chronocontact.html.php disappears

raifs 11 Jul, 2011
For some time now I've been struggling with a weird problem.

chronocontact.html.php disappears

Even if I copy this file and rename it chronocontact2.html.php for example it still gets deleted in about 3 to 6 hours.

Why? No other files are touched, no trace in access log files. How can this be???

Thanks.
GreyHead 11 Jul, 2011
Hi raifs,

Sorry, I've no idea, I don't recall anything like that being reported here before and I can’t think of any obvious explanation. Have you asked your ISP/hosting company for help?

Bob
raifs 11 Jul, 2011
No I haven't asked.

But there must be something with this file... no other files are touched and even if I rename the file it still gets deleted. If it is an attack or something similar they couldn't delete the renamed file - how would they know?
You have an encoded line inside the file - maybe there's something to do with that...?
I just can't figure out why only chronocontact.html.php gets deleted...
nml375 11 Jul, 2011
Hi raifs & Bob,
The first thing that comes to mind for me is that an antivirus cronjob removes the file as a suspected virus/malware. It is most likely the "eval(base64_decode(..." piece of code triggering the AV scanner, as this is a common technique to hide code from the user.

The hidden code in this case is rather harmless (though perhaps not 100% GPL-kosher), but these AV filters usually trigger on the actual hiding of the code itself - not what the hidden code does.

/Fredrik
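The kind of check described in the post above, as an added example that is not part of the original thread, of ChronoForms, or of any hosting company's scanner: a Python triage helper that finds `eval(base64_decode('...'))` blocks in PHP source and decodes the hidden payload so it can be reviewed before a file is allowlisted. The regular expression, the `triage` function name and the sample PHP are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumed pattern: eval(base64_decode('<literal>')) with optional whitespace.
# It is not the hosting company's rule, which the thread does not show.
PATTERN = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)


def triage(php_source):
    """Return one finding per hidden block: line number and decoded payload."""
    findings = []
    for match in PATTERN.finditer(php_source):
        line = php_source.count("\n", 0, match.start()) + 1
        blob = "".join(match.group(2).split())  # drop whitespace inside the literal
        try:
            raw = base64.b64decode(blob, validate=True)
            decoded = raw.decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None  # not valid base64: needs manual review
        findings.append({"line": line, "decoded": decoded})
    return findings


# Constructed sample input, not the contents of chronocontact.html.php.
HIDDEN = base64.b64encode(b"echo 'Powered by Example';").decode()
SAMPLE = (
    "<?php\n"
    "defined('_JEXEC') or die;\n"
    "eval(base64_decode('" + HIDDEN + "'));\n"
    "echo base64_decode('aGVsbG8=');\n"      # decode without eval: not flagged
    "eval( base64_decode( \"QUJ\" ) );\n"    # flagged, but the literal is malformed
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding whose `decoded` value is `None` matched the pattern but could not be decoded, so it still needs a manual look.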
raifs 11 Jul, 2011
Hi Fredrik,

thanks for the information. Never thought of that. I will try to find out if that is the case.

Thanks again.
Raifs
GreyHead 12 Jul, 2011
Hi Fredrik,

Good catch. That makes sense - and didn't cross my mind as a possibility. I'd forgotten about the base64 encoded problems.

Bob
raifs 12 Jul, 2011
Yes,

it was an antivirus that deleted this file. Hosting company said "Regular expression match = [decode regex]" and they added this file to their safe list. So I think that solves my problem.
Thanks.
Kinda weird that no one else had this issue:)

Regards,
Raifs
GreyHead 12 Jul, 2011
Hi Raifs,

Not vanishing files - we did have some problems with an anti-virus scanner a few months ago but that gave an error report. Perhaps I should have put two and two together though.

Bob
Nibinaear 04 Oct, 2011
I'm getting this as well. My hosting company (Eukhost) sent me this message yesterday when I reloaded my Joomla site, they haven't done this on any other occasion:


Subject: autismwo: Suspicious File found
Hello , 

Malicious file /home/OURSITEPATH/components/com_chronocontact/chronocontact.html.php found under your user USERNAME and it has been removed on the server sunderland.eukhosting.net 

 ==============================================================================  
/home/OURSITEPATH/components/com_chronocontact/chronocontact.html.php: {HEX}base64.inject.unclassed.7.UNOFFICIAL FOUND
/home/OURSITEPATH/components/com_chronocontact/chronocontact.html.php: Removed. 
==================== ========================================================== 


We're not using Chrono Forms anymore so don't know if deleting this file will stop CF from functioning. I just thought I'd report it as you may want to prevent it from happening for future versions.
GreyHead 04 Oct, 2011
Hi Nibinaear,

Thanks for the info. The file may be suspicious but it isn't malicious. This is a false report and your webhost should reinstate the file and whitelist it to prevent further errors.

That said if you aren't using ChronoForms then uninstall it and all will be well.

Bob
vito81 03 Mar, 2014
good morning

chronocontact.html.php the file is locked and deleted.

Hosting has determined that the file can not be inserted in the files considered reliable because it is potentially harmful.

They asked to edit the file.

Please make the change as soon as possible.
GreyHead 03 Mar, 2014
Hi Vito,

I have already replied to your email and on Skype. This file is not malicious, does not contain a virus and the correct answer is for your web host to white-list it in their virus scanner software.

If they won't do that then you should change web host as soon as possible,

Bob