
Virus detected in xmap!

An open forum for opinions and general questions

Re: Virus detected in xmap!

Postby guilleva » Sat Feb 26, 2011 9:35 pm

Update about this:
http://joomla.vargas.co.cr/en/news/4-xmap/95-security-notice
guilleva
Administrator
 
Posts: 1527
Joined: Wed Sep 12, 2007 3:10 am
Location: San José, Costa Rica

Re: Virus detected in xmap!

Postby xmz » Sun Feb 27, 2011 10:02 am

Hi

Unfortunately I downloaded and installed an infected xmap. Could you please be more precise about how serious and dangerous the virus is?
I saw your announcement yesterday and I stopped apache, and have been checking all logs, database and directories for anything suspicious, but apart from the 2 files you mentioned all the rest seems clean.
We have a small server just for ourselves and I took care of hardening it as much as I knew, and the site is running as fastcgi.

The file theme.php does not look too dangerous; I can't figure out how it is supposed to fire. In any case it does not look like a well done job. I would say it is made to infect Windows servers.

I have decided not to load a backup because my newest backup is not new enough and that means too many hours of work lost. I just changed all the passwords, database prefix, fixed permissions etc.

Can you confirm anything about this? Has the virus infected someone indeed?
Do you still advise I should delete everything and start from zero?


Many thanks in advance
xmz
Fresh Boarder
 
Posts: 3
Joined: Sun Feb 27, 2011 9:56 am

Re: Virus detected in xmap!

Postby guilleva » Sun Feb 27, 2011 5:06 pm

Hi, well I must say that I think that the file theme.php may be very serious, as it allows the hacker to download and upload any file from and to your server. Also, when you install the infected version of Xmap, an email will be sent to a gmail address with some of your server's info; it should be something similar to this:
Code:
Dosya Yolu : C:/your/path/to/joomla
Server Admin : yourpostmaste@address.com
Server isletim sistemi : Apache/2.2.14 (Win32) DAV/2 mod_autoindex_color PHP/5.3.1
Shell Link : http://yourdomain.com/administrator/index.php
Avlanan Site : yourdomain.com


If you don't have the php setting "short_open_tag" enabled, then this theme.php is useless as it won't parse the PHP content.

Probably you had luck and you uninstalled it before they tried to do something, but to be sure you may want to search in your document root folder for the string "base64_decode". You will find some Joomla core files (that's okay), but if you find lines that look similar to this:
Code:
<?php eval("?>".base64_decode("PD9waHANCiRraW1lPSJhbWVuc2VtaWhAZ21haWwuY29tIjsNCiRiYXNsaWs9IkVMX011SGFNTWVEIFNlcnZlciBBdm....")); ?>

then that's probably a malicious or infected file.


You can also double check your apache logs and look for any request to /components/com_xmap/cache/theme.php; if you don't have any, then probably they didn't reach your site.

This theme.php file doesn't seem to do anything by itself; it's like a backdoor waiting for instructions.
guilleva
Administrator
 
Posts: 1527
Joined: Wed Sep 12, 2007 3:10 am
Location: San José, Costa Rica
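The two checks Guillermo describes in the post above (search the document root for eval() fed by base64_decode(), and look in the Apache access log for requests to the theme.php path) as a small offline Python script. This is an added example, not code from the thread or from the Xmap project. Everything in it is constructed: the temporary document root, its two PHP files (the base64 payload is a placeholder string), and the four access-log lines with documentation IP addresses; only the path /components/com_xmap/cache/theme.php and the eval("?>".base64_decode(...)) shape are taken from the post.

```python
"""Added example: two of the checks described in the thread, run offline.

1. scan_for_eval_base64(root): walk a Joomla document root and flag PHP
   files with eval() and base64_decode() on the same line. Joomla core
   files call base64_decode() legitimately (as the post notes), so the
   check keys on the eval+base64_decode combination, not on
   base64_decode alone.
2. find_theme_requests(lines): scan Apache access-log lines for requests
   to /components/com_xmap/cache/theme.php, the path named in the post.

The docroot contents and the log lines below are constructed for the
demonstration; they are not artefacts from the real incident.
"""
import os
import re
import tempfile

# eval( ... base64_decode( on one line; bytes so non-UTF-8 files still scan
EVAL_B64_RE = re.compile(rb'eval\s*\(.*base64_decode\s*\(', re.IGNORECASE)

# Apache common/combined log: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BACKDOOR_PATH = "/components/com_xmap/cache/theme.php"


def scan_for_eval_base64(root):
    """Return (relative_path, line_number) for every PHP line matching EVAL_B64_RE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    if EVAL_B64_RE.search(line):
                        hits.append((os.path.relpath(full, root), lineno))
    return hits


def find_theme_requests(lines):
    """Return (ip, method, status) for each log line that requested the backdoor path."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # compare the path with any query string stripped off
        path = m.group("path").split("?", 1)[0]
        if path == BACKDOOR_PATH:
            found.append((m.group("ip"), m.group("method"), m.group("status")))
    return found


# --- constructed sample data (not real log entries) ------------------------
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [27/Feb/2011:10:02:11 +0100] "GET /index.php?option=com_xmap HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2011:10:05:42 +0100] "POST /components/com_xmap/cache/theme.php HTTP/1.1" 200 341 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2011:10:05:50 +0100] "GET /components/com_xmap/cache/theme.php?x=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Feb/2011:10:07:00 +0100] "GET /administrator/index.php HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
]


def build_constructed_docroot():
    """Create a throwaway docroot with one benign and one suspicious PHP file."""
    root = tempfile.mkdtemp(prefix="joomla_demo_")
    os.makedirs(os.path.join(root, "components", "com_xmap", "cache"))
    # benign: base64_decode() without eval(), as Joomla core does
    with open(os.path.join(root, "libraries_ok.php"), "wb") as fh:
        fh.write(b'<?php $data = base64_decode($encoded); // legitimate use ?>\n')
    # suspicious: the eval("?>".base64_decode(...)) shape quoted in the post,
    # with a constructed placeholder payload instead of the real one
    with open(os.path.join(root, "components", "com_xmap", "cache", "theme.php"), "wb") as fh:
        fh.write(b'<? eval("?>".base64_decode("UExBQ0VIT0xERVI=")); ?>\n')
    return root


if __name__ == "__main__":
    demo_root = build_constructed_docroot()
    for rel, lineno in scan_for_eval_base64(demo_root):
        print(f"suspicious eval/base64_decode: {rel}:{lineno}")
    for ip, method, status in find_theme_requests(CONSTRUCTED_LOG):
        print(f"backdoor request: {ip} {method} -> {status}")
```

On a real server you would point scan_for_eval_base64() at the Joomla document root and feed find_theme_requests() the lines of the access log (including rotated and gzipped copies covering the period since the infected package was installed). A match in the second check is the stronger signal, since it shows the backdoor was actually contacted; the first check alone can produce false positives in obfuscated but legitimate third-party extensions, so inspect each hit before deleting anything.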

Re: Virus detected in xmap!

Postby xmz » Sun Feb 27, 2011 7:14 pm

Many thanks for your answer

The server is running debian lenny amd-64 bits. The virtual host runs php as fast-cgi with suexec.
short_open_tag is On.

Looking for the string "base64_decode" in the document root finds nothing strange, just the same files it finds in a "healthy" joomla installation.

I have double checked the apache logs and did not find any single mention of theme.php, or any strange POST.

Checking the mail.log from the 23rd of February I found what I guess is the email to a gmail address you said the infected xmap sends.
Is it amensemih@gmail.com ?

I'm confused now; apart from that email there is no other sign of exploitation in the server logs, joomla files or database.
I deleted the infected files and changed every single password, database prefix etc. Should I load a backup?


Best regards
xmz
Fresh Boarder
 
Posts: 3
Joined: Sun Feb 27, 2011 9:56 am

Re: Virus detected in xmap!

Postby guilleva » Sun Feb 27, 2011 8:45 pm

Hi, I think that you are safe; if they didn't call the theme.php file then they didn't do anything.

Regards,

Guillermo
guilleva
Administrator
 
Posts: 1527
Joined: Wed Sep 12, 2007 3:10 am
Location: San José, Costa Rica

Re: Virus detected in xmap!

Postby xmz » Sun Feb 27, 2011 10:22 pm

Many thanks Guillermo for your support.

I will watch the site closely to notice any strange behaviour.
I also think, like you, that the virus was not initiated and therefore there is no real reason to fear.
Good luck and many thanks again.
xmz
Fresh Boarder
 
Posts: 3
Joined: Sun Feb 27, 2011 9:56 am

Re: Virus detected in xmap!

Postby pequexmap » Wed Mar 16, 2011 9:11 pm

Hello, I have the virus. I uninstalled and reinstalled xmap 1.2.11, but
I can't reinstall my website.
How do I check the site and the logs to know if I have any problem?

Thanks.
pequexmap
Fresh Boarder
 
Posts: 3
Joined: Thu Mar 03, 2011 11:09 am

Re: Virus detected in xmap!

Postby jannypana » Thu Apr 14, 2011 10:45 am

Well, I am surprised there are not more comments and discussion about it.
jannypana
Fresh Boarder
 
Posts: 3
Joined: Thu Apr 14, 2011 10:32 am

Re: Virus detected in xmap!

Postby daviddaly5 » Sun Sep 30, 2012 2:59 pm

What is the best course of action to take if your site is infected with malware?
daviddaly5
Fresh Boarder
 
Posts: 2
Joined: Sun Sep 30, 2012 2:51 pm
