#42627 PA Cortex XDR alert "php-fpm" during Akeeba backup Joomla

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Environment Information

Joomla! version: 5.4.1
PHP version: 8.4.16
Akeeba Backup version: 10.1.0

Latest post by nicholas on Wednesday, 14 January 2026 02:12 CST

fc338339

Dear Sirs,

1. Can you send back this index.php for the SOC to study?
2. Can you tell us what operations are included in this index.php?
3. During the Akeeba backup action, besides this random number (i.e. install_####/backend/backup/index.php), are any other files also operated on? Would you mind giving us the file list?

Each time we run an Akeeba backup, a SOC alert follows.

Please do help us to understand.

Thanks indeed


//=== reply by Security Operation Center (SOC)  on Jan 6==//


We received a SOC alert about hostname "vmapps89" (IP address: 172.27.2.41) on 05/JAN/2026. A local threat was detected and blocked on a Linux RedHat system. The threat was identified in a newly-created PHP file located at /var/www/hktiscuat.hkpc.org/public_html/tmp/install_695b7755e815f/install_695b77560395f/backend/backup/index.php. It is executed under the user "apache". Is this action by you? Thanks.

Process Details & Full Command Lines:
  • "php-fpm" process executed with command line "php-fpm: pool www" and parent process "php-fpm: master process (/etc/php-fpm.conf)".


nicholas
Akeeba Staff
Manager

When Joomla installs a new extension it first unpacks its ZIP file in a temporary directory. This is what you are seeing. The index.php file you see is what is ultimately placed in the default backup output directory and consists of a single statement:

<?php die();

This file, along with the similarly devoid of content index.html file, is placed in the default backup output directory to prevent the web server from listing the directory contents. If we did not do that it would be trivial for an attacker to list and download the backup archives in the default backup output directory.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
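
A triage check a SOC could run when this alert fires, as an added example that is not Akeeba's or Joomla's code: it confirms that each index.php under an install_* unpack directory is only the `<?php die();` stub quoted in the reply above. The function names, the 4096-byte size limit and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# The stub quoted in the reply; whitespace and an optional closing tag are tolerated.
STUB_RE = re.compile(rb"\A\s*<\?php\s+die\s*\(\s*\)\s*;\s*(\?>\s*)?\Z")
MAX_STUB_BYTES = 4096  # assumption: a real stub is only a few bytes long


def is_die_stub(data: bytes) -> bool:
    """True when the file body is nothing but `<?php die();`."""
    return STUB_RE.match(data) is not None


def triage(tmp_root: str) -> dict:
    """Classify every index.php below install_* unpack directories of tmp_root."""
    result = {"stub": [], "review": []}
    for dirpath, _dirs, files in os.walk(tmp_root):
        rel = os.path.relpath(dirpath, tmp_root)
        if not rel.split(os.sep)[0].startswith("install_"):
            continue  # not part of an extension unpack directory
        if "index.php" not in files:
            continue
        path = os.path.join(dirpath, "index.php")
        with open(path, "rb") as fh:
            data = fh.read(MAX_STUB_BYTES + 1)
        # Oversized files go to review without being matched at all.
        ok = len(data) <= MAX_STUB_BYTES and is_die_stub(data)
        result["stub" if ok else "review"].append(os.path.relpath(path, tmp_root))
    for bucket in result.values():
        bucket.sort()
    return result


def demo() -> dict:
    """Build a constructed directory tree and triage it."""
    samples = {  # constructed sample files, not taken from a real site
        "install_aaaa/install_bbbb/backend/backup/index.php": b"<?php die();\n",
        "install_cccc/backend/index.php": b"<?php\necho 'constructed non-stub';\n",
        "other/index.php": b"<?php die();",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return triage(root)
```

Files listed under "review" are the ones whose contents differ from the stub and need a human look; files outside install_* directories are not examined.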
