I developed and am now supporting a Joomla 1.5 site. It appears that it was hacked recently with MW:SPAM:SEO (http://labs.sucuri.net/db/malware/malware-entry-mwspamseo). I have looked at the directory structure (using FTP) and discovered a folder called 'f42ad68b3fb9cdd940d9eacc861791aa' in libraries\joomla\session\storage. What is this folder used for? I never used it when I developed the website.
-
Never heard of or seen a folder of that name. It doesn't belong to the core Joomla folder, so best delete it. – Lodder Aug 09 '12 at 21:12
-
@Lodder, do you know what the folder (storage) is used for? Is it safe to delete the contents? Does it have any dependencies elsewhere? – w0051977 Aug 09 '12 at 21:31
-
I am pretty sure it contains the files that are used to store sessions, cache and other bits and bobs – Lodder Aug 09 '12 at 22:03
-
@lodder, are these sessions common to all users? – w0051977 Aug 09 '12 at 22:05
-
Yes, they are. For more information regarding sessions, please read http://php.net/manual/en/intro.session.php – Lodder Aug 09 '12 at 22:10
-
@Lodder, are you able to post an answer so that I can give credit? Are you certain I should "just delete it"? Are you sure that it does not have any dependencies elsewhere? – w0051977 Aug 10 '12 at 20:27
-
@Lodder, can you offer any specific advice on removing this malware? Thanks. – w0051977 Aug 10 '12 at 20:31
2 Answers
The default files within libraries\joomla\session\storage are:
- apc.php
- database.php
- eaccelerator.php
- index.html
- memcache.php
- none.php
- xcache.php
Extensions installed should not manipulate any core Joomla files or store anything within the core folders. If there are any, delete them for security reasons.
The majority of the files noted above are for sessions and cache. For more information on sessions, please read: php.net/manual/en/intro.session.php
As for solving hacking in the future, I answered a question not long ago which explains some things you can do and recommended extensions. Joomla! 2.5.4 Hacked: Having trouble with diagnosis
-
Thanks. There is 150MB of content in f42ad68b3fb9cdd940d9eacc861791aa. Can you offer any advice removing 'MW:SPAM:SEO' (http://labs.sucuri.net/db/malware/malware-entry-mwspamseo)? – w0051977 Aug 10 '12 at 20:39
-
150MB!?! Wow, make sure you get that deleted as soon as possible and read my answer to another question here: http://stackoverflow.com/questions/11036763/joomla-2-54-hacked-having-trouble-with-diagnosis/11037642#11037642 – Lodder Aug 10 '12 at 20:45
-
Are you sure I can delete it without looking for dependencies elsewhere? – w0051977 Aug 10 '12 at 20:48
I've had a couple of attacks from this malware. In my case it seems to have entered through an image slide plugin (for Joomla 2.5). For want of a better approach I downloaded the whole site and searched for t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'} ');}dnnViewState();
This is the malware code string as per the Sucuri scan of the site. There was one instance of this in a JavaScript script, which when removed produced a clean bill of health for the site according to the Sucuri scanner. I would not lightly delete a whole folder of files, particularly as this malware has a small footprint: only 1 line of JavaScript. I know this thread is well out of date, but perhaps others are still having problems. My infections occurred around Feb 2013.

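Both answers describe checks that can be run against a downloaded copy of the site: compare libraries\joomla\session\storage with the default file list, and search the tree for the string the scanner reported. The following Python sketch is an added example, not code from either answer's author; the function names, the constructed sample tree, and the spellings apc.php and xcache.php are assumptions, and only the tail `dnnViewState();` of the quoted string is used as the marker.

```python
import os
import tempfile

# Default session-storage files from the first answer (assumed spellings: apc.php, xcache.php).
DEFAULT_STORAGE = {"apc.php", "database.php", "eaccelerator.php", "index.html",
                   "memcache.php", "none.php", "xcache.php"}
STORAGE_REL = os.path.join("libraries", "joomla", "session", "storage")
MARKER = "dnnViewState();"  # tail of the string quoted in the second answer
TEXT_EXTS = (".js", ".php", ".html", ".htm")

def unexpected_storage_entries(site_root):
    """Names inside the session storage folder that are not default files."""
    storage = os.path.join(site_root, STORAGE_REL)
    return sorted(n for n in os.listdir(storage) if n not in DEFAULT_STORAGE)

def files_containing(site_root, marker=MARKER):
    """Relative paths of script/markup files containing the literal marker."""
    needle, hits = marker.encode("utf-8"), []
    for dirpath, _dirs, names in os.walk(site_root):
        for name in names:
            if not name.lower().endswith(TEXT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits.append(os.path.relpath(path, site_root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample tree, standing in for a downloaded copy of the site."""
    storage = os.path.join(root, STORAGE_REL)
    os.makedirs(os.path.join(storage, "f42ad68b3fb9cdd940d9eacc861791aa"))
    for name in DEFAULT_STORAGE:
        open(os.path.join(storage, name), "w").close()
    os.makedirs(os.path.join(root, "plugins"))
    with open(os.path.join(root, "plugins", "slide.js"), "w") as fh:
        fh.write("var ok = 1;\n/* constructed */ dnnViewState();\n")
    with open(os.path.join(root, "plugins", "clean.js"), "w") as fh:
        fh.write("var ok = 2;\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        print("unexpected in storage:", unexpected_storage_entries(root))
        print("marker found in:", files_containing(root))
```

Point both functions at the directory holding the FTP download; each hit is a file or folder to inspect by hand before deciding what to remove.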