Email highjacked - CLOSED

[SimonJae]

Hi all
Thanks for a great product 

Could anyone point to where I might find a hack that is causing us great concern -

The site is set up as a Catalogue with a "Ask A Question" button... the trouble is that when an email is sent... we receive an email from what is seen as "MSOffice Service Centre" with no content and any email address scrubbed - so we cant respond or follow up. Further if I change the 'backend' email address; the same thing persists - so it is somewhere in the code - mail.php - I am guessing!!

Where might this 'hack' have been installed? Any ideas... your thoughts would be greatly appreciated

Thanks, Simon

[SimonJae]

- sorry if I am posting in the wrong area   

[jenkinhill]

If you have been hacked then there is likely to be more than one malicious file. Your Joomla/VM versions?

[SimonJae]

Hi Jenkin,
Thanks for your response. Both a pretty old - at the clients insistence. He is one of these that also believes this can be fixed in 10 minutes without any input from himself'

Joomla - 2.5.4   VM - 2.0.6a

Any ideas? I feel sure a file has been hacked, though for the life of me I cant find the 'form' action

Thanks in advance, Simon

[GJC Web Design]

as Jenks suggests

why would a hacker, after gaining access.. just hard code an email address?  If you feel the site is hacked.. look for recently changed files , scan with software etc .. then the whole site would be suspect

with those versions the whole site is wide open anyway.. and cleaning a site always takes hours .. not minutes

but as i say.. seems like an odd "hack" if this is all they changed

as far as i remember the mails are sent from the com_virtuemart/helpers/shopfunctionsf.php

[jenkinhill]

I have done quite a few recoveries of hacked sites, and it does take time. In most cases the database is not affected, so it is possible to build a new site using identical versions of Joomla and any other extensions that had been installed, including VirtueMart. Check the current image files one by one and if OK the copy the images over to the new installation, and the same with any downloadable media and overrides. Then set the "new" site to use a copy of the "old" database. Check function, and if OK then update all versions and add any security patches, followed by checking again. Then if all seems good, replace the old site with the new.

And yes, it does take time!

[SimonJae]

Thanks guys

This site has been targeted before - in fact 3 times... so I know the procedure pretty well - thanks Kelvyn/Jenkin. What I am hoping is it is a residual from a previous hack... thanks GJC - I feel its a file thing as although I change the site's primary email address - emails come into the old address with the same string/signature - I will check out the "shopfunctionsf" file.

If anything comes to mind revolving around these emails that you can think of.. any heads up would be appreciated. Once found return, report and sign-off on the thread

Thanks again guys. Simon

[GJC Web Design]

but if your not updating to latest versions this is all a waste of time.. they will be back!

hackers swap lists of vulnerable sites

[ssc3]

See the Critical Security Leak reported here.

http://virtuemart.net/news/latest-news/475-critical-security-leak-in-all-joomla-versions-please-update-immediatly

If this is caused by an automated script, making regular visits to your site and reinfecting it, you will be probably be hacked again,
unless you upgrade.

I have seen several different variations of the above in site's logs.

It looks like it is working its way through lists of URLs looking for Joomla sites,
visiting each site at least once a day.

If this particular hack has not effected you yet, it is only a matter of time before it does.

[jjk]

One tool which might detect a number of suspicious files is this one: http://forum.joomla.org/viewtopic.php?f=714&t=778692
I think it still works on Joomla 2.5.x. But that's only a 'first aid' tool.

[Milbo]

You should update to

vm2.6.22 and j2.5.28 with the security

fix posted here http://virtuemart.net/news/latest-news/475-critical-security-leak-in-all-joomla-versions-please-update-immediatly

[SimonJae]

Max!!!!
I have been in hospital for 6 months - excuse my disappearance!! Hope youre enjoying "Karpool Karoake"  )))  (embarassed)

After changing the primary emails - I have discovered the client's email/pc (windows) has a trojan and has highjacked emails coming out of the website. After all but upgrading and doing as Kelvyn had suggested.

The 'take-away' must be that clients understand the worth of a website of such complexity - and give due respect to the responsabilities of having one. I will charge him highly.

Thanks guys for being here to lend an ear - greatly appreciated

Simon

>> will apply the fix... thanks @ Milbo

shall close the thread

[SimonJae]

<< CLOSED  >>

[Milbo]

YEh crazy shit happened to you my friend. People wonder about my habit to eat garlic any day :-). I just wanted to point on the right versions, so that you can update without problems. I wanted also to point out, that it is not necessary to update to the last version.