any modified files there, but something is trying to send email from one of the domains, and the host can't see the problem as it's coming from one of the sites. I've changed all email passwords, and all login passwords, plus have 2 factor authentication active.

Do you have any idea how I can find this email issue?

Thanks,
Louis

Webmaster wrote: Hi Cyriac,

By default, the malware scanner only looks for malware in files modified a week ago. To scan the entire filesystem looking also for suspicious patterns, go to Global configuration --> Malware scanner and set the "deep scan" to Yes and the "timeline" to 10000.
Also I'm going to send you a modified version of the extensions with some improvements in the malware scanner. I will use the email you used to register on my site.

Regards,
Jose

Last edit: 2 years 5 months ago by Timeforsmilin. Reason: Easier to read

2 years 5 months ago #2873 by Jose
Hi Louis,

Timeforsmilin wrote: I bought and installed your software yesterday. It didn't show any malware, but fortunately some other software I installed did, and I got the site cleaned before it was taken offline. Are these new files included with what I downloaded yesterday?

Do you still have the files that were not detected? If so, could you be so kind as to send them? The latest version you downloaded has all the improvements of the modified version I sent you before.

Timeforsmilin wrote: Do you have any idea how I can find this email issue?

This type of infection usually involves a backdoor or similar to launch the attack. Even with the timeline set to 10000 and the deep scan enabled, doesn't the malware scanner detect any suspicious files?

Regards,
Jose
