Malware installed constantly on website

Discussion regarding Joomla! 4.x security issues.


Malware installed constantly on website

Post by blejalo » Wed Nov 15, 2023 9:06 pm

Hello everyone,

For the last month, I have constantly had a problem with installing update google malware on the site. Joomla is patched to 4.4.0, as are all extensions. I removed everything that was suspicious, but it still happens to me. I pissed myself. I restore backups every day, and so on in a circle. My host categorically refuses that it is not up to them. I tried blocking all exotic countries (Africa, Chile, Bulgaria, Romania, Zimbabwe, Russia, Poland, Ukraine etc...) through htaccess but they still deface it. I use a legal Joomlashaper template...

Has anyone had a similar problem?
Last edited by toivo on Wed Nov 15, 2023 10:06 pm, edited 1 time in total.
Reason: mod note: retitled


Re: Fake google chrome update

Post by AMurray » Wed Nov 15, 2023 10:10 pm

[Edit: I see the thread has been renamed, previously it referred possibly to this matter linked below]

Is this what you're referring to? https://www.malwarebytes.com/blog/news/ ... ad-malware. Did you inadvertently install the fake update?

Web browsers are not typically updated in the fashion of downloading and running a file. They update themselves in the background.

If still concerned about your site, try a security audit with https://mysites.guru. I believe the first month, for one website, is currently free of charge. After that, it is a monthly subscription with unlimited sites that you can add.
Last edited by AMurray on Wed Nov 15, 2023 10:13 pm, edited 1 time in total.
Regards - A Murray
General Support Moderator


Re: Malware installed constantly on website

Post by toivo » Wed Nov 15, 2023 10:11 pm

Please post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs/ so that the configuration can be reviewed.

Does this website use any of the security extensions available from the Site Security section of the JED?

BTW, why do you refer to malware as 'google malware'?
Toivo Talikka, Global Moderator


Re: Malware installed constantly on website

Post by blejalo » Wed Nov 15, 2023 10:31 pm

Hello Everyone,

First I would like to thank you for your responses and interest in this problem. I'm very sorry if I was confused. I'll try simpler.

I refer to this issue: https://cybersecuritynews.com/beware-of ... me-update/

I did everything I could when I noticed the problem:

- password changed, double verification of administrator account enabled (they disabled it again and installed index.php);

- I deleted the database, changed the password, checked the entire file for malicious code and found nothing;

- I protected the administrator folder with a password, and the same again;

- I added akeeba admin tools, rescanned and the same again;

- blocked through htaccess access and nothing;

- I added the site https://mysites.guru/, scanned it, it didn't show anything extreme, I thought I would pay full support next month;

Tomorrow I will devote myself more to your advice, so I will write more extensively.
Forum Post Assistant (v1.6.6) : 15-Nov-2023

Basic Environment ::
Joomla! Instance :: Joomla! 4.4.0-Stable (Pamoja) 17-October-2023
Joomla! Configured :: Yes | Writable (644) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: true | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: N/A | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 4.4.0: Yes | Database Supports J! 4.4.0: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-1160.95.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 1542.05 GiB |

PHP Configuration :: Version: 8.2.11 | PHP API: fpm-fcgi | Session Path Writable: No | Display Errors: 0 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: /var/www/vhosts/jugcbl.rs.ba/:/tmp/ | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 120 | Max. Execution Time: 60 | Memory Limit: 256M

Database Configuration :: Version: 10.5.22-MariaDB (Client:mysqlnd 8.2.11) | Database Size: 10.65 MiB | #of Tables with config prefix:  130 | #of other Tables:  0 | User Privileges : GRANT SELECT | INSERT | UPDATE | DELETE | CREATE | DROP | REFERENCES | INDEX | ALTER | CREATE TEMPORARY TABLES | LOCK TABLES | EXECUTE | CREATE VIEW | SHOW VIEW | CREATE ROUTINE | ALTER ROUTINE | EVENT | TRIGGER

Detailed Environment ::
PHP Extensions :: Core (8.2.11) | date (8.2.11) | libxml (8.2.11) | openssl (8.2.11) | pcre (8.2.11) | zlib (8.2.11) | bz2 (8.2.11) | calendar (8.2.11) | ctype (8.2.11) | hash (8.2.11) | filter (8.2.11) | ftp (8.2.11) | gettext (8.2.11) | gmp (8.2.11) | json (8.2.11) | iconv (8.2.11) | SPL (8.2.11) | random (8.2.11) | Reflection (8.2.11) | session (8.2.11) | standard (8.2.11) | mbstring (8.2.11) | SimpleXML (8.2.11) | sockets (8.2.11) | tokenizer (8.2.11) | xml (8.2.11) | cgi-fcgi (8.2.11) | mysqlnd (mysqlnd 8.2.11) | bcmath (8.2.11) | curl (8.2.11) | dba (8.2.11) | dom (20031129) | enchant (8.2.11) | fileinfo (8.2.11) | gd (8.2.11) | imagick (3.7.0) | imap (8.2.11) | intl (8.2.11) | ldap (8.2.11) | exif (8.2.11) | mysqli (8.2.11) | odbc (8.2.11) | PDO (8.2.11) | pdo_mysql (8.2.11) | PDO_ODBC (8.2.11) | pdo_pgsql (8.2.11) | pdo_sqlite (8.2.11) | pgsql (8.2.11) | Phar (8.2.11) | posix (8.2.11) | pspell (8.2.11) | redis (6.0.1) | soap (8.2.11) | sodium (8.2.11) | sqlite3 (8.2.11) | sysvmsg (8.2.11) | sysvsem (8.2.11) | sysvshm (8.2.11) | tidy (8.2.11) | xmlreader (8.2.11) | xmlwriter (8.2.11) | xsl (8.2.11) | zip (1.21.1) | Zend OPcache (8.2.11) | Zend Engine (4.2.11) |
Potential Missing Extensions ::
Disabled Functions :: opcache_get_status |

Switch User Environment :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Potential Ownership Issues: No

Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) | api/ (755) |

Elevated Permissions (First 10) ::

Database Information ::
Database statistics :: Uptime: 4272735 | Threads: 118 | Questions: 695272158 | Slow queries: 15 | Opens: 21489 | Open tables: 11718 | Queries per second avg: 162.722 |

Extensions Discovered ::
Components :: Site ::
Core ::
3rd Party:: WF_POPUPS_JCEMEDIABOX_TITLE (2.9.54) ? | WF_AGGREGATOR_VIDEO_TITLE (2.9.54) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.9.54) ? | WF_AGGREGATOR_[youtube]_TITLE (2.9.54) ? | WF_AGGREGATOR_AUDIO_TITLE (2.9.54) ? | WF_AGGREGATOR_VIMEO_TITLE (2.9.54) ? | WF_LINK_SEARCH_TITLE (2.9.54) ? | WF_LINKS_JOOMLALINKS_TITLE (2.9.54) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.9.54) ? | WF_STYLE_TITLE (2.9.54) ? | WF_HR_TITLE (2.9.54) ? | WF_STYLESELECT_TITLE (2.9.54) ? | WF_CLEANUP_TITLE (2.9.54) ? | WF_SPELLCHECKER_TITLE (2.9.54) ? | WF_ATTRIBUTES_TITLE (2.9.54) ? | WF_FONTSIZESELECT_TITLE (2.9.54) ? | WF_CLIPBOARD_TITLE (2.9.54) ? | WF_BROWSER_TITLE (2.9.54) ? | WF_LINK_TITLE (2.9.54) ? | WF_SEARCHREPLACE_TITLE (2.9.54) ? | WF_VISUALCHARS_TITLE (2.9.54) ? | WF_HELP_TITLE (2.9.54) ? | WF_FULLSCREEN_TITLE (2.9.54) ? | WF_EMOTIONS_TITLE (2.9.54) ? | WF_TEXTCASE_TITLE (2.9.54) ? | WF_LANGCODE_TITLE (2.9.54) ? | WF_REFERENCE_TITLE (2.9.54) ? | WF_CONTEXTMENU_TITLE (2.9.54) ? | WF_ARTICLE_TITLE (2.9.54) ? | WF_IMGMANAGER_TITLE (2.9.54) ? | WF_ANCHOR_TITLE (2.9.54) ? | WF_WORDCOUNT_TITLE (2.9.54) ? | WF_MEDIA_TITLE (2.9.54) ? | WF_LISTS_TITLE (2.9.54) ? | WF_CHARMAP_TITLE (2.9.54) ? | JCE - Noneditable (1.0.0) ? | WF_VISUALBLOCKS_TITLE (2.9.54) ? | WF_KITCHENSINK_TITLE (2.9.54) ? | WF_TABLE_TITLE (2.9.54) ? | WF_NONBREAKING_TITLE (2.9.54) ? | WF_PRINT_TITLE (2.9.54) ? | WF_FORMATSELECT_TITLE (2.9.54) ? | WF_AUTOSAVE_TITLE (2.9.54) ? | WF_FONTCOLOR_TITLE (2.9.54) ? | WF_FONTSELECT_TITLE (2.9.54) ? | WF_PREVIEW_TITLE (2.9.54) ? | WF_DIRECTIONALITY_TITLE (2.9.54) ? |

Components :: Admin ::
Core :: com_content (4.0.0) 1 | com_login (4.0.0) 1 | com_redirect (4.0.0) 1 | com_banners (4.0.0) 1 | com_categories (4.0.0) 1 | com_templates (4.0.0) 1 | com_languages (4.0.0) 1 | com_messages (4.0.0) 1 | com_installer (4.0.0) 1 | com_users (4.0.0) 1 | com_checkin (4.0.0) 1 | com_privacy (3.9.0) 1 | com_associations (4.0.0) 1 | com_fields (4.0.0) 1 | com_finder (4.0.0) 1 | com_wrapper (4.0.0) 1 | com_postinstall (4.0.0) 1 | com_ajax (4.0.0) 1 | com_contenthistory (4.0.0) 1 | com_joomlaupdate (4.0.3) 1 | com_plugins (4.0.0) 1 | com_config (4.0.0) 1 | com_tags (4.0.0) 1 | com_modules (4.0.0) 1 | com_admin (4.0.0) 1 | com_guidedtours (4.3.0) 1 | com_search (4.0.0-dev) 1 | com_cpanel (4.0.0) 1 | com_actionlogs (3.9.0) 1 | com_scheduler (4.1.0) 1 | com_cache (4.0.0) 1 | com_mails (4.0.0) 1 | com_media (3.0.0) 1 | com_newsfeeds (4.0.0) 1 | com_menus (4.0.0) 1 | com_workflow (4.0.0) 1 |
3rd Party:: GSD (1.0) 1 | SP Page Builder (3.8.10) 1 | com_admintools (7.4.4) 1 | com_akeebabackup (9.8.3) 1 | COM_JCE (2.9.54) 1 | com_phocadownload (4.0.9) 1 |

Modules :: Site ::
Core :: mod_articles_latest (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_articles_category (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_search (4.0.0-dev) 1 | mod_syndicate (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_login (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_popular (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_stats (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_archive (3.0.0) 1 |
3rd Party:: sigplus (1.5.0.298) 1 | SP Page Builder (3.8.10) 1 |

Modules :: Admin ::
Core :: mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 | mod_title (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_loginsupport (4.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_sampledata (3.8.0) 1 | mod_popular (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_guidedtours (4.3.0) 1 | mod_logged (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_post_installation_messages (4.0.0) 1 | mod_latest (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_login (3.0.0) 1 | mod_privacy_status (4.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_frontend (4.0.0) 1 | mod_messages (4.0.0) 1 | mod_user (4.0.0) 1 |
3rd Party:: mod_sppagebuilder_icons (1.0.2) 1 | mod_sppagebuilder_admin_menu (1.4) 1 |

Libraries ::
Core ::
3rd Party::

Plugins ::
Core :: plg_system_remember (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_jooa11y (4.2.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_shortcut (4.2.0) 1 | plg_system_webauthn (4.0.0) 1 | plg_system_guidedtours (4.3.0) 1 | plg_system_httpheaders (4.0.0) 0 | plg_system_skipto (4.0.0) 1 | plg_system_task_notification (4.1) 1 | plg_system_accessibility (4.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_schedulerunner (4.1) 1 | plg_system_cache (3.0.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_actionlogs (3.9.0) 0 | plg_system_log (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_workflow_publishing (4.0.0) 1 | plg_workflow_notification (4.0.0) 1 | plg_workflow_featuring (4.0.0) 1 | plg_behaviour_versionable (4.0.0) 1 | plg_behaviour_taggable (4.0.0) 1 | plg_behaviour_compat (4.4.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_subform (4.0.0) 1 | plg_fields_editor (3.7.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_search_newsfeeds (4.0.0-dev) 1 | plg_search_content (4.0.0-dev) 1 | plg_search_tags (4.0.0-dev) 1 | plg_search_categories (4.0.0-dev) 1 | 
plg_search_contacts (4.0.0-dev) 1 | plg_api-authentication_token (4.0.0) 1 | plg_api-authentication_basic (4.0.0) 0 | plg_user_terms (3.9.0) 0 | plg_user_token (3.9.0) 1 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_media-action_resize (4.0.0) 1 | plg_media-action_crop (4.0.0) 1 | plg_media-action_rotate (4.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_fields (3.7.0) 1 | Content - SP Page Builder (3.8.10) 1 | plg_content_finder (3.0.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_quickicon_downloadkey (4.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_overridecheck (4.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_eos (4.4.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_extension_finder (4.0.0) 1 | plg_extension_namespacemap (4.0.0) 1 | plg_sampledata_multilang (4.0.0) 1 | plg_installer_folderinstaller (3.6.0) 1 | plg_installer_urlinstaller (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_override (4.0.0) 1 | plg_installer_webinstaller (4.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | K2 - SP Page Builder (3.8.10) 0 | plg_webservices_modules (4.0.0) 1 | plg_webservices_menus (4.0.0) 1 | plg_webservices_privacy (4.0.0) 1 | plg_webservices_config (4.0.0) 1 | plg_webservices_users (4.0.0) 1 | plg_webservices_newsfeeds (4.0.0) 1 | plg_webservices_banners (4.0.0) 1 | plg_webservices_messages (4.0.0) 1 | plg_webservices_redirect (4.0.0) 1 | plg_webservices_content (4.0.0) 1 | plg_webservices_tags (4.0.0) 1 | plg_webservices_media (4.1.0) 1 | plg_webservices_installer (4.0.0) 1 | 
plg_webservices_languages (4.0.0) 1 | plg_webservices_plugins (4.0.0) 1 | plg_webservices_templates (4.0.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_actionlog_joomla (3.9.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_multifactorauth_fixed (4.2.0) 0 | plg_multifactorauth_totp (3.2.0) 1 | plg_multifactorauth_webauthn (4.2.0) 1 | plg_multifactorauth_email (4.2.0) 1 | plg_multifactorauth_yubikey (3.2.0) 1 | plg_task_demo_tasks (4.1) 1 | plg_task_requests (4.1) 1 | plg_task_check_files (4.1) 1 | plg_task_site_status (4.1) 1 | plg_filesystem_local (4.0.0) 1 |
3rd Party:: System - Helix Ultimate Framework (2.0.17) 1 | plg_system_gsd (5.4.1) 1 | System - SP Page Builder Pro Update (3.8.10) ? | plg_system_nrframework (4.10.76) 0 | PLG_SYSTEM_ADMINTOOLS (7.4.4) 1 | System - SP PageBuilder (3.8.10) 1 | plg_system_osmylicensesmanager (2.0.15) 1 | System - JV-Extensions (1.0.1) 1 | plg_system_jce (2.9.54) 1 | plg_editors_tinymce (5.10.7) 1 | plg_editors_jce (2.9.54) 1 | plg_editors_codemirror (5.65.15) 1 | plg_fields_mediajce (2.9.54) 1 | plg_search_sppagebuilder (3.8.10) 1 | plg_search_sigplus (1.5.0.298) 0 | plg_content_jvrelatives (6.0.0) 1 | PLG_EMBED_GOOGLE_MAP (2.3.0) 1 | plg_content_sigplus (1.5.0.298) 1 | plg_content_jce (2.9.54) 1 | PLG_QUICKICON_AKEEBABACKUP (9.8.3) 1 | plg_quickicon_jce (2.9.54) 1 | plg_extension_jce (2.9.54) 1 | plg_installer_jce (2.9.54) 1 | SP Simple Portfolio - SP Page Build (3.8.10) ? | plg_finder_booklibrary (6.0.0) 0 | plg_finder_sppagebuilder (3.8.10) 0 | PLG_ACTIONLOG_ADMINTOOLS (7.4.4) 0 | plg_editors-xtd_sigplus (1.5.0.298) 1 |

Templates Discovered ::
Templates :: Site :: cassiopeia (1.0) 1 | Fortune (2.0.0) 1 |
Templates :: Admin :: atum (1.0) 1 |
Last edited by toivo on Thu Nov 16, 2023 1:45 am, edited 2 times in total.
Reason: mod note: disabled smilies in post Options for readability


Re: Malware installed constantly on website

Post by blejalo » Wed Nov 15, 2023 10:53 pm

here it is fpa :D


Re: Malware installed constantly on website

Post by Webdongle » Thu Nov 16, 2023 12:01 am

Restoring a backup to a hacked site will often just replace the hack. If you believe your site is hacked please see viewtopic.php?f=813&t=988545 or https://mysites.guru/
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Re: Malware installed constantly on website

Post by PhilTaylor-Prazgod » Thu Nov 16, 2023 12:52 pm

I have manually reviewed the audit results and like you say, "it didn't show anything" extreme, hacked, or of concern at the time of the audit.

The site is not currently hacked at all.

This is seconded, and confirmed, by https://sitecheck.sucuri.net/

Future audits will show any changes over time, that's the usefulness of repeat audits and the baseline.
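
The baseline-and-repeat-audit idea from the post above, as an added example (not part of the thread and not mysites.guru's code): hash every file under the web root, keep that manifest outside the web root, and diff it at the next audit. The `UPLOAD_DIRS` and `PHP_EXT` values are assumptions about this kind of Joomla site.

```python
import hashlib
import os

# Assumption: these directories hold only uploaded/static content on this site,
# so executable PHP appearing in them is reviewed before anything else.
UPLOAD_DIRS = ("images/", "tmp/")
PHP_EXT = (".php", ".phtml", ".phar")

def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the web root
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Compare two manifests and report what changed between audits."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def review_first(diff):
    """New or changed PHP files, those inside upload directories listed first."""
    changed = diff["added"] + diff["modified"]
    php = [p for p in changed if p.lower().endswith(PHP_EXT)]
    return sorted(php, key=lambda p: (not p.startswith(UPLOAD_DIRS), p))

if __name__ == "__main__":
    import json
    import sys
    # usage: python audit.py <webroot> <baseline.json>
    root, store = sys.argv[1], sys.argv[2]
    current = build_manifest(root)
    if os.path.exists(store):
        with open(store) as fh:
            print(review_first(diff_manifests(json.load(fh), current)))
    else:
        with open(store, "w") as fh:
            json.dump(current, fh)  # first run records the baseline
```

A baseline is only meaningful if it is taken from a state known to be clean; a manifest built from an already modified site records the modification as normal.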


Re: Malware installed constantly on website

Post by blejalo » Fri Nov 17, 2023 8:51 am

Hi, PhilTaylor-Prazgod!

Thank you for your help and for responding. You have helped me a lot. Your site and support are very valuable. I have sent the advice and recommendations, now we will see. I deleted some suspicious files (also, I was comparing files and folders). We'll see what happens. I am currently reading the logs to try to see which file was called at a certain time of day.

