Hosting & Domaining Forum

Hosting Discussion => Hosting Security and Technology => Vulnerabilities => Topic started by: Kevin56 on Jul 12, 2022, 12:38 AM

Title: .jpg images extension Files
Post by: Kevin56 on Jul 12, 2022, 12:38 AM
Hello,
The issue at hand is that files, such as my_site.com.jpg, were uploaded onto a website, but they are not actually pictures. Among these files, one is a PHP file, another is a list of links, and the rest are empty. These files are located in the images folder of the Joomla template.

I have deleted all of the files except for the list of links. However, when I attempt to delete it, it reappears. It seems as if there may be another file elsewhere that is causing it to recover. If anyone has experienced something similar, please share your insight.
Title: Re: .jpg extension Files
Post by: vikov on Jul 12, 2022, 01:00 AM
Request access log files from your hosting provider to identify when and which IP address uploaded the malicious scripts.
Additionally, review the logs located in the following directories: /usr/local/apache/domlogs/user, /etc/httpd/logs/access_log, and /var/log/messages.
Title: Re: .jpg extension Files
Post by: Fess on Sep 11, 2022, 10:02 AM
Theoretically, any unlikely scenario can occur, and a hacker may be more persistent and thorough than you, exploring vulnerabilities while you sleep. If engaged in a long-term battle with a hacker, they may exploit unknown vulnerabilities or even conduct experiments to test whether you are monitoring JPEG files.

Here are a couple of examples that are practical and not unlikely:

In one scenario, two files are used: simple PHP code is connected to a complex .jpeg file that has already been recorded. Because the code is so straightforward, no antivirus will detect it and it won't be flagged as malicious manually.

Another common vulnerability occurs when certain conditions coincide: if a user is able to upload a photo and the engine writes the original bytes from the JPEG file without processing, it becomes possible to execute PHP code that is contained within the source due to the setting cgi.fix_pathinfo=1.
Title: Re: .jpg images extension Files
Post by: aDymence on Feb 09, 2024, 01:19 AM
I recommend conducting a thorough security audit of the website. This involves checking for any vulnerabilities or loopholes that may have allowed unauthorized files to be uploaded. It's important to review the file upload settings, permissions, and access controls to identify any weaknesses in the website's security measures.

Additionally, consider implementing measures such as file type verification during the upload process. This can help prevent non-image files, such as the PHP file you mentioned, from being uploaded to the images folder.

Regarding the recurring appearance of the list of links file even after deletion, it's possible that there could be a script or malware embedded elsewhere on the website that is responsible for re-uploading the file. Check for any suspicious or unfamiliar code within the website's files and database.

I highly recommend updating all website plugins, themes, and extensions to their latest versions. Outdated software can be susceptible to security vulnerabilities, so keeping everything up to date is crucial for maintaining a secure web environment.

It's also advisable to change all passwords associated with the website, including those for FTP, cPanel, and any other administrative accounts. This is a proactive measure to prevent unauthorized access in case the website's security has been compromised.
Consider reaching out to the web hosting provider to report the incident and seek their assistance in investigating the root cause of the issue. They may be able to provide additional insights and support in resolving the security concerns.
Title: Re: .jpg images extension Files
Post by: EmmaMckay on Mar 25, 2025, 02:09 AM
The issue you're facing with the persistent file could be due to a backdoor exploit or a cron job that regenerates the file. First, check your server for any suspicious scripts or scheduled tasks that could be recreating the file. Make sure your Joomla, extensions, and templates are up to date to mitigate vulnerabilities.
Additionally, scan your server for malware; tools like Joomla's own security extensions can help identify compromised files. If the problem persists, consider changing your FTP credentials and reviewing file permissions to prevent unauthorized access.
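
The check the replies above keep returning to (files with an image extension that are empty, are not images, or carry PHP inside otherwise valid image bytes) can be scripted. This is an added example, not code from any poster or from Joomla; the function names, finding labels and sample files are assumptions made up for illustration.

```python
import tempfile
from pathlib import Path

# Leading magic bytes for the image types an images folder normally holds.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}


def classify(path):
    """Return findings for one file; an empty list means nothing was flagged."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return []
    data = path.read_bytes()
    if not data:
        return ["empty"]
    findings = [] if data.startswith(MAGIC[ext]) else ["not-an-image"]
    # A valid header does not rule out embedded PHP; only the full tag is matched.
    if b"<?php" in data.lower():
        findings.append("php-code")
    return findings


def scan(root):
    """Walk root and map each flagged file (relative path) to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        found = classify(path) if path.is_file() else []
        if found:
            report[str(path.relative_to(root))] = found
    return report


def demo():
    """Scan a constructed sample folder (all file names and contents made up)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # minimal JPEG-like header
    samples = {
        "my_site.com.jpg": b"<?php /* constructed sample */ ?>",
        "links.jpg": b"http://example.com/a\nhttp://example.com/b\n",
        "blank.jpg": b"",
        "photo.jpg": jpeg + b"\xff\xd9",
        "embedded.jpg": jpeg + b"<?php /* constructed sample */ ?>\xff\xd9",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan(root)
```

Calling `scan()` on the template's images directory produces the same kind of report for real files; a file that reappears after deletion will show up again on the next run, which helps time the re-creation against the access logs.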