Compromised CMS and Outbound Spam - Joomla! Forum - community, help and support


Our website has been compromised and is sending outbound spam.

/home/justcha/public_html/components/com_imageshow/views/list/footer.php: php.trojan.stoppost found
/home/justcha/public_html/components/com_xmap/views/html/template.php: php.trojan.stoppost found
/home/justcha/public_html/components/com_contact/router.php: php.trojan.stoppost found
/home/justcha/public_html/components/com_users/controllers/remind.php: php.trojan.stoppost found
/home/justcha/public_html/images/jsn_is_thumbs/images/metal/sql.php: php.trojan.stoppost found
/home/justcha/public_html/language/pt-br/cache.php: php.trojan.stoppost found
/home/justcha/public_html/libraries/joomla/database/exception.php: php.trojan.stoppost found
/home/justcha/public_html/libraries/phputf8/utils/bad.php: php.trojan.stoppost found
/home/justcha/public_html/libraries/phpmailer/language/blog.php: {hex}php.base64.v23au.184.unofficial found
/home/justcha/public_html/modules/mod_syndicate/tmpl/error.php: php.trojan.stoppost found
/home/justcha/public_html/modules/mod_djmenu/assets/css/file.php: php.trojan.stoppost found
/home/justcha/public_html/modules/mod_araticlws/mod_araticlws.php: {hex}php.cmdshell.unclassed.357.unofficial found
/home/justcha/public_html/modules/mod_araticlws/session.php: php.trojan.stoppost found
/home/justcha/public_html/plugins/acymailing/tagcontent/global.php: php.trojan.stoppost found
/home/justcha/public_html/plugins/josetta_ext/k2category/utf.php: php.trojan.stoppost found
/home/justcha/public_html/plugins/system/sef/option.php: {hex}php.base64.v23au.184.unofficial found
/home/justcha/public_html/plugins/captcha/.test.php: {hex}php.base64.v23au.184.unofficial found
/home/justcha/public_html/plugins/jsnimageshow/themeclassic/defines.php: php.malware.mailbot-1 found
/home/justcha/public_html/plugins/jsnimageshow/themestrip/search.php: php.trojan.stoppost found
/home/justcha/public_html/plugins/content/finder/options.php: php.trojan.stoppost found
/home/justcha/public_html/tmp/install_538fc513d1496/options.php: {hex}php.base64.v23au.184.unofficial found
/home/justcha/public_html/crm/include/session.php: php.trojan.stoppost found
ct-160095bash-3.2# exim -mvh 1yciex-0005w7-37; exim -mvb 1yciex-0005w7-37
1yciex-0005w7-37-h
justcha 512 32002
<lucas_wagner@justchair.com>
1427754757 0
-ident justcha
-received_protocol local
-body_linecount 42
-max_received_linelength 167
-auth_id justcha
-auth_sender justcha@server.mjwic.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted
xx
1
kasun-lakmal@blokspot.com

197p received: justcha server.mjwic.com local (exim 4.82)
(envelope-from <lucas_wagner@.com>)
id 1yciex-0005w7-37
kasun-lakmal@blokspot.com; mon, 30 mar 2015 18:32:37 -0400
030t to: kasun-lakmal@blokspot.com
046 subject: secret of slenderness without hunger
038 date: mon, 30 mar 2015 17:32:37 -0500
048f from: lucas wagner <lucas_wagner@.com>
061i message-id: <916dc61bafa84f2876dd513c8d189da8@justchair.com>
014 x-priority: 3
068 x-mailer: phpmailer 5.2.9 (https://github.com/phpmailer/phpmailer/)
018 mime-version: 1.0
085 content-type: multipart/alternative;
boundary="b1_916dc61bafa84f2876dd513c8d189da8"
032 content-transfer-encoding: 8bit
1yciex-0005w7-37-d

hi.

no need change way eat.

hxxp://ipasticcidellacuoca.it/press.php?e=8 read more right now.

forum post assistant (v1.2.4) : 3rd april 2015 wrote:
problem description :: compromised cms, outbound spam
log/error message :: no error message
last php error(s) reported :: [31-dec-2014 19:01:21 america/chicago] php strict standards: only variables should be assigned by reference in /home/justcha/public_html/plugins/system/webfonts/helpers/head.php on line 26

basic environment ::
joomla! instance :: joomla! 2.5.11-stable (ember) 26-april-2013
joomla! platform :: joomla platform 11.4.0-stable (brian kernighan) 03-jan-2012
joomla! configured :: yes | read-only (444) | owner: justcha (uid: 1/gid: 1) | group: justcha (gid: 1) | valid for: 2.5
configuration options :: offline: 1 | sef: 1 | sef suffix: 1 | sef rewrite: 1 | .htaccess/web.config: yes | gzip: 0 | cache: 0 | ftp layer: 0 | ssl: 0 | error reporting: none | site debug: 0 | language debug: 0 | default access: 1 | unicode slugs: 1 | database credentials present: yes

host configuration :: os: linux | os version: 2.6.32-042stab094.8 | technology: i686 | web server: apache | encoding: gzip, deflate | doc root: /home/justcha/public_html | system tmp writable: yes

php configuration :: version: 5.4.38 | php api: apache2handler | session path writable: yes | display errors: 1 | error reporting: 24567 | log errors to: error_log | last known error: 31st december 2014 19:01:21. | register globals: | magic quotes: | safe mode: | open base: /home/justcha:/usr/lib/php:/usr/local/lib/php:/tmp | uploads: 1 | max. upload size: 1024m | max. post size: 260m | max. input time: 80 | max. execution time: 18000 | memory limit: 256m

mysql configuration :: version: 5.5.40-cll (client:5.5.40) | host: --protected-- (--protected--) | collation: latin1_swedish_ci (character set: latin1) | database size: 14.20 mib | #of tables: 227
detailed environment ::
php extensions :: core (5.4.38) | date (5.4.38) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | hash (1.0) | iconv () | spl (0.2) | json (1.2.1) | mbstring () | mcrypt () | session () | mysql (1.0) | mysqli (0.1) | standard (5.4.38) | phar (2.0.1) | posix () | reflection ($id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | simplexml (0.1) | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | apache2handler () | pdo (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | ioncube loader () | zend guard loader () | zend engine (2.4.0) |
potential missing extensions :: suhosin |

switch user environment (experimental) :: php cgi: no | server su: no | php su: no | custom su (litespeed/cloud/grid): yes
potential ownership issues: no

apache modules :: core | mod_authn_file | mod_authn_default | mod_authz_host | mod_authz_groupfile | mod_authz_user | mod_authz_default | mod_auth_basic | mod_include | mod_filter | mod_deflate | mod_log_config | mod_logio | mod_env | mod_expires | mod_headers | mod_unique_id | mod_setenvif | mod_version | mod_proxy | mod_proxy_connect | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_proxy_ajp | mod_proxy_balancer | mod_ssl | itk | http_core | mod_mime | mod_status | mod_autoindex | mod_asis | mod_info | mod_suexec | mod_cgi | mod_negotiation | mod_dir | mod_actions | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_disable_suexec | mod_bwlimited | mod_php5 | apache |
potential missing modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
folder permissions ::
core folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |

elevated permissions (first 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/help/ (777) | administrator/includes/ (777) | administrator/language/ (777) | administrator/manifests/ (777) | administrator/modules/ (777) | administrator/modules/mod_imageshow_quickicon/ (777) | administrator/templates/ (777) |
extensions discovered ::
components :: site :: com_mailto (2.5.0) | wf_link_search_title (2.3.1) | [youtube] (2.3.1) | wf_aggregator_vimeo_title (2.3.1) | wf_aggregator_googlemaps_title (2.3.1) | wf_mediaplayer_jceplayer_title (2.3.1) | wf_links_joomlalinks_title (2.3.1) | wf_filesystem_joomla_title (2.3.1) | wf_popups_jcemediabox_title (2.3.1) | wf_popups_window_title (2.3.1) | wf_popups_widgetkit_title (2.0.3) | wf_popups_rokbox_title (2.0.0) | wf_fullscreen_title (2.3.1) | wf_contextmenu_title (2.3.1) | wf_searchreplace_title (2.3.1) | wf_anchor_title (2.3.1) | wf_iframe_title (2.0.1) | wf_browser_title (2.3.1) | wf_nonbreaking_title (2.3.1) | wf_xhtmlxtras_title (2.3.1) | wf_style_title (2.3.1) | wf_textcase_title (2.3.1) | [do not buy our kitchens!] (2.3.1) | wf_table_title (2.3.1) | wf_preview_title (2.3.1) | wf_layer_title (2.3.1) | wf_autosave_title (2.3.1) | wf_imgmanager_ext_title (2.0.13) | wf_caption_title (2.0.3) | wf_article_title (2.3.1) | wf_mediamanager_title (2.0.8) | wf_spellchecker_title (2.3.1) | wf_visualchars_title (2.3.1) | wf_inlinepopups_title (2.3.1) | wf_templatemanager_title (2.0.4) | wf_lists_title (2.3.1) | wf_emotions_title (2.0.2) | wf_source_title (2.3.1) | wf_link_title (2.3.1) | wf_cleanup_title (2.3.1) | wf_fullpage_title (2.0.2) | wf_filemanager_title (2.1.5) | wf_visualblocks_title (2.3.1) | wf_media_title (2.3.1) | wf_clipboard_title (2.3.1) | wf_imgmanager_title (2.3.1) | wf_directionality_title (2.3.1) | wf_print_title (2.3.1) | com_wrapper (2.5.0) | spambotcheck (1.0.1) |
components :: admin :: acymailing tag : manage su (3.7.0) | acymailing table of contents g (1.0.0) | acymailing manage text (1.0.0) | acymailing tag : date / time (3.7.0) | acymailing : share on social n (1.0.0) | acymailing : statistics plugin (3.7.0) | acymailing tag : content inser (3.7.0) | acymailing : handle click trac (3.7.0) | acymailing module (3.7.0) | acymailing : (auto)subscribe d (3.7.0) | acymailing tag : cb user infor (3.7.0) | acymailing template class repl (3.7.0) | acymailing tag : joomla user (3.7.0) | acymailing : trigger joomla co (3.7.0) | acymailing tag : website links (3.7.0) | acymailing tag : virtuemart in (1.2.1) | acymailing tag : insert modu (3.7.0) | acymailing tag : subscriber in (3.7.0) | acymailing (4.1.0) | com_weblinks (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_config (2.5.0) | com_newsfeeds (2.5.0) | com_cache (2.5.0) | virtuemart (-) | ecb currency converter (1.0) | com_banners (2.5.0) | com_content (2.5.0) | com_checkin (2.5.0) | imageshow (4.7.0) | imageshow (4.7.0) | com_redirect (2.5.0) | com_xmap (2.3.2) | com_media (2.5.0) | com_installer (2.5.0) | com_joomlaupdate (2.5.0) | com_cpanel (2.5.0) | com_languages (2.5.0) | csvi (5.5) | jce (2.3.1) | unknown (-) | editor - jce (2.3.1) | editor - jce (2.3.1) | plg_quickicon_jcefilebrowser (2.5.0) | jce file browser (2.3.1) | virtuemart_allinone (2.0.20b) | magic zoom plus module joo (v4.4.57 [v1.2) | magic zoom plus (v4.4.57 [v1.2) | com_search (2.5.0) | com_users (2.5.0) | com_plugins (2.5.0) | com_admin (2.5.0) | chronoforms (4.0 rc3.5.1) | com_finder (2.5.0) | com_menus (2.5.0) | com_categories (2.5.0) | com_login (2.5.0) | com_k2 (2.6.9) | mod_k2_comments (-) | mod_k2_comments (-) | com_templates (2.5.0) | com_webfonts (2.0.7) | com_ijoomla_seo (3.1.5) | sales (1.0.0) |

modules :: site :: mod_users_latest (2.5.0) | k2 comments (2.6.9) | mod_articles_latest (2.5.0) | tcvn vm dropdown category (1.0) | mod_virtuemart_product (2.0.20b) | mod_virtuemart_currencies (2.0.20b) | mod_finder (2.5.0) | k2 users (2.6.9) | mod_virtuemart_manufacturer (2.0.20b) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_menu (2.5.0) | mod_weblinks (2.5.0) | mod_syndicate (2.5.0) | dj-menu (1.7.4) | mod_virtuemart_category (2.0.20b) | mod_wrapper (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_random_image (2.5.0) | mod_breadcrumbs (2.5.0) | custom banner (for joomla 2.) | chronoforms (v4 rc3.0) | acymailing module (3.7.0) | mod_custom (2.5.0) | dj-menu (1.7.4) | mod_articles_category (2.5.0) | mod_articles_archive (2.5.0) | mod_login (2.5.0) | mod_stats (2.5.0) | mod_whosonline (2.5.0) | magic zoom plus module joo (v4.4.57 [v1.2) | k2 user (2.6.9) | jsn imageshow (4.7.0) | k2 content (2.6.9) | mod_search (2.5.0) | mod_articles_categories (2.5.0) | mod_banners (2.5.0) | k2 tools (2.6.9) | mod_feed (2.5.0) | mod_languages (2.5.0) | mod_virtuemart_search (2.0.20b) | virtuemart shopping cart (2.0.20b) | full slider (1.0) | system (1.0.0) |
modules :: admin :: jsn imageshow quick icons (4.7.0) | mod_submenu (2.5.0) | mod_toolbar (2.5.0) | mod_menu (2.5.0) | mod_logged (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_status (2.5.0) | mod_login (2.5.0) | k2 stats (admin) (2.6.9) | mod_quickicon (2.5.0) | mod_feed (2.5.0) | k2 quick icons (admin) (2.6.9) | mod_title (2.5.0) | mod_version (2.5.0) |

plugins :: site :: plg_extension_joomla (2.5.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | search - k2 (2.6.9) | plg_search_virtuemart (2.0.20b) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | button - imageshow (4.7.0) | plg_editors-xtd_readmore (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | user - k2 (2.6.9) | user - spambotcheck (1.1.12) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_editors_codemirror (1.0) | editor - jce (2.3.1) | plg_editors_tinymce (3.5.4.1) | xmap - weblinks plugin (2.0.1) | xmap - virtuemart plugin (2.0.1) | xmap - content plugin (2.0.4) | vm - calculation avalara tax (2.0.18b) | acymailing : trigger joomla co (3.7.0) | acymailing tag : insert modu (3.7.0) | acymailing tag : website links (3.7.0) | acymailing : handle click trac (3.7.0) | acymailing manage text (1.0.0) | acymailing tag : joomla user (3.7.0) | acymailing : statistics plugin (3.7.0) | acymailing tag : date / time (3.7.0) | acymailing : share on social n (1.0.0) | acymailing tag : cb user infor (3.7.0) | acymailing tag : content inser (3.7.0) | acymailing tag : subscriber in (3.7.0) | acymailing tag : virtuemart in (1.2.1) | acymailing table of contents g (1.0.0) | acymailing template class repl (3.7.0) | acymailing tag : manage su (3.7.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | josetta - k2 items (2.6.9) | josetta - k2 categories (2.6.9) | vmpayment_standard (2.0.20b) | vm payment plugin moneybookers (2.0.6) | vm payment plugin moneybookers (2.0.6) | vm payment plugin moneybookers (2.0.6) | vm payment plugin moneybookers (2.0.6) | vm payment - authorize.net aim (2.0.20b) | vm payment plugin moneybookers (2.0.6) | vm 
payment plugin moneybookers (2.0.6) | vm - payment, systempay (2.0.8c) | vm payment plugin moneybookers (2.0.6) | vm payment plugin moneybookers (2.0.6) | vmpayment_heidelpay (12.09) | vm - payment, klarna (2.0.20b) | vmpayment_moneybookers (2.0.6) | vmpayment_paypal (2.0.20b) | vm - payment, payzen (2.0.8c) | acymailing : (auto)subscribe d (3.7.0) | plg_system_remember (2.5.0) | plg_system_sef (2.5.0) | google maps (2.18) | plg_system_log (2.5.0) | system - jce mediabox (1.1.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | system - jsn imageshow (4.7.0) | plg_system_redirect (2.5.0) | plg_system_languagecode (2.5.0) | system - k2 (2.6.9) | plg_system_logout (2.5.0) | plg_system_jsnframework (1.2.13) | plg_system_cache (2.5.0) | plg_system_highlight (2.5.0) | plg_system_p3p (2.5.0) | plg_webfonts (2.0.2) | system - google analytics free (4.1) | system - ijseo (3.0.0) | ijoomla news (1.0.0) | ijoomlaupgradealert (1.0) | webmaster site verification (1.0) | plg_system_titlemanager (3.0) | system - jquery easy (1.5.6) | vmshipment_weight_countries (2.0.20b) | plg_captcha_recaptcha (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_k2 (2.6.9) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | source picasa (1.1.4) | theme classic (1.2.3) | source instagram (1.0.0) | source joomgallery (1.0.2) | theme carousel (1.0.6) | theme flow (1.0.4) | theme grid (1.0.9) | theme slider (1.1.5) | theme strip (1.0.5) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_geshi (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_joomla (2.5.0) | content - jsn imageshow (4.7.0) | plg_content_emailcloak (2.5.0) | chronoforms (v4 rc3.0) | plg_content_finder (2.5.0) | plg_content_vote (2.5.0) | ijseo_plugin (3.0.0) |
templates discovered ::
templates :: site :: atomic (2.5.0) | chair (2.5.0) |
templates :: admin :: hathor (2.5.0) | bluestork (2.5.0) |

There are a lot more problems that are obvious:

1. The most recent version of the 2.5.x series is 2.5.28, and you are running 2.5.11, or 17 versions behind.
2. Your folders are 777. 777 (and its ugly cousin 666) allow read and write permissions (and, in the event of 777, execute) to "other". Other gives any user the ability to edit and manipulate files and folders. Typically, as you can imagine, this is bad security. Use 644 permissions for files and 755 permissions for folders...
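An added shell example (not code from the thread, Joomla or the FPA) that checks a docroot for the two indicators this thread shows, world-writable folders/files and PHP files sitting in locations that should hold no code, and then applies the 755/644 baseline the reply recommends. The sample tree, its mktemp root and the file names inside it are constructed for the demo; only POSIX sh, find(1) and chmod(1) are assumed.

```shell
#!/bin/sh
# Added example, not from the forum thread. Location-based checks like these
# catch droppers such as images/.../sql.php or plugins/captcha/.test.php, but
# NOT a core file infected in place (e.g. components/com_contact/router.php);
# that needs a content scan or a diff against a clean Joomla 2.5 package.

# Relative paths of world-writable directories and files under $1, sorted.
list_world_writable() {
  find "$1" \( -type d -o -type f \) -perm -0002 | sed "s|^$1/||" | LC_ALL=C sort
}

# Relative paths of PHP files in no-code locations (images/, tmp/, cache/)
# or with hidden dotfile names, sorted.
list_suspicious_php() {
  find "$1" -type f -name '*.php' \
    \( -path "$1/images/*" -o -path "$1/tmp/*" -o -path "$1/cache/*" -o -name '.*' \) \
    | sed "s|^$1/||" | LC_ALL=C sort
}

# Reset every directory to 755 and every file to 644 (the reply's advice).
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree mirroring a few paths from the scan report above;
# prints the temporary root so callers can inspect and remove it.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/images/jsn_is_thumbs/images/metal" "$root/plugins/captcha" \
           "$root/components/com_contact" "$root/tmp/install_x"
  for f in images/jsn_is_thumbs/images/metal/sql.php plugins/captcha/.test.php \
           components/com_contact/router.php tmp/install_x/options.php; do
    : > "$root/$f"
  done
  chmod -R 755 "$root"                       # deterministic baseline
  chmod 777 "$root/images" "$root/plugins" "$root/components"
  chmod 666 "$root/components/com_contact/router.php"
  printf '%s\n' "$root"
}

# Stand-alone run: report, fix, re-check, clean up.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample_tree)
  echo "world-writable:"; list_world_writable "$root"
  echo "suspicious php:"; list_suspicious_php "$root"
  fix_permissions "$root"
  echo "world-writable after fix: $(list_world_writable "$root" | wc -l)"
  rm -rf "$root"
fi
```

Run it as `sh audit.sh --demo`; against a real docroot call `list_world_writable /home/user/public_html` first and review the output before running `fix_permissions`, since some hosts need a writable tmp/ or cache/ owned by the web server user.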
