Recent
Categories
View Replies (1)

Virus problem

  1. Issue
0
Votes
Undo
  1. pigos
    pigos
  2. Sherlock Holmes
  3. Commercial Templates
  4. Tuesday, 06 February 2018
  5.  Subscribe via email
Hi Ciaran,
I have a virus problem on a joomla site with J51 magnolia.
The virus is signaled by NOD32 with the following report:
<ESET>
<LOG>
<RECORD>
<COLUMN NAME="Ora">06/02/2018 16:58:13</COLUMN>
<COLUMN NAME="Scanner">Filtro HTTP</COLUMN>
<COLUMN NAME="Tipo di oggetto">FILE</COLUMN>
<COLUMN NAME="Oggetto">https://coinhive.com/lib/cryptonight.wasm<;/COLUMN>
<COLUMN NAME="Minaccia">una variante di Generik.HJNKXWD trojan horse</COLUMN>
<COLUMN NAME="Azione">connessione terminata</COLUMN>
<COLUMN NAME="Utente">win864-vm\admin864</COLUMN>
<COLUMN NAME="Informazioni">Minaccia rilevata all'accesso al Web dall'applicazione: C:\Program Files (x86)\Mozilla Firefox\firefox.exe (21F39178BBBF22B470B8F983F8957EF7C8A8A13D).</COLUMN>
<COLUMN NAME="Hash">8C964DE7BB13FA9683EED76C419256462393C55C</COLUMN>
<COLUMN NAME="Prima visualizzazione"></COLUMN>
</RECORD>
</LOG>
</ESET>

also https://sitecheck.sucuri.net report the virus, see attachment.

If you visit one of the pages, after a while your CPU reach 50% load while the js application is probably mining bitcoins.

I checked this page: http://www.pctutor.it/ipl/la-mia-classe.html
that contains only j51 magnolia, the main menu, one joomla module with custom html (only to load ans link the image) and J51 icons module.

In the attachment you can find the page source code saved by google chrome. In the "La mia Classe_files" folder you can find the file "timebucks_miner.js.download" that probably is related to the virus.

Can you suggest me a way to come out of this?

Could be worth to re-install J51 template? In this case I'll lose all my parametrization?

Many thanks and regards
Responses (1)
ciaran
ciaran
Love Fool Sherlock Holmes The Voice
Notable Answerer Notable Answerer
Accepted Answer Pending Moderation
0
Votes
Undo
Hello

Sorry to say this would not be a template related issue. It seems that your server has been compromised in some way. You will find the issue will remain regardless of the template you have enabled (eg. Protostar).

There is a number of articles on what you should do next however a good place to start would be... https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced

CiarĂ¡n
  1. more than a month ago
  2. Commercial Templates
  3. # 1
  • Page :
  • 1


There are no replies made for this post yet.
Be one of the first to reply to this post!

Site Links

Recommended

Join Our Newsletter

* indicates required
We respect your privacy and do not tolerate spam and will never sell, rent, lease or give away your information (name, email, number, etc.) to any third party. Nor will we send you unsolicited email.
Joomla51 - Mullaghmore, Co. Sligo, Ireland
Joomla51.com is not affiliated with or endorsed by the Joomla! Project or Open Source Matters.
The Joomla! name and logo is used under a limited license granted by
Open Source Matters the trademark holder in the United States and other countries.

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.

Ok