Confirming the validity of .alias76.php

VickiD

Hello,
Recently I discovered an attack on my Joomla site where PHP files were placed in the tmp path. I have now been on a mission to look for undercover attack objects. One suspicious-object search that I do is to look for PHP scripts without JEXEC or die. I found a file named .alias76.php in a folder under fabrik_visualization\calendar\language\lt_LT .
Is there a reason this PHP file does not include the JEXEC or die command? Is there a way to confirm that it is legitimate?
Thanks so much,
VickiD
 
All "valid" Fabrik files are in the download zip or can be found on GitHub: https://github.com/Fabrik/fabrik.

.alias76.php is surely not valid.

But the "JEXEC or die" command is no proof of valid or hacked files at all. You can have malicious files with this statement, and even with existing Fabrik or Joomla filenames.

Best is to do a clean new installation of everything (Joomla and components). You may move all old files to an extra folder, secured with a .htaccess, so you can copy images, custom scripts, custom templates etc. after the new installation.

Another possibility is to compare all files against a non-hacked backup with a tool like WinMerge, which will show all added or modified files.

Which Joomla and component versions are you running? It doesn't make sense to clean up without closing the holes.
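The two checks suggested in this reply (compare every file against a known-clean copy, and treat the missing JEXEC guard as a hint rather than proof) can be scripted. The following is an added example, not code from the thread or from the Fabrik project: it walks a site tree, hashes each PHP file against the same path in a clean copy (a backup or a fresh download), and records which files are new or modified; the guard check, the hidden-dot filename and an eval/base64_decode pattern are reported only as extra signals. The site and clean trees it builds, and the `plugins/fabrik_visualization/...` path, are constructed sample data for the demonstration.

```python
"""Audit a Joomla/Fabrik tree against a known-clean copy (added example)."""
import hashlib
import os
import re
import tempfile

# Joomla files normally open with a guard such as: defined('_JEXEC') or die;
JEXEC_GUARD = re.compile(
    r"defined\(\s*['\"]_JEXEC['\"]\s*\)\s*(or|\|\|)\s*die", re.IGNORECASE)
# Heuristic for injected code; it is a signal to review, never proof by itself.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|preg_replace)\s*\(.*\b(base64_decode|gzinflate|str_rot13)\b",
    re.IGNORECASE | re.DOTALL)


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def php_files(root):
    """Yield root-relative paths of every *.php file, hidden files included."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/")


def audit(site_root, clean_root):
    """Return {relative_path: [reasons]} for files that deserve a look."""
    clean = {rel: sha256_of(os.path.join(clean_root, rel))
             for rel in php_files(clean_root)}
    findings = {}
    for rel in php_files(site_root):
        full = os.path.join(site_root, rel)
        with open(full, "r", encoding="utf-8", errors="replace") as f:
            src = f.read()
        reasons = []
        # The comparison against the clean copy is the primary check.
        if rel not in clean:
            reasons.append("not in clean copy")
        elif clean[rel] != sha256_of(full):
            reasons.append("modified vs clean copy")
        # Secondary signals: a file may still be malicious with a guard present.
        if not JEXEC_GUARD.search(src):
            reasons.append("no _JEXEC guard")
        if os.path.basename(rel).startswith("."):
            reasons.append("hidden filename")
        if SUSPICIOUS.search(src):
            reasons.append("obfuscated eval pattern")
        if reasons:
            findings[rel] = reasons
    return findings


CLEAN_FILE = "<?php\ndefined('_JEXEC') or die;\n// legitimate component code\n"


def build_fixture():
    """Build a tiny constructed site tree plus its clean copy in temp dirs."""
    clean = tempfile.mkdtemp(prefix="clean_")
    site = tempfile.mkdtemp(prefix="site_")

    def write(root, rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)

    # Untouched file: present and identical in both trees.
    write(clean, "components/com_fabrik/fabrik.php", CLEAN_FILE)
    write(site, "components/com_fabrik/fabrik.php", CLEAN_FILE)
    # Modified file: guard intact, but content differs from the clean copy.
    write(clean, "components/com_fabrik/helper.php", CLEAN_FILE)
    write(site, "components/com_fabrik/helper.php", CLEAN_FILE + "// appended\n")
    # Added hidden file with no guard (constructed stand-in, harmless content).
    write(site, "plugins/fabrik_visualization/calendar/language/lt_LT/.alias76.php",
          "<?php\neval(base64_decode($placeholder));\n")
    return site, clean


if __name__ == "__main__":
    site_dir, clean_dir = build_fixture()
    for rel, why in sorted(audit(site_dir, clean_dir).items()):
        print(f"{rel}: {', '.join(why)}")
```

Point `audit()` at the real web root and an unpacked clean Joomla/Fabrik tree of the same versions; anything listed under "not in clean copy" or "modified vs clean copy" is what a WinMerge comparison would also show, and the extra reasons only help prioritise the review.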
 
Hi Troester,
I had been running Joomla 3.2.0 - and I had not updated Fabrik controls for 6 months. I am painfully aware now of the need to stay current.
I upgraded to Apache 2.4, PHP 5.5.15 and Joomla 3.3.6,
and then I was able to run updates on all Fabrik components and plugins as of yesterday.
I run on Windows Server 2008.

After your advice I looked at .htaccess and there are some references to known exploits. The code in the hacked files referenced base64_encode, so my guess is that is the exploit that I opened the door to by not upgrading to the latest releases and not using .htaccess.
I can trot out a list of excuses (starting with this is all new to me) but ignorance is just ignorance and I am learning the hard way.
Of course the site was already compromised by the time I figured this out.
I need to do more research into best hack-protection practices and how to use .htaccess.
You are spot on with - it will just happen again. I am working now to understand how to keep the site attack free. I was just struggling to build and make the thing work.
My plan now is to start with a clean Joomla install and rebuild from scratch on my dev server.
My live site is upgraded and functional now - I have found many of the exploited objects. I'm hoping I found enough to disable the attack long enough to rebuild before my site goes down.

Thank you for your help! I am so grateful that there are people like you willing to help when new people ask what I'm sure are very old questions or do stupid things.

Kind regards,
VickiD
 
"Usually" your site won't go down - the hackers are not interested in being detected but in using your site for spam mailing and/or attacking or infecting other ones.
There have been several Joomla security releases since 3.2.0 (latest was 3.2.7) so I assume this was the hole.

But even if you are updating immediately after a new release you can be hacked. So it's essential to run regular backups.
 
Thank you Troester. I have backups but I don't know when I was first hacked. I can do as you said and run a compare of files; there will still be many differences to work through. I can rebuild the site reasonably fast - 2 days or so - and then it will be from a clean install.
You are a rock star - thanks for all of your help.
 