Discussion - Malicious Javascript in your site

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Discussion - Malicious Javascript in your site

Post by leolam » Wed Jun 17, 2009 7:04 am

When you find malicious code in your site it is often a line of javascript inserted into the bottom of almost every .js file on the account that used character code escapes to make it harder to detect. It is most often also embedded in many of the otherwise blank index.html pages within the subdirectories of your Joomla install. It is often difficult to pinpoint the reason either a Joomla exploit (iframe) or if the violators had the account password.

This type of infection is much more common with the password however. For that reason, you should follow these steps:

1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!

2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1

3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster ... swer=45432

4. Read the information provided below about this type of viral infection and how to further prevent it.

What are malicious iframes and what causes them?

! Over the years hackers found it hard to trick people into visiting suspicious sites so they're now targeting legit sites and using them to infect unknowing customers. In most cases an FTP account's password is obtained through key logging malware, then legit website files are modified to distribute the malware and gather more passwords. If your PC has been infected with one of these trojans, your bank account, email accounts, and FTP accounts may no longer be secure.

What to do if you find malicious iframes on your PC?

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanni ... ?task=load
2. Download antivirus and fully scan your PC for malcious files. Here are some free online scanners:
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/ie.html
http://www.kaspersky.com/virusscanner
http://support.f-secure.com/enu/home/ols.shtml
3. Update all passwords that may have been obtained. Do not use old passwords, generate new ones (see above)
4. Upload older versions of the files or contact support for assistance removing the malicious iframes.

Prevention measurements

- Ensure you use the latest browser version
- Disable javascript if possible
- Use Firefox with addon "noscript" (!)
- Download and install some antivirus software, make sure it stays updated
- Use http://www.avg.com.au/index.cfm?section ... onlinescan to test suspicious links you are given in emails or find online.

Others

BACKUP & DOWNLOAD (!) your site and database! Use either your cPanel features or use Joomlapack (http://www.joomlapack.net)....whatever you use: BACKUP!

Hope this helps!

Leo 8)
Last edited by ooffick on Wed Jan 02, 2013 6:52 pm, edited 1 time in total.
Reason: Mod Note: Changed Title of the post
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

_Stephan
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Wed Mar 08, 2006 8:07 pm

Re: Malicious Javascript in your site

Post by _Stephan » Wed Jun 17, 2009 2:46 pm

Very good post, I would also suggest that people open a case with their Hosting Provider as a few of them do care about security. And if they do, they might have access to some system logs that you might not and possibly assist you in identifying how the exploit was conducted. If the host supports it, use SFTP instead of FTP is a good idea as well.

antihack
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 163
Joined: Sat Mar 15, 2008 9:45 pm
Contact:

Re: Malicious Javascript in your site

Post by antihack » Thu Jun 18, 2009 1:56 pm

I would like to Agree with Leolam. The attack he was mentioning is True. Malware does look for FTP usernames and passwords on your computer in order to take over your website and use it.

Here is a link to the story covering this information:
http://news.zdnet.com/2100-9595_22-312957.html


Here is the key part of the story pertaining to this post:
===============================
In order to increase the number of botnets, the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash's control, according to the report.
===============================


Scan your computers with at least 3-4 different Antivirus and Antispyware programs to be somewhat sure your system is clean.

Also, a strong firewall is recommended to help combat Spyware from sending your information over the internet.

Eighteen48
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Wed May 27, 2009 11:09 pm

Re: Malicious Javascript in your site

Post by Eighteen48 » Sun Jun 21, 2009 9:25 pm

The recent rash of attacks not only attack index.html files but also php files, you can find the offending code as both javascript or iframes, sometimes even both. Besides using Joomlapack as the OP suggested, I would also suggest jFireWall EndPoint Protection Anti-Hacker
J!3.4.x:
Add-ons Administrator Lock, AddThis Smart Layers, Akeeba Backup, RSForms Pro, RSFiles, OSMeta, OSMap, OSpam-a-not, RokBooster, RokCandy, MailChimp, DISQUS Comments,

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Mon Jun 22, 2009 3:21 am

Eighteen48 wrote:Besides using Joomlapack as the OP suggested, I would also suggest jFireWall EndPoint Protection Anti-Hacker
Joomlapack is a backup mechanism and is no security tool. jFirewall does not protect your site from an executable being uploaded and run from your ftp-client off your own PC (!) Review what I mentioned on key logging malware. That is your local computer. Our stats show that most attacks as discussed here are initiated from user's own PC.

Again make sure you use very good (multiple) protection software. At present top notch online scanners are offered by PrevX (http://www.prevx.com/freescan.asp) and Pandasecurity (http://www.pandasecurity.com) with its free Active Scan. We (GWS-Group) use PrevX and Pandasecurity commercial versions on our corporate and private systems and networks and they do a very good job and work well together.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

antihack
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 163
Joined: Sat Mar 15, 2008 9:45 pm
Contact:

Re: Malicious Javascript in your site

Post by antihack » Fri Jun 26, 2009 7:00 pm

More information on how serious this is. A new story uncovers that a virus has been stealing FTP login information from the Big Boys.

http://www.theregister.co.uk/2009/06/26 ... ware_hack/

They found logins for ftp.bbc.co.uk, ftp.cisco.com, ftp.amazon.com, ftp.monster.com and, even security sites including ftp.mcafee.com and ftp.symantec.com along the extensive list of more than 68,000.

gulenzek
Joomla! Apprentice
Joomla! Apprentice
Posts: 15
Joined: Tue May 20, 2008 8:06 pm
Contact:

Re: Malicious Javascript in your site

Post by gulenzek » Wed Jul 01, 2009 11:24 am

I have also some Web sites in Godaddy. During last 15months, my joomla installations -- 1.5.7, 1.5.8 and 1.5.11 -- have been hacked 4 times. >:( The attackers are overwriting index.php, index.html, deafult.php, default_item.php files and adding "eachbul.net/click=" together with a hexadecimal number by assigning to "click" parameter in an iframe tag.

And another incident, the attackers overwriting another address -- yourlotcar. cn:8080 /index.php -- in an iframe again. Although my installations 1.5.8 and 1.5.11, I really don't understand how this happens.
I am using CuteFTP 2.0 to access my account and my computers have up-to-date anti-virus softwares.
Last edited by mandville on Thu Oct 14, 2010 1:07 pm, edited 1 time in total.
Reason: broke link to prevent infection and juice
because open source matters..

_Stephan
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Wed Mar 08, 2006 8:07 pm

Re: Malicious Javascript in your site

Post by _Stephan » Wed Jul 01, 2009 12:04 pm

You might want to try running another Anti-Virus in parallel just in case, I heard AVG does a good job and it is Free. http://free.avg.com/

If goDaddy supports it, you might want to try using SFTP instead of FTP, these would at least help rule out that the problem is not on your side. if you are able to to use SFTP, I would of course recommend you change all your passwords.

See this article: http://www.theregister.co.uk/2009/06/26 ... ware_hack/

Stephan

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Wed Jul 01, 2009 2:39 pm

gulenzek wrote:yourlotcar.cn:8080/index.php
If you have that in your site it is 99,99 % sure that it is coming from any of you logging in with ftp from your own PC. This measn that the moment you login you load automatically the executable to the site and is run and bye bye site....

AVG does NOT discover this piece of crap (!) on your PC

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Wed Jul 01, 2009 2:41 pm

_Stephan wrote: you might want to try using SFTP instead of FTP, these would at least help rule out that the problem is not on your side.
With all respect...SFTP does not protect this specific malware (key-logging etc) so does not help for this specific issue

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

_Stephan
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Wed Mar 08, 2006 8:07 pm

Re: Malicious Javascript in your site

Post by _Stephan » Wed Jul 01, 2009 3:00 pm

Leo,

I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.

Not sure about you, but personally I would not use FTP over an open un-trusted network.

User avatar
ianmac
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4784
Joined: Sat Sep 24, 2005 11:01 pm
Location: Toronto, Canada

Re: Malicious Javascript in your site

Post by ianmac » Mon Jul 06, 2009 7:07 pm

_Stephan wrote:Leo,

I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.

Not sure about you, but personally I would not use FTP over an open un-trusted network.
The better solution is to do everything over ssh. That said, if your local computer is infected, your site is at great risk.

Ian

gulenzek
Joomla! Apprentice
Joomla! Apprentice
Posts: 15
Joined: Tue May 20, 2008 8:06 pm
Contact:

Re: Malicious Javascript in your site

Post by gulenzek » Tue Jul 07, 2009 1:08 pm

leolam wrote:
gulenzek wrote:yourlotcar.cn:8080/index.php
If you have that in your site it is 99,99 % sure that it is coming from any of you logging in with ftp from your own PC. This measn that the moment you login you load automatically the executable to the site and is run and bye bye site....

AVG does NOT discover this piece of crap (!) on your PC

Leo 8)
I am using 3 different machines and FTP installations on them (CuteFtp 2.0 and Cute FTP 7.0). How can I detect which one is infected. BTW, two of the machines have AVG Free and one another has F-Secure Antivirus software. And I have installed "Spyware" on them.

I would be grateful if any help comes..

Regards
because open source matters..

antihack
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 163
Joined: Sat Mar 15, 2008 9:45 pm
Contact:

Re: Malicious Javascript in your site

Post by antihack » Tue Jul 07, 2009 1:30 pm

I would scan with Antivir, and PC Tools Antivirus as well. (I also included Panda Online Scan in case you would rather an online scan)

Here is Antivir - http://www.free-av.com/
Here is PCTools - http://www.pctools.com/free-antivirus/
Here is Panda Online Scan - http://www.pandasecurity.com/activescan/index/

Although scanning with 2 different Antispyware would be a good idea too.

Here is SuperAntispyware - http://www.superantispyware.com/
Here is Spybot - http://www.safer-networking.org/

Since you have AVG. You might want to uninstall AVG temporarily while you scan with these other programs. Never install more than 1 antivirus program at a time.

You can of course reinstall AVG after your done scanning.


NOTE: If you don't find any malware, then you need to work with your hosting provider to secure your site. Including making sure that you have done everything in the Joomla Security Checklist.

jdavis74
Joomla! Explorer
Joomla! Explorer
Posts: 443
Joined: Fri Jul 03, 2009 5:38 pm

Re: Malicious Javascript in your site

Post by jdavis74 » Fri Jul 17, 2009 11:34 pm

To actually remove the injection, there's a great utility called TurboSR.

It has the ability to scan all of the text in all of the files on your site. You give it a line of text to match (the injected script) and what to replace it with (leave blank), run the utility, and you're site is good to go again - provided you've patched the security hole.

TurboSR
Last edited by ooffick on Tue Oct 26, 2010 7:47 am, edited 1 time in total.
Reason: Mod Note: Removed manual Signature. Please read the Forum rules for details.
Joseph Davis
Technical Support Representative
[email protected]
http://hosting.com

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Fri Jul 24, 2009 1:56 pm

jdavis74 wrote:It has the ability to scan all of the text in all of the files on your site. You give it a line of text to match (the injected script) and what to replace it with (leave blank), run the utility, and you're site is good to go again - provided you've patched the security hole.
This is what you can do with every text editor such as Notepad, Notepad +/+ or Dreamweaver to name a couple who have that option (search and replace). This is a basic workable solution though requires that you download first all of the files and folders and upload after the scan the entire site once again....

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

cantthinkofanickname
Joomla! Ace
Joomla! Ace
Posts: 1334
Joined: Sat Oct 21, 2006 8:53 am

Re: Malicious Javascript in your site

Post by cantthinkofanickname » Fri Jul 31, 2009 1:40 pm

My 1.0.x site was hacked a while ago and whilst I managed to upload most of the index files again I never discovered why Docman would never work so I rebuilt using 1.5.x. Since then as soon as a security update becomes available this becomes the next site priority update. I use Joomlapack and reinstalling works well. But of course when doing a backup the trick is to do this after every edit session (daily if editors work on the site) and keep at least enough previous backups (say a weeks worth) locally (I use JPRemote) just in case you missed a hack and need to go back in the list.

Reading here about being mostly compromised by virus code on ones local management PC infiltrating the FTP sessions, it occurs to me that an extra stage in the process whereby the virus scan is done automatically specifically on the FTP software prior to it being booted. Take Dreamweaver, start it but somehow the antivirus kicks in to scan the relavant files and then gives an OK. Would this be possible or even useful?

And what about a cleanup program. Say if the index files are compromised is it not possible to do a simple replace with a known good file. Same applies to a js line of text - discover the faulty code and do a site scan to highlight or even delete. Sounds a bit complicated perhaps because of the variation in likely corrupt lines of code. just wondered.

When using these scanners, unlike say Norton, (a quarantine action) is it some sort of report?
Thanks for your time.

User avatar
nanoamp
Joomla! Intern
Joomla! Intern
Posts: 56
Joined: Sat Jul 25, 2009 3:54 am

Re: Malicious Javascript in your site

Post by nanoamp » Fri Jul 31, 2009 2:06 pm

Enter the ramblings of a newbie.....

1. All anti-virus software can only do so much.
2. Check you sever logs for suspicious ip's
3. Do a comparison check on critical files regularly
4. Fight the Microsoft hold and use a Unix, Linux based OS as it is less vulnerable attack

Only in great numbers can we be strong against this sort of attack. Joomla is less vulnerable to malicious attach compared to some other open source and proprietary CMS software due to a strong community.

well that is my $0.02's worth

:-)
Running Joomla 1.5.113 Stable "So 1.5.14 is here so soon!" Where is 1.6!
Only with an open mind can you really understand open source"

cantthinkofanickname
Joomla! Ace
Joomla! Ace
Posts: 1334
Joined: Sat Oct 21, 2006 8:53 am

Re: Malicious Javascript in your site

Post by cantthinkofanickname » Mon Aug 03, 2009 6:44 am

nanoamp wrote:1. All anti-virus software can only do so much.
2. Check you sever logs for suspicious ip's
3. Do a comparison check on critical files regularly
4. Fight the Microsoft hold and use a Unix, Linux based OS as it is less vulnerable attack
I there are several sites this could take all day! What is a suspicious IP?
Thanks for your time.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Tue Aug 04, 2009 4:57 am

nanoamp wrote:Joomla is less vulnerable to malicious attacks compared to some other open source
I believe that is something of wishful thinking.

The most important thing in all circumstances is to implement the latest releases of Joomla at all times! Just the last days hundreds of Joomla-driven sites in Netherlands were compromised because they were running outdated and vulnerable versions of Joomla. This was widely published in Dutch newspapers. If these sites would have used latest and updated versions, a secure hosting environment (http://docs.joomla.org/Category:Security_Checklist) and the security settings applied this would not have happened.

Fact is that the Webmaster of a site can do a lot him/her self to protect the site....On a host without sufficient base security such as suPHP and mod_security? You will know that one of these days you will be whacked for sure!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

cantthinkofanickname
Joomla! Ace
Joomla! Ace
Posts: 1334
Joined: Sat Oct 21, 2006 8:53 am

Re: Malicious Javascript in your site

Post by cantthinkofanickname » Tue Aug 04, 2009 6:45 am

an't agree more. As soon as 1.5.14 became available I took a backup, manually upgraded, and then took another backup on all my 3 sites.
Thanks for your time.

Giselle_C
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Fri Jul 17, 2009 11:18 pm
Contact:

Re: Malicious Javascript in your site

Post by Giselle_C » Sun Sep 20, 2009 6:30 am

The iframe problem is getting worse these days. Some hosting companies help to remove it after scanning but most of the companies do not provide support for that. I had a lot of problems of iframe injection in the past. I do not store the user name and passwords on my ftp client software. On top of that, I try to use a dedicated PC to do all the uploading and this PC is well protected by the Anti virus software.
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

dark_element
Joomla! Apprentice
Joomla! Apprentice
Posts: 17
Joined: Sat Apr 25, 2009 3:43 pm
Contact:

Re: Malicious Javascript in your site

Post by dark_element » Thu Sep 24, 2009 8:58 am

Is using ssh from a clean pc good enough or ssh at some point is also vulnerable?

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: Malicious Javascript in your site

Post by ewel » Wed Sep 30, 2009 9:11 am

About six weeks ago all the websites in my shared hosting account were compromised. Sadly I had not made backups often enough so I have left them exactly as they were until I am sure I can repair everything without too much effort.
The first sign was that all my Joomla sites showed only a blank page. When i checked the files on the server, it became clear that almost all files with index or default in the name had been infected. In these files, an iframe was inserted between script tags, usually at the bottom. Luckily, instead of displaying the iframes, Joomla's php choked on these tags. As far as I know no javascript files have been affected.
After scanning my PC and doing some research, and remembering an alert I had got on opening a PDF on the web, I found that some trojan used the FTP passwords in my PC to do its ugly work on the server.
Now I am half way getting a script together that does a complete cleaning and at the same time checks if every folder has an index.html file. Cleaning hundreds or thousands of these files manually would take far too much time. When it is completed I will spread the script under the GPL.

My question is: is the infection discussed in this thread a different one or the same? If it is different, could you provide some more details on what files are infected and how? I am asking because I might be able to put in some .js repair functionality in once I am doing so for .php files. Has anyone made a useful regular expression yet?

Having asked and said this, I do not want to put up anyone' s hopes, I am just hobbying around without deadlines...

lemonjuice
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Tue Jun 30, 2009 6:55 pm

Re: Malicious Javascript in your site

Post by lemonjuice » Fri Oct 02, 2009 10:37 am

Please read forum rules regarding the use of signatures: http://forum.joomla.org/viewtopic.php?f=8&t=65

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Thu Oct 15, 2009 10:52 am

@ Ewel,
This is exactly the issue I posted.

If you have Shell access you can clean it with a shell command assuming we get some little info. Script is rather complicated. All index.php and all index.html files are infected as also some 56 other files on your system.

If you do not have Shell you can ask your host to clean it for you...the run takes no more than 3 minutes to clean your site the most so they should be able to assist you here. If not you might consider to change shared host who does help you properly

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

ewel
Joomla! Guru
Joomla! Guru
Posts: 522
Joined: Mon Oct 01, 2007 11:35 am

Re: Malicious Javascript in your site

Post by ewel » Thu Oct 15, 2009 11:33 am

Thanks for the tips. I never understood shell access although i probably have it. I now have a script that successfully cleans iframe tags, but I still need to create a regex to also clean script tags - I already know what it should look for. Then I expect to have a script and method in hand that can clean most sites hit by this trojan completely or almost completely.
I have noticed that per site the number of files infected can be different, as far as I can see because the FTP connection for infecting the file would have failed; it seems the trojan connects by FTP for each infection. My FTP connection log had an unbelievable spike. Hardest hit are index.html and default*.php files.

sandratycovaone
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Wed Oct 21, 2009 8:31 am

Re: Malicious Javascript in your site

Post by sandratycovaone » Wed Oct 21, 2009 8:50 am

Hey Leolam.
Myself Sandra and according to your problem.I suggest you to romove that javascript code from your joomla blog. After that check compatibility of your code with standard code. If you find any bridge between there, you should have to go for the advice of Joomla expert. Anyways thanks for posting it .Stay connected.
WHERE THERE IS A WILL THERE IS A WAY

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Sat Nov 14, 2009 5:11 pm

HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

chilli_mint
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Thu Sep 10, 2009 9:59 am

Re: Malicious Javascript in your site

Post by chilli_mint » Mon Nov 16, 2009 11:01 pm

This isn't a question, am just reporting that I've just (hopefully) cleaned up after an attack.

The php code in the index.php files started with eval(base64_decode(' .... ')
and there was a javascript code in the index.html files with a link to a site that my browser said was malicious. I also found javascript document.write('...') at the bottom of several .js files.

Now its just a waiting game to see whether my new FTP password has been compromised.


Locked

Return to “Security in Joomla! 1.5”