Discussion - Malicious Javascript in your site
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Sun Jun 13, 2010 8:53 am
- Contact:
Re: Malicious Javascript in your site
I use MySQL. Is there any way to protect it for the case your talk about? Thus, attacking my php files, the database is still protected?
Thanks, Dr. Ian Way.
Thanks, Dr. Ian Way.
Dr. Ian Way
http://www.scibet.com
http://www.scibet.com
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Jun 13, 2010 5:39 pm
Re: Malicious Javascript in your site
Hi All
I'm new to Joomla and Php. I've similar problem with my site and google suggests that I've the malicious script on 4 places.
http://mysiteurl.com/
http://mysiteurl.com/?feed=rss2
http://mysiteurl.com/?page_id=2
http://mysiteurl.com/p=1&cpage=1
The code looks like this: <script src=http://*rimo-*iano.dk/App_Data/Default.aspx.php
></script>
Any suggestions where I should be looking at to delete it?
Thanks in advance.
Mithai
I'm new to Joomla and Php. I've similar problem with my site and google suggests that I've the malicious script on 4 places.
http://mysiteurl.com/
http://mysiteurl.com/?feed=rss2
http://mysiteurl.com/?page_id=2
http://mysiteurl.com/p=1&cpage=1
The code looks like this: <script src=http://*rimo-*iano.dk/App_Data/Default.aspx.php
></script>
Any suggestions where I should be looking at to delete it?
Thanks in advance.
Mithai
Last edited by mandville on Sun Jun 13, 2010 6:13 pm, edited 1 time in total.
Reason: broke links to prevent infection and spam juice
Reason: broke links to prevent infection and spam juice
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
is the extension from a 3rd party? does the link appear anywhere else/
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Jun 13, 2010 5:39 pm
Re: Malicious Javascript in your site
Hello Mandville
Thanks for your reply. For the moment the site is running smooth and I can't see the script in the index.php or default.php files both in the template and other files that I've gone through. Google only suggested these URLs to check and since the URLs are dynamic, I have no clue where to look at. Previously there was a script in the index.php in the template folder but I deleted the whole site and installed the script from scratch. then I changed the file permission of index.php to 444 and the script didn't come back. But the google still showing the given urls as infected. Please help. Thanks again.
Thanks for your reply. For the moment the site is running smooth and I can't see the script in the index.php or default.php files both in the template and other files that I've gone through. Google only suggested these URLs to check and since the URLs are dynamic, I have no clue where to look at. Previously there was a script in the index.php in the template folder but I deleted the whole site and installed the script from scratch. then I changed the file permission of index.php to 444 and the script didn't come back. But the google still showing the given urls as infected. Please help. Thanks again.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Jun 13, 2010 5:39 pm
Re: Malicious Javascript in your site
And yes the extensions are from third party but I've downloaded them from joomla site. Can they still be infected?
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
it could be that google just hasnt updated its directory afteryour hack.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- SOAMJENA
- Joomla! Ace
- Posts: 1274
- Joined: Thu May 01, 2008 12:36 pm
- Location: QubeSys Technologies Pvt. Ltd ,INDIA
- Contact:
Re: Malicious Javascript in your site
I had malicious codes on index.php all over the sites, even though they were all running on 1.5.18 .
Now, Its all good, but my host said, that the server may have been backdoored, meaning, the hackers may have left some php file somewhere inside , by which they can enter again.
So, how can we find those suspicious files or anything ?
Is there a way to find them ?
Now, Its all good, but my host said, that the server may have been backdoored, meaning, the hackers may have left some php file somewhere inside , by which they can enter again.
So, how can we find those suspicious files or anything ?
Is there a way to find them ?
Web Design, eCommerce and Software Development
Joomla Premium Extensions,Templates and Support Packages
Joomla Premium Extensions,Templates and Support Packages
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
security checklist 7, safe route to reovery. unless you have a few hours to spare to huynt every folder on your site and check every file!
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- SOAMJENA
- Joomla! Ace
- Posts: 1274
- Joined: Thu May 01, 2008 12:36 pm
- Location: QubeSys Technologies Pvt. Ltd ,INDIA
- Contact:
Re: Malicious Javascript in your site
Ok, so images, templates, db backup and then new joomla install and putting them back.
Thats it.
And yes, install the same components and modules and plugins again there on the new one.
Thats it.
And yes, install the same components and modules and plugins again there on the new one.
mandville wrote:security checklist 7, safe route to reovery. unless you have a few hours to spare to huynt every folder on your site and check every file!
Web Design, eCommerce and Software Development
Joomla Premium Extensions,Templates and Support Packages
Joomla Premium Extensions,Templates and Support Packages
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
install up2date versions of your extensions
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Jul 06, 2010 1:41 am
Re: Malicious Javascript in your site
just wondering, i understand this but i like to know random stuffm, when you talk about the file .js what does JS stand for?
Last edited by mandville on Tue Jul 06, 2010 2:10 am, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
apart from the title of this topic giving a cluejuanseomind wrote:just wondering, i understand this but i like to know random stuffm, when you talk about the file .js what does JS stand for?
try
http://www.google.co.uk/search?q=file+type+suffix
followed by http://www.sharpened.net/helpcenter/extensions.php
and then
http://www.sharpened.net/helpcenter/extensions.php
or
http://filext.com/file-extension/JS
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 9
- Joined: Wed Aug 25, 2010 8:59 am
Re: Malicious Javascript in your site
js stands for JavaScript. Its a programming language.
-
- Joomla! Enthusiast
- Posts: 165
- Joined: Mon Mar 31, 2008 5:34 pm
- Contact:
Re: Malicious Javascript in your site
Ok Godaddy websites have been hacked again. I'm getting sick of this one. It's all over the news. The domains that websites are redirected to are hosted on Godaddy too. It's all over the internet.
I can't delete and upload everything again and again, I'm feel like I'm going to puke now.
Okay; I called'em right away and they seem to have fixed the website now. So cheers!
I can't delete and upload everything again and again, I'm feel like I'm going to puke now.
Okay; I called'em right away and they seem to have fixed the website now. So cheers!
Stay Cool!
- vampxlr
- Joomla! Apprentice
- Posts: 21
- Joined: Thu Sep 30, 2010 3:16 am
Re: Malicious Javascript in your site
Do we have any extensions to scan our site for malicious javascript ??
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
before this turns into a self promotional post fest, there are several scripts that claim they can scan for such scripts but are they guaranteeed to get all of them.vampxlr wrote:Do we have any extensions to scan our site for malicious javascript ??
you also do not know if nything else is installed.
do it the correct way, the safe route to recovery and the rest of checklist 7 (and this topic)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- BauerSEO
- Joomla! Apprentice
- Posts: 8
- Joined: Tue Aug 03, 2010 8:06 pm
Re: Malicious Javascript in your site
There was some kind of tool I used for scanning a long while ago for my blog because it was getting so many problems of this nature. But this was a couple years and I do not have that tool anymore, but thankfully I have not needed anything like it for a good bit.
That's right, I'm Jack Bauer. What of it?
- cropperesp
- Joomla! Apprentice
- Posts: 15
- Joined: Mon Aug 04, 2008 3:52 pm
Re: Malicious Javascript in your site
virustotal.com is good for checking your site to see if it still contains malware.
But I find having a zipped backup only takes half an hour to restore a site properly.
Then just a case of closing off permissions where applicable, changing passwords, checking joomla and plugins, modules etc are up to date.
But I find having a zipped backup only takes half an hour to restore a site properly.
Then just a case of closing off permissions where applicable, changing passwords, checking joomla and plugins, modules etc are up to date.
-
- Joomla! Apprentice
- Posts: 15
- Joined: Fri May 28, 2010 4:10 pm
- Contact:
Re: Malicious Javascript in your site
last day my computer get infected by keylogger and my email , paypal and file hosting account hacked , we need to use antivirus applications and even we believe something safe . java script is perfect for useful things and dangerous for hacking attempts too . i hope we make joomla everyday better and better .
Please read forum rules regarding signatures: http://forum.joomla.org/viewtopic.php?t=65
- Paycheck
- Joomla! Enthusiast
- Posts: 205
- Joined: Sat Dec 31, 2005 7:41 pm
- Location: San Clemente, Ca.
Re: Malicious Javascript in your site
I was recently hit as well on a site I developed using Joomla 1.5
Here is where the 64Decode script was placed in my files. Hope this helps others.
Here is where the 64Decode script was placed in my files. Hope this helps others.
/home1/bajashop/public_html/cms/includes/defines.php
/home1/bajashop/public_html/archive/configuration.php
/home1/bajashop/public_html/archive/globals.php
I am also seeing a couple hacking files located here:
/home1/bajashop/public_html/cms/images/img.php
/home1/bajashop/public_html/archive/priv.php
Be nice we all aren't geniuses
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
J1.x ? as not sure what they are and in an archive folder../home1/bajashop/public_html/archive/configuration.php
/home1/bajashop/public_html/archive/globals.php
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Paycheck
- Joomla! Enthusiast
- Posts: 205
- Joined: Sat Dec 31, 2005 7:41 pm
- Location: San Clemente, Ca.
Re: Malicious Javascript in your site
Version 1.5.22mandville wrote:J1.x ? as not sure what they are and in an archive folder../home1/bajashop/public_html/archive/configuration.php
/home1/bajashop/public_html/archive/globals.php
Be nice we all aren't geniuses
- Prowebdesign
- Joomla! Enthusiast
- Posts: 197
- Joined: Sun Oct 04, 2009 10:37 am
- Contact:
Re: Malicious Javascript in your site
How easy or hard is it to hack a site with malicious code?
Best regards,
Streamline
Web design blog and tutorials http://www.majas-lapu-izstrade.lv
http://www.uniqcube.com
Streamline
Web design blog and tutorials http://www.majas-lapu-izstrade.lv
http://www.uniqcube.com
-
- Joomla! Apprentice
- Posts: 49
- Joined: Wed May 06, 2009 10:38 am
- Contact:
Re: Malicious Javascript in your site
Hackers have many methods of hacking a website.
First, they'll scan it with various tools to look for some known vulnerability. Recently, many sites have been subjected to scanning for phpmyadmin folders.
These probing scans will leave clues in your log files. Look for many GETs or POSTs about the same time and returning 404s (page not found).
The key to protect against this attack is to make sure all software is updated and to follow the security guidelines for all software.
Second, the hackers may try a dictionary attack on various login pages. A dictionary attack uses a dictionary of commonly used passwords and it tries various username and password combinations on login pages. The key here is always use strong passwords.
Third, the hackers may use stolen FTP credentials. These are stolen by viruses on PC used to FTP files to websites. The virus can either search for the file that stores the saved passwords, or "sniff" the FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the login credentials and then logs in as a legitimate user via FTP and infects the website.
The key to protection here is to use SFTP, which encrypts the traffic, and constantly scan your PC for viruses. This hack attack will leave clues in the FTP logs, if you have them activated.
There is also cross-site scripting, SQL injection and a variety of other methods, but if you stick to known, good software, the creators are generally responsible for those types of safeguards.
To answer your question directly, it is easy to hack a website if you don't follow the security guidelines, it's hard if you do.
First, they'll scan it with various tools to look for some known vulnerability. Recently, many sites have been subjected to scanning for phpmyadmin folders.
These probing scans will leave clues in your log files. Look for many GETs or POSTs about the same time and returning 404s (page not found).
The key to protect against this attack is to make sure all software is updated and to follow the security guidelines for all software.
Second, the hackers may try a dictionary attack on various login pages. A dictionary attack uses a dictionary of commonly used passwords and it tries various username and password combinations on login pages. The key here is always use strong passwords.
Third, the hackers may use stolen FTP credentials. These are stolen by viruses on PC used to FTP files to websites. The virus can either search for the file that stores the saved passwords, or "sniff" the FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the login credentials and then logs in as a legitimate user via FTP and infects the website.
The key to protection here is to use SFTP, which encrypts the traffic, and constantly scan your PC for viruses. This hack attack will leave clues in the FTP logs, if you have them activated.
There is also cross-site scripting, SQL injection and a variety of other methods, but if you stick to known, good software, the creators are generally responsible for those types of safeguards.
To answer your question directly, it is easy to hack a website if you don't follow the security guidelines, it's hard if you do.
- Prowebdesign
- Joomla! Enthusiast
- Posts: 197
- Joined: Sun Oct 04, 2009 10:37 am
- Contact:
Re: Malicious Javascript in your site
Thanks for the detailed answer WeWatch!
You actually made me alert and I'm a bit scared of these damn viruses now since they can easily steal my data. Of course I'm using anti-virus software, but they only fights the consequences ...
Guess it's time to start thinking of data synchronization.
You actually made me alert and I'm a bit scared of these damn viruses now since they can easily steal my data. Of course I'm using anti-virus software, but they only fights the consequences ...
Guess it's time to start thinking of data synchronization.
Best regards,
Streamline
Web design blog and tutorials http://www.majas-lapu-izstrade.lv
http://www.uniqcube.com
Streamline
Web design blog and tutorials http://www.majas-lapu-izstrade.lv
http://www.uniqcube.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
Can we please stay on topic: Malicious Javascript in your site?
Thanks!
Leo
Thanks!
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sat Jul 19, 2014 7:30 pm
Re: Discussion - Malicious Javascript in your site
for some reason, the system did not let me post the snippet, resulting in a super-strange 'no rights to access /posting.php' message... I can't even post a plaintext version of that... so in a very roundabout way to describe it, the html fragment is all about a bunch of links to canadian pharmacies pushing their wares...
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Discussion - Malicious Javascript in your site
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sat Jul 19, 2014 7:30 pm
Re: Discussion - Malicious Javascript in your site
sorry guys - looks like the first half of the message just disappeared... retyping here:valerun wrote:for some reason, the system did not let me post the snippet, resulting in a super-strange 'no rights to access /posting.php' message... I can't even post a plaintext version of that... so in a very roundabout way to describe it, the html fragment is all about a bunch of links to canadian pharmacies pushing their wares...
looks like our site got hacked - at least one page (http://www.emotorwerks. com/about/team) has invisible pharmacy spam html code that I cannot find a source of.
I have read a bunch of threads here and saw the recommended actions and checklists etc. Unfortunately, we don't have time to sort this all out ourselves so we want to hire a Joomla security expert who's done a bunch of these before to quickly help us out.
What's the best way to do this?
Thanks,
Valery
Last edited by mandville on Tue Jul 22, 2014 6:40 am, edited 1 time in total.
Reason: broke link
Reason: broke link
- dpacadmin
- Joomla! Champion
- Posts: 6029
- Joined: Sat Aug 16, 2008 1:46 pm
- Location: the Bat Cave
- Contact:
Re: Discussion - Malicious Javascript in your site
I use this site to scan suspected sites, they also have a cleaning service;
https://sucuri.net/services
One other I remembered;
http://myjoomla.com/site/is/hacked
https://sucuri.net/services
One other I remembered;
http://myjoomla.com/site/is/hacked
Last edited by dpacadmin on Tue Jul 22, 2014 6:37 am, edited 1 time in total.