File injected on into Joomla site

Question

we had Joomla 2.5.8. a virus file list.php was created in this path /public_html/modules/mod_jacontentslider/assets/css

This file was sending spam emails non stop.

we thought it was php hack and update to latest version of php and upgraded joomla 2.5.11 and we got hit again with the same issue.

Any thoughts?

Update

I tried to download this infected file (list.php) to my windows 7 PC. The Microsoft security essentials software detected the virus and didn't allow me to download this file.

So, is there some software on linux (CentOS 5.9) side that will scan the files periodically and automatically delete bad ones or notify us? We had clam installed which is of no use. It did not detect this virus file.

We changed the joomla password, php user password. still it was hacked — Vivek Chandraprakash, Jul 30 '13 at 14:28
If your Joomla is up to date, all of your extensions are up to date, and you are using complex passwords on both the Joomla passwords but also mysql and your cPanel/FTP then you might also consider a virus on your computer. We had a similar issue with a client. We kept changing their FTP password but their site kept getting hacked. It turned out they had a virus that compromised Filezilla (the passwords are stored as plain text). They updated their password and the hackers had it instantly. — Brent Friar, Jul 30 '13 at 15:24
Also if you didn't replace all of your files they may have left a back door. Or they may be coming from elsewhere if you are on shared hosting. — Elin, Jul 30 '13 at 15:52
@Elin, When i searched for bad files, I just did a search for the keyword base64 encode and decode and looked for php files in images and css folders. Is there any other way to scan for bad files? — Vivek Chandraprakash, Jul 30 '13 at 16:12
I would replace all of the joomla files with a fresh download. — Elin, Jul 31 '13 at 20:44

score 2 · Accepted Answer · answered Jul 30 '13 at 14:47

This type of issue is common with outdated CMS solutions. Its usualy quite prone to vulnerabilities because of it's popularity. There are a lot of things you can do to prevent these type of attack, depending if you are on a shared server or a dedicated one there are solutions avaialable. I'll name only a few

First, start by changing your password to a passphrase with characters, numbers, sepcial characters (15)
Change your passphrase often
Ensure all of your server software is up to date on patches and knowned vulnerability, if on a shared server contact your provider with issues you have been facing.
Use sftp for transfers and definitely don't use filezilla
Invest in a firewall, very efficient to prevent brute force password attacks on certain ip range
Ultimately, you can visit these types of site that sell you protection for Joomla http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/8384 or these type of site that explains avaialable hacks for joomla http://www.exploit-db.com/papers/15780/

Hopefully these few advices will help you solve the problem you are faced with.

@Valentin Despa : Main problem for me is that Filezilla stores your password in plain text on your computer which allows malware program or hackers to read the settings file of filezilla and get your password for free! — legrandviking, Aug 07 '13 at 18:59

score 2 · Answer 2 · edited May 23 '17 at 12:06

2

Upgrade to the latest version of the Joomla 2.5 series for starters. Not that this version had any security fixes, however it's still always best to do so. It could very well be due to an extension you're using on your site.

I answered some questions a while back, explaining Joomla updates, things to take into account and what extensions can be used to keep your site more secure.

Joomla! 2.5.4 Hacked: Having trouble with diagnosis

and

Why should I keep my Joomla version up to date?

Hope this helps

edited May 23 '17 at 12:06

Community

1
1

answered Jul 30 '13 at 14:48

Lodder

19,758
10
59
100

Thank you very much. I will try the extension. – Vivek Chandraprakash Jul 30 '13 at 15:06

score 1 · Answer 3 · answered Oct 02 '13 at 09:59

8 Ways to secure Joomla and prevent being hacked!

Change the default database prefix (jos_)
Use a SEF component
Use the correct CHMOD for each folder and file.
Password protect your administrative area.
Keep your website up-to-date.
Use a .htaccess file to secure your Joomla.
Passwords - Use a unique and strong password.
Install the jSecure Authentication plugin.

For more details : http://www.toxzen.co.za/tutorials/item/30-8-ways-to-secure-joomla-and-prevent-being-hacked

File injected on into Joomla site

Update

3 Answers3