Malicious code hidden in image - image

I've come across a dodgy file upload on our server. It is an image and the MIME type checks out, though on the server it was also uploaded with the extensions .asp and .cer.
On the surface it's a photo of some weird Chinese symbols and the letters asp, though I am sure it is hiding malicious code. I did a Google search by image and it came up in a few possibly insecure directories on some other sites.
This is out of my league to even verify. Out of interest I opened the file in Notepad and it has the clear string "Google", which only makes me believe more that it is malicious.
All I need to know is:
1. Is it malicious?
2. Did it run and what did it do?
3. How do I protect against it?
I can't give the link to the actual file on my server since it's been removed, but I can zip and mail it to anyone who wants to take a look.
If anyone has some advice on where to start I would appreciate it.
Here's a link to the same image, which came up in my Google search, though this one most likely has different code injected:
http://www.bakjuweel.be/ShowImage.aspx?img=/upload/fotogalerijen/13/3.asp;.jpg&w=135&h=111
UPDATE
After a lot more research I have found that it had a modified header to inject code. I ran it through virustotal.com and my suspicions were confirmed. https://www.virustotal.com/en/file/3eac6e45d5923632089b538ca86d576c9994bd25be7940165ec997484d7c6715/analysis/
What it does or whether it executed is still unknown.

OK, the file was malicious: it contained encoded PHP, all of which I'm not sure of; there were far too many encoded layers. It created a backdoor that fetched and executed remote code. This file was not detected by any of our antivirus software; what gave it away was <% eval(, which was the only part not encoded. A hacker took advantage of a vulnerability in an old version of FCKeditor to add and execute it. I am still looking for a way to prevent it in the future.
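The two warning signs in this thread (a script extension hidden in an "image" filename, and an unencoded <% eval( inside the bytes) are exactly what a server-side upload check can look for. This is an added example, not code from the original post; the magic-byte table, the marker list and the sample file are constructed here:

```python
# Added example (not from the original post): inspect an uploaded "image" for
# the signs described in the thread. Client-supplied MIME type is not trusted.
import re

# Magic bytes for the image types the upload handler is willing to accept.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Server-side script extensions that must never appear anywhere in the name.
SCRIPT_EXTS = {"asp", "aspx", "cer", "php", "jsp"}

# Script markers that have no business inside an image file.
SCRIPT_MARKERS = [rb"<%", rb"<\?php", rb"\beval\s*\(", rb"<script"]

# Constructed sample: a JPEG header followed by the marker the post mentions.
SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<% eval(" + b"\x00" * 8


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons the upload looks suspicious (empty list = looks clean)."""
    findings = []
    # Split on '.' and ';' so a name like "3.asp;.jpg" yields every embedded extension.
    parts = [p.lower() for p in re.split(r"[.;]", filename) if p]
    exts = parts[1:]
    if not exts or exts[-1] not in MAGIC:
        findings.append("final extension is not an allowed image type")
    for ext in exts:
        if ext in SCRIPT_EXTS:
            findings.append(f"script extension '.{ext}' embedded in filename")
    # Check the real bytes against the extension, not the claimed MIME type.
    if exts and exts[-1] in MAGIC and not data.startswith(MAGIC[exts[-1]]):
        findings.append("magic bytes do not match extension")
    for marker in SCRIPT_MARKERS:
        if re.search(marker, data):
            findings.append(f"script marker {marker.decode()!r} found in content")
    return findings


if __name__ == "__main__":
    for reason in inspect_upload("3.asp;.jpg", SAMPLE):
        print("suspicious:", reason)
```

A file that fails any check should be rejected before it is written anywhere under the web root; on the constructed sample the function reports the embedded .asp extension plus the <% and eval( markers.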


Joomla 2.5.16 take up to 2min to load

A relative asked me to fix a Joomla website (v2.5.16) which was hacked last year, probably due to lack of updates (it is up to date now); unfortunately I have no information about this. The issue is that the front end takes ~2 min to load. The administration is loading normally, so whatever the issue is, it depends on the front end. I already disabled all modules one by one and switched the template with another one to make sure that the bug is not in the template or plugins folders, without success.
I must add that the problem is "probably" more recent than the hack, according to this person. So maybe there was a script somewhere reaching a random server which may not work anymore.
PS: the website is on shared hosting. I have FTP access but no SSH.
I know that I don't give any details which can lead to resolving this, but I need a method to track what can go wrong and where, more than a solution.
Thanks in advance,
We have written a lengthy post explaining why a website might be slow: http://www.itoctopus.com/20-questions-you-should-be-asking-yourself-if-your-joomla-website-is-slow
From the looks of it, it might be that the website is still hacked. Try overwriting the Joomla files with a fresh Joomla install and see if that addresses the problem.
Solving this issue will probably involve some or all of the following:
- updating Joomla and all third party extensions to the latest versions
- checking for and fixing malicious files using http://myjoomla.com or https://sucuri.net or similar
- analysing the performance of the website using http://gtmetrix.com (it's free) or similar to pinpoint and fix what is taking the most time to load
If the website has been hacked, you may need to reset passwords etc once the malicious files have been removed. See https://joomla.stackexchange.com/a/180/120 for more information about securing the website once it is fixed.

Joomla K2 meta property="og:description" Hacked

We use Joomla and K2 for our website. On this website the meta property="og:description" has been hacked and it shows this content="buy zolpidem us zolpidem online... And so when we post to Facebook we get this text in the description.
Any idea where to look for this text and delete it? I have searched and found the K2 file that pulls the text. I just don't know where the text lives.
Thanks,
John
I just had this happen with Wordpress... in my case deleting and reinstalling the Facebook plugin fixed this particular issue. The strange thing was the FB plugin wasn't modified in any way.
The larger issue was the site had been hacked - which in your case is almost certainly true as well. I'm not familiar with Joomla, but scan the rest of your files/folders for malware or suspicious code (and your site structure for invisible files and folders, beginning with a '.'), possibly reinstall your files, check your htaccess file to make sure nothing has been added, check the registered users on the site -- any suspicious admins? -- and change your passwords.
In other words, this is a symptom of a greater problem, and not the problem itself.
Here is what I did. I had the hosting company run a grep to search my web data for the string containing the malicious text.
Once we found the files I used clean PHP files from another Joomla install to overwrite the hacked files.
The hacked PHP file was pulling a string of malicious text from a text file named value(s).
I then backed up the website and installed another layer of security called Admin Tools. The Pro version costs money but could be used on as many websites as I needed.
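Both the Joomla performance answer (overwrite with a fresh install) and the K2 answer (grep for the planted string, then replace the hacked files with clean copies) come down to comparing the live web root with a known-clean tree. This added example, which is not code from either answer or from Joomla, automates that comparison and the string search; the sample site it builds in a temp directory is constructed:

```python
# Added example (not from either answer): compare a possibly compromised web
# root against a clean copy of the same CMS version, and grep the tree.
import hashlib
import os
import tempfile

def _hash_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_to_clean(site_root, clean_root):
    """Core files whose content differs from the clean install, plus files the
    clean install lacks (uploads and config are normal there; extra PHP is not)."""
    site, clean = _hash_tree(site_root), _hash_tree(clean_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    extra = sorted(p for p in site if p not in clean)
    return {"modified": modified, "extra": extra}

def grep_tree(root, needle):
    """Relative paths of files under root whose bytes contain needle."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if needle in fh.read():
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo_compare():
    """Constructed sample: a two-file 'site' and its clean copy in temp dirs."""
    site, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"index.php": b"<?php echo 'hello';", "templates/item.php": b"<?php echo 'item';"}
    for root in (site, clean):
        for rel, body in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
    # Simulate the compromise: a template edited to read a planted text file.
    with open(os.path.join(site, "templates", "item.php"), "wb") as fh:
        fh.write(b"<?php echo file_get_contents('values');")
    with open(os.path.join(site, "values"), "wb") as fh:
        fh.write(b"buy zolpidem us zolpidem online")
    return compare_to_clean(site, clean), grep_tree(site, b"zolpidem")
```

The clean tree must be the same CMS and extension versions as the live site, otherwise every legitimately updated file shows up as modified.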

Local file link to shared dropbox files

Since this is my first time posting a question on stackexchange, please excuse me if I've not included anything. Suggestions for a better post are very welcome!
Background
I'm looking for a way to create a file:// link in e-mails with a specific purpose. In my company we're all using MacBooks with Outlook as our e-mail client. As soon as a specific document is updated, I would like to be able to e-mail a colleague saying: "here is the link to the file". My personal link would be: file:///Users/<MyUserName>/Dropbox/Filepath.ext. However, this does not evaluate correctly on my colleague's computer. I have made it work with a manual username change, but I'm hoping that there is a way to automatically fill in the username of that person.
My Question:
How can I make the link in such a way that it will always refer to that user's specific user folder?
Resources explored
I've tried working with file://~/ but that always gives a 'can't find the document' error. I've tried googling it but Dropbox and other services only point towards URL links or to their website. Stack Exchange hasn't provided me with an answer so far (Internal links / ":file//" links is without answer). Searching for 'computer independent file links' hasn't given me any solace either.
Any help would be greatly appreciated!
Not sure if this is what you want. You can check the Dropbox API and read a bit about it. But an easier way might be IFTTT, a free tool which launches triggers. So basically you need to create a folder in Dropbox for each user and then use this tool to make triggers for each user. You can send an email and include the new Dropbox link, and as well you can program IFTTT to send a file://Users//Dropbox/USER_DROPBOX_FOLDER/{{FILENAME}} whenever a file is placed in his folder.

Strange file on my FTP

Does anyone know what this file is about? http://www.symbios.pk/x.dep.PIE.htc? Is it safe to keep on the server? I've never seen such a file before and this is one of the most accessed pages on my site.
At a fast glance, this looks safe and appears to stem from a CSS3 compatibility layer: CSS3 PIE. If you are worried, you can always re-download the file from the website and re-add it, but I would keep a backup first in case of any version incompatibilities.
The file on your web server doesn't match Beta 1.0.0's PIE.htc exactly but it is rather similar, and it is also good to know that a .htc file does indeed come from CSS3 PIE. The extension of a file obviously doesn't say much about its contents but it's still reassuring to see that it is an expected file ending. (I've never encountered an .htc file before, so this raised some concerns for me.)
As for it being visited a lot, this doesn't have to mean anything. Possibly the file is being checked out by bots or someone is hotlinking your JS file; it's hard to say without context but if it's a JavaScript file from some framework you should be fine. The good news here is that this is JavaScript, so it can't compromise your server (but it could attack a browser loading the file).
If all else fails and you know where your pages use this file, you could try renaming the file so anyone hotlinking or just guessing for the existence of the file would have a tougher time. I don't really understand why someone would take interest in a small JavaScript file, though.
Interestingly, visiting your main page at symbios.pk doesn't load the file, though. Maybe some back-end module? If multiple people are working on the website, I would suggest asking all of the developers if they know about this file. It would be interesting to compare the creation date with that of similar files.

Show which images are used and which are unused in a website directory

This is a little bit of a strange question.
I've been working on a website and in its early stages of development it went through some drastic redesigns (several of them in fact), and now the directory is bloated with images and assets which were part of the old designs. Some of these assets were re-used and some were not. The server space to which I'm uploading the website is smaller than the website at the moment, and I know once I clear out the old assets that it'll fit on the webspace.
I'm basically wanting some magical tool to filter out which images have been used and which have not - so ultimately I can remove the ones that have not been used.
I ask it in this forum because if there isn't a magical tool to do this (I sincerely hope there is), I'll need to write some sort of script (PHP perhaps?) to accomplish this.
I have never found one, and tend to take the approach of manually removing old images that I can easily tell are no longer needed. And accepting that I will not get them all.
The reverse approach to this is to remove all of the images, and see which ones are needed ( using firebug or suchlike to identify missing images on the pages ).
The problem with automated tools is that images in CSS and code may not be picked up. If you set an image in code, from a range of parameters, how can any tool find that?
I hope someone else can come along and prove me wrong...
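The script the question asks for is a static reference scan, and the answer's caveat is its known blind spot: a filename assembled at runtime never appears literally in any source file. This added example (not from the question or answer) does the scan by basename and shows the blind spot on a constructed sample directory:

```python
# Added example (not from the original answer): report image files never
# referenced by name in any HTML/CSS/PHP/JS source under the site root.
import os
import tempfile

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
SOURCE_EXTS = {".html", ".htm", ".css", ".php", ".js"}

def find_unreferenced_images(root):
    """Split image files under root into those whose basename appears in some
    source file and those never referenced (candidates for deletion)."""
    images, sources = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(dirpath, name)
            if ext in IMAGE_EXTS:
                images.append(full)
            elif ext in SOURCE_EXTS:
                sources.append(full)
    corpus = b""
    for src in sources:
        with open(src, "rb") as fh:
            corpus += fh.read()
    # Basename match only: a name built in code (sprintf('icon_%d.png', $i))
    # never appears literally, so such images are reported as unused.
    used, unused = [], []
    for img in images:
        (used if os.path.basename(img).encode() in corpus else unused).append(img)
    return {"used": sorted(used), "unused": sorted(unused)}

def demo_scan():
    """Constructed sample site in a temp dir; returns basenames for readability."""
    root = tempfile.mkdtemp()
    for name in ("logo.png", "old-hero.jpg", "icon_1.png"):
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<img src="img/logo.png">')
    with open(os.path.join(root, "gen.php"), "w") as fh:
        fh.write("<?php echo sprintf('icon_%d.png', 1);")  # dynamic name: missed
    result = find_unreferenced_images(root)
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}
```

Treat the "unused" list as candidates to review, not to delete blindly: icon_1.png in the sample is genuinely used, but only a human reading gen.php can tell.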
