The Joomla! Forum ™



Forum rules


Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.



Post new topic Reply to topic  [ 123 posts ]  Go to page 1, 2, 3, 4, 5  Next
Author Message
PostPosted: Wed Jun 17, 2009 7:04 am 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
When you find malicious code in your site it is often a line of javascript inserted into the bottom of almost every .js file on the account that used character code escapes to make it harder to detect. It is most often also embedded in many of the otherwise blank index.html pages within the subdirectories of your Joomla install. It is often difficult to pinpoint the reason either a Joomla exploit (iframe) or if the violators had the account password.

This type of infection is much more common with the password however. For that reason, you should follow these steps:

1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!

2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1

3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster ... swer=45432

4. Read the information provided below about this type of viral infection and how to further prevent it.

What are malicious iframes and what causes them?

! Over the years hackers found it hard to trick people into visiting suspicious sites so they're now targeting legit sites and using them to infect unknowing customers. In most cases an FTP account's password is obtained through key logging malware, then legit website files are modified to distribute the malware and gather more passwords. If your PC has been infected with one of these trojans, your bank account, email accounts, and FTP accounts may no longer be secure.

What to do if you find malicious iframes on your PC?

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanni ... ?task=load
2. Download antivirus and fully scan your PC for malcious files. Here are some free online scanners:
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/ie.html
http://www.kaspersky.com/virusscanner
http://support.f-secure.com/enu/home/ols.shtml
3. Update all passwords that may have been obtained. Do not use old passwords, generate new ones (see above)
4. Upload older versions of the files or contact support for assistance removing the malicious iframes.

Prevention measurements

- Ensure you use the latest browser version
- Disable javascript if possible
- Use Firefox with addon "noscript" (!)
- Download and install some antivirus software, make sure it stays updated
- Use http://www.avg.com.au/index.cfm?section ... onlinescan to test suspicious links you are given in emails or find online.

Others

BACKUP & DOWNLOAD (!) your site and database! Use either your cPanel features or use Joomlapack (http://www.joomlapack.net)....whatever you use: BACKUP!

Hope this helps!

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Last edited by ooffick on Wed Jan 02, 2013 6:52 pm, edited 1 time in total.
Mod Note: Changed Title of the post


Top
 Profile  
 
PostPosted: Wed Jun 17, 2009 2:46 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Mar 08, 2006 8:07 pm
Posts: 33
Very good post, I would also suggest that people open a case with their Hosting Provider as a few of them do care about security. And if they do, they might have access to some system logs that you might not and possibly assist you in identifying how the exploit was conducted. If the host supports it, use SFTP instead of FTP is a good idea as well.


Top
 Profile  
 
PostPosted: Thu Jun 18, 2009 1:56 pm 
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Sat Mar 15, 2008 9:45 pm
Posts: 163
I would like to Agree with Leolam. The attack he was mentioning is True. Malware does look for FTP usernames and passwords on your computer in order to take over your website and use it.

Here is a link to the story covering this information:
http://news.zdnet.com/2100-9595_22-312957.html


Here is the key part of the story pertaining to this post:
===============================
In order to increase the number of botnets, the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash's control, according to the report.
===============================


Scan your computers with at least 3-4 different Antivirus and Antispyware programs to be somewhat sure your system is clean.

Also, a strong firewall is recommended to help combat Spyware from sending your information over the internet.


Top
 Profile  
 
PostPosted: Sun Jun 21, 2009 9:25 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Wed May 27, 2009 11:09 pm
Posts: 3
The recent rash of attacks not only attack index.html files but also php files, you can find the offending code as both javascript or iframes, sometimes even both. Besides using Joomlapack as the OP suggested, I would also suggest jFireWall EndPoint Protection Anti-Hacker

_________________
Site: J1.5.10
Add-0ns: jSecure Authentication, AlphaRegistration, RokBoxLogin v1.1, RokStories, RokBridge v 1.0rc9, OpenX J1.5! Module, RokAjaxSearch, J! @ Work SEF Patch


Top
 Profile  
 
PostPosted: Mon Jun 22, 2009 3:21 am 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Eighteen48 wrote:
Besides using Joomlapack as the OP suggested, I would also suggest jFireWall EndPoint Protection Anti-Hacker
Joomlapack is a backup mechanism and is no security tool. jFirewall does not protect your site from an executable being uploaded and run from your ftp-client off your own PC (!) Review what I mentioned on key logging malware. That is your local computer. Our stats show that most attacks as discussed here are initiated from user's own PC.

Again make sure you use very good (multiple) protection software. At present top notch online scanners are offered by PrevX (http://www.prevx.com/freescan.asp) and Pandasecurity (http://www.pandasecurity.com) with its free Active Scan. We (GWS-Group) use PrevX and Pandasecurity commercial versions on our corporate and private systems and networks and they do a very good job and work well together.

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Top
 Profile  
 
PostPosted: Fri Jun 26, 2009 7:00 pm 
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Sat Mar 15, 2008 9:45 pm
Posts: 163
More information on how serious this is. A new story uncovers that a virus has been stealing FTP login information from the Big Boys.

http://www.theregister.co.uk/2009/06/26 ... ware_hack/

They found logins for ftp.bbc.co.uk, ftp.cisco.com, ftp.amazon.com, ftp.monster.com and, even security sites including ftp.mcafee.com and ftp.symantec.com along the extensive list of more than 68,000.


Top
 Profile  
 
PostPosted: Wed Jul 01, 2009 11:24 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Tue May 20, 2008 8:06 pm
Posts: 15
I have also some Web sites in Godaddy. During last 15months, my joomla installations -- 1.5.7, 1.5.8 and 1.5.11 -- have been hacked 4 times. >:( The attackers are overwriting index.php, index.html, deafult.php, default_item.php files and adding "eachbul.net/click=" together with a hexadecimal number by assigning to "click" parameter in an iframe tag.

And another incident, the attackers overwriting another address -- yourlotcar. cn:8080 /index.php -- in an iframe again. Although my installations 1.5.8 and 1.5.11, I really don't understand how this happens.
I am using CuteFTP 2.0 to access my account and my computers have up-to-date anti-virus softwares.

_________________
because open source matters..


Last edited by mandville on Thu Oct 14, 2010 1:07 pm, edited 1 time in total.
broke link to prevent infection and juice


Top
 Profile  
 
PostPosted: Wed Jul 01, 2009 12:04 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Mar 08, 2006 8:07 pm
Posts: 33
You might want to try running another Anti-Virus in parallel just in case, I heard AVG does a good job and it is Free. http://free.avg.com/

If goDaddy supports it, you might want to try using SFTP instead of FTP, these would at least help rule out that the problem is not on your side. if you are able to to use SFTP, I would of course recommend you change all your passwords.

See this article: http://www.theregister.co.uk/2009/06/26 ... ware_hack/

Stephan


Top
 Profile  
 
PostPosted: Wed Jul 01, 2009 2:39 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
gulenzek wrote:
yourlotcar.cn:8080/index.php
If you have that in your site it is 99,99 % sure that it is coming from any of you logging in with ftp from your own PC. This measn that the moment you login you load automatically the executable to the site and is run and bye bye site....

AVG does NOT discover this piece of crap (!) on your PC

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Top
 Profile  
 
PostPosted: Wed Jul 01, 2009 2:41 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
_Stephan wrote:
you might want to try using SFTP instead of FTP, these would at least help rule out that the problem is not on your side.
With all respect...SFTP does not protect this specific malware (key-logging etc) so does not help for this specific issue

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Top
 Profile  
 
PostPosted: Wed Jul 01, 2009 3:00 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Mar 08, 2006 8:07 pm
Posts: 33
Leo,

I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.

Not sure about you, but personally I would not use FTP over an open un-trusted network.


Top
 Profile  
 
PostPosted: Mon Jul 06, 2009 7:07 pm 
User avatar
Joomla! Virtuoso
Joomla! Virtuoso

Joined: Sat Sep 24, 2005 11:01 pm
Posts: 4785
Location: Toronto, Canada
_Stephan wrote:
Leo,

I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.

Not sure about you, but personally I would not use FTP over an open un-trusted network.


The better solution is to do everything over ssh. That said, if your local computer is infected, your site is at great risk.

Ian


Top
 Profile  
 
PostPosted: Tue Jul 07, 2009 1:08 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Tue May 20, 2008 8:06 pm
Posts: 15
leolam wrote:
gulenzek wrote:
yourlotcar.cn:8080/index.php
If you have that in your site it is 99,99 % sure that it is coming from any of you logging in with ftp from your own PC. This measn that the moment you login you load automatically the executable to the site and is run and bye bye site....

AVG does NOT discover this piece of crap (!) on your PC

Leo 8)


I am using 3 different machines and FTP installations on them (CuteFtp 2.0 and Cute FTP 7.0). How can I detect which one is infected. BTW, two of the machines have AVG Free and one another has F-Secure Antivirus software. And I have installed "Spyware" on them.

I would be grateful if any help comes..

Regards

_________________
because open source matters..


Top
 Profile  
 
PostPosted: Tue Jul 07, 2009 1:30 pm 
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Sat Mar 15, 2008 9:45 pm
Posts: 163
I would scan with Antivir, and PC Tools Antivirus as well. (I also included Panda Online Scan in case you would rather an online scan)

Here is Antivir - http://www.free-av.com/
Here is PCTools - http://www.pctools.com/free-antivirus/
Here is Panda Online Scan - http://www.pandasecurity.com/activescan/index/

Although scanning with 2 different Antispyware would be a good idea too.

Here is SuperAntispyware - http://www.superantispyware.com/
Here is Spybot - http://www.safer-networking.org/

Since you have AVG. You might want to uninstall AVG temporarily while you scan with these other programs. Never install more than 1 antivirus program at a time.

You can of course reinstall AVG after your done scanning.


NOTE: If you don't find any malware, then you need to work with your hosting provider to secure your site. Including making sure that you have done everything in the Joomla Security Checklist.


Top
 Profile  
 
PostPosted: Fri Jul 17, 2009 11:34 pm 
Joomla! Explorer
Joomla! Explorer

Joined: Fri Jul 03, 2009 5:38 pm
Posts: 443
To actually remove the injection, there's a great utility called TurboSR.

It has the ability to scan all of the text in all of the files on your site. You give it a line of text to match (the injected script) and what to replace it with (leave blank), run the utility, and you're site is good to go again - provided you've patched the security hole.

TurboSR

_________________
Joseph Davis
Technical Support Representative
jdavis@hosting.com
http://hosting.com


Last edited by ooffick on Tue Oct 26, 2010 7:47 am, edited 1 time in total.
Mod Note: Removed manual Signature. Please read the Forum rules for details.


Top
 Profile  
 
PostPosted: Fri Jul 24, 2009 1:56 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
jdavis74 wrote:
It has the ability to scan all of the text in all of the files on your site. You give it a line of text to match (the injected script) and what to replace it with (leave blank), run the utility, and you're site is good to go again - provided you've patched the security hole.
This is what you can do with every text editor such as Notepad, Notepad +/+ or Dreamweaver to name a couple who have that option (search and replace). This is a basic workable solution though requires that you download first all of the files and folders and upload after the scan the entire site once again....

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Top
 Profile  
 
PostPosted: Fri Jul 31, 2009 1:40 pm 
Joomla! Ace
Joomla! Ace

Joined: Sat Oct 21, 2006 8:53 am
Posts: 1334
My 1.0.x site was hacked a while ago and whilst I managed to upload most of the index files again I never discovered why Docman would never work so I rebuilt using 1.5.x. Since then as soon as a security update becomes available this becomes the next site priority update. I use Joomlapack and reinstalling works well. But of course when doing a backup the trick is to do this after every edit session (daily if editors work on the site) and keep at least enough previous backups (say a weeks worth) locally (I use JPRemote) just in case you missed a hack and need to go back in the list.

Reading here about being mostly compromised by virus code on ones local management PC infiltrating the FTP sessions, it occurs to me that an extra stage in the process whereby the virus scan is done automatically specifically on the FTP software prior to it being booted. Take Dreamweaver, start it but somehow the antivirus kicks in to scan the relavant files and then gives an OK. Would this be possible or even useful?

And what about a cleanup program. Say if the index files are compromised is it not possible to do a simple replace with a known good file. Same applies to a js line of text - discover the faulty code and do a site scan to highlight or even delete. Sounds a bit complicated perhaps because of the variation in likely corrupt lines of code. just wondered.

When using these scanners, unlike say Norton, (a quarantine action) is it some sort of report?

_________________
Thanks for your time.


Top
 Profile  
 
PostPosted: Fri Jul 31, 2009 2:06 pm 
User avatar
Joomla! Intern
Joomla! Intern

Joined: Sat Jul 25, 2009 3:54 am
Posts: 56
Enter the ramblings of a newbie.....

1. All anti-virus software can only do so much.
2. Check you sever logs for suspicious ip's
3. Do a comparison check on critical files regularly
4. Fight the Microsoft hold and use a Unix, Linux based OS as it is less vulnerable attack

Only in great numbers can we be strong against this sort of attack. Joomla is less vulnerable to malicious attach compared to some other open source and proprietary CMS software due to a strong community.

well that is my $0.02's worth

:-)

_________________
Running Joomla 1.5.113 Stable "So 1.5.14 is here so soon!" Where is 1.6!
Only with an open mind can you really understand open source"


Top
 Profile  
 
PostPosted: Mon Aug 03, 2009 6:44 am 
Joomla! Ace
Joomla! Ace

Joined: Sat Oct 21, 2006 8:53 am
Posts: 1334
nanoamp wrote:
1. All anti-virus software can only do so much.
2. Check you sever logs for suspicious ip's
3. Do a comparison check on critical files regularly
4. Fight the Microsoft hold and use a Unix, Linux based OS as it is less vulnerable attack


I there are several sites this could take all day! What is a suspicious IP?

_________________
Thanks for your time.


Top
 Profile  
 
PostPosted: Tue Aug 04, 2009 4:57 am 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
nanoamp wrote:
Joomla is less vulnerable to malicious attacks compared to some other open source
I believe that is something of wishful thinking.

The most important thing in all circumstances is to implement the latest releases of Joomla at all times! Just the last days hundreds of [drive] sites in Netherlands were compromised because they were running outdated and vulnerable versions of Joomla. This was widely published in Dutch newspapers. If these sites would have used latest and updated versions, a secure hosting environment (http://docs.joomla.org/Category:Security_Checklist) and the security settings applied this would not have happened.

Fact is that the Webmaster of a site can do a lot him/her self to protect the site....On a host without sufficient base security such as suPHP and mod_security? You will know that one of these days you will be whacked for sure!

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Top
 Profile  
 
PostPosted: Tue Aug 04, 2009 6:45 am 
Joomla! Ace
Joomla! Ace

Joined: Sat Oct 21, 2006 8:53 am
Posts: 1334
an't agree more. As soon as 1.5.14 became available I took a backup, manually upgraded, and then took another backup on all my 3 sites.

_________________
Thanks for your time.


Top
 Profile  
 
PostPosted: Sun Sep 20, 2009 6:30 am 
Joomla! Fledgling
Joomla! Fledgling

Joined: Fri Jul 17, 2009 11:18 pm
Posts: 4
The iframe problem is getting worse these days. Some hosting companies help to remove it after scanning but most of the companies do not provide support for that. I had a lot of problems of iframe injection in the past. I do not store the user name and passwords on my ftp client software. On top of that, I try to use a dedicated PC to do all the uploading and this PC is well protected by the Anti virus software.

_________________
Signature rules: Literal URLs only - viewtopic.php?f=8&t=65


Top
 Profile  
 
PostPosted: Thu Sep 24, 2009 8:58 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Sat Apr 25, 2009 3:43 pm
Posts: 17
Is using ssh from a clean pc good enough or ssh at some point is also vulnerable?


Top
 Profile  
 
PostPosted: Wed Sep 30, 2009 9:11 am 
Joomla! Guru
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
About six weeks ago all the websites in my shared hosting account were compromised. Sadly I had not made backups often enough so I have left them exactly as they were until I am sure I can repair everything without too much effort.
The first sign was that all my Joomla sites showed only a blank page. When i checked the files on the server, it became clear that almost all files with index or default in the name had been infected. In these files, an iframe was inserted between script tags, usually at the bottom. Luckily, instead of displaying the iframes, Joomla's php choked on these tags. As far as I know no javascript files have been affected.
After scanning my PC and doing some research, and remembering an alert I had got on opening a PDF on the web, I found that some trojan used the FTP passwords in my PC to do its ugly work on the server.
Now I am half way getting a script together that does a complete cleaning and at the same time checks if every folder has an index.html file. Cleaning hundreds or thousands of these files manually would take far too much time. When it is completed I will spread the script under the GPL.

My question is: is the infection discussed in this thread a different one or the same? If it is different, could you provide some more details on what files are infected and how? I am asking because I might be able to put in some .js repair functionality in once I am doing so for .php files. Has anyone made a useful regular expression yet?

Having asked and said this, I do not want to put up anyone' s hopes, I am just hobbying around without deadlines...


Top
 Profile  
 
PostPosted: Fri Oct 02, 2009 10:37 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Tue Jun 30, 2009 6:55 pm
Posts: 12
maybe this is relevant http://forums.majorgeeks.com/showthread.php?t=35407

_________________
Please read forum rules regarding the use of signatures: viewtopic.php?f=8&t=65


Top
 Profile  
 
PostPosted: Thu Oct 15, 2009 10:52 am 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13949
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
@ Ewel,
This is exactly the issue I posted.

If you have Shell access you can clean it with a shell command assuming we get some little info. Script is rather complicated. All index.php and all index.html files are infected as also some 56 other files on your system.

If you do not have Shell you can ask your host to clean it for you...the run takes no more than 3 minutes to clean your site the most so they should be able to assist you here. If not you might consider to change shared host who does help you properly

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Top
 Profile  
 
PostPosted: Thu Oct 15, 2009 11:33 am 
Joomla! Guru
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Thanks for the tips. I never understood shell access although i probably have it. I now have a script that successfully cleans iframe tags, but I still need to create a regex to also clean script tags - I already know what it should look for. Then I expect to have a script and method in hand that can clean most sites hit by this trojan completely or almost completely.
I have noticed that per site the number of files infected can be different, as far as I can see because the FTP connection for infecting the file would have failed; it seems the trojan connects by FTP for each infection. My FTP connection log had an unbelievable spike. Hardest hit are index.html and default*.php files.


Top
 Profile  
 
PostPosted: Wed Oct 21, 2009 8:50 am 
Joomla! Fledgling
Joomla! Fledgling

Joined: Wed Oct 21, 2009 8:31 am
Posts: 3
Hey Leolam.
Myself Sandra and according to your problem.I suggest you to romove that javascript code from your joomla blog. After that check compatibility of your code with standard code. If you find any bridge between there, you should have to go for the advice of Joomla expert. Anyways thanks for posting it .Stay connected.

_________________
WHERE THERE IS A WILL THERE IS A WAY


Top
 Profile  
 
PostPosted: Sat Nov 14, 2009 5:11 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12466
Location: The Girly Side of Joomla in Sussex
and here is a current list of some of the topics o this subject

viewtopic.php?f=432&t=411735
viewtopic.php?f=432&t=459912
viewtopic.php?f=432&t=460154
viewtopic.php?f=432&t=459463
viewtopic.php?f=432&t=458464
viewtopic.php?f=432&t=455335
viewtopic.php?f=432&t=456376

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Top
 Profile  
 
PostPosted: Mon Nov 16, 2009 11:01 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Thu Sep 10, 2009 9:59 am
Posts: 3
This isn't a question, am just reporting that I've just (hopefully) cleaned up after an attack.

The php code in the index.php files started with eval(base64_decode(' .... ')
and there was a javascript code in the index.html files with a link to a site that my browser said was malicious. I also found javascript document.write('...') at the bottom of several .js files.

Now its just a waiting game to see whether my new FTP password has been compromised.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 123 posts ]  Go to page 1, 2, 3, 4, 5  Next



Who is online

Users browsing this forum: No registered users and 18 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group