Joomla com_finder with a header.php

  • Hi together...
    On my servers I always have a look at the Postfix mail queue.
    Today I got an email from my monitoring that 700 mails were still in the queue.
    So I had a look on the server and there were over 700 emails from one domain with different email addresses of this domain.


    At first I checked for a misconfiguration of Postfix. But Postfix is working fine and isn't an open relay.
    Then I checked the webspace to see if the user had created such emails.
    Nothing.
    At last I had a look at the Apache log of the domain.
    And there I found some entries:

    Code
    219.84.0.147 - - [17/Apr/2013:17:43:48 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    171.99.214.239 - - [17/Apr/2013:17:43:51 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    93.64.131.211 - - [17/Apr/2013:17:44:48 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    187.192.240.201 - - [17/Apr/2013:17:44:51 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    186.134.129.196 - - [17/Apr/2013:17:49:12 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    189.168.160.32 - - [17/Apr/2013:17:50:25 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    93.41.187.127 - - [17/Apr/2013:17:51:15 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    93.64.131.211 - - [17/Apr/2013:17:51:48 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
    187.22.241.41 - - [17/Apr/2013:17:52:39 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"


    Every time the script gets a POST, the mail queue grows.


    Now I've renamed the file and downloaded it (see attachment).
    Can someone explain to me how the user got this file on his webspace? The file date is from today, but the user does not have an FTP account and the xferlog of ProFTPD shows no upload...


    Thanks for your help

    Files

    • header.zip

      (2.35 kB, downloaded 33 times)
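One way to pull such requests out of an access log, as an added example that is not from the original post or from Joomla: it parses combined-format lines and flags POSTs addressed directly to a .php file under a component's views/ directory, something normal Joomla traffic (which goes through index.php) never does. Three of the log lines are the ones quoted above; the 10.0.0.x lines are constructed benign requests.

```python
import re
from collections import Counter

# Three of the Apache log lines quoted in the post above, plus two constructed
# benign requests (the 10.0.0.x lines) so the filter has something to ignore.
SAMPLE_LOG = """\
219.84.0.147 - - [17/Apr/2013:17:43:48 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
171.99.214.239 - - [17/Apr/2013:17:43:51 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
93.64.131.211 - - [17/Apr/2013:17:44:48 +0200] "POST /administrator/components/com_finder/views/filter/header.php HTTP/1.1" 401 771 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Apr/2013:17:45:00 +0200] "GET /index.php?option=com_finder HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [17/Apr/2013:17:45:30 +0200] "POST /administrator/index.php?option=com_finder&view=filter HTTP/1.1" 200 8113 "-" "Mozilla/5.0"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Joomla view directories hold include-only files (view.html.php, tmpl/*.php) that
# are loaded through index.php; a request addressed directly to a .php file in
# such a directory is not normal Joomla traffic and deserves a look.
DIRECT_VIEW_PHP = re.compile(
    r'^/administrator/components/[^/]+/views/[^/]+/[^/?]+\.php(?:[?/]|$)'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """POST straight to a .php file inside a component's views/ tree."""
    return entry["method"] == "POST" and DIRECT_VIEW_PHP.match(entry["path"]) is not None

def scan(log_text):
    """Summarise suspicious requests: how many, which files, from how many sources."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    hits = [e for e in entries if e and is_suspicious(e)]
    return {
        "hits": len(hits),
        "paths": Counter(e["path"] for e in hits),
        "sources": Counter(e["ip"] for e in hits),
    }

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for path, n in report["paths"].most_common():
        print(f"{n} POSTs to {path} from {len(report['sources'])} sources")
```

Run against the real access log, each flagged path is a file to compare against a clean Joomla install, and the timestamps can be lined up with the mail queue growth the post describes.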
  • I think it's a security issue. Some months ago I also had some security problems with a template for Joomla. Because I hate Joomla I switched to WordPress :D
    To the problem: lots of bots are searching for buggy modules and create their own files. In my case this bot changed some template files plus the index.php and added some lines (malware) to the footer. I think you have a problem with a mail-spamming bot.