The Joomla! Forum ™



 Post subject: Blackhole Exploit Kit
PostPosted: Sat Jul 07, 2012 7:52 am 
Joomla! Apprentice

Joined: Sat Jan 08, 2011 2:54 am
Posts: 5
I've spent the last three days 10 hours a day on this issue. I cannot get any of my hosting providers to assist, I've run and re-run virus checks on AVG who is the main reporter of this, and I have no idea where to go from here.

I have seen the 12 point check lists of all the things to do, I've done the obvious ones--it would be easier at this point to have rebuilt the entire site from scratch.

Can someone lend some assistance on what to do? My site is http://www.ddmeonline .com and I just got the files clean and 4 hours later it's back and new files with the exploit virus.

How does this just start happening after a 6 month stable site is beyond me and why can't someone figure out how to remedy this?

Thank you


Last edited by mandville on Sat Jul 07, 2012 1:38 pm, edited 1 time in total.
broke link


PostPosted: Sat Jul 07, 2012 1:38 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extension versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla files that will be placed back on the website, such as but not limited to images, pdf files, files for download, and other documents and files, are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the Security Checklist 7.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
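
Added example (not part of mandville's post and not Joomla project tooling): a read-only shell audit for the permission and .htaccess items in the checklist above. The function names, the constructed sample tree and the `redirect.example` host are assumptions made for illustration; `htaccess.txt` is the stock file shipped in the Joomla root.

```shell
#!/bin/sh
# Added example: read-only audit of a Joomla document root against the
# permission and .htaccess items of the checklist above.

# Print entries whose mode differs from the checklist targets:
# 755 for directories, 644 for files, 444 allowed for configuration.php.
audit_perms() {
    root=$1
    # World-writable entries (777, 666, ...) are reported first.
    find "$root" \( -type f -o -type d \) -perm -002 -print |
        sed 's/^/WORLD-WRITABLE /'
    find "$root" -type d ! -perm 755 ! -perm -002 -print | sed 's/^/DIR-NOT-755 /'
    find "$root" -type f ! -perm 644 ! -perm -002 \
        ! \( -path "$root/configuration.php" -perm 444 \) -print |
        sed 's/^/FILE-NOT-644 /'
}

# Print .htaccess lines that do not occur in the stock htaccess.txt
# shipped in the Joomla root (blank lines ignored).
htaccess_extra() {
    root=$1
    [ -f "$root/.htaccess" ] && [ -f "$root/htaccess.txt" ] || return 0
    grep -Fvx -f "$root/htaccess.txt" "$root/.htaccess" |
        grep -v '^[[:space:]]*$' || true
}

# Build a constructed sample tree (not a real site) and echo its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/images" "$t/tmp"
    printf '<?php // constructed\n' > "$t/configuration.php"
    printf '<?php // constructed\n' > "$t/index.php"
    printf 'constructed\n' > "$t/images/logo.png"
    printf 'RewriteEngine On\nRewriteBase /\n' > "$t/htaccess.txt"
    # One extra rule the stock file does not contain (placeholder host).
    printf 'RewriteEngine On\nRewriteBase /\n\nRewriteRule ^(.*)$ http://redirect.example/ [R=302,L]\n' \
        > "$t/.htaccess"
    chmod 755 "$t" "$t/images"
    chmod 777 "$t/tmp"
    chmod 444 "$t/configuration.php"
    chmod 644 "$t/index.php" "$t/htaccess.txt" "$t/.htaccess"
    chmod 600 "$t/images/logo.png"
    echo "$t"
}

# Demo run on the constructed tree; pass a real document root as $1 instead.
target=${1:-$(make_sample_tree)}
audit_perms "$target"
htaccess_extra "$target"
```

An empty result from both functions means the tree matches the checklist's modes and the `.htaccess` contains nothing beyond the stock file; any reported `.htaccess` line still needs a human decision, since legitimate site-specific rules are reported too.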


PostPosted: Mon Jul 09, 2012 5:53 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
The Blackhole exploit kit is a very popular kit installed on insecure websites and targets vulnerabilities in browsers and many popular browser plugins. The exploited browser or plugin then determines what is on the victim's computer and loads all exploits that this computer is vulnerable to and sometimes a Java applet tag that loads a Java Trojan horse. The script is also polymorphic and the browser user's anti-virus may not detect it (lags behind) because of this.

Follow the advice mandville gave and also make sure your site is using the latest version (replace the files with) of 1.5. Consider moving to 2.5 in the near future.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Mon Jul 23, 2012 12:18 pm 
Joomla! Apprentice

Joined: Fri Aug 17, 2007 12:35 pm
Posts: 6
Location: Sarajevo, Bosnia and Herzegovina
I had the same problem with my web site and hardly managed to force my web hosting provider to upgrade his PLESK installation regarding this issue - http://kb.parallels.com/en/113321. They claimed that their PLESK was already upgraded but after reading this article http://blog.unmaskparasites.com/2012/06 ... m-domains/ I was convinced the problem is on their side. If your website is on PLESK managed hosting, please check these links. That could be the problem.


PostPosted: Fri Jul 27, 2012 3:37 pm 
Joomla! Apprentice

Joined: Sat Jan 08, 2011 2:54 am
Posts: 5
Yep, Mr. K in the end, after 3 weeks of terror, they admitted it was something they needed to do on PLESK. I am no longer with them, moving all my accounts to HG! Thanks for the feedback

