Virus detected in xmap!
Virus detected in xmap!
Hi guys, need to check, my antivirus software is detecting a virus in xmap, something related to PHP/Shell.O.1 php virus. From what I have read it is related to sending emails out?
Anyone else confirm or know anything about it?
Cheers
GW
- gwmbox
- Fresh Boarder

- Posts: 3
- Joined: Wed Feb 23, 2011 5:32 am
Re: Virus detected in xmap!
I found him first: http://joomla.vargas.co.cr/en/forum?view=topic&f=5&t=3409

1.2.9 and 1.2.10 are infected.
- franzb
- Fresh Boarder

- Posts: 2
- Joined: Tue Feb 22, 2011 11:59 am
Re: Virus detected in xmap!
Well, I am surprised there are not more comments and discussion about it?
Does no one use xmap anymore?
GW
- gwmbox
- Fresh Boarder

- Posts: 3
- Joined: Wed Feb 23, 2011 5:32 am
Re: Virus detected in xmap!
Hi guys, thanks for reporting this. We are investigating this issue.
There are no more comments as the download package was modified a couple of days ago, we still don't know how, but we are trying to find it out. In the meantime, we have disabled the download section.
We will enable it when this vulnerability gets fixed and the packages cleaned/restored.
Regards,
Guillermo
- guilleva
- Administrator

- Posts: 1517
- Joined: Wed Sep 12, 2007 3:10 am
- Location: San José, Costa Rica
Re: Virus detected in xmap!
@guilleva
Can u tell us exactly the day when Xmap was virused?
I saw now u can download it, is it safe?
- tyger
- Fresh Boarder

- Posts: 2
- Joined: Thu Feb 24, 2011 8:13 am
Re: Virus detected in xmap!
Can you please provide details as to whether the extension is safe to download and install now? I have many sites affected by this.
Also, if we installed one of the malicious packages, what procedure should we follow to be sure our site is safe again? Just uninstall and reinstall the new version?
Are there any details regarding what the virus was capable of? Was it a local machine virus or something that can cause server vulnerability?
- spadilla
- Fresh Boarder

- Posts: 5
- Joined: Mon May 19, 2008 1:53 am
Re: Virus detected in xmap!
More information please!
Based on what was posted elsewhere in this forum, it sounds like a bogus file named "theme.php" (that should not exist) was discovered in the cache folder within the xmap installation package. The cache folder should not have php files in it. "Theme.php" is actually a remotely controlled mail script that will turn your server into a spam zombie.
This "vulnerability" was posted on the Joomla.org vulnerable extensions list today and classified as a "malicious payload." This is not a vulnerability, technically speaking. It is malware embedded in the xmap installation package, assuming the report is accurate. This could only happen by someone hacking into joomla.vargas.co.cr!
The vulnerability is on this website.
There may be back doors enabling further hacking.
Other extensions may have been compromised.
Please explain what corrective action has been taken!
- dpk
- Fresh Boarder

- Posts: 8
- Joined: Mon May 26, 2008 4:04 am
Re: Virus detected in xmap!
I just checked my Xmap 1.2.10 installer that I downloaded from this site on October 30, 2010 and there is no theme.php file in the cache folder, only index.html. So perhaps the problem was introduced after I downloaded it.
Richard
- sparkosis
- Fresh Boarder

- Posts: 5
- Joined: Sat Dec 29, 2007 9:04 pm
Re: Virus detected in xmap!
I checked the Xmap 1.2.10 archive downloaded on 19.02.2011, it seems it doesn't have theme.php in the cache folder.
- tyger
- Fresh Boarder

- Posts: 2
- Joined: Thu Feb 24, 2011 8:13 am
Re: Virus detected in xmap!
Hi All,
Yes, the site was hacked, we are still trying to figure out how that happened. They altered some installation packages between Feb 21st and Feb 23rd, so if you downloaded Xmap between those two days, I strongly suggest you uninstall it and check the rest of your site for malicious files. We removed the infected file as soon as I was notified about this issue.
I have made a full reinstallation of the site, uninstalled most of the third party extensions used on the site and taken some extra security measures to prevent this from happening again, but I'm going to be monitoring the site very closely to detect any unusual activity.
FYI, the affected package also had a malicious line in the file install.xmap.php (the very first line).
I have uploaded a clean package to joomlacode.org, so you can feel safe downloading it from there:
http://joomlacode.org/gf/project/xmap/frs/
I'm really sorry about all the problems this may have caused you.
Regards,
Guillermo
- guilleva
- Administrator

- Posts: 1517
- Joined: Wed Sep 12, 2007 3:10 am
- Location: San José, Costa Rica
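An added example (not part of any post in this thread, and not the Xmap project's code): one way to compare a downloaded installer against the clean package, reporting added or changed files and any PHP file sitting in a cache folder, the two symptoms described above. The archive layout and file contents below are constructed placeholders.

```python
import hashlib
import io
import zipfile


def file_hashes(zip_bytes):
    """Map each file path in a zip archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def compare_packages(clean_zip, suspect_zip):
    """Report what the suspect package adds, changes or drops versus the clean one."""
    clean, suspect = file_hashes(clean_zip), file_hashes(suspect_zip)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "modified": sorted(p for p in clean.keys() & suspect.keys()
                           if clean[p] != suspect[p]),
        "missing": sorted(set(clean) - set(suspect)),
        # The thread notes that the cache folder should hold no PHP files at all.
        "php_in_cache": sorted(p for p in suspect
                               if "cache" in p.lower().split("/")[:-1]
                               and p.lower().endswith((".php", ".phtml"))),
    }


def build_zip(files):
    """Build an in-memory zip from {path: bytes}; used only for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample packages: paths and contents are placeholders, not real Xmap code.
CLEAN = build_zip({
    "install.xmap.php": b"<?php\n// installer\n",
    "cache/index.html": b"<html></html>",
})
SUSPECT = build_zip({
    "install.xmap.php": b"<?php /* placeholder: injected first line */ ?>\n<?php\n// installer\n",
    "cache/index.html": b"<html></html>",
    "cache/theme.php": b"<?php /* placeholder: unexpected file */\n",
})

if __name__ == "__main__":
    for kind, paths in compare_packages(CLEAN, SUSPECT).items():
        print(kind, paths)
```

With real archives, read the two files as bytes and pass them to `compare_packages`; any non-empty list is a reason to treat the download as untrusted.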