Discussion - Malicious Javascript in your site

[DrIanWay]

I use MySQL. Is there any way to protect it for the case your talk about? Thus, attacking my php files, the database is still protected?
Thanks, Dr. Ian Way.

[des911]

Hi All

I'm new to Joomla and Php. I've similar problem with my site and google suggests that I've the malicious script on 4 places.

http://mysiteurl.com/
http://mysiteurl.com/?feed=rss2
http://mysiteurl.com/?page_id=2
http://mysiteurl.com/p=1&cpage=1

The code looks like this: <script src=http://*rimo-*iano.dk/App_Data/Default.aspx.php
></script>

Any suggestions where I should be looking at to delete it?

Thanks in advance.

Mithai

[mandville]

is the extension from a 3rd party? does the link appear anywhere else/

[des911]

Hello Mandville

Thanks for your reply. For the moment the site is running smooth and I can't see the script in the index.php or default.php files both in the template and other files that I've gone through. Google only suggested these URLs to check and since the URLs are dynamic, I have no clue where to look at. Previously there was a script in the index.php in the template folder but I deleted the whole site and installed the script from scratch. then I changed the file permission of index.php to 444 and the script didn't come back. But the google still showing the given urls as infected. Please help. Thanks again.

[des911]

And yes the extensions are from third party but I've downloaded them from joomla site. Can they still be infected?

[mandville]

it could be that google just hasnt updated its directory afteryour hack.

[SOAMJENA]

I had malicious codes on index.php all over the sites, even though they were all running on 1.5.18 .

Now, Its all good, but my host said, that the server may have been backdoored, meaning, the hackers may have left some php file somewhere inside , by which they can enter again.

So, how can we find those suspicious files or anything ?

Is there a way to find them ?

[mandville]

security checklist 7, safe route to reovery. unless you have a few hours to spare to huynt every folder on your site and check every file!

[SOAMJENA]

Ok, so images, templates, db backup and then new joomla install and putting them back.

Thats it.

And yes, install the same components and modules and plugins again there on the new one.

security checklist 7, safe route to reovery. unless you have a few hours to spare to huynt every folder on your site and check every file!

[mandville]

install up2date versions of your extensions

[juanseomind]

just wondering, i understand this but i like to know random stuffm, when you talk about the file .js what does JS stand for?

[mandville]

just wondering, i understand this but i like to know random stuffm, when you talk about the file .js what does JS stand for?

apart from the title of this topic giving a clue
try
http://www.google.co.uk/search?q=file+type+suffix
followed by http://www.sharpened.net/helpcenter/extensions.php
and then
http://www.sharpened.net/helpcenter/extensions.php
or
http://filext.com/file-extension/JS

[triman101]

js stands for JavaScript. Its a programming language.

[J_M]

Ok Godaddy websites have been hacked again. I'm getting sick of this one. It's all over the news. The domains that websites are redirected to are hosted on Godaddy too. It's all over the internet.

I can't delete and upload everything again and again, I'm feel like I'm going to puke now.

Okay; I called'em right away and they seem to have fixed the website now. So cheers!

[vampxlr]

Do we have any extensions to scan our site for malicious javascript ??

[mandville]

Do we have any extensions to scan our site for malicious javascript ??

before this turns into a self promotional post fest, there are several scripts that claim they can scan for such scripts but are they guaranteeed to get all of them.
you also do not know if nything else is installed.
do it the correct way, the safe route to recovery and the rest of checklist 7 (and this topic)

[BauerSEO]

There was some kind of tool I used for scanning a long while ago for my blog because it was getting so many problems of this nature. But this was a couple years and I do not have that tool anymore, but thankfully I have not needed anything like it for a good bit.

[cropperesp]

virustotal.com is good for checking your site to see if it still contains malware.

But I find having a zipped backup only takes half an hour to restore a site properly.

Then just a case of closing off permissions where applicable, changing passwords, checking joomla and plugins, modules etc are up to date.

[f1b0n4cc1]

last day my computer get infected by keylogger and my email , paypal and file hosting account hacked , we need to use antivirus applications and even we believe something safe . java script is perfect for useful things and dangerous for hacking attempts too . i hope we make joomla everyday better and better .

[Paycheck]

I was recently hit as well on a site I developed using Joomla 1.5

Here is where the 64Decode script was placed in my files. Hope this helps others.

/home1/bajashop/public_html/cms/includes/defines.php
/home1/bajashop/public_html/archive/configuration.php
/home1/bajashop/public_html/archive/globals.php

I am also seeing a couple hacking files located here:

/home1/bajashop/public_html/cms/images/img.php
/home1/bajashop/public_html/archive/priv.php

[mandville]

/home1/bajashop/public_html/archive/configuration.php
/home1/bajashop/public_html/archive/globals.php

J1.x ? as not sure what they are and in an archive folder..

[Paycheck]

/home1/bajashop/public_html/archive/configuration.php
/home1/bajashop/public_html/archive/globals.php

J1.x ? as not sure what they are and in an archive folder..

Version 1.5.22

[Prowebdesign]

How easy or hard is it to hack a site with malicious code?

[WeWatch]

Hackers have many methods of hacking a website.

First, they'll scan it with various tools to look for some known vulnerability. Recently, many sites have been subjected to scanning for phpmyadmin folders.

These probing scans will leave clues in your log files. Look for many GETs or POSTs about the same time and returning 404s (page not found).

The key to protect against this attack is to make sure all software is updated and to follow the security guidelines for all software.

Second, the hackers may try a dictionary attack on various login pages. A dictionary attack uses a dictionary of commonly used passwords and it tries various username and password combinations on login pages. The key here is always use strong passwords.

Third, the hackers may use stolen FTP credentials. These are stolen by viruses on PC used to FTP files to websites. The virus can either search for the file that stores the saved passwords, or "sniff" the FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the login credentials and then logs in as a legitimate user via FTP and infects the website.

The key to protection here is to use SFTP, which encrypts the traffic, and constantly scan your PC for viruses. This hack attack will leave clues in the FTP logs, if you have them activated.

There is also cross-site scripting, SQL injection and a variety of other methods, but if you stick to known, good software, the creators are generally responsible for those types of safeguards.

To answer your question directly, it is easy to hack a website if you don't follow the security guidelines, it's hard if you do.

[Prowebdesign]

Thanks for the detailed answer WeWatch!
You actually made me alert and I'm a bit scared of these damn viruses now since they can easily steal my data. Of course I'm using anti-virus software, but they only fights the consequences ...

Guess it's time to start thinking of data synchronization.

[leolam]

Can we please stay on topic: Malicious Javascript in your site?

Thanks!

Leo

[valerun]

for some reason, the system did not let me post the snippet, resulting in a super-strange 'no rights to access /posting.php' message... I can't even post a plaintext version of that... so in a very roundabout way to describe it, the html fragment is all about a bunch of links to canadian pharmacies pushing their wares...

[Bernard T]

http://pastebin.com/ ?

[valerun]

for some reason, the system did not let me post the snippet, resulting in a super-strange 'no rights to access /posting.php' message... I can't even post a plaintext version of that... so in a very roundabout way to describe it, the html fragment is all about a bunch of links to canadian pharmacies pushing their wares...

sorry guys - looks like the first half of the message just disappeared... retyping here:

looks like our site got hacked - at least one page (http://www.emotorwerks. com/about/team) has invisible pharmacy spam html code that I cannot find a source of.

I have read a bunch of threads here and saw the recommended actions and checklists etc. Unfortunately, we don't have time to sort this all out ourselves so we want to hire a Joomla security expert who's done a bunch of these before to quickly help us out.

What's the best way to do this?

Thanks,
Valery

[dpacadmin]

I use this site to scan suspected sites, they also have a cleaning service;
https://sucuri.net/services

One other I remembered;
http://myjoomla.com/site/is/hacked