Script to find files following acymailing vulnerability

HDcms

hello
https://www.joomla.fr/actualites/information-de-securite
I was astonished to learn of a major security flaw in acymailing, for which I didn't receive a newsletter!
I checked and found infected files under medias.
As the infection due to this flaw, can be found in many directories.
Could you make a script to automatically find and eliminate these hacks due to the flaw in your software?

tlwebdesign

It’s the LEAST you could do for us. This is costing us so much time and effort it’s rediculous. I’m really re-considering my subscription as this is such a big and costly fuckup. I guess since we pay for support maybe you should also do the cleanup on all the sites that were affected by your bad code?

hanssie

Today I was informed by one of your customers, who also use AcyMailing, that they are having problems with AcyMailing on their website. They told me that they are victims of the AcyMailing remote code execution vulnerability . It bothers me that as a user (Enterprise subscription since July) of AcyMailing for my joomla website I am not informed about this serious problem by the AcyMailing organisation. My questions are: how can I check whether or not my website is infected? If my website is infected, what can I do to solve this problem? it is your responsibility to inform and assist your customers in a professional manner. They pay for a professional service and product!

mihha

We have already provided blog post about the issue here
https://www.acymailing.com/acymailing-security-update-%f0%9f%94%90-v8-5-0/

Our developers will additionally send a newsletter with all the details to all our users

hanssie

mihha
Dear Mihha,
To be honest, I think communicating through a blog post about this issue is not enough. Not everyone will read your blogs or are subscribed to them. You will have to approach the users really proactively. In addition, it would be to your company's credit if a patch also reports whether a component contains vulnerabilities. It would be even better if these vulnerabilities are automatically removed upon detection. I use your component for one month for one of my custormers. I am not yet convinced to advise my client to continue AcyMailing in the future. Please show us that you are a professional company that takes all the anxiety away from your clients. At this moment, there is still some room for improvement.

HDcms

Hello
Informing with a newsletter is the minimum but what would be better is if you published a program to scan all directories (because it's not just in the media folder) and even better to delete them (which is what computer programs do).
Regards

tlwebdesign

Couldn't agree more with HDcms that we need a program to scan for infected files.

Dax

Hello,

A newsletter has been sent on August 8 to inform our users about the security issue.
Since then, we prepared an article explaining more in depth how to identify the infected files and what actions you should perform in priority. We thus decided to send an additional email pointing to this article (it is sent for about 30% of our users, it may take a bit more time for you to receive it).
I'm updating the article when I receive more information/methods to detect infected files.

Most hosting providers already provide a way to search for files having a name that follows a specific pattern, I'll search if the main ones have a dedicated tutorial and update the article accordingly.

ssnobben

Dax what I didnt get any email updates about this ??

This was the report:

array(11) {
[0]=>
string(103) "/./administrator/components/com_easyblog/includes/blocks/handlers/thumbnails.php"
[1]=>
string(115) "/./administrator/components/com_easyblog/themes/default/blogs/dialogs/restore.thumbnails.php"
[2]=>
string(109) "/./components/com_easyarticles/themes/wireframe/templates/dialogs/delete.thumbnail.php"
[3]=>
string(105) "/./components/com_easyblog/themes/wireframe/helpers/featured/slider/thumbnails.php"
[4]=>
string(90) "/./components/com_easysocial/themes/wireframe/photos/thumbnails.php"
[5]=>
string(102) "/./components/com_kunena/template/aurelia/layouts/attachment/item/thumbnail.php"
[6]=>
string(101) "/./components/com_kunena/template/system/layouts/attachment/item/thumbnail.php"
[7]=>
string(78) "/./media/com_acym/images/thumbnails/thumbnail_0.php.png"
[8]=>
string(80) "/./media/com_acym/images/thumbnails/thumbnail_199.php.png"
[9]=>
string(79) "/./media/com_acym/images/thumbnails/thumbnail_92.php.png"
[10]=>
string(74) "/./modules/mod_easyblogshowcase/tmpl/thumbnails.php"
}

Should I delete all those files?

or only these? string(78) "/./media/com_acym/images/thumbnails/thumbnail_0.php.png"
[8]=>
string(80) "/./media/com_acym/images/thumbnails/thumbnail_199.php.png"
[9]=>
string(79) "/./media/com_acym/images/thumbnails/thumbnail_92.php.png"

Do you have a patch for this that can replace the issue?

Dax

In the meantime, I prepared a code that may be able to list infected files, that you can add in the file administrator / components / com_acym / controllers / configuration / Listing.php in the function "listing":

$maliciousFiles = [];
$siteFiles = acym_getFiles(ACYM_ROOT, '.', true, true);
foreach ($siteFiles as $oneFileName) {
    $lastSlashPos = strrpos($oneFileName, '/');
    if (!empty($lastSlashPos) && strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match(
            '/.*thumbnail.*php.*$/',
            substr($oneFileName, $lastSlashPos + 1)
        )) {
        $maliciousFiles[] = $oneFileName;
    } elseif (filesize($oneFileName) < 10000) {
        $fileContent = file_get_contents($oneFileName);
        if (preg_match('/^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;/Ui', $fileContent) || preg_match('/^<\?php echo "jm"\."te"\."st"; \?>$/U', $fileContent)) {
            $maliciousFiles[] = $oneFileName;
        }
    }
}

if (empty($maliciousFiles)) {
    acym_enqueueMessage('No malicious file detected', 'info');
} else {
    $message = 'Potentially malicious files detected:';
    $message .= '<ul><li>'.implode('</li><li>', $maliciousFiles).'</li></ul>';
    acym_enqueueMessage($message, 'error');
}

It should look like this:

Once done, a message should appear at the top of the AcyMailing configuration page which should look like this if it finds something:

This code only lists the files, it doesn't remove them.

serge

Dax I do not find a configuration folder, just a file

mmaass

Dax

Thank you for the code. It worked fine to find the files. Actually, the provider sent almost the same results (minus 2 thumbnails) to warn me about a possible breach.

Coincidentally, I also got a notification in the AcyMailing Configuration area, saying "Duplicate column name 'image'" with today's date (screenshot attached):

Could that be related?

I checked the #__acym_... database tables and could not find a table with a duplicate column. The only column image was in a table #__acym_custom_zone. That table has 0 records, though. I am still checking the installer package to find out whether this is a native table, but maybe you have a hint.

Edit: OK, the table #__acym_custom_zone is apparently a genuine part of AcyMailing. Still wondering about the meaning of the notification and what it implies ...

Thanks

joomleb

Dax
Thank you for you work. But I do not understand, Do we have to create the file ?
Why don't you added here the file to download ?
Why don't you added the file in the last AcyMailing 8.7.1 release ?

ssnobben

Ok checking up and removed ACY mailing for good.

Dax

ssnobben The ones under media/com_acym/images/thumbnails/ yes, the other ones seem legit so don't remove them.
I edited the detection code to also check for the file content. It will take a bit more time to execute as it scans every file.

@hanssie We did also send multiple emails about the vulnerability, in addition to the article. Preparing a patch that removes files on client websites has to target with a 100% accuracy, it would be worse if such a code would remove legit files.
We're preparing one but it takes time to test it.

@serge You may not have the latest version of AcyMailing installed, we recently split our controller files into multiple ones to ease the maintenance on them.

mmaass

serge

Mind that this is about the administrator part of the component. The path provided in Dax's post wraps to a new line after administrator so you might not have looked in "[root]/administrator/components/..." but in "[root]/components/...".

I first fell for that, too ... :-)

Dax

@mmaass Did you update from a version older than v7.9.4?
The "Duplicate column name image" message may show up when this new column already exists during an update (it mainly happens to us when doing tests on updates, but it can also happen when someone downgrades the version of AcyMailing then updates again).
In this case, the column isn't duplicated, it is an information message telling you that the update script couldn't create something that already exists.

rvsafetyed

I learned of this issue of with an infected site warning from our https://mysites.guru account - site management and security tool. This security tool flagged one of the two files (two located so far) as a hacked file with malicious code.

rakesh

Luckily I had Umify AV installed on my WHM and warned be immediately of this hack in the com_acym folders.
It started to affect the whole site and creating leaks at various places.
This tool located them all and was able to delete most of them quickly.
I checked each folder where they were located and found a few undeleted.