Extension Manager

Myjoomla.com thinks site has been hacked

7 months 2 weeks ago #77711

Odin (PKA Jeff) Mayland

I just wanted to bring this to your attention that myjoomla.com believes the site is hacked because of the following:

/plugins/system/regularlabs/regularlabs.php

Line: 131
$attributes = new Registry(base64_decode($attributes));

7 months 2 weeks ago #77714

Peter van Westen (Admin)

That's a false positive which you should report to myjoomla.com.

4 months 5 days ago #79917

Phil Taylor (myJoomla.com Developer)

myJoomla.com DOESN'T believe the site is hacked because of that line.

myJoomla.com shows that file in its suspect content list. The preamble of that tool clearly states that not all files listed will be bad; it makes clear that unless they are marked with a [HACKED] label, they are suspect, and not manually reviewed and marked as hacked.

We would not flag a site as hacked based on the line of code above.

Using base64_decode in the params of another function or class instantiation is a trick about 80% of PHP-based hacks use. Therefore it is right and proper that the suspect content tool display it.

Wherever I see these matches I manually whitelist the md5 hash of the file, which removes it from the list on all 50,000 connected sites to myJoomla.com - until there is a new release and the hash of the file changes.
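The approach described in the post above (list files where base64_decode is passed straight into another call or constructor as suspect, and silence reviewed files by MD5 until the file changes), sketched as an added example. This is not myJoomla.com's code; the function names, keyword list and sample source are assumptions constructed here.

```python
import hashlib
import re

CALL = re.compile(r"base64_decode\s*\(")
# Identifier (optionally "new X") sitting directly before an opening parenthesis.
WRAPPER = re.compile(r"(?:new\s+)?([A-Za-z_\\][\w\\]*)\s*$")
# Language constructs that take parentheses but are not calls (assumed list).
KEYWORDS = {"if", "elseif", "while", "for", "foreach", "switch", "return", "echo", "print"}


def enclosing_call(line, pos):
    """Name of the call whose argument list contains position pos, else None."""
    depth = 0
    for i in range(pos - 1, -1, -1):
        if line[i] == ")":
            depth += 1
        elif line[i] == "(":
            if depth == 0:  # first unmatched "(" to the left: the enclosing one
                m = WRAPPER.search(line[:i])
                return m.group(1) if m else None
            depth -= 1
    return None


def scan(path, source, allowlist=frozenset()):
    """Return SUSPECT findings for one PHP file.

    A file whose MD5 is in the allowlist was reviewed by hand and is skipped.
    Simplification: works line by line and ignores strings and comments.
    """
    digest = hashlib.md5(source.encode()).hexdigest()
    if digest in allowlist:
        return []
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            wrapper = enclosing_call(line, m.start())
            if wrapper and wrapper.lower() not in KEYWORDS:
                findings.append((path, lineno, wrapper, "SUSPECT"))
    return findings


# Constructed sample: a plain decode (not listed) and the line quoted in the thread.
SAMPLE = (
    "<?php\n"
    "$raw = base64_decode($input);\n"
    "$attributes = new Registry(base64_decode($attributes));\n"
)
REVIEWED = {hashlib.md5(SAMPLE.encode()).hexdigest()}  # hash allowlisted after review
```

Because the allowlist keys on the whole file's hash, any change to the file, including a new release, puts it back on the suspect list for another review.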

4 months 5 days ago #79918

Peter van Westen (Admin)

Thanks for the clarification :)