
Virus detected in xmap!


Postby gwmbox » Wed Feb 23, 2011 5:35 am

Hi guys, need to check, my antivirus software is detecting a virus in xmap, something related to PHP/Shell.O.1 php virus. From what I have read it is related to sending emails out?

Anyone else confirm or know anything about it?

Cheers

GW
gwmbox
Fresh Boarder
Posts: 3
Joined: Wed Feb 23, 2011 5:32 am

Re: Virus detected in xmap!

Postby franzb » Wed Feb 23, 2011 10:34 am

I found him first: http://joomla.vargas.co.cr/en/forum?view=topic&f=5&t=3409
:P

1.2.9 and 1.2.10 are infected.
franzb
Fresh Boarder
Posts: 2
Joined: Tue Feb 22, 2011 11:59 am

Re: Virus detected in xmap!

Postby gwmbox » Wed Feb 23, 2011 11:41 am

Well, I am surprised there are not more comments and discussion about it?

Does no one use xmap anymore?

GW
gwmbox
Fresh Boarder
Posts: 3
Joined: Wed Feb 23, 2011 5:32 am

Re: Virus detected in xmap!

Postby guilleva » Wed Feb 23, 2011 4:05 pm

Hi guys, thanks for reporting this. We are investigating this issue.

There are no more comments as the download package was modified a couple of days ago, we still don't know how, but we are trying to find it out. In the meantime, we have disabled the download section.

We will enable it when this vulnerability gets fixed and the packages cleaned/restored.

Regards,

Guillermo
guilleva
Administrator
Posts: 1527
Joined: Wed Sep 12, 2007 3:10 am
Location: San José, Costa Rica

Re: Virus detected in xmap!

Postby tyger » Thu Feb 24, 2011 8:21 am

@guilleva

Can u tell us exactly the day when Xmap was virused?
I saw now u can download it, is it safe?
tyger
Fresh Boarder
Posts: 2
Joined: Thu Feb 24, 2011 8:13 am

Re: Virus detected in xmap!

Postby spadilla » Thu Feb 24, 2011 6:03 pm

Can you please provide details as to whether the extension is safe to download and install now? I have many sites affected by this.

Also, if we installed one of the malicious packages, what procedure should we follow to be sure our site is safe again? Just uninstall and reinstall the new version?

Are there any details regarding what the virus was capable of? Was it a local machine virus or something that can cause server vulnerability?
spadilla
Fresh Boarder
Posts: 5
Joined: Mon May 19, 2008 1:53 am

Re: Virus detected in xmap!

Postby dpk » Thu Feb 24, 2011 7:54 pm

More information please!

Based on what was posted elsewhere in this forum, it sounds like a bogus file named "theme.php" (that should not exist) was discovered in the cache folder within the xmap installation package. The cache folder should not have php files in it. "Theme.php" is actually a remotely controlled mail script that will turn your server into a spam zombie.

This "vulnerability" was posted on the Joomla.org vulnerable extensions list today and classified as a "malicious payload." This is not a vulnerability, technically speaking. It is malware embedded in the xmap installation package, assuming the report is accurate. This could only happen by someone hacking into joomla.vargas.co.cr!

The vulnerability is on this website.
There may be back doors enabling further hacking.
Other extensions may have been compromised.


Please explain what corrective action has been taken!
dpk
Fresh Boarder
Posts: 8
Joined: Mon May 26, 2008 4:04 am

Re: Virus detected in xmap!

Postby sparkosis » Thu Feb 24, 2011 10:34 pm

I just checked my Xmap 1.2.10 installer that I downloaded from this site on October 30, 2010 and there is no theme.php file in the cache folder, only index.html. So perhaps the problem was introduced after I downloaded it.

Richard
sparkosis
Fresh Boarder
Posts: 10
Joined: Sat Dec 29, 2007 9:04 pm

Re: Virus detected in xmap!

Postby tyger » Fri Feb 25, 2011 8:11 am

I checked the Xmap 1.2.10 archive downloaded on 19.02.2011; it seems it doesn't have theme.php in the cache folder.
tyger
Fresh Boarder
Posts: 2
Joined: Thu Feb 24, 2011 8:13 am

Re: Virus detected in xmap!

Postby guilleva » Fri Feb 25, 2011 4:18 pm

Hi All,

Yes, the site was hacked, we are still trying to figure out how that happened. They altered some installation packages between Feb 21st and Feb 23rd, so if you downloaded Xmap between those two days, I strongly suggest you uninstall it and check the rest of your site for malicious files. We removed the infected file as soon as I was notified about this issue.

I have made a full reinstallation of the site, uninstalled most of the third party extensions used on the site and taken some extra security measures to prevent this from happening again, but I'm going to be monitoring the site very closely to detect any unusual activity.

FYI: the affected package also had a malicious line in the file install.xmap.php (the very first line).

I have uploaded a clean package to joomlacode.org, so you can feel safe downloading it from there:
http://joomlacode.org/gf/project/xmap/frs/

I am really sorry about all the problems this may have caused you.

Regards,

Guillermo
guilleva
Administrator
Posts: 1527
Joined: Wed Sep 12, 2007 3:10 am
Location: San José, Costa Rica
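
An added example (not part of the original thread, and not the Xmap project's code): one way to compare a downloaded package against a copy you trust, reporting files that were added or changed and any PHP file stored under a `cache` folder, which are the two symptoms described in the posts above. The in-memory archives, their placeholder contents, the file name `xmap.php` and all function names are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

PHP_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

def file_hashes(package_bytes):
    """Map every file in a zip package to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def is_php_in_cache(path):
    """True for a PHP-executable file stored below any 'cache' directory."""
    p = PurePosixPath(path.lower())
    return "cache" in p.parts[:-1] and p.suffix in PHP_SUFFIXES

def audit_package(suspect_bytes, trusted_bytes):
    """Diff a suspect package against a trusted copy of the same release."""
    suspect, trusted = file_hashes(suspect_bytes), file_hashes(trusted_bytes)
    common = suspect.keys() & trusted.keys()
    return {
        "added": sorted(suspect.keys() - trusted.keys()),
        "removed": sorted(trusted.keys() - suspect.keys()),
        "modified": sorted(p for p in common if suspect[p] != trusted[p]),
        "php_in_cache": sorted(p for p in suspect if is_php_in_cache(p)),
    }

def build_zip(files):
    """Build an in-memory zip from {path: text}; used for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample packages; file contents are harmless placeholders.
BASE = {"install.xmap.php": "<?php\n// installer\n",
        "cache/index.html": "<html></html>",
        "xmap.php": "<?php\n// component\n"}
TRUSTED = build_zip(BASE)
SUSPECT = build_zip({**BASE,
                     "install.xmap.php": "<?php /* extra first line */ ?>\n" + BASE["install.xmap.php"],
                     "cache/theme.php": "<?php /* placeholder */\n"})

if __name__ == "__main__":
    for kind, paths in audit_package(SUSPECT, TRUSTED).items():
        print(f"{kind}: {paths}")
```

The same comparison works on real archives by passing the bytes of each file, for example `open(path, "rb").read()`; any entry under `added`, `modified` or `php_in_cache` is a file to inspect by hand.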
