Joomla! Module Security Compromise: mod_administrator

We've detected a compromise affecting Joomla!® installations. In this compromise, attackers installed a module called mod_administrator, which contains a file called config.php that lets the attacker write additional malicious files to the hosting account.

You can get more information about compromises and how to deal with them in My website was hacked. What should I do?.

Additional Signs You've Been Compromised

Besides the signs mentioned in My website was hacked. What should I do?, you can tell your site's been affected by this specific compromise if your account contains the following files:

  • /html/modules/mod_administrator/config.php
  • /html/plugins/user/sys09725827.php

Remedies

Remove the following files:

  • /html/modules/mod_administrator/config.php
  • /html/plugins/user/sys09725827.php
  • index.beta.php
  • index_old.php
  • egy.class.php
  • abg.php
  • kabe.php
  • x.txt

You should also:

  • Upgrade to the newest version of Joomla!. Versions 1.6.x/1.7.x/2.5.0-2.5.2 contain a vulnerability that lets a malicious user become an Administrator on the website. To resolve this issue, Joomla! must be upgraded. You can find more information here.
  • Check your database for the username nekiua, users with a group_id of both 2 and 7, as well as any other malicious users. For more information, see Checking Joomla! Databases for Malicious Users.
  • Change your database password (more info).

Technical Info

Code Sample

This is a sample of code contained in /html/modules/mod_administrator/config.php:

Stat of File

Below is a stat of the file showing when the compromised file was last changed in the account:

File: 'config.php'
Access: 2014-01-10 16:32:55.441130000 -0700
Modify: 2013-12-27 07:01:55.206937000 -0700
Change: 2013-12-27 07:01:55.206937000 -0700

Sample HTTP Logs

x.x.x.x - - [27/Dec/2013:07:01:47 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 4526 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 0 "x-httpd-php" "/html/administrator/index.php" 1235209
x.x.x.x - - [27/Dec/2013:07:01:49 -0700] "POST SampleSite.tld/administrator/index.php HTTP/1.1" 303 225 "http://SampleSite.tld/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 1 "x-httpd-php" "/html/administrator/index.php" 537279
x.x.x.x - - [27/Dec/2013:07:01:50 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 25876 "http://SampleSite.tld/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 2 "x-httpd-php" "/html/administrator/index.php" 1061024
x.x.x.x - - [27/Dec/2013:07:01:51 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 25876 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 3 "x-httpd-php" "/html/administrator/index.php" 137735
x.x.x.x - - [27/Dec/2013:07:01:52 -0700] "GET SampleSite.tld/administrator/index.php?option=com_installer HTTP/1.1" 200 21415 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 4 "x-httpd-php" "/html/administrator/index.php" 579406
x.x.x.x - - [27/Dec/2013:07:01:53 -0700] "POST SampleSite.tld/administrator/index.php?option=com_installer&view_install HTTP/1.1" 303 509 "mainaadmin/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 5 "x-httpd-php" "/html/administrator/index.php" 1284326
x.x.x.x - - [27/Dec/2013:07:01:56 -0700] "GET SampleSite.tld/administrator/index.php?option=com_installer&view=install HTTP/1.1" 200 21687 "mainaadmin/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 6 "x-httpd-php" "/html/administrator/index.php" 165016
x.x.x.x - - [27/Dec/2013:07:01:59 -0700] "POST SampleSite.tld/administrator/index.php HTTP/1.1" 200 21437 "http://SampleSite.tld/administrator/index.php?option=com_installer" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 7 "x-httpd-php" "/html/administrator/index.php" 544304
x.x.x.x - - [27/Dec/2013:07:02:01 -0700] "GET SampleSite.tld/administrator/index.php?option=com_installer&view_install HTTP/1.1" 200 21412 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 8 "x-httpd-php" "/html/administrator/index.php" 145839
x.x.x.x - - [27/Dec/2013:07:02:05 -0700] "GET SampleSite.tld/modules/mod_administrator/config.php, HTTP/1.1" 200 189 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 9 "x-httpd-php" "/html/modules/mod_administrator/config.php" 16822
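The log excerpt above shows the pattern that gives this compromise away: an administrator login, a POST to com_installer, and then a direct web request to a config.php inside a module directory a few seconds later. The following script is an added detection example (not part of the advisory, and not a tool from the hosting provider); it assumes the combined-style log layout shown above and uses four of the sample lines as its input.

```python
import re
from datetime import datetime

# Four lines from the advisory's sample HTTP log (already anonymised there as
# x.x.x.x / SampleSite.tld): admin login, com_installer upload, then the first
# direct request to the dropped modules/mod_administrator/config.php.
SAMPLE_LOG = """\
x.x.x.x - - [27/Dec/2013:07:01:47 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 4526 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 0 "x-httpd-php" "/html/administrator/index.php" 1235209
x.x.x.x - - [27/Dec/2013:07:01:49 -0700] "POST SampleSite.tld/administrator/index.php HTTP/1.1" 303 225 "http://SampleSite.tld/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 1 "x-httpd-php" "/html/administrator/index.php" 537279
x.x.x.x - - [27/Dec/2013:07:01:53 -0700] "POST SampleSite.tld/administrator/index.php?option=com_installer&view_install HTTP/1.1" 303 509 "mainaadmin/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 5 "x-httpd-php" "/html/administrator/index.php" 1284326
x.x.x.x - - [27/Dec/2013:07:02:05 -0700] "GET SampleSite.tld/modules/mod_administrator/config.php, HTTP/1.1" 200 189 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 9 "x-httpd-php" "/html/modules/mod_administrator/config.php" 16822
"""

# Leading fields of the combined-style log shown in the advisory.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A config.php inside a module directory is never requested by a browser on a healthy site.
MODULE_CONFIG_RE = re.compile(r'/modules/[^/]+/config\.php', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_installer_drops(log_text, window_s=300):
    """Flag each request to modules/*/config.php that follows a POST to
    com_installer from the same IP within window_s seconds.
    Returns tuples (ip, installer_post_iso, hit_iso, target)."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    installs = [r for r in events
                if r["method"] == "POST" and "option=com_installer" in r["target"]]
    hits = []
    for r in events:
        if not MODULE_CONFIG_RE.search(r["target"]):
            continue
        for inst in installs:
            gap = (r["ts"] - inst["ts"]).total_seconds()
            if inst["ip"] == r["ip"] and 0 <= gap <= window_s:
                hits.append((r["ip"], inst["ts"].isoformat(), r["ts"].isoformat(), r["target"]))
                break
    return hits
```

Run `find_installer_drops` over a full access log to get every module drop that followed an installer upload; the window of 300 seconds is an assumption and can be widened for slower attackers.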

MD5Sums of Known Malicious Files


Additional Malicious Files

You should also remove any of the following files if you find them on your hosting account:
