Email hijacked - CLOSED

Started by SimonJae, February 09, 2016, 09:28:27 AM

SimonJae

Hi all
Thanks for a great product  :)

Could anyone point to where I might find a hack that is causing us great concern -

The site is set up as a Catalogue with an "Ask A Question" button... the trouble is that when an email is sent... we receive an email from what is seen as "MSOffice Service Centre" with no content and any email address scrubbed - so we can't respond or follow up. Further, if I change the 'backend' email address, the same thing persists - so it is somewhere in the code - mail.php - I am guessing!!

Where might this 'hack' have been installed? Any ideas... your thoughts would be greatly appreciated

Thanks, Simon
Let the interface live.

SimonJae

- sorry if I am posting in the wrong area    :-X

jenkinhill

If you have been hacked then there is likely to be more than one malicious file. Your Joomla/VM versions?
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

SimonJae

Hi Jenkin,
Thanks for your response. Both are pretty old - at the client's insistence. He is one of these that also believes this can be fixed in 10 minutes without any input from himself.

Joomla - 2.5.4   VM - 2.0.6a

Any ideas? I feel sure a file has been hacked, though for the life of me I can't find the 'form' action

Thanks in advance, Simon

GJC Web Design

as Jenks suggests

why would a hacker, after gaining access.. just hard code an email address?  If you feel the site is hacked.. look for recently changed files, scan with software etc .. then the whole site would be suspect

with those versions the whole site is wide open anyway.. and cleaning a site always takes hours .. not minutes

but as I say.. seems like an odd "hack" if this is all they changed

as far as I remember the mails are sent from the com_virtuemart/helpers/shopfunctionsf.php
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

jenkinhill

I have done quite a few recoveries of hacked sites, and it does take time. In most cases the database is not affected, so it is possible to build a new site using identical versions of Joomla and any other extensions that had been installed, including VirtueMart. Check the current image files one by one and if OK then copy the images over to the new installation, and the same with any downloadable media and overrides. Then set the "new" site to use a copy of the "old" database. Check function, and if OK then update all versions and add any security patches, followed by checking again. Then if all seems good, replace the old site with the new.

And yes, it does take time!
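A first pass over the rebuild described in the post above, as an added example that is not part of the original thread: it hashes every file of the suspect site against a clean install of identical Joomla/VirtueMart versions and lists core files that differ, files the release never shipped, and script files sitting under the image or media folders. The folder names, the `SCRIPT_EXT` list and the two sample trees are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".phtml", ".php5", ".pht"}  # assumed list: types that never belong among images

def index_tree(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def compare_to_clean(suspect_root, clean_root, content_dirs=("images", "media")):
    """Classify suspect-site files against a clean install; other uploads need a manual look."""
    suspect, clean = index_tree(suspect_root), index_tree(clean_root)
    report = {"modified": [], "added": [], "script_in_content": [], "missing": []}
    for rel in sorted(suspect):
        in_content = rel.split("/", 1)[0] in content_dirs
        if rel in clean:
            if clean[rel] != suspect[rel]:
                report["modified"].append(rel)           # core file differs from the release
        elif not in_content:
            report["added"].append(rel)                  # file the release never shipped
        elif Path(rel).suffix.lower() in SCRIPT_EXT:
            report["script_in_content"].append(rel)      # script hidden among uploads
    report["missing"] = sorted(set(clean) - set(suspect))
    return report

def demo():
    """Build two small constructed trees and compare them (sample data, not a real site)."""
    files_clean = {
        "index.php": "<?php // entry point",
        "components/com_virtuemart/helpers/shopfunctionsf.php": "<?php // mail helper",
    }
    files_suspect = dict(files_clean)
    files_suspect["components/com_virtuemart/helpers/shopfunctionsf.php"] += "\n// altered"
    files_suspect["images/products/chair.jpg"] = "constructed image bytes"
    files_suspect["images/products/thumb.php"] = "<?php // constructed placeholder"
    files_suspect["libraries/cache.php"] = "<?php // constructed placeholder"
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", files_clean), ("suspect", files_suspect)):
            for rel, text in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(text)
        return compare_to_clean(Path(tmp, "suspect"), Path(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```

Template overrides and third-party extensions missing from the clean tree will show up under `added`; install the same extensions in the reference copy first so that only unexplained files remain.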

SimonJae

Thanks guys

This site has been targeted before - in fact 3 times... so I know the procedure pretty well - thanks Kelvyn/Jenkin. What I am hoping is it is a residual from a previous hack... thanks GJC - I feel it's a file thing as although I change the site's primary email address - emails come into the old address with the same string/signature - I will check out the "shopfunctionsf" file.

If anything comes to mind revolving around these emails that you can think of.. any heads up would be appreciated. Once found return, report and sign-off on the thread

Thanks again guys. Simon

GJC Web Design

but if you're not updating to latest versions this is all a waste of time.. they will be back!

hackers swap lists of vulnerable sites

ssc3

See the Critical Security Leak reported here.

http://virtuemart.net/news/latest-news/475-critical-security-leak-in-all-joomla-versions-please-update-immediatly

If this is caused by an automated script, making regular visits to your site and reinfecting it, you will probably be hacked again, unless you upgrade.

I have seen several different variations of the above in site's logs.

It looks like it is working its way through lists of URLs looking for Joomla sites,
visiting each site at least once a day.

If this particular hack has not affected you yet, it is only a matter of time before it does.
Virtuemart Payment Plugins
https://plugins.online-store.co.uk

jjk

One tool which might detect a number of suspicious files is this one: http://forum.joomla.org/viewtopic.php?f=714&t=778692
I think it still works on Joomla 2.5.x. But that's only a 'first aid' tool.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

Milbo

Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

SimonJae

Max!!!!
I have been in hospital for 6 months - excuse my disappearance!! Hope you're enjoying "Karpool Karoake"  )))  (embarrassed)

After changing the primary emails - I have discovered the client's email/pc (windows) has a trojan and has hijacked emails coming out of the website. After all but upgrading and doing as Kelvyn had suggested.

The 'take-away' must be that clients understand the worth of a website of such complexity - and give due respect to the responsibilities of having one. I will charge him highly.

Thanks guys for being here to lend an ear - greatly appreciated

Simon

>> will apply the fix... thanks @ Milbo

shall close the thread

Milbo

Yeh, crazy shit happened to you my friend. People wonder about my habit to eat garlic any day :-). I just wanted to point on the right versions, so that you can update without problems. I wanted also to point out that it is not necessary to update to the last version.