controller.php.suspected

More
8 years 11 months ago #58669 by fgossart
MY web site seems to be hacked but I cannot find how?
Probably it's not the right forum to ask some help, but I try ;)
I can see a new file named "file.php" at web site root and in com_flexicontent controller.php is renamed controller.php.suspected, but I can't see any differences with original controller.php

website is www.le-yeti.com

Please Log in or Create an account to join the conversation.

More
8 years 11 months ago #58670 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Hello

this question is not specific to FLEXIcontent

- usually the renaming with such an extension is done by antivirus software running on the server,
that scans PHP files, also if the file is not different than the original, then is false positive

- even if file was modified, it may as well be by any other script than run on the server

ask your host provider for more information and post back here


-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

More
8 years 11 months ago #58671 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Now i cannot see any malicious JS inside your website,
usually a hacked website will load malicious JS / flash / Java code

Did you have any report that something was found

Also please update Joomla, FLEXIcontent and other 3rd party extensions


-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

More
8 years 11 months ago - 8 years 11 months ago #58673 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Hello

also controller.php contains our files downloads code,
that sets HTTP download headers and reads files from disk (after access checking)

that could trigger a false positive or "suspected" in the antivirus software, and it may be submited to antivirus company for further analysis

about "file.php" , it may be hack not related to the file:
controller.php.suspected

one is suspected and the other can be a real hacker file

Also please update Joomla, FLEXIcontent and other 3rd party extensions

and scan your site with more than 1 antivirus software, and/or ask your host provider


-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...
Last edit: 8 years 11 months ago by ggppdk.

Please Log in or Create an account to join the conversation.

More
8 years 11 months ago #58730 by fgossart
Replied by fgossart on topic controller.php.suspected
Hello
I upgrade everything and found some SQL injections in redir_links table and disabled plugin system redir.

But my website still send spams though mail is disabled in config.
Log file says
[29-Nov-2015 03:37:14 UTC] mail() on [/home/xxxxxxx/public_html/plugins/flexicontent_fields/core/menu64.php(1963) : eval()'d code:775]: To: austinhammes@gmail.com -- Headers: Date: Sun, 29 Nov 2015 03:37:14 +0000 From: Sandy Harvey Message-ID: X-
There are hundreds of lines
And my controller is renamed .suspected again

Please Log in or Create an account to join the conversation.

More
8 years 11 months ago #58731 by ggppdk
Replied by ggppdk on topic controller.php.suspected
Hello

file:
public_html/plugins/flexicontent_fields/core/menu64.php
is not a flexicontent file

and once a website has been hacked, it is difficult to be certain that your do:

1. remove all malicious changes to existing files
eg hacks inside Joomla index.php, etc

2. remove all new malicious files added

3. Correct the original security issue, that allowed website to be hacked
- is it installed Joomla extension ?
- is it server software e.g. PHP ?
e.g. flexicontent.org > 1 year was once in a dedicated server with security whole in old PHP version, and we had to move the website ASAP
if you are in shared or semi-managed VPS server then your provider is doing this for you

4. need to change all admin passwords too, while and after doing the above

The hack will keep coming back until you do all the above

If you/we can find a specific issue with FC we can fix
- also did you access to backend ? or was unwanted access to backend UI ?

also which FC version / Joomla you were using /b]
- at the time that site was hacked
e.g. Joomla prior to 3.4.5 had an important security issue patched by 3.4.5


-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

Moderators: vistamediajoomlacornerggppdk
Time to create page: 0.434 seconds
Save
Cookies user preferences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Essential
These cookies are needed to make the website work correctly. You can not disable them.
Display
Accept
Analytics
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics
Accept
Decline