
possible malware

Discussion in 'Professional Support' started by skyrun, Feb 16, 2018.

  1. skyrun

    skyrun Active Member

    Level: Professional
    FYI, my scanner found this file in a Fabrik-sounding directory: ..../fabrik_build/tests/unit/schema/fite.php
     
  2. troester

    troester Well-Known Member Staff Member

    Level: Community
    Found what?
    Which Fabrik version?
    This file is not in GitHub.
    But you don't need fabrik_build at all...
     
  3. skyrun

    skyrun Active Member

    Level: Professional
    I keep on the latest. Not sure when the file got there. The ill effects of hacking one of my 25 location sites started about Feb 12.

    There are dozens of .php scripts that have been added or replaced (including a bit on the front of index.php in the root and to a similar file on admin that runs each time). Those scripts copy themselves and on and on. They are used to send spam.

    I have heard this hack (called cloki sometimes) has infected Joomla primarily but also some WordPress. So it's unclear where it comes from.

    So I would just check the git to make sure that file isn't on it... fite.php and Fabrik is unintentionally helping spread it.
     
  4. troester

    troester Well-Known Member Staff Member

    Level: Community
    I checked before answering, it's not there.
    But I just spent my day by cleaning a hacked Joomla site ...
    Which was hacked in December (I think, because of modified index.php files with this date) but closed down by the host two days ago.
    So maybe there are sites hacked some weeks ago but "used" now?
     
  5. skyrun

    skyrun Active Member

    Level: Professional
    Great. Same hack? Did you see 'clocki' and 'xmcc' and a bunch of changed index.php's in most every directory?
    I wonder if Joomla 3.8.5 has a vulnerability.
     
  6. troester

    troester Well-Known Member Staff Member

    Level: Community
    yup, a lot of index.php doing
    @include "\x2fis/h\....
    a nice cache/ps.php with
    define('_JEXEC', '07b....

    etc

    but this site was still running J!3.7.3
    (and I'm not sure if this was the Joomla version on 12-12-2017, the date of these index.phps)
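
The pattern described in this thread (an `@include` of an escape-encoded path prepended to many index.php files) can be hunted for across a web root. The following is an added example, not part of the original posts or of Fabrik or Joomla; the function names, the 4 KiB read limit and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# @include / @require followed by a double-quoted string that contains
# PHP hex (\x2f) or octal (\57) escapes, i.e. a path hidden from plain grep.
INCLUDE_RE = re.compile(
    rb'@\s*(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)
ESCAPE_RE = re.compile(rb'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})')


def decode_php_escapes(raw: bytes) -> str:
    """Resolve \\xHH and \\NNN escapes the way PHP double-quoted strings do."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        return bytes([code])
    return ESCAPE_RE.sub(repl, raw).decode("latin-1")


def scan_file(path: str, head_bytes: int = 4096):
    """Return decoded include targets found near the top of one PHP file."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes)
    return [decode_php_escapes(m.group(1))
            for m in INCLUDE_RE.finditer(head)
            if ESCAPE_RE.search(m.group(1))]


def scan_tree(root: str):
    """Walk root and map each flagged .php file to its decoded include targets."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                targets = scan_file(path)
                if targets:
                    hits[os.path.relpath(path, root)] = targets
    return hits


def demo():
    """Scan a constructed two-file tree (sample data, not taken from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b'<?php @include "\\x2ftmp/\\144emo\\x2ephp"; ?>\n<?php echo 1;')
        with open(os.path.join(root, "clean.php"), "wb") as fh:
            fh.write(b'<?php include "lib/helper.php";')
        return scan_tree(root)
```

Point `scan_tree` at a copy of the site's document root and review each decoded target by hand. It only catches escape-encoded string literals near the top of a file, so a clean result does not show the site is clean.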
     
