Hello
Informing us with a newsletter is the minimum, but it would be better if you published a program to scan all directories (because it's not just in the media folder), and better still to delete them (which is what computer programs do).
Regards

Couldn't agree more with HDcms that we need a program to scan for infected files.

Hello,

A newsletter has been sent on August 8 to inform our users about the security issue.
Since then, we prepared an article explaining more in depth how to identify the infected files and which actions you should perform first. We thus decided to send an additional email pointing to this article (it has been sent to about 30% of our users so far, so it may take a bit more time for you to receive it).
I'm updating the article when I receive more information/methods to detect infected files.

Most hosting providers already provide a way to search for files having a name that follows a specific pattern, I'll search if the main ones have a dedicated tutorial and update the article accordingly.

    Dax (Support Talent)

    In the meantime, I prepared some code that may be able to list infected files, which you can add to the file administrator/components/com_acym/controllers/configuration/Listing.php in the function "listing":

    $maliciousFiles = [];
    // Recursively list every file of the site, starting from the Joomla root
    $siteFiles = acym_getFiles(ACYM_ROOT, '.', true, true);
    foreach ($siteFiles as $oneFileName) {
        $lastSlashPos = strrpos($oneFileName, '/');
        // Rule 1: a file named like "thumbnail*php*" inside the thumbnail upload folder
        // (e.g. thumbnail_0.php.png) has no legitimate reason to exist there
        if (!empty($lastSlashPos) && strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match(
                '/.*thumbnail.*php.*$/',
                substr($oneFileName, $lastSlashPos + 1)
            )) {
            $maliciousFiles[] = $oneFileName;
        } elseif (filesize($oneFileName) < 10000) {
            // Rule 2: small files whose content starts with one of the known dropped stubs
            // (a "$x = $_COOKIE;" loader or the "jmtest" probe); large files are skipped to keep the scan fast
            $fileContent = file_get_contents($oneFileName);
            if (preg_match('/^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;/Ui', $fileContent) || preg_match('/^<\?php echo "jm"\."te"\."st"; \?>$/U', $fileContent)) {
                $maliciousFiles[] = $oneFileName;
            }
        }
    }

    // Only report: nothing is removed
    if (empty($maliciousFiles)) {
        acym_enqueueMessage('No malicious file detected', 'info');
    } else {
        $message = 'Potentially malicious files detected:';
        $message .= '<ul><li>'.implode('</li><li>', $maliciousFiles).'</li></ul>';
        acym_enqueueMessage($message, 'error');
    }

    It should look like this:

    Once done, a message should appear at the top of the AcyMailing configuration page which should look like this if it finds something:

    This code only lists the files, it doesn't remove them.
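The same two detection rules, as a stand-alone scanner you can run from the server shell instead of patching Listing.php. This is an added example, not AcyMailing's own code: the upload folder path `media/com_acym/images/thumbnails` is assumed (the PHP constant `ACYM_UPLOAD_FOLDER_THUMBNAIL` is not available outside Joomla), the name rule is deliberately restricted to that folder so legitimate `thumbnail.php` files of other extensions are not reported, and the sample site tree built by `run_demo()` is constructed for illustration.

```python
"""Stand-alone scanner mirroring the two AcyMailing detection rules (added example, not project code)."""
from __future__ import annotations

import os
import re
import sys
import tempfile
from pathlib import Path

# Assumption: the AcyMailing thumbnail upload folder, relative to the site root.
THUMBNAIL_DIR = Path("media/com_acym/images/thumbnails")
# Same size cut-off as the forum snippet: only small files get a content scan.
MAX_CONTENT_SCAN_BYTES = 10000

# Rule 1: "thumbnail*php*" file names (e.g. thumbnail_0.php.png) inside the upload folder.
NAME_PATTERN = re.compile(r".*thumbnail.*php.*$")
# Rule 2: the two dropped stubs quoted in the thread, anchored at the start of the file.
CONTENT_PATTERNS = [
    (re.compile(rb"^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;", re.IGNORECASE), "cookie loader stub"),
    (re.compile(rb'^<\?php echo "jm"\."te"\."st"; \?>$'), "jmtest probe"),
]


def classify(path: Path, root: Path) -> str | None:
    """Return a reason string if the file matches a rule, otherwise None."""
    rel = path.relative_to(root)
    if rel.is_relative_to(THUMBNAIL_DIR) and NAME_PATTERN.match(path.name):
        return "name: php in thumbnail upload folder"
    try:
        if path.stat().st_size >= MAX_CONTENT_SCAN_BYTES:
            return None
        content = path.read_bytes()
    except OSError:  # unreadable file: report nothing rather than abort the scan
        return None
    for pattern, label in CONTENT_PATTERNS:
        if pattern.match(content):
            return f"content: {label}"
    return None


def scan(root: str | os.PathLike[str]) -> list[tuple[str, str]]:
    """Walk the site root and return sorted (relative path, reason) pairs. Nothing is deleted."""
    root = Path(root)
    findings: list[tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():  # do not follow links out of the document root
                continue
            reason = classify(path, root)
            if reason:
                findings.append((rel_posix(path, root), reason))
    return sorted(findings)


def rel_posix(path: Path, root: Path) -> str:
    return path.relative_to(root).as_posix()


# Constructed sample site: two planted files, two legitimate ones that look similar.
SAMPLE_SITE = {
    "media/com_acym/images/thumbnails/thumbnail_0.php.png": b"<?php\n$abc = $_COOKIE;\n@eval($abc['x']);",
    "media/com_acym/images/thumbnails/thumbnail_5.png": b"\x89PNG\r\n\x1a\n",
    "components/com_kunena/template/system/layouts/attachment/item/thumbnail.php": b"<?php\ndefined('_JEXEC') or die;\n",
    "images/stories/cache.php": b'<?php echo "jm"."te"."st"; ?>\n',
}


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_SITE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan(root)


if __name__ == "__main__":
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel_path, why in scan(site_root):
        print(f"{why:45s} {rel_path}")
```

Run it as `python scan_acym.py /path/to/joomla/root`. The legitimate Kunena `thumbnail.php` passes because it sits outside the upload folder and its content does not start with either stub; the `.png` in the upload folder passes because its name carries no "php". Review every hit by hand before deleting anything, exactly as the thread recommends.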

      Dax, what? I didn't get any email updates about this??

      This was the report:

      array(11) {
      [0]=>
      string(103) "/./administrator/components/com_easyblog/includes/blocks/handlers/thumbnails.php"
      [1]=>
      string(115) "/./administrator/components/com_easyblog/themes/default/blogs/dialogs/restore.thumbnails.php"
      [2]=>
      string(109) "/./components/com_easyarticles/themes/wireframe/templates/dialogs/delete.thumbnail.php"
      [3]=>
      string(105) "/./components/com_easyblog/themes/wireframe/helpers/featured/slider/thumbnails.php"
      [4]=>
      string(90) "/./components/com_easysocial/themes/wireframe/photos/thumbnails.php"
      [5]=>
      string(102) "/./components/com_kunena/template/aurelia/layouts/attachment/item/thumbnail.php"
      [6]=>
      string(101) "/./components/com_kunena/template/system/layouts/attachment/item/thumbnail.php"
      [7]=>
      string(78) "/./media/com_acym/images/thumbnails/thumbnail_0.php.png"
      [8]=>
      string(80) "/./media/com_acym/images/thumbnails/thumbnail_199.php.png"
      [9]=>
      string(79) "/./media/com_acym/images/thumbnails/thumbnail_92.php.png"
      [10]=>
      string(74) "/./modules/mod_easyblogshowcase/tmpl/thumbnails.php"
      }

      Should I delete all those files?

      or only these?

      string(78) "/./media/com_acym/images/thumbnails/thumbnail_0.php.png"
      string(80) "/./media/com_acym/images/thumbnails/thumbnail_199.php.png"
      string(79) "/./media/com_acym/images/thumbnails/thumbnail_92.php.png"

      Do you have a patch for this that can replace the issue?

      OK, checked up and removed AcyMailing for good.


        mihha
        Dear Mihha,
        To be honest, I think communicating through a blog post about this issue is not enough. Not everyone reads your blogs or is subscribed to them. You will have to approach the users really proactively. In addition, it would be to your company's credit if a patch also reported whether a component contains vulnerabilities. It would be even better if these vulnerabilities were automatically removed upon detection. I have been using your component for one month for one of my customers. I am not yet convinced to advise my client to continue with AcyMailing in the future. Please show us that you are a professional company that takes all the anxiety away from your clients. At this moment, there is still some room for improvement.

        Dax, I do not find a configuration folder, just a file.

          Dax (Support Talent)

          ssnobben The ones under media/com_acym/images/thumbnails/ yes, the other ones seem legit so don't remove them.
          I edited the detection code to also check for the file content. It will take a bit more time to execute as it scans every file.

          @hanssie We also sent multiple emails about the vulnerability, in addition to the article. A patch that removes files on client websites has to target them with 100% accuracy; it would be worse if such code removed legit files.
          We're preparing one, but it takes time to test it.

          @serge You may not have the latest version of AcyMailing installed, we recently split our controller files into multiple ones to ease the maintenance on them.

          serge

          Mind that this is about the administrator part of the component. The path provided in Dax's post wraps to a new line after "administrator", so you might have looked in "[root]/components/..." instead of "[root]/administrator/components/...".

          I fell for that at first, too ... :-)

          Dax

          Thank you for the code. It worked fine for finding the files. Actually, the provider sent almost the same results (minus 2 thumbnails) to warn me about a possible breach.

          Coincidentally, I also got a notification in the AcyMailing Configuration area, saying "Duplicate column name 'image'" with today's date (screenshot attached):

          Could that be related?

          I checked the #__acym_... database tables and could not find a table with a duplicate column. The only column image was in a table #__acym_custom_zone. That table has 0 records, though. I am still checking the installer package to find out whether this is a native table, but maybe you have a hint.

          Edit: OK, the table #__acym_custom_zone is apparently a genuine part of AcyMailing. Still wondering about the meaning of the notification and what it implies ...

          Thanks

          Dax (Support Talent)

          @mmaass Did you update from a version older than v7.9.4?
          The "Duplicate column name image" message may show up when this new column already exists during an update (it mainly happens to us when testing updates, but it can also happen when someone downgrades AcyMailing and then updates again).
          In that case the column isn't actually duplicated; it is an informational message telling you that the update script couldn't create something that already exists.

          I learned of this issue from an infected-site warning from our https://mysites.guru account, a site management and security tool. This security tool flagged one of the two files (two located so far) as a hacked file with malicious code.

          Luckily I had Umify AV installed on my WHM, and it warned me immediately of this hack in the com_acym folders.
          It started to affect the whole site, creating leaks in various places.
          This tool located them all and was able to delete most of them quickly.
          I checked each folder where they were located and found a few undeleted.

          Dax
          Thank you for your work. But I do not understand: do we have to create the file?
          Why didn't you add the file here for download?
          Why didn't you add the file to the latest AcyMailing 8.7.1 release?

          @joomleb v8.7.1 was released 13 days ago; the script didn't exist yet.
          I'm preparing a v8.7.2 that will include it, but it takes a bit more time to do and test than sharing the code here.

            Dax Thank you

            A - It would be good to add the "new" Listing.php file here (and in the blog article) for download.

            B - It would also be good to show a "Success" message when no suspicious infected files are detected (so we know the script is running).

            I added the lines as indicated and I got a blank page.

            I deleted these lines:

            if (!empty($lastSlashPos) && strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match('/.*thumbnail.*php.*$/', substr($oneFileName, $lastSlashPos + 1))) {
                $infectedFiles[] = $oneFileName;
            } else {
                $fileContent = file_get_contents($oneFileName);
                if (preg_match('/^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;/Ui', $fileContent) || preg_match('/^<\?php echo "jm"\."te"\."st"; \?>$/U', $fileContent)) {
                    $infectedFiles[] = $oneFileName;
                }
            }

            and it "worked", but then obviously I cannot get a list of infected files. What can be wrong in these lines? I updated to Enterprise 8.7.1.

            Thank you,