Hi,
We now have (previously there was a Joomla site there) our sites installed in sub-directories of /public_html:
/public_html/site1_j3
/public_html/site1_j4
No other files in /public_html (protection = 750).
January 3rd, after two weeks, we have found files in /public_html: "curl.php", "db.php", .htaccess
This curl.php (attack) appears on 2 other Joomla sites, and at 2 providers, on the same date.
1/ Have you heard of this "curl.php" attack on Joomla sites?
2/ How to protect our /public_html root dir?
Any suggestions to protect our Joomla sites and /public_html + sub-dirs are welcome.
Best regards,
Gilles
"curl.php" attack on Joomla sites /Public_html
Moderators: mandville, General Support Moderators
- vcmb
- Joomla! Apprentice
- Posts: 13
- Joined: Wed Jan 04, 2023 7:29 am
- pe7er
- Joomla! Master
- Posts: 25010
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: "curl.php" attack on Joomla sites /Public_html
Welcome to the Joomla forum!
vcmb wrote (Wed Jan 04, 2023 7:47 am):
January 3rd, after two weeks, we have found files in /public_html: "curl.php", "db.php", .htaccess
This curl.php (attack) appears on 2 other Joomla sites, and at 2 providers, on the same date.
1/ Have you heard of this "curl.php" attack on Joomla sites?
2/ How to protect our /public_html root dir?
Hackers might have added backdoor scripts on your server to upload other scripts.
To protect your website, you have to find out how the files have been uploaded to your server.
Maybe my article "How my new Joomla 4 website got hacked" in Joomla Community Magazine from last November gives you some pointers on how to analyze the hack:
https://magazine.joomla.org/all-issues/ ... got-hacked
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- vcmb
- Joomla! Apprentice
- Posts: 13
- Joined: Wed Jan 04, 2023 7:29 am
Re: "curl.php" attack on Joomla sites /Public_html
Thanks Peter,
We are going to read this interesting article carefully.
Today we fail to understand how they've penetrated 3 different providers and multiple Joomla sites with the same technique, the "curl.php" file ...
Common points are:
- site installed under /public_html/site-xx_j3
- No file under /public_html: only Joomla directories, no .htaccess, protection 750
- Joomla 3.10.11 (some sites a mix of both)
- Some Joomla extensions used on all sites
How to best secure /public_html?
Thanks, Gil
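Gil asks how to best secure /public_html. One defender-side check, added here as an example and not code from any poster in the thread, is a hash baseline of the web root: run it once on a known-clean tree, then re-run the check from cron so that new top-level files such as curl.php, db.php or an unexpected .htaccess are reported the next time it runs. The directory and manifest paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: a hash baseline of a
# web root so that files appearing in it (curl.php, db.php, a surprise .htaccess)
# are reported on the next check. DIR and MANIFEST arguments are placeholders.

# Hash every regular file under DIR into MANIFEST (sorted so comm can diff it).
webroot_baseline() {
    dir=$1; manifest=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort) > "$manifest"
}

# Re-hash DIR and compare with MANIFEST. Prints each added/changed/removed
# path; returns 0 when the tree is unchanged, 1 otherwise.
webroot_check() {
    dir=$1; manifest=$2
    tmp=$(mktemp)
    (cd "$dir" && find . -type f -exec sha256sum {} + | sort) > "$tmp"
    if cmp -s "$manifest" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    # Lines only in the fresh listing: new files, or files whose hash changed.
    comm -13 "$manifest" "$tmp" | cut -c67- | sed 's/^/NEW\/CHANGED: /'
    # Lines only in the baseline: deleted files, or the old hash of changed ones.
    comm -23 "$manifest" "$tmp" | cut -c67- | sed 's/^/MISSING\/CHANGED: /'
    rm -f "$tmp"
    return 1
}

# Regular files directly in the web root. In the thread's layout only the
# site sub-directories belong there, so any name printed is suspect.
webroot_toplevel_files() {
    find "$1" -maxdepth 1 -type f | sed 's|.*/||'
}

# Typical use: baseline once on a clean tree, then check from cron, e.g.
#   webroot_baseline /home/USER/public_html /home/USER/.webroot.sha256
#   webroot_check    /home/USER/public_html /home/USER/.webroot.sha256
```

A baseline like this only detects changes after the fact; it does not tell you how the files got there, which is the question Peter's reply points at.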
- Webdongle
- Joomla! Master
- Posts: 44132
- Joined: Sat Apr 05, 2008 9:58 pm
Re: "curl.php" attack on Joomla sites /Public_html
viewtopic.php?f=714&t=946026
same for J4
or https://mysites.guru/
Once they gain access (usually through a 3rd party extension) they upload a script that allows them access to the server. If you have WP in another folder the hack could have originated from there.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- vcmb
- Joomla! Apprentice
- Posts: 13
- Joined: Wed Jan 04, 2023 7:29 am
Re: "curl.php" attack on Joomla sites /Public_html
Hi,
Please find below the code added inside "index.php" in / of our Joomla site:
AT THE FIRST 2 LINES
It seems that the "PHP curl module" is used to attack Joomla!
Best regards,
Gil
====================================================
[ redacted ]
Last edited by toivo on Sat Jan 07, 2023 1:06 am, edited 1 time in total.
Reason: mod note: malicious code removed - please observe the forum rules, available from https://forum.joomla.org/viewtopic.php?f=8&t=65
- vcmb
- Joomla! Apprentice
- Posts: 13
- Joined: Wed Jan 04, 2023 7:29 am
Re: "curl.php" attack on Joomla sites /Public_html
Hi,
Is it possible to run Joomla v4 with PHP curl module disabled?
More scripts have been found with similar curl module calls:
db.php, simple.php, curl.php, cpanel.php, index.php (changed), nf_tracking.php
Best regards,
Gil
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1403
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: "curl.php" attack on Joomla sites /Public_html
I have been tracking 3 customers with this exact hack.
I can tell you for certain that this is not a Joomla based hack.
The "PHP curl module" cannot be used to "hack" - that is nonsense. If that were true every PHP server in the world would be compromised by now.
The hacker has full and unrestricted access to the whole cPanel server. Even if we change the cPanel passwords, the hacker is still able to login to cPanel (we have the logs to prove this) - this appears to be a flaw in WHM/cPanel somewhere.
The curl.php is uploaded seconds after the hacker logs into cPanel (again we have the login logs to prove this).
This is not a Joomla hack. This is a server compromise somewhere other than the infected site.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/