Support

Akeeba Backup for Joomla!

#33480 Malware scan alert: akstorage_json.909.php

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by nicholas on Sunday, 02 August 2020 22:34 CDT

Friday, 31 July 2020 15:12 CDT

wirecreative

Please look at the bottom of this page (under Support Policy Summary) for our support policy summary, containing important information regarding our working hours and our support policy. Thank you!

EXTREMELY IMPORTANT: Please attach a ZIP file containing your Akeeba Backup log file in order for us to help you with any backup or restoration issue. If the file is over 2Mb, please upload it on your server and post a link to it.

Description of my issue:

Hi, a malware scan of my site today came up with one potential positive result in the Akeeba backup files:

administrator/components/com_akeeba/backup/akstorage_json.909.php
The file has been modified 4 days ago.
Possible PHP injection (abnormally long string - might be base64)

Although my assumption is that this is a false positive, I wanted to check with you before I mark it as ignorable.

Thanks,
Greg

Sunday, 02 August 2020 22:34 CDT

nicholas

When Akeeba Backup is running it needs to keep a temporary "memory" of its backup engine's state between individual page loads or remote API calls which step through the backup process. It does that by serialising its internal objects, encode them with base64 and put them in a .php file with a single die statement at the top of the file. This is done for security reasons. If someone were to try and access that file – which contains privileged information – directly from the web they'd get a blank page with no content.

This file is removed at the end of a successful backup. If the backup is stuck for more than three minutes or belongs to a failed backup that ran at least 3 minutes ago it will also be removed the next time you visit Akeeba Backup's control panel or start a new backup.

The file in question seems to be one of those "memory" files, left behind when a remote backup through the JSON API failed to run to completion. If you visit the Akeeba Backup control panel page it should go away.

If the file doesn't go away, check its contents. If the top line is a die statement it's OK, you can delete it manually. If it's something else there's a remote possibility that it is a malicious file, put there by an attacker who's trying to disguise their actions.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!