Monday, 16 May 2016
  6 Replies
  2.7K Visits
I received an email from CERT Australia specifying:

"the national computer emergency response team (CERT), has received information indicating that your website has been compromised by the malicious 'Stealrat' remote access trojan (RAT). Websites compromised by Stealrat typically contain malicious PHP files that have been installed on the web server. Further information about Stealrat can be found by searching for "stealrat botnet".

Please note that simply removing the malicious PHP files will not make your website secure. There is a security weakness with the site that was exploited in order to install the malicious files, and this weakness must be remediated to prevent future compromises.

The malicious Stealrat files that have been identified on your site are listed below:

/modules/mod_jevents_cal/tmpl/default/global.php"

It was jEvents v3.1.12 that was installed when this attack happened.
The jEvents on this infected website is now up to date and clean.

I was just letting you know to tighten the security of this module. Thank you for providing the module.
Monday, 16 May 2016 08:06 · #170889
Hello,

That file actually doesn't exist in JEvents and is likely part of a much bigger problem with your site.

JEvents has quite a tight policy on security and we always use the Joomla! MVC and functions which clean most attacks.

I would suggest hardening your website and making sure everything is up to date whilst performing a full malware scan.

Many thanks
Tony

JEvents Club members can get priority forum support at the Support Forum, as well as access to a variety of custom JEvents addons and benefits. Join the JEvents club today!

Tuesday, 17 May 2016 00:51 · #170890
Hi Tony,

Thanks for your time to respond.

Yes, it's true that file doesn't exist in JEvents and was just injected somehow.
Joomla and jEvents are now up to date; we just couldn't update previously as the hosting server doesn't have the required PHP version.

It's good to know that JEvents has a tight policy on security.

Would you have a suggestion for the full malware scan?

Many thanks.
Tuesday, 17 May 2016 01:04 · #170891
Hello Compsos,

What I have found in many cases is that the script which is allowing the injection is a long way from where these malicious files are located: if the hacker / bot uploaded the script into the same directory as the script they are using to inject, then it would be easy to find and fix. So they tend to upload tens of files maliciously and then come back to them a few months later to play havoc, as you likely won't have a backup old enough to restore and update.

The key is to be kept up to date. I would advise using the likes of watchful.li, doing a full malware scan. This checks the original checksums of the Joomla! files.

You should then look at the likes of Akeeba Admin Tools to improve your .htaccess security, whilst using the WAF (firewall). Once that is done, you can then set up the file watcher. If any files are modified since the last scan it will notify you of the file that has been modified.

Many thanks
Tony

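One way to implement the checksum-baseline and file-watcher idea Tony describes, as an added example that is not part of this thread nor code from JEvents, Watchful or Akeeba: it hashes every file under a web root, keeps that as the baseline, and on a rescan reports files added, modified or removed, flagging new or changed PHP files first. The tiny Joomla tree, the tampered module file and the injected path (taken from the CERT notice above) are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(webroot: Path) -> dict:
    """Map every regular file (path relative to webroot) to its SHA-256."""
    return {p.relative_to(webroot).as_posix(): hash_file(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Files added, modified or removed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def suspicious(report: dict, exts=(".php", ".phtml")) -> list:
    """Added or modified PHP files: inspect these first after a rescan."""
    return sorted(p for p in report["added"] + report["modified"]
                  if p.lower().endswith(exts))

def demo() -> dict:
    """Constructed sample: baseline a tiny fake Joomla tree, then simulate
    the kind of injection the CERT notice reported and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        legit = root / "modules/mod_jevents_cal/mod_jevents_cal.php"
        legit.parent.mkdir(parents=True)
        legit.write_text("<?php defined('_JEXEC') or die;  // module entry\n")
        baseline = build_baseline(root)  # in real use, save this to disk
        # Constructed injection at the path named in the CERT notice; the
        # content is a harmless placeholder, not the real malicious file.
        bad = root / "modules/mod_jevents_cal/tmpl/default/global.php"
        bad.parent.mkdir(parents=True)
        bad.write_text("<?php /* placeholder */\n")
        legit.write_text(legit.read_text() + "// tampered line\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(suspicious(demo()))
```

Store the baseline somewhere the web server cannot write to (off-box or read-only), otherwise whoever dropped the files can rewrite the checksums too.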

Tuesday, 17 May 2016 01:58 · #170892
Hi Tony,

Thank you very much for that. I will have a look at watchful.li as well.
Have a great day.

Regards,
Shiena
Tuesday, 17 May 2016 09:19 · #170893
And you too, Shiena, you are very welcome.


Thursday, 19 May 2016 07:05 · #170894
You can also try MyJoomla.com. Their service is much more security oriented and they offer one site scan for free.