Website seems to be infected by JPG:PHPAgent-A [Trj] - joomla

I am trying to find a malware infection in my site (Joomla 1.5.26) but I cannot find anything suspicious.
Scanned online in several places and also searched the filesystem!
Anyone with any ideas why my antivirus (avast) keeps telling me that the website is infected? Actually it finds the JPG:PHPAgent-A [Trj] threat on several images loaded by a specific module (which I have checked for infections!)
Here is a link: http://syroshouse.gr/index.php?option=com_content&view=article&id=3&Itemid=3

Actually these JPG files were infected with malware. For anybody interested:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

Related

Trying to correct a file name in Windows Registry

While researching a Powershell security problem, I found several creative suggestions on SO.
But before I could try them out, I created my own problem in the forbidden Windows Registry.
By dumb mistake I partly erased a folder name, which I have been unable to correct.
Googled a slew of keyword combos that all led to Powershell USES, not to folder NAMES.
So here is my embarrassing first SO forum question:
In HKEY_CLASSES_ROOT, Powershell has five folders, appearing in this order:
MicrosoftPowerShellConsole1
MicrosoftPowerShell**?Name?**
MicrosoftPowerShellModule1
MicrosoftPowerShellScript1
MicrosoftPowerShellXMLData1
Can somebody suggest the best search keywords to use, or even better, the missing ?filename?
Thank you very much.
John

File History in Windows 8.1

I know this question has been apparently asked here and here
But mine is different.
Do file histories include only extensions such as pdf, jpg, mp3, doc etc.?
Is file history available for moved files, not just deleted ones?
At present I am accessing the C:\Users\Myname\AppData\Roaming\Microsoft\Windows\Recent folder.
But here I am not able to see recently modified files which come under a directory in Users\Myname folder. Why do all recent files not get mentioned here?
Is there a place where these settings can be changed?
Is it possible to look up recently accessed/modified folders?
I have a development background in assembly and C but am restarting after more than 6 years. I saw other threads where they were doing things programmatically but did not understand much, and it looked like their requirements were different from mine. I am willing to try out programmatic solutions if an online source is pointed to.
I take a regular backup of my files, but yesterday I happened to give my PC into someone's hands while learning something, and the person was an impulsive shift-deleter, not even bothering with the messages on the PC, and was not very aware of what was being done or happening.
Question 2 is because I have earlier accidentally moved folders into another folder on a previous PC.
I found this when I was trying to help somebody else find a file they had recently accessed.
In Windows 8.1 there is something called "Recent Places" under Favorites in File Explorer. This was in the same favorites list where I had kept Recent Items, and I still did not notice it because of getting panicky. This showed me the folders I had accessed, something I really wanted a week back. It would have saved me so much tension and my precious time.
Now I am planning to update to Windows 10 and Google searched whether I will still have access to this data, and found this:
http://answers.microsoft.com/en-us/windows/forum/windows_10-files/restore-recent-places-to-windows-10/037af727-9b06-485e-bb45-4a6c60a3f222?auth=1
Hope this is useful to someone

Most suitable place to store programdata for use over network

I am currently working on a CRM application. The application is meant for multiple users, so I need a suitable folder to store things like documents, notes and most importantly the database. This folder should be shared across all users and over network as well.
After searching online it seemed this folder is recommended: "C:\Users\Public\Public Documents". However, this seems like a rather 'hard to find' folder for our customers, who for the most part have little to no experience with computers.
Our non-programmer suggested simply using "C:\CRM\", since it is very easy to find even for new users (and unlikely to be forgotten during a backup!)
I've been trying to find out what the (technical) ups and downs of these two folders are, but I'm finding it hard to get a clear answer. So basically my question is:
Can anyone explain to me why I shouldn't use "C:\CRM\", but I should use "C:\Users\Public\Public"? And what problems I could run into when I do use "C:\CRM\"?
Thanks in advance!

How to stop copyright theft of images?

Is there a way to make images theft-proof? I'm not referring to web sites; what I want is that if a JPEG is stolen it cannot be manipulated by the thief, and can only be used by the owner.
This is not possible, as JPEG doesn't have a means to employ digital rights management. You could protect the file itself, but once somebody else has that file, he can do with it as he likes.
If you host an image on a website then you're stuck with the possibility that someone can download and save it, duplicate it and distribute it.
Some sites use watermarks to mark sample images and then know who they sell the full size images to. This might allow them some legal recourse if the image starts getting distributed.
In practice though this is almost impossible to protect against.
Hope that helps!
Even if you could come up with a protection scheme on the file itself, if the user can display it they only have to hit print screen to get a copy of the file they can work with. Unless you control the computer used to view the file completely it's not possible.
There aren't really any good ways of preventing "theft" or free redistribution of content which you post freely on an accessible web server.

Locating source of spam in Joomla

So, I've just started working with a new Joomla site, and something we've added has started hijacking various parts of the site and added links to various places we don't want. Unfortunately, I can't give out a link to the live site right now, but I can describe the problems:
In the footer, where it should say "Designed By: " and the name of the place we got our template from, it leaves the "Designed By:" but removes the name of the template author, and instead puts in two links (not giving the hijacker any more hits but here's the text of them), "online album" and "check whois"
When we hover over the site name, the alt text is set to "Forex Trading Home" which is most certainly not what it should be.
Finally, when you hover over the "Home" item in the main menu, a dropdown appears after a short delay, with a link to "cpanel reseller hosting" inside it.
Now, I'd like to get rid of these advertisements, but I've got no idea where they are coming from. If you guys know some commonly-hijacked files I can search in, or good debugging tricks to find them (I've tried FirePHP, but haven't had much success with it) I'd be much obliged. Unfortunately, since a few people have been working on the site simultaneously, we're not really sure what extensions could have caused it (if that is in fact the problem) - but all of them seemed ok, and came from the main Joomla extension site.
EDIT:
Here's a list of the modules I know were installed before we noticed the spam problems start happening:
EasyTemplate.
EasyTemplate - MultiPlugin
mod_picasaslideshow
Content - Picasa Album Embedding
Other than that, everything else was installed after the problems started, or was a theme that has since been uninstalled (and hence, I don't know what it is anymore). The theme that's on it now I've looked at thoroughly, but it is a version of this Martial Arts Theme with a lot of modified images (and one change in the PHP from a .gif to a .png).
EDIT EDIT: So, still looking, but seems an older version of picasa2gallery (we had a new version at one point, but uninstalled it) had an LFI vulnerability. Perhaps that was the source. In any case, I think I'll be doing a full wipe, and just start over, really.
So, turns out the correct answer was "none of the above", not that I noticed that until after I erased everything to remove the hack.
Once I restored the theme, and nothing else, I noticed that the "hack" spam links were back, way too fast to even be an automated script.
That's when I discovered that there was a .gif file in the images directory that contained the "bad" PHP code to include the spam links. Ironically, the code they were using to make it was particularly bad, so at least I got a good laugh out of this long ordeal.
Moral of the story: Don't get themes from ThemZa, and if you do, be prepared to dig through them for cruft, if you like the way they look.
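The asker found the spam code inside a .gif in the images directory, and the first question's self-answer points at PHP hidden in JPEG EXIF headers. The scanner below is an added example, not code from either post: it walks an image directory and reports any file whose leading bytes do not match its extension, that contains a PHP open tag, or that contains the PHP calls usually found next to hidden code. The sample files are constructed in a temporary directory and carry only harmless marker strings, not real malware.

```python
import re
import struct
import tempfile
from pathlib import Path

# A PHP open tag never belongs in a real image; eval/base64_decode right after one is the usual hidden-code shape.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
SUSPICIOUS_CALL = re.compile(rb"\b(eval|base64_decode|gzinflate|assert)\s*\(", re.I)
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8", ".png": b"\x89PNG"}


def scan_image_bytes(data: bytes, suffix: str) -> list:
    """Return (kind, byte_offset) findings: wrong magic bytes, PHP tags, suspicious PHP calls."""
    findings = []
    expected = MAGIC.get(suffix.lower())
    if expected and not data.startswith(expected):
        findings.append(("bad-magic", 0))
    findings += [("php-tag", m.start()) for m in PHP_TAG.finditer(data)]
    findings += [("php-call:" + m.group(1).decode().lower(), m.start()) for m in SUSPICIOUS_CALL.finditer(data)]
    return findings


def scan_tree(root) -> dict:
    """Scan every image under root; map relative path -> findings, only for files that have any."""
    root, hits = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTENSIONS:
            findings = scan_image_bytes(path.read_bytes(), path.suffix)
            if findings:
                hits[path.relative_to(root).as_posix()] = findings
    return hits


def write_samples(root) -> None:
    """Constructed samples, not real malware: a clean GIF, a GIF with PHP appended, a JPEG with PHP in its EXIF APP1."""
    images = Path(root) / "images"
    images.mkdir(parents=True, exist_ok=True)
    (images / "clean.gif").write_bytes(b"GIF89a" + b"\x00" * 32)
    (images / "bad.gif").write_bytes(b"GIF89a" + b"\x00" * 8 + b'<?php echo "spam"; ?>')
    exif = b"Exif\x00\x00" + b"\x00" * 16 + b"<?php eval($c); ?>"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif  # APP1 length field counts itself
    (images / "photo.jpg").write_bytes(b"\xff\xd8" + app1 + b"\xff\xd9")


def demo_scan() -> dict:
    """Write the constructed samples into a temp dir, scan them and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_tree(tmp)
```

Point `scan_tree` at a Joomla `images/` directory to get the list of files worth inspecting by hand; a genuine JPEG can legitimately carry a long EXIF block, so the PHP tag, not the segment, is the signal.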
Your complete Joomla installation seems to be hacked; follow the guidelines on what you should do now (re-installing and securing).
Check the server access logs. You'll most likely see accesses to a particular component (look for the com_* in the URI) that are excessive, or just out of place.
When this has happened to my sites it has been a particular component that hijackers are searching Google for (i.e. com_virtuemart was the last culprit) and then they attempt their exploit on the component hoping it is a flawed version.
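An added example, not code from the answerer, of the access-log check this answer describes: it parses combined-format log lines, groups requests by the Joomla option=com_* parameter, and flags a component that draws far more traffic than the median or answers mostly with error statuses, the shape of a client probing a component for a flawed version. The log lines are constructed with TEST-NET addresses and the thresholds are assumed starting points.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_line(line: str):
    m = LOG_RE.match(line)
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])} if m else None


def component_of(path: str):
    """Joomla routes requests by the option= query parameter; return e.g. 'com_content' or None."""
    opts = parse_qs(urlsplit(path).query).get("option", [])
    return opts[0] if opts and opts[0].startswith("com_") else None


def summarize(lines):
    """Per component: request count, distinct client IPs and the share of 4xx/5xx responses."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "errors": 0})
    for rec in filter(None, map(parse_line, lines)):
        comp = component_of(rec["path"])
        if comp is None:
            continue
        stats[comp]["requests"] += 1
        stats[comp]["ips"].add(rec["ip"])
        stats[comp]["errors"] += int(rec["status"] >= 400)
    return {c: {"requests": s["requests"], "ips": len(s["ips"]), "error_rate": s["errors"] / s["requests"]}
            for c, s in stats.items()}


def flag_components(summary, volume_factor=5, error_threshold=0.5, min_requests=10):
    """Flag components drawing many times the median traffic, or answering mostly with errors (probing)."""
    median = statistics.median(s["requests"] for s in summary.values()) if summary else 0
    return sorted(c for c, s in summary.items() if s["requests"] >= volume_factor * median
                  or (s["requests"] >= min_requests and s["error_rate"] >= error_threshold))


def sample_log():
    """Constructed log lines (TEST-NET addresses): normal browsing plus one client hammering com_virtuemart."""
    fmt = '{ip} - - [10/Jul/2013:10:{m:02d}:00 +0000] "GET {path} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
    normal = [(f"192.0.2.{i}", "com_content&view=article&id=3") for i in range(1, 7)]
    normal += [("192.0.2.8", "com_contact&view=contact&id=1")] * 2
    lines = [fmt.format(ip=ip, m=i, path="/index.php?option=" + q, st=200) for i, (ip, q) in enumerate(normal, 1)]
    lines += [fmt.format(ip="198.51.100.7", m=i, path=f"/index.php?option=com_virtuemart&Itemid={i}",
                         st=404 if i % 2 else 500) for i in range(30)]
    return lines
```

Run `summarize` over a real access log (one line per element) and the flagged components are the ones whose version and changelog to check first.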
If you can't positively identify and fix the hole they broke in through, it's likely the reinstall Tobias P. recommends is the only safe way. If somebody has access to files on that level, you have a big problem. You will need to identify which way they come in. This could have a multitude of reasons:
Somebody exploiting a Joomla security hole (or one in a plug-in)
Somebody having gained access to the FTP account through spying on a client computer
Somebody exploiting a weakness in the server software
This is most likely somebody exploiting a Joomla hole, and there's probably no reason to panic. But you definitely should find out, or do a reinstall. Maybe you'll find more specific help on the Joomla forums or with your ISP.
While you're at it, best change all FTP passwords too, just to make sure.
Good reading at Google: My site's been hacked - now what?
