Lately, on the Joomla installations of some of our clients, our antivirus system has been reporting:
Malicious files detected on dominioesempio.it
flagging as potentially dangerous some PHP files that the antivirus found and promptly deleted.
In your Joomla (and similar) directories,
check the folders images/banners and images/stories
for hidden PHP files whose names begin with .cache_xx or .lib_xxx,
and in the stories folder for files named story.php or 0day.php.
They were uploaded through an exploit against an old version of the JCE plugin.
Remove them immediately or they will keep modifying your files.
We also recommend the following course of action (in English):
I don't know how the infection began, but it is possible that it was due to a poor admin password. When you install Joomla for the first time, it asks for an administrator username and password, and a lot of people just type admin for both. Any simple script that uses brute-force methods to get into the administrator area can try those easy passwords and get in really easily.
So these are my suggestions...
1- Never use easy-to-guess passwords, even on testing sites or provisional installations;
2- If you ever need to see the changes on a site but your ISP (the company you use to connect to the Internet) has a cache, so your ISP cache is not cleared, you can always surf anonymously using tools like anonymouse.org so you can see how the rest of the world is seeing your site;
3- If you want to check whether there are other infected files on your server, and you have root access, you can use PuTTY to enter your (Linux) server via SSH and type this line:
find /home -type f -iname "*.php" -print0 | xargs -0 grep -lE 'gzuncompress\(base64_decode'
This will check every file to see if the hacked code is still there.
If you need anything else, you are always free to post questions here or to contact me...
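The two posts above between them give four indicators: hidden .cache_*/.lib_* files in images/banners and images/stories, the names story.php and 0day.php, PHP files containing gzuncompress(base64_decode, and .htaccess files turning up where they should not. The script below puts all four into one scan that can be run over a site root via SSH. It is an added example written for this thread, not code posted by either author; the directory layout, the demo tree and the sample file contents are constructed for the demonstration, and the only thing taken from the posts is the list of indicators.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any of the authors above).
# Scans a Joomla docroot for the indicators named in the posts: hidden
# .cache_* / .lib_* files in images/banners and images/stories, the names
# story.php and 0day.php, PHP files carrying gzuncompress(base64_decode,
# and .htaccess files that have appeared under images/.
# Output: one finding per line, "<category><TAB><path>". Exit status is always 0
# so it can run from cron and the output be diffed against the previous run.

scan_joomla() {
    root=$1

    # 1. Hidden files starting with .cache_ or .lib_ in the two upload folders
    for d in "$root/images/banners" "$root/images/stories"; do
        [ -d "$d" ] && find "$d" -type f \( -name '.cache_*' -o -name '.lib_*' \) \
            -exec printf 'hidden-dropper\t%s\n' {} \;
    done

    # 2. The two file names the thread mentions explicitly
    [ -d "$root/images/stories" ] && find "$root/images/stories" -type f \
        \( -name 'story.php' -o -name '0day.php' \) -exec printf 'known-name\t%s\n' {} \;

    # 3. Content check: the grep from the thread, restricted to PHP files under
    #    the root. A clean Joomla core never calls gzuncompress(base64_decode(...)).
    find "$root" -type f -iname '*.php' -print0 \
        | xargs -0 grep -lE 'gzuncompress\(base64_decode' 2>/dev/null \
        | while IFS= read -r f; do printf 'obfuscated-loader\t%s\n' "$f"; done

    # 4. .htaccess under images/: the upload tree should hold at most the one you
    #    placed there yourself, so anything listed here deserves a look.
    [ -d "$root/images" ] && find "$root/images" -type f -name '.htaccess' \
        -exec printf 'htaccess\t%s\n' {} \;

    return 0
}

# Builds a constructed, harmless tree that mimics the layout described in the
# thread so the scanner can be exercised offline. Prints the directory path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/images/stories" "$t/images/banners" "$t/templates/beez"
    # clean file: must produce no finding
    printf '<?php defined("_JEXEC") or die;\n' > "$t/templates/beez/index.php"
    # hidden file with the .cache_ prefix, no loader inside
    printf '<?php echo 1;\n' > "$t/images/stories/.cache_a1.php"
    # hidden .lib_ file and story.php both carrying the loader pattern
    # (the base64 string is a zlib-compressed empty string, not a real payload)
    loader='<?php eval(gzuncompress(base64_decode("eJwDAAAAAAE=")));'
    printf '%s\n' "$loader" > "$t/images/banners/.lib_b2.php"
    printf '%s\n' "$loader" > "$t/images/stories/story.php"
    # stray .htaccess in an upload folder
    printf '# constructed stray .htaccess\n' > "$t/images/stories/.htaccess"
    printf '%s\n' "$t"
}

# count_findings ROOT CATEGORY -> number of findings of that category
count_findings() {
    scan_joomla "$1" | grep -c "^$2" || true
}

# Usage: sh scan_joomla.sh /home/site/public_html   (path is an assumption;
# point it at the real docroot). With no argument nothing is scanned.
if [ $# -gt 0 ]; then
    scan_joomla "$1"
fi
```

Run it on the demo tree first (`t=$(make_demo_tree); scan_joomla "$t"`) to see the six expected findings, then on the real docroot. Keep the output of a clean run and diff against it after each scheduled run: the thread's point is that the droppers come back if the upload path is left open, so a second appearance of story.php or a new .htaccess under images/ is the signal that the entry point (the old JCE plugin) is still there, not just the artefact.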
I tried a few things, like updating to 1.5.26, but the .htaccess files kept reappearing.
I used cPanel's virus scanner and it found the file images/stories/story.php.
I removed it and it worked for me.
No more .htaccess files appeared.