Script to find files following acymailing vulnerability
gatomadrid (Support Beginner)
I added the lines as indicated and I've got a blank page.
I deleted these lines:
// Check 1: a file inside the thumbnail upload folder whose name contains "thumbnail" and "php"
if (!empty($lastSlashPos) && strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match('/.*thumbnail.*php.*$/', substr($oneFileName, $lastSlashPos + 1))) {
    $infectedFiles[] = $oneFileName;
} else {
    // Check 2: the file starts with a cookie-loader stub or the "jmtest" marker
    $fileContent = file_get_contents($oneFileName);
    if (preg_match('/^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;/Ui', $fileContent) || preg_match('/^<\?php echo "jm"\."te"\."st"; \?>$/U', $fileContent)) {
        $infectedFiles[] = $oneFileName;
    }
}
and it "worked", but obviously I cannot get a list of infected files. What can be wrong in these lines? I updated to Enterprise 8.7.1.
Thank you,
gatomadrid (Support Beginner)
In my case I found manually a file created on the 5th of May. I deleted it. Can this file be related to this vulnerability? Must I change passwords?
Dax (Support Talent)
@joomleb
A - You're right it's easier to share the modified file, here it is: https://fromsmash.com/OjXHpg6gzz-ct
The link is available 13 days, but a new version should be released by then with an auto-cleaner.
B - I changed the script a bit to do that
@gatomadrid some file editors may automatically change the quotes when copy-pasting, could you use the file in my link to see if it works better?
Dax (Support Talent)
There's a limit to what I can do with this script, we've got to release it at some point and each modification pushes back the release date.
gatomadrid (Support Beginner)
I still have the same blank page although I downloaded from the link that you gave us. The error is in this part of the code, because if I delete it I don't get the message.
&& strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match(
    '/.*thumbnail.*php.*$/',
    substr($oneFileName, $lastSlashPos + 1)
What can be wrong? The variable ACYM_UPLOAD_FOLDER_THUMBNAIL is not empty. I deleted the first part ( strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false ) and then the second part (preg_match(
    '/.*thumbnail.*php.*$/',
    substr($oneFileName, $lastSlashPos + 1))
and in both cases I still have the same error: blank page. A problem with the variable $oneFileName?
Dax (Support Talent)
It may have been because of scanned files size, I modified the script and the download link accordingly.
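As an added example (not the script Dax shared and not AcyMailing's own code), the following Python scanner re-implements the two checks quoted in this thread the way a defender would run them from the site root: a name check for files under the thumbnail upload folder, and a content check for the cookie-loader stub and the "jmtest" marker. It assumes that the constant ACYM_UPLOAD_FOLDER_THUMBNAIL resolves to a path containing "thumbnails" (the page only mentions media/com_acym/images/thumbnails), and it builds a small constructed site tree with planted sample files so it runs offline. It also reads only the first 4 KiB of each file instead of the whole content, which is the mitigation for the file-size problem mentioned above: file_get_contents() on a large file can exhaust PHP's memory limit, and a fatal error with display_errors off shows up as exactly the blank page reported.

```python
import os
import re
import tempfile

# Constructed stand-in for ACYM_UPLOAD_FOLDER_THUMBNAIL (assumption: the real
# constant's value contains this folder name).
THUMBNAIL_FOLDER = "thumbnails"

# Both content signatures sit at the very start of the file, so a bounded read
# is enough and avoids loading multi-megabyte files into memory.
HEAD_BYTES = 4096

# The three patterns from the PHP snippet, translated to Python's re module.
NAME_RE = re.compile(r".*thumbnail.*php.*$")
COOKIE_RE = re.compile(r"^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;", re.IGNORECASE)
TEST_RE = re.compile(r'^<\?php echo "jm"\."te"\."st"; \?>$')


def is_infected(path):
    """Apply the two checks from the forum script to a single file."""
    rel = path.replace(os.sep, "/")
    name = os.path.basename(path)
    # Check 1: suspicious name inside the thumbnail upload folder.
    if THUMBNAIL_FOLDER in rel and NAME_RE.match(name):
        return True
    # Check 2: known content signatures at the start of the file.
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return False
    return bool(COOKIE_RE.match(head) or TEST_RE.match(head))


def find_infected_files(root):
    """Walk the site tree and return matching files, relative to root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if is_infected(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site():
    """Create a constructed site tree: three planted files, three clean ones."""
    root = tempfile.mkdtemp(prefix="acym_scan_")
    files = {
        # name check should fire: "thumbnail" and "php" in a thumbnail-folder name
        "media/com_acym/images/thumbnails/thumbnail_1.php.jpg": b"GIF89a",
        # clean image in the same folder
        "media/com_acym/images/thumbnails/photo.jpg": b"\xff\xd8\xff",
        # cookie-loader stub (rest of the file omitted on purpose)
        "components/com_acym/x.php": b"<?php\n$abc = $_COOKIE;\n",
        # "jmtest" marker
        "tmp/t.php": b'<?php echo "jm"."te"."st"; ?>',
        # clean PHP entry point
        "index.php": b"<?php\ndefine('_JEXEC', 1);\n",
        # large clean log: only its first HEAD_BYTES are ever read
        "logs/big.log": b"x" * 200_000,
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for hit in find_infected_files(site):
        print(hit)
```

The name check only inspects files whose path contains the thumbnail folder, so a site-wide walk stays cheap; the content check is what catches stubs planted elsewhere, and because it reads a fixed prefix it costs the same for a 20-byte loader and a 200 KB log.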
gatomadrid (Support Beginner)
Now it works. Thanks!
Hi
I've just downloaded version 8.7.3. Where will I find the new button to test if AcyMailing is infected?
You wrote you will have a solution soon to delete all the "new files". So let us know what to do after we have found these files? And after we have changed the passwords for the database and the administrator of the website? What next ...
Can i delete the files?
When will be a solution?
Are we in danger with these files?
Kind regards
Anton
Today my webhoster informed me about potential viruses in AcyMailing.
First of all, I never got any email notification about this security issue.
Reading this thread I really don't know if there are still any viruses in my installation and, if yes, what they will do.
Since I am not a coder I really expect YOU, the support, to give us some answers and an easy way to check the files and which php files should be deleted. I really don't want to crash my system by deleting the wrong php files.
Until now, I found 3 malicious files in the media/com_acym/images/thumbnails folder and deleted them. And I updated AcyMailing to the latest version.
So support, tell me, is there still something to do, better: what can you do to support your customers concerning this issue?
mihha (Support Beginner)
You should install the latest version (8.7.4) because we actually did something, and we provided a tool that will scan your entire site from the root folder and find all possible files that were injected because of the security hole that existed in AcyMailing.
This is from our changelog
Hi Mihha,
Ok, this seems to be fixed, although I don't know how these malicious files could get into your system.
Hopefully you check your files in the future better before supplying your customers with a new update.
Cheers
Markus
mihha (Support Beginner)
We didn't provide those files. Files were injected into the clients' sites because of the security vulnerability, which we explained in our blog posts.
Those vulnerabilities have been fixed in the recent versions.