ConfigServer Community Forum

hello and first of all congraz for your great software!

today i noticed something strange in a account. the cxs scan returned the following

Scanning /home/xxxxxxx:
# Known exploit = [Fingerprint Match] [PHP REQUEST Exploit [P0007]]:
'/home/xxxxxxx/public_html/libraries/joomla/application/web/info.php'
# Known exploit = [Fingerprint Match] [PHP REQUEST Exploit [P0007]]:
'/home/xxxxxxx/public_html/libraries/joomla/filter/alias.php'
# Skipped - too many resources: 17593 ( > filemax=10000):
'/home/xxxxxxx/public_html/modules/mod_news_pro_gk4/cache'
# Known exploit = [Fingerprint Match] [PHP REQUEST Exploit [P0007]]:
'/home/xxxxxxx/public_html/plugins/system/utf.php'
# Known exploit = [Fingerprint Match] [PHP REQUEST Exploit [P0007]]:
'/home/xxxxxxx/public_html/plugins/system/gk_recaptcha/recaptcha/sql.php'
# Script version check [OLD] [Joomla Modules Anywhere Ext v1.13.3 < v3.4.3]:
'/home/xxxxxxx/public_html/plugins/system/modulesanywhere/'
# Known exploit = [Fingerprint Match] [PHP REQUEST Exploit [P0007]]:
'/home/xxxxxxx/public_html/templates/gk_sporter/lib/framework/gk.parser.php'
# Known exploit = [Fingerprint Match] [PHP REQUEST Exploit [P0007]]:
'/home/xxxxxxx/public_html/templates/gk_sporter/lib/menu/GKHandheld.php'

i tried to open the file via ssh and edit it to see the malicious code, but the files are empty and only a "<?php" tag is inside them.

is that normal?

you can cat the malicious file to view the content of malicious file .

theoxgr,

Found your post while looking for a similar answer.

You might find that the files that came up in the scan are all:
- 301 bytes in size
- when you view them, you only see the <?php until you scroll over to the right of the page, where you'll then find a nasty bit of php looking like

eval(base64_decode($_POST['---some value---']));?>

- If the file is also larger than 301 bytes, it might be a real file that has had this type of thing injected into it, and that is then used to trigger something else on your site.

I see you're also using Joomla. I've had a number of sites recently that have got this issue, with repeat attacks on a few (hence I was looking for how to close the loophole).

I suggest:
- ensuring your version of Joomla is the latest available (3.3.4 at the time of this post)
- If you're using an earlier version of Joomla, make sure it's up to the latest (1.5.26 + patch, 2.5.25 at time of post)
- Ensure any components you have installed are up to date. If you're not using components that might not be up to date, uninstall them as hackers might be striking the site using those.

I also use Project Honeypot protection to bounce known spammers, which seems to have helped (except on the site that I didn't which has been hacked again). There's a few components that would allow you to implement that including Akeeba Admin Tools, sh404SEF security functions, and other Spam prevention plugins.

Hope this helps others if it's too late to assist you theoxgr.

Patrick