Despite the assurances of the Joomla development team, which suggest that this vulnerability has been cleaned by upgrading the CMS, this malware remains active and present. This situation requires a drastic and definitive intervention.
I have repeated this procedure successfully on 3 different websites.
System features of the three websites:
Web Server Apache, PHP Version 5.6.16, 5.5.44-MariaDB, Joomla 3.4.8, template Cerulean 1.6
1. Clean the active source of the malware, hidden among the plugins of the Joomla CMS.
FTP overwrite all Joomla files (except the htaccess.txt and the installation directory = 5407 files) with the original files downloaded from the official website (from the same version)
2. Clean the compromised files in the template structure. Before proceeding with the template reinstallation, ensure you have saved (on your local PC) the edited/customized files.
- FTP overwrite of the complete \libraries\rokcommon\ directory
- Reinstallation of the Cerulean template with the original files downloaded from the RocketTheme website
I'm sorry but RT do not provide support for third-party products - If you need assistance with Akeeba products then you should ask them for assistance.
I would also add that in your cleansing method you should be removing the files that are not part of the "normal" installation (i.e. those with the "01" "02" in them). Copying files from elsewhere (to overwrite) or reinstalling products is not going to remove these files that contain the malicious code. If you do not delete these files then you will get infected again.
Regards, Mark.
Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
So what product did you use to do the clean in the end?
Regards, Mark.
No products... considering what I have read about it in different security forums. It's very strange; some experts have written that this code is recognized by only two online scanners, since it is not a virus and is written with general, normal web syntax.
I used WinMerge and compared the different structures, focusing on the CMS files that have been present since 2014 - the year in which it is assumed this code was distributed.
Ok - as I suggested then, it was a manual solution. It's just those messages you posted made me think that perhaps you had used a tool... but yes I can see it's WinMerge now you say.
Regards, Mark.
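An added example, not part of the original thread and not code from Joomla or RocketTheme: a script form of the manual WinMerge comparison discussed above, which hashes a clean copy of the same release against the live site and reports the files that exist only on the site, since an FTP overwrite leaves those in place. The function names, the skip list and the sample file names (including `log01.php`) are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(clean_root, site_root, skip=("installation/", "htaccess.txt")):
    """Compare the live site against a clean copy of the same release.

    Returns (extra, modified, missing). `extra` lists files found only on the
    site: overwriting never removes them, so each one needs review and manual
    deletion. Paths starting with a `skip` prefix are ignored on both sides.
    """
    clean = {k: v for k, v in file_hashes(clean_root).items() if not k.startswith(skip)}
    site = {k: v for k, v in file_hashes(site_root).items() if not k.startswith(skip)}
    extra = sorted(set(site) - set(clean))
    missing = sorted(set(clean) - set(site))
    modified = sorted(k for k in set(site) & set(clean) if site[k] != clean[k])
    return extra, modified, missing


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": "<?php // core",
                 "plugins/system/log/log.php": "<?php // log"}
        for root in (clean, site):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed differences: one altered file, one file not in the release.
        (site / "index.php").write_text("<?php // core, altered")
        (site / "plugins/system/log/log01.php").write_text("<?php // unknown")
        return compare_trees(clean, site)


if __name__ == "__main__":
    for label, paths in zip(("extra", "modified", "missing"), demo()):
        print(label, paths)
```

On a real site the `extra` list also contains legitimate files such as the site configuration, uploaded media and installed extensions, so it is a review list rather than a delete list.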