Script to find files following acymailing vulnerability

Dax

@joomleb The v8.7.1 has been released 13 days ago, the script didn't exist yet.
I'm preparing a v8.7.2 that will use it but it takes a bit more time to do and test than sharing the code here.

joomleb

Dax Thank you

A - Would be good to add here (and in the Blog Article) for the download the "new" listing.php file

B - Would be good also to show a "Success" message when no auspicious infected files are not detected (so we know the script is running)

gatomadrid

I added the lines as indicated i´ve got a blank page.

i delete these lines:

if (!empty($lastSlashPos) && strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match('/.*thumbnail.*php.*$/', substr($oneFileName, $lastSlashPos + 1))) { $infectedFiles[] = $oneFileName; } else { $fileContent = file_get_contents($oneFileName); if (preg_match('/^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;/Ui', $fileContent) || preg_match('/^<\?php echo "jm"\."te"\."st"; \?>$/U', $fileContent)) { $infectedFiles[] = $oneFileName; } }

and it "worked" but i cannot obviously get a list of infected files. What can be wrong in these lines? I updated to Enterprise 8.7.1.

Thank you,

gatomadrid

IN my case i found manually a file created the 5th May. I deleted it. CAn be this file be realted to this vulnerability? Must i change passwords?

Dax

@joomleb
A - You're right it's easier to share the modified file, here it is: https://fromsmash.com/OjXHpg6gzz-ct
The link is available 13 days, but a new version should be released by then with an auto-cleaner.
B - I changed a bit the script to do that

@gatomadrid some file editors may automatically change the quotes when copy-pasting, could you use the file in my link to see if it works better?

joomleb

Dax
Would be good to add to the script also an automatic email reporting to you to collect statistics on all suspicious infected files...

Dax

There's a limit to what I can do with this script, we've got to release it at some point and each modification pushes back the release date.

gatomadrid

@Dax

I still have the same blank page although I downloaded from the link that you gave us. The error is in this part of the code because if i delted it i don´t get the message.

&& strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match(
'/.thumbnail.php.*$/',
substr($oneFileName, $lastSlashPos + 1)

What can be wrong? the variable ACYM_UPLOAD_FOLDER_THUMBNAIL is not empty. I delete the first parte ( strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false ) and then the second part (preg_match(
'/.thumbnail.php.*$/',
substr($oneFileName, $lastSlashPos + 1))

and in both cases i still have the same error: Blan ppage. A problem with the variable $oneFileName?

Dax

It may have been because of scanned files size, I modified the script and the download link accordingly.

gatomadrid

Ahora si funciona. Gracias!

HDcms

Hi
I've just downloaded version 8.7.3.µwhere will I find the new button to test if acymailing is infected?

teddybear060470

You wrote you will have a solution in the next time to delete all the "new files". So let us know what to do after we found this files? And after we have change the passwords for the database and administrator of the website? What next ...

Can i delete the files?

When will be a solution?

Are we in danger with this files?

Kind regards
Anton

info@webkonturen.de

Today my webhoster informed me about potentially viruses in AcyMailing.
First of all, I never got any email notification about this security issue.
Reading this thread I really don't know, if there are still any viruses in my installation and if yes, what will they do.

Since I am not a coder I really expect YOU, the support, to give us some answers and an easy way to check the files and which php files should be deleted. I really don't want to crash my system by deleting the wrong php files.

Until now, I found 3 malicious files in the media/com_acym/images/thumbnails folder and deleted them. And I updated AcyMailing to the latest version.

So support, tell me, is there still something to do, better: what can you do to support your customers concerning this issue?

mihha

You should install the latest version (8.7.4) because we actually did something, and we provided a tool that will scan your entire site from the root folder and find all possible files that were injected because of the security hole that existed in AcyMailing

This is from our changelog

info@webkonturen.de

Hi Mihha,
ok, this seems to be fixed, although I don't know, how these malicious files could get into your system.
Hopefully you check your files in the future better before supplying your customers with a new update.

Cheers
Markus

mihha

We didn't provide those files. Files were injected into the clients sites because of the security vulnerability, which we explained in our blog posts

Those vulnerabilities have been fixed in the recent versions

« Previous Page