"curl.php" attack on Joomla sites /Public_html

Discussion regarding Joomla! 4.x security issues.

vcmb
Joomla! Apprentice
Posts: 13
Joined: Wed Jan 04, 2023 7:29 am

"curl.php" attack on Joomla sites /Public_html

Post by vcmb » Wed Jan 04, 2023 7:47 am

Hi,
We now have our sites (previously a single Joomla site was there) installed in sub-directories of /public_html:
/public_html/site1_j3
/public_html/site1_j4
No more files in /public_html (protection = 750)

January 3rd, after two weeks, we found files in /public_html: "curl.php", "db.php", .htaccess
This curl.php (attack) appeared on 2 other Joomla sites, and at 2 providers, on the same date.

1/ Have you heard of this "curl.php" attack on Joomla sites?

2/ How to protect our /public_html root dir?


Any suggestions to protect our Joomla sites and /public_html + sub-dirs are welcome.

Best regards,
Gilles

pe7er
Joomla! Master
Posts: 25010
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: "curl.php" attack on Joomla sites /Public_html

Post by pe7er » Wed Jan 04, 2023 12:42 pm

vcmb wrote:
Wed Jan 04, 2023 7:47 am
January 3rd, after two weeks, we found files in /public_html: "curl.php", "db.php", .htaccess
This curl.php (attack) appeared on 2 other Joomla sites, and at 2 providers, on the same date.

1/ Have you heard of this "curl.php" attack on Joomla sites?

2/ How to protect our /public_html root dir?
Welcome to the Joomla forum!

Hackers might have added backdoor scripts on your server to upload other scripts.
To protect your website, you have to find out how the files were uploaded to your server.

Maybe my article "How my new Joomla 4 website got hacked" in Joomla Community Magazine from last November gives you some pointers on how to analyze the hack:
https://magazine.joomla.org/all-issues/ ... got-hacked
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

vcmb
Joomla! Apprentice
Posts: 13
Joined: Wed Jan 04, 2023 7:29 am

Re: "curl.php" attack on Joomla sites /Public_html

Post by vcmb » Wed Jan 04, 2023 1:24 pm

Thanks Peter,
We are going to read this interesting article carefully.

Today we fail to understand how they've penetrated 3 different providers and multiple Joomla sites with the same technique, the "curl.php" file ...

Common points are:
- site installed under /public_html/site-xx_j3
- No file under /public_html: only Joomla directories, no .htaccess, protection 750
- Joomla 3.10.11 (some sites a mix of both)
- Some Joomla extensions used on all sites

How to best secure /public_html?

Thanks, Gil
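One way to watch a web root laid out as described above (sites in sub-directories, nothing directly in /public_html) is a baseline-and-diff check. This is an added example, not code from the thread or from Joomla; it assumes the manifest is stored outside the web root and the sub-directory name site1_j4 is taken from the post.

```python
"""Baseline-and-diff check for a web root: sites live in sub-directories of
/public_html and the root itself should hold no regular files. Added example."""
import hashlib
import json
import os
import sys

def sha256_file(path):
    """Content hash used to detect modified files (e.g. a changed index.php)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map each file (path relative to root, '/' separated) to sha256 and mtime."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "mtime": os.path.getmtime(full)}
    return manifest

def diff_manifest(old, new):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p]["sha256"] != old[p]["sha256"])
    return added, modified, removed

def root_level_files(manifest):
    """Files sitting directly in the web root; expected to be empty for this layout."""
    return sorted(p for p in manifest if "/" not in p)

def is_script_like(rel):
    """Names worth a closer look when they appear unexpectedly (.htaccess, PHP)."""
    base = os.path.basename(rel).lower()
    return base == ".htaccess" or base.endswith((".php", ".phtml", ".phar"))

if __name__ == "__main__":  # usage: check.py /path/to/public_html manifest.json
    root, store = sys.argv[1], sys.argv[2]
    current = build_manifest(root)
    if os.path.exists(store):  # second and later runs: report changes since baseline
        with open(store) as f:
            changes = diff_manifest(json.load(f), current)
        for label, paths in zip(("ADDED", "MODIFIED", "REMOVED"), changes):
            for p in paths:
                print(f"{label}: {p}{' <- script-like' if is_script_like(p) else ''}")
    for p in root_level_files(current):  # should print nothing for this layout
        print(f"ROOT-LEVEL FILE: {p}")
    with open(store, "w") as f:  # refresh the baseline after review
        json.dump(current, f, indent=1)
```

Run it once right after a clean install to record the baseline, then from cron; any ADDED or ROOT-LEVEL line is something to explain before the baseline is refreshed.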

Webdongle
Joomla! Master
Posts: 44132
Joined: Sat Apr 05, 2008 9:58 pm

Re: "curl.php" attack on Joomla sites /Public_html

Post by Webdongle » Wed Jan 04, 2023 1:59 pm

viewtopic.php?f=714&t=946026
same for J4
or https://mysites.guru/

vcmb wrote:
Wed Jan 04, 2023 1:24 pm
...
Today we fail to understand how they've penetrated 3 different providers and multiple Joomla sites with the same technique, the "curl.php" file ......
Once they gain access (usually through a 3rd party extension) they upload a script that allows them access to the server. If you have wp in another folder the hack could have originated from there
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

vcmb
Joomla! Apprentice
Posts: 13
Joined: Wed Jan 04, 2023 7:29 am

Re: "curl.php" attack on Joomla sites /Public_html

Post by vcmb » Fri Jan 06, 2023 10:26 pm

Hi,
Please find below the CODE added inside "index.php" in the root (/) of our Joomla site,
AT THE FIRST 2 LINES:

It seems that "PHP curl module" is used to attack Joomla!

Best regards,
Gil
====================================================

[ redacted ]
Last edited by toivo on Sat Jan 07, 2023 1:06 am, edited 1 time in total.
Reason: mod note: malicious code removed - please observe the forum rules, available from https://forum.joomla.org/viewtopic.php?f=8&t=65

vcmb
Joomla! Apprentice
Posts: 13
Joined: Wed Jan 04, 2023 7:29 am

Re: "curl.php" attack on Joomla sites /Public_html

Post by vcmb » Fri Jan 06, 2023 10:37 pm

Hi,

Is it possible to run Joomla v4 with PHP curl module disabled?

More scripts have been found with similar curl module calls:
db.php, simple.php, curl.php, cpanel.php, index.php (changed), nf_tracking.php

Best regards,
Gil

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1403
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: "curl.php" attack on Joomla sites /Public_html

Post by PhilTaylor-Prazgod » Tue Apr 04, 2023 6:33 pm

I have been tracking 3 customers with this exact hack.

I can tell you for certain that this is not a Joomla based hack.

The "PHP curl module" cannot be used to "hack" - that is nonsense. If that were true every PHP server in the world would be compromised by now.

The hacker has full and unrestricted access to the whole cPanel server. Even if we change the cPanel passwords, the hacker is still able to login to cPanel (we have the logs to prove this) - this appears to be a flaw in WHM/cPanel somewhere.

The curl.php is uploaded seconds after the hacker logs into cPanel (again we have the login logs to prove this).

This is not a Joomla hack. This is a server compromise somewhere other than the infected site.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
