By Guest on Monday, 16 May 2016
Replies 6
Likes 0
Views 2.7K
Votes 0
I received an email from CERT Australia specifying:

"The national computer emergency response team (CERT) has received information indicating that your website has been compromised by the malicious 'Stealrat' remote access trojan (RAT). Websites compromised by Stealrat typically contain malicious PHP files that have been installed on the web server. Further information about Stealrat can be found by searching for "stealrat botnet".

Please note that simply removing the malicious PHP files will not make your website secure. There is a security weakness with the site that was exploited in order to install the malicious files, and this weakness must be remediated to prevent future compromises.

The malicious Stealrat files that have been identified on your site are listed below:

/modules/mod_jevents_cal/tmpl/default/global.php"

It was jEvents v3.1.12 that was installed when this attack happened.
The jEvents on this infected website is now up to date and clean.

I was just letting you know to tighten the security of this module. Thank you for providing the module.
Hello,

That file actually doesn't exist in JEvents and is likely part of a much bigger problem with your site.

JEvents has quite a tight policy on security, and we always use the Joomla! MVC and functions, which clean most attacks.

I would suggest hardening your website and making sure everything is up to date, whilst performing a full malware scan.

Many thanks
Tony
Monday, 16 May 2016 08:06
Hi Tony,

Thanks for your time to respond.

Yes, it's true that file doesn't exist in JEvents and was just injected somehow.
Joomla and jEvents are now up to date; we just couldn't update previously, as the hosting server doesn't have the required PHP version.

It's good to know that JEvents has a tight policy on security.

Would you have a suggestion for the full malware scan?

Many thanks.
Tuesday, 17 May 2016 00:51
Hello Compsos,

What I have found in many cases is that the script which is allowing the injection is way away from where these malicious files are located; if the hacker / bot uploaded the script into the same directory as the script they are using to inject, then it would be easy to find and fix. So they tend to upload tens of files maliciously and then come back to them a few months later to play havoc, as you likely won't have a backup old enough to restore and update.

The key is to be kept up to date. I would advise using the likes of watchful.li and doing a full malware scan. This checks the original checksums of the Joomla! files.

You should then look at the likes of Akeeba Admin Tools to improve your .htaccess security, whilst using the WAF (firewall). Once that is done, you can then set up the file watcher. If any files have been modified since the last scan, it will notify you of the file that has been modified.

Many thanks
Tony
Tuesday, 17 May 2016 01:04
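The two techniques Tony recommends above, a checksum comparison against a known-clean baseline followed by a file watcher that reports anything changed since the last scan, as an added example that is not code from JEvents, watchful.li, Akeeba or this thread. It also plays through the situation in the opening post: a PHP file dropped under the module's template directory, far from whatever script was used to plant it. The Joomla-like directory tree, the "injected" file (which only carries a marker string, not a real payload) and the marker list are all constructed for the example.

```python
"""Minimal file-integrity check for a PHP site: baseline hashes, diff, triage.
Added example, not code from any of the products named in the thread."""
import hashlib
import tempfile
from pathlib import Path

# Markers common in dropped PHP files. Legitimate code (Joomla core included)
# uses some of these too, so a hit on a *changed* file is a triage cue,
# not proof of compromise. Constructed list for the example.
SUSPICIOUS_MARKERS = (b'eval(', b'base64_decode(', b'gzinflate(',
                      b'str_rot13(', b'create_function(', b'assert(')

# Constructed path, matching the one quoted from the CERT notice.
INJECTED = 'modules/mod_jevents_cal/tmpl/default/global.php'


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every PHP file (and .htaccess) under root."""
    manifest = {}
    for p in root.rglob('*'):
        if p.is_file() and (p.suffix.lower() in ('.php', '.phtml') or p.name == '.htaccess'):
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed relative to the known-clean baseline.
    Location does not matter: a dropper buried under tmpl/ shows up as 'added'."""
    common = baseline.keys() & current.keys()
    return {
        'added': sorted(current.keys() - baseline.keys()),
        'removed': sorted(baseline.keys() - current.keys()),
        'modified': sorted(k for k in common if baseline[k] != current[k]),
    }


def flag_markers(root: Path, rel_paths) -> dict:
    """For each changed file, list which suspicious markers it contains."""
    hits = {}
    for rel in rel_paths:
        data = (root / rel).read_bytes()
        found = [m.decode() for m in SUSPICIOUS_MARKERS if m in data]
        if found:
            hits[rel] = found
    return hits


def write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def make_clean_site(root: Path) -> None:
    """Constructed stand-in for a Joomla install with the jEvents module; not the real files."""
    write(root, 'index.php', "<?php define('_JEXEC', 1); require 'includes/app.php';\n")
    write(root, 'modules/mod_jevents_cal/mod_jevents_cal.php', "<?php defined('_JEXEC') or die;\n")
    write(root, 'modules/mod_jevents_cal/tmpl/default/default.php',
          "<?php defined('_JEXEC') or die; echo $calendar;\n")


def simulate_compromise(root: Path) -> None:
    """Constructed changes mimicking the CERT report: a dropped file plus an edited entry point."""
    write(root, INJECTED, "<?php\n// constructed sample, not a real payload\necho base64_decode('aGVsbG8=');\n")
    with (root / 'index.php').open('a') as f:
        f.write("<?php include __DIR__ . '/" + INJECTED + "';\n")


def run_demo() -> dict:
    """Baseline a clean tree, apply the constructed compromise, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_clean_site(root)
        baseline = build_manifest(root)   # in practice: hashes taken from the vendor package
        simulate_compromise(root)
        diff = compare_manifests(baseline, build_manifest(root))
        flagged = flag_markers(root, diff['added'] + diff['modified'])
        return {'diff': diff, 'flagged': flagged}


if __name__ == '__main__':
    import json
    print(json.dumps(run_demo(), indent=2))
```

The baseline is the part that matters: it has to come from a known-clean source, such as the checksums of the original Joomla! and extension packages, not from the live tree. A file watcher whose first snapshot is taken after the compromise simply blesses the dropped files, which is exactly the "come back months later" scenario Tony describes. Run it against the real document root with the same `build_manifest` and `compare_manifests`; only the constructed site and `simulate_compromise` are demo scaffolding.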
Hi Tony,

Thank you very much for that. I will have a look at watchful.li as well.
Have a great day.

Regards,
Shiena
Tuesday, 17 May 2016 01:58
And you too, Shiena; you are very welcome.
Tuesday, 17 May 2016 09:19
You can also try MyJoomla.com. Their service is much more security oriented, and they offer one site scan for free.
Thursday, 19 May 2016 07:05