Support

Akeeba Backup for Joomla!

#36853 addendum to ticket #36811: Malware found in restore.php

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by nicholas on Monday, 28 March 2022 07:55 CDT

Monday, 28 March 2022 07:04 CDT

johannes68

Hello Nicholas,

as I cannot reply on ticket #36811,  I would like to add my info here:  We got the same warning today, and it comes from our serverside "Linux Malware Detect" (LMD, Maldet) tool, from rfxn.com.  Seems they have changed somehow their reconnaissance pattern.

Maybe someone should tell them to exclude this akeeba files from their scanengine. I guess there will be more coming with this problem, als LMD is widely used.

In our case following files were critisized by the scanner:

Joomla:

/administrator/components/com_akeeba/Master/Installers/kickstart.txt
/administrator/components/com_akeeba/restore.php

Wordpress:

/wp-content/plugins/akeebabackupwp/app/Solo/assets/installers/kickstart.txt

In both case it was this critisized:

{HEX}Malware.Expert.php.unlink.error.reporting.unlink.unlink.unlink.unlink.file.put.contents

 

As it is obviously a false positive, the only solutions are on the hosting platform to exclude those files from LMD/Maldet scans in the configuration file,  and / or to inform RFXN.com and hopefully they would change it / whitelist it. I dont know if they would. Hopefully.

Have a nice day!
kind regards,
Johannes

Monday, 28 March 2022 07:55 CDT

nicholas

Correct, these are all false positives.

restore.php is a “headless” Kickstart, i.e. it's Kickstart without the user interface. The integrated restoration has its own interface rendered by the backup software you are using. restore.php is by default inert, it needs a restoration.php file to activate (password-protected). This file is written by the integrated restoration code when you start a restoration and removed at the end of the restoration (the clean-up step).

The kickstart.txt file is just kickstart.php with a non-executable extension. It's used when you choose to upload Kickstart using the DirectFTP / DirectSFTP archiver engine and when you are using the Site Transfer Wizard. As I said, it contains restore.php plus the user interface.

The archive extraction code does things which are not typically found in PHP software such as extracting compressed data, using encoded data, creating and updating files, changing permissions, deleting files — all in the same file. The use cases where you'd see ALL of that in a single file are archive creation / extraction tools and hacking scripts :) That's why they need to manually whitelist the files.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!