
Author Topic: Malware uploaded to the site via POST  (Read 3642 times)

pandronic (Esploratore, 75 posts)

Malware uploaded to the site via POST
« on: 03 Feb 2016, 13:04:38 »
Hi everyone! It's been a long time since I last wrote, and I'm sorry to be writing about something like this.
Lately one site has been giving me a lot of trouble. All the software is updated to the latest versions, the passwords are strong and have been changed several times, I've tried to follow the advice, but they still managed to get in once again.

I can't register on the joomla.org forum: it always tells me the e-mail address isn't valid. I tried both with well-known American providers and with my own domain. I don't know why, but I've always had this problem with joomla.org.

I managed to "catch" the culprit in the logs; specifically it was the file "object.php", which I found in the folder /modules/mod_finder/object.php

I created the following post with the Forum Post Assistant, but I can't upload it to joomla.org for the reason explained above. Can anyone help me, please?
 :'(

Quote from: Problem Description :: Forum Post Assistant (v1.2.4) : 3rd February 2016
Cracker able to upload malicious file via POST request
Quote from: Log/Error Message :: Forum Post Assistant (v1.2.4) : 3rd February 2016
61.100.180.31 - - [01/Feb/2016:09:45:00 +0100] "GET /modules/sxbscm.php HTTP/1.1" 303 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:01 +0100] "GET /en/modules/sxbscm.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:03 +0100] "POST /modules/mod_weblinks/functions.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:10 +0100] "POST /plugins/finder/weblinks/weblinks.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:17 +0100] "POST /libraries/vendor/joomla/plugin.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:24 +0100] "POST /layouts/plugins/user/proxy.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:26 +0100] "POST /components/com_contact/helpers/association.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:28 +0100] "POST /components/com_phocagallery/views/phocagallerylinkcats/plugin.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:30 +0100] "POST /components/com_phocagallery/assets/plupload/css/cache.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:32 +0100] "POST /libraries/joomla/mediawiki/pages.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:33 +0100] "POST /layouts/joomla/form/renderlabel.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:34 +0100] "POST /cli/update_cron.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:35 +0100] "POST /libraries/vendor/phpmailer/phpmailer/xml.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:41 +0100] "POST /libraries/joomla/database/query.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:43 +0100] "POST /libraries/fof/form/field/title.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:44 +0100] "POST /modules/mod_cookiesaccept/press.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:45 +0100] "POST /libraries/legacy/table/menu/db.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:52 +0100] "POST /layouts/joomla/tinymce/togglebutton.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:45:59 +0100] "POST /components/com_weblinks/language/en-GB/css.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:06 +0100] "POST /libraries/import.legacy.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:07 +0100] "POST /includes/db.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:09 +0100] "POST /press.php HTTP/1.1" 404 1638 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:11 +0100] "POST /libraries/cms/html/icons.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:33 +0100] "POST /components/com_config/model/modules.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:34 +0100] "POST /libraries/joomla/microdata/microdata.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:35 +0100] "POST /libraries/joomla/twitter/statuses.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:36 +0100] "POST /libraries/joomla/input/json.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:46:59 +0100] "POST /libraries/cms/html/tag.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:00 +0100] "POST /libraries/cms/help/help.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:01 +0100] "POST /modules/mod_dn/helper.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:03 +0100] "POST /templates/beez3/error.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:05 +0100] "POST /components/com_finder/session.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:07 +0100] "POST /libraries/joomla/mail/mail.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:19 +0100] "POST /libraries/joomla/facebook/album.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:20 +0100] "POST /libraries/joomla/mail/wrapper/css.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:22 +0100] "POST /libraries/joomla/linkedin/linkedin.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:23 +0100] "POST /components/com_jce/views/popup/view.html.php HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:30 +0100] "POST /plugins/content/emailcloak/search.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:37 +0100] "POST /components/com_contact/helpers/gallery.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:43 +0100] "POST /media/editors/codemirror/mode/asciiarmor/include.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:50 +0100] "POST /templates/caedbalos_home/index.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:52 +0100] "POST /components/com_phocagallery/views/info/view.html.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:47:54 +0100] "POST /plugins/content/flike/flike.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:01 +0100] "POST /templates/protostar/html/layouts/proxy.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:08 +0100] "POST /templates/beez5/html/com_content/featured/functions.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:10 +0100] "POST /templates/caedbalos_2_col/test.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:12 +0100] "POST /modules/mod_dn/language/ru-RU/sql.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:19 +0100] "POST /templates/protostar/header.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:31 +0100] "POST /components/com_content/views/archive/alias.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:33 +0100] "POST /media/editors/codemirror/mode/haxe/include.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:46 +0100] "POST /images/dirs.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:53 +0100] "POST /components/com_finder/controllers/suggestions.json.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:48:59 +0100] "POST /libraries/vendor/joomla/session/files.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:02 +0100] "POST /modules/mod_tags_popular/tmpl/article.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:08 +0100] "POST /modules/mod_phocagallery_image/models/fields/phocahead.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:10 +0100] "POST /plugins/finder/weblinks/weblinks.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:13 +0100] "POST /libraries/joomla/form/fields/url.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:15 +0100] "POST /libraries/legacy/dispatcher/dispatcher.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:17 +0100] "POST /modules/mod_search/mod_search.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:19 +0100] "POST /components/com_phocagallery/models/info.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:20 +0100] "POST /libraries/fof/form/form.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:27 +0100] "POST /templates/beez3/component.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:29 +0100] "POST /components/com_content/models/form.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:36 +0100] "POST /libraries/joomla/linkedin/oauth.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:43 +0100] "POST /libraries/joomla/mediawiki/search.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:45 +0100] "POST /modules/mod_tags_popular/helper.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:47 +0100] "POST /object.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:54 +0100] "POST /templates/caedbalos_home/user.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:55 +0100] "POST /components/com_banners/models/inc.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:57 +0100] "POST /layouts/joomla/toolbar/global.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:49:59 +0100] "POST /layouts/libraries/system.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:17 +0100] "POST /libraries/joomla/filesystem/functions.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:19 +0100] "POST /images/phocagallery/azienda/thumbs/alias.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:20 +0100] "POST /templates/protostar/html/global.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:22 +0100] "POST /modules/mod_random_image/tmpl/press.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
61.100.180.31 - - [01/Feb/2016:09:50:24 +0100] "POST /libraries/cms/form/field/system.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
Quote from: Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 3rd February 2016
I deleted the file, but I think the door is still open
Quote from: Forum Post Assistant (v1.2.4) : 3rd February 2016
Quote from: Basic Environment ::
Joomla! Instance :: Joomla! 3.4.8-Stable (Ember) 24-December-2015
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: mymoscat (uid: 1/gid: 1) | Group: mymoscat (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux |  OS Version: 2.6.32-531.29.2.lve1.3.11.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/mymoscat/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.5.31 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors:  | Error Reporting: 32767 | Log Errors To:  | Last Known Error:  | Register Globals:  | Magic Quotes:  | Safe Mode:  | Open Base:  | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: -1 | Max. Execution Time: 300 | Memory Limit: 256M

MySQL Configuration :: Version: 5.6.23-cll-lve (Client:5.6.23) | Host:  --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 6.15 MiB | #of Tables: 83
Quote from: Detailed Environment ::
PHP Extensions :: Core (5.5.31) | date (5.5.31) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline (5.5.31) | Reflection ($Id: dc76d2fe0f3e9c327c1d4ca617d94e26c7fae98d $) | session () | standard (5.5.31) | shmop () | SimpleXML (0.1) | mbstring () | tokenizer (0.1) | xml () | cgi-fcgi () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | fileinfo (1.0.5) | intl (1.1.0) | tidy (2.0) | bcmath () | Phar (2.0.2) | gd () | mysql (1.0) | xmlwriter (0.1) | sockets () | pgsql () | json (1.2.1) | exif (1.4 $Id: ff29fdd0fa0b922fd32e2f5704857dcc8543f628 $) | soap () | pdo_pgsql (1.0.2) | zip (1.11.0) | xmlrpc (0.51) | mysqli (0.1) | imap () | dom (20031129) | pdo_sqlite (1.0.1) | xmlreader (0.1) | posix () | mcrypt () | xsl (0.1) | mhash () | ionCube Loader () | Zend OPcache (7.0.4-devFE) | Zend Guard Loader () | Zend Engine (2.5.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes |  PHP SU: Yes |   Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Quote from: Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Quote from: Extensions Discovered ::
Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) | Default (1.0.0) | WF_INLINEPOPUPS_TITLE (2.5.12) | WF_HR_TITLE (2.5.12) | WF_FONTSELECT_TITLE (2.5.12) | WF_FONTCOLOR_TITLE (2.5.12) | WF_SEARCHREPLACE_TITLE (2.5.12) | WF_FULLSCREEN_TITLE (2.5.12) | WF_STYLESELECT_TITLE (2.5.12) | WF_CLIPBOARD_TITLE (2.5.12) | WF_NONBREAKING_TITLE (2.5.12) | WF_LAYER_TITLE (2.5.12) | WF_AUTOSAVE_TITLE (2.5.12) | WF_KITCHENSINK_TITLE (2.5.12) | WF_LINK_TITLE (2.5.12) | WF_PRINT_TITLE (2.5.12) | WF_IMGMANAGER_TITLE (2.5.12) | WF_STYLE_TITLE (2.5.12) | WF_XHTMLXTRAS_TITLE (2.5.12) | WF_CLEANUP_TITLE (2.5.12) | WF_ANCHOR_TITLE (2.5.12) | WF_VISUALBLOCKS_TITLE (2.5.12) | WF_CONTEXTMENU_TITLE (2.5.12) | WF_DIRECTIONALITY_TITLE (2.5.12) | WF_TABLE_TITLE (2.5.12) | WF_MEDIA_TITLE (2.5.12) | WF_CHARMAP_TITLE (2.5.12) | WF_BROWSER_TITLE (2.5.12) | WF_LISTS_TITLE (2.5.12) | WF_ARTICLE_TITLE (2.5.12) | WF_SPELLCHECKER_TITLE (2.5.12) | WF_PREVIEW_TITLE (2.5.12) | WF_SOURCE_TITLE (2.5.12) | WF_TEXTCASE_TITLE (2.5.12) | WF_FONTSIZESELECT_TITLE (2.5.12) | WF_VISUALCHARS_TITLE (2.5.12) | WF_FORMATSELECT_TITLE (2.5.12) | WF_AGGREGATOR_VIMEO_TITLE (2.5.12) | WF_AGGREGATOR_YOUTUBE_TITLE (2.5.12) | WF_AGGREGATOR_VINE_TITLE (2.5.12) | WF_AGGREGATOR_DAILYMOTION_TITL (2.5.12) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.12) | WF_LINK_SEARCH_TITLE (2.5.12) | WF_FILESYSTEM_JOOMLA_TITLE (2.5.12) | WF_POPUPS_WINDOW_TITLE (2.5.12) | WF_POPUPS_JCEMEDIABOX_TITLE (2.5.12) | WF_LINKS_JOOMLALINKS_TITLE (2.5.12) |
Components :: ADMIN :: com_postinstall (3.2.0) | com_templates (3.0.0) | com_search (3.0.0) | com_config (3.0.0) | com_languages (3.0.0) | com_banners (3.0.0) | com_modules (3.0.0) | com_categories (3.0.0) | com_menus (3.0.0) | com_weblinks (3.4.1) | com_cache (3.0.0) | com_admin (3.0.0) | com_contenthistory (3.2.0) | com_content (3.0.0) | com_phocagallery (4.1.2) | com_redirect (3.0.0) | com_users (3.0.0) | com_cpanel (3.0.0) | com_ajax (3.2.0) | com_login (3.0.0) | com_newsfeeds (3.0.0) | com_plugins (3.0.0) | com_installer (3.0.0) | com_tags (3.1.0) | com_finder (3.0.0) | Unknown (-) | JCE (2.5.12) | com_media (3.0.0) | com_joomlaupdate (3.0.0) | com_messages (3.0.0) | com_checkin (3.0.0) |

Modules :: SITE :: mod_articles_archive (3.0.0) | mod_articles_news (3.0.0) | mod_phocagallery_image (4.0.0) | mod_whosonline (3.0.0) | mod_breadcrumbs (3.0.0) | mod_articles_categories (3.0.0) | mod_syndicate (3.0.0) | mod_articles_popular (3.0.0) | mod_footer (3.0.0) | mod_banners (3.0.0) | mod_login (3.0.0) | mod_users_latest (3.0.0) | mod_tags_popular (3.1.0) | Facebook Like (1.4.5) | mod_custom (3.0.0) | mod_menu (3.0.0) | mod_random_image (3.0.0) | mod_stats (3.0.0) | mod_finder (3.0.0) | mod_feed (3.0.0) | mod_related_items (3.0.0) | mod_search (3.0.0) | mod_weblinks (3.4.1) | mod_tags_similar (3.1.0) | mod_articles_latest (3.0.0) | mod_languages (3.0.0) | mod_articles_category (3.0.0) | DisplayNews (2.7) | mod_wrapper (3.0.0) | CookiesAccept (1.3) |
Modules :: ADMIN :: mod_submenu (3.0.0) | mod_multilangstatus (3.0.0) | mod_version (3.0.0) | mod_login (3.0.0) | mod_logged (3.0.0) | mod_status (3.0.0) | mod_custom (3.0.0) | mod_quickicon (3.0.0) | mod_menu (3.0.0) | mod_feed (3.0.0) | mod_popular (3.0.0) | mod_title (3.0.0) | mod_toolbar (3.0.0) | mod_stats_admin (3.0.0) | mod_latest (3.0.0) |

Plugins :: SITE :: plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_user_contactcreator (3.0.0) | plg_editors_tinymce (4.1.7) | plg_editors_codemirror (5.6) | plg_editors_jce (2.5.12) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_phocagallery (4.1.2) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_installer_webinstaller (1.0.5) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.5.12) | plg_quickicon_joomlaupdate (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_search_weblinks (3.4.1) | plg_search_categories (3.0.0) | plg_search_content (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_weblinks (3.4.1) | plg_finder_categories (3.0.0) | plg_finder_content (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_log (3.0.0) | plg_system_redirect (3.0.0) | plg_system_remember (3.0.0) | System - FunCaptcha (3.0) | plg_system_sef (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_debug (3.0.0) | plg_system_cache (3.0.0) | plg_sytem_marcosinterceptor (1.6) | plg_system_jce (2.5.12) | plg_system_logout (3.0.0) | plg_system_highlight (3.0.0) | plg_system_p3p (3.0.0) | plg_extension_joomla (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | plg_captcha_nocaptcharecaptcha (1.0.0) | plg_captcha_recaptcha (3.4.0) | plg_content_phocagalleryslides (4.1.2) | plg_content_joomla (3.0.0) | plg_content_phocagallery (4.1.2) | plg_content_pagebreak (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_geshi (2.5.0) | plg_content_vote (3.0.0) | plg_content_finder (3.0.0) | plg_content_emailcloak (3.0.0) | Content - Facebook Like Button (3.0.23) | plg_content_phoca_open_graph (3.0.1) | plg_content_loadmodule (3.0.0) |
Quote from: Templates Discovered ::
Templates :: SITE :: protostar (1.0) | beez_20 (2.5.0) | caedbalos_home (1.0.0) | atomic (2.5.0) | beez3 (3.1.0) | beez5 (2.5.0) | caedbalos_2_col (1.0.0) | caedbalos_default (1.0.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) | bluestork (2.5.0) |
I'll be glad to help on the forum; private messages and e-mails annoy me. If you want help in private, I'll assume you are asking for a quote. Solving a problem on the forum means helping everyone, and I'll be happy to contribute.
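Added example, not from the thread or from Joomla: a small Python detector for the pattern visible in the log above, where one client POSTs to dozens of .php files scattered through the site tree, a 404 marking a file that is not there and a 200 with a tiny body marking one that answered. The sample log lines inside the block are constructed in the same shape as the post's (documentation-range addresses); the list of legitimate POST entry points and the threshold of five distinct paths are assumptions.

```python
"""Flag web-shell probing in an Apache combined-format access log.

A Joomla 3 front end only expects POSTs on its entry points (index.php,
administrator/index.php) or on SEF URLs; a client POSTing straight at
library, template or module .php files is either probing for dropped
backdoors (404 = not there) or talking to one (200 with a tiny body).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumption: the only .php files a healthy Joomla 3 site receives POSTs on.
ENTRY_POINTS = {"/index.php", "/administrator/index.php"}

# Constructed sample, modelled on the post's log (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2016:09:45:03 +0100] "POST /modules/mod_weblinks/functions.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2016:09:45:10 +0100] "POST /plugins/finder/weblinks/weblinks.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2016:09:45:24 +0100] "POST /layouts/plugins/user/proxy.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2016:09:45:45 +0100] "POST /libraries/legacy/table/menu/db.php HTTP/1.1" 404 1641 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Feb/2016:09:49:47 +0100] "POST /object.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Feb/2016:09:46:00 +0100] "POST /index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Feb/2016:09:46:01 +0100] "GET /images/dirs.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_php_probe(rec):
    """True for a POST aimed directly at a .php file that is not an entry point."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith(".php") and path not in ENTRY_POINTS


def find_probes(lines, min_paths=5):
    """Group probe-like POSTs by client and summarise clients above the threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_php_probe(rec):
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        paths = {r["path"] for r in recs}
        if len(paths) < min_paths:
            continue
        answered = sorted({r["path"] for r in recs if r["status"] == 200})
        sizes = Counter(r["size"] for r in recs if r["status"] == 200)
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        report[ip] = {
            "distinct_paths": len(paths),
            "missing": sum(1 for r in recs if r["status"] == 404),
            # Files that replied with 200: pull each from disk and compare against a clean copy.
            "answered": answered,
            # One repeated tiny body size across many unrelated paths is a strong backdoor tell.
            "common_size": sizes.most_common(1)[0][0] if sizes else None,
            "seconds": span,
        }
    return report


if __name__ == "__main__":
    for ip, summary in find_probes(SAMPLE_LOG).items():
        print(ip, summary)
```

Run it against a real log with `find_probes(open("access_log"))`; the `answered` list is the set of files to pull off the server and diff against the matching package, which is exactly the clean-up the author describes in the next reply.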

pandronic (Esploratore, 75 posts)

Re: Malware uploaded to the site via POST
« Reply #1 on: 03 Feb 2016, 19:27:00 »
I went and deleted/replaced every file that appears in a POST entry in the log; in some cases I replaced entire folders from the original packages of the core or of the installed extensions.

Bear in mind that the site wasn't built by me: I found myself having to manage it about a year ago. There was an extension called "weblink" that I have no idea what it is or what it was for. I couldn't find any information on Google either, and I think it isn't in the official Joomla directory; in fact I think it was the entry point of the attack.

It seems this extension is somehow tied to the finder, or at least it was included in the folder plugins/finder/weblinks

It was also installed as the module mod_weblinks and the component com_weblinks

Does anyone have any information about this extension?

thanks

pandronic (Esploratore, 75 posts)

Re: Malware uploaded to the site via POST
« Reply #2 on: 05 Feb 2016, 13:49:08 »
I've worked out what it is: weblinks is an application that was part of the Joomla core up to version 2.5.

I found the site at version 2.5, and so I brought it to 3.0 (and later versions) by running the guided installation.

The problem with these updates is that they may have installed the new files, but evidently they did not remove outdated modules (from a copy of the site I can see that the weblinks plugin dates back as far as 2005, while the module/component/plugin package dates to 2012).
So it's no surprise that I, like many other users, ended up with a cracked site (I won't list all the topics opened recently on similar subjects).

The method from user mariaelenaboschi http://forum.joomla.it/index.php/topic,256371.msg1190958.html#msg1190958
works because the vulnerability is in the finder's weblinks, which lives in the libraries folder.

Simply updating Joomla from an old version to 3.4.8 will not be enough. You have to remove com_weblinks and mod_weblinks and replace the libraries folder in its entirety, and finally, to be safe, remove the "prefisso_weblinks" table (your table prefix followed by _weblinks) from the database.

Once that's done you must NOT spread the news, nor investigate any further, nor alert the community in any way, because out there are lots of bad hackers, and the client will swallow anything; to convince himself he only needs to watch an episode of Mr. Robot
« Last edit: 05 Feb 2016, 13:50:58 by pandronic »
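Added example, not from the thread or from Joomla: a Python check for the clean-up described in Reply #1 and Reply #2. It hashes a site tree against a pristine unpack of the same release and lists files that are not in the package (dropped files such as object.php, leftover 2.5-era extensions), files whose content differs, and the legacy weblinks directories an in-place 2.5 to 3.x upgrade leaves behind. The directory list in LEGACY_WEBLINKS is an assumption about where a 2.5 install kept them, and the two tiny trees the demo builds under a temporary directory are constructed for the example.

```python
"""Compare a Joomla site tree against a clean copy of the same release.

Three questions after the kind of incident in the thread: which files are
on the server but not in the package, which package files have been
altered, and which 2.5-era directories the upgrade never removed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: where a Joomla 2.5 install kept the weblinks extension set.
LEGACY_WEBLINKS = (
    "components/com_weblinks",
    "administrator/components/com_weblinks",
    "modules/mod_weblinks",
    "plugins/finder/weblinks",
)


def _digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large media files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def tree_digests(root):
    """Map each file's path relative to root (POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _digest(p) for p in root.rglob("*") if p.is_file()}


def compare_trees(site, pristine):
    """Return sorted lists of extra, modified and missing files in the site tree."""
    s, p = tree_digests(site), tree_digests(pristine)
    return {
        # Not in the clean package: web shells land here, but so do every
        # third-party extension and template, so cross-check those against
        # their own packages the same way.
        "extra": sorted(set(s) - set(p)),
        "modified": sorted(k for k in s.keys() & p.keys() if s[k] != p[k]),
        "missing": sorted(set(p) - set(s)),
    }


def legacy_leftovers(site):
    """Which of the known legacy weblinks directories still exist in the site tree."""
    site = Path(site)
    return [d for d in LEGACY_WEBLINKS if (site / d).exists()]


def _write(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo():
    """Build two small constructed trees in a temp dir and run both checks on them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = os.path.join(tmp, "pristine"), os.path.join(tmp, "site")
        for root in (pristine, site):
            _write(root, "index.php", "<?php // front controller\n")
        _write(pristine, "libraries/import.legacy.php", "<?php // clean loader\n")
        _write(site, "libraries/import.legacy.php", "<?php // clean loader\n// injected line\n")
        _write(site, "modules/mod_finder/object.php", "<?php // file not in the package\n")
        _write(site, "modules/mod_weblinks/mod_weblinks.php", "<?php // 2.5-era leftover\n")
        return compare_trees(site, pristine), legacy_leftovers(site)


if __name__ == "__main__":
    diff, leftovers = demo()
    for kind in ("extra", "modified", "missing"):
        print(kind, diff[kind])
    print("legacy weblinks dirs still present:", leftovers)
```

On a real site, unpack the matching full-package zip into a scratch directory and call `compare_trees("/home/user/public_html", "/tmp/joomla-clean")`; review every `extra` entry before deleting it, replace `modified` files from the package, and treat a non-empty `legacy_leftovers()` result as the signal that the upgrade left the 2.5 extension set in place.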

 


