Discussion - Malicious Javascript in your site

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia
Contact:

Re: Malicious Javascript in your site

Post by brad » Sun Jan 17, 2010 11:11 am

It's not an extension, it's a manual script that is very specific in it's usage and requirements.


[I've removed the rest of my post as it was offensive to others]

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Sun Jan 17, 2010 11:21 am

brad wrote:It's not an extension, it's a manual script that is very specific in it's usage and requirements.
I already noticed you do not read. I asked you to add the Keepass to the initial post and you just bully yourself onto something different....
It's not an extension, it's a manual script that is very specific in it's usage and requirements.
What is the difference with the Joomla Forum Asisstant Tools (excellent) which is a stand alone script as well? That is posted in JED and heavy promoted (look in the top of your screen) (http://extensions.joomla.org/extensions ... tools/1734) Argument is not valid.....Consistency and transparency in decision making are though....

Good call Brad...Glad to see you active again (http://www.alltogetherasawhole.org might do you some good! ....amongst other things....)

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Sun Jan 17, 2010 12:49 pm

As was pointed out before, JTS does not alter files in the way that the suggested cleaning script does.
--
edit to add : i will add the password tool to the checklist 7 as a suggested ftp security tool
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Sun Jan 17, 2010 1:09 pm

mandville wrote:I will add the password tool to the checklist 7 as a suggested ftp security tool
Broomla is a virtual broom for cleaning (scripted) iframe injections in Joomla. It is intended for those who do not have a good backup to restore and who do not know how to manually repair a Joomla 1.5 website compromised by a (scripted) iframe injection FTP Trojan.

It is therefore not an ftp security tool at all. It belongs into recovery or whatever but definitely not in ftp security...Nothing to do with ftp-security I am afraid but appreciate the intension

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Sun Jan 17, 2010 1:40 pm

it was keepass i was talking about - the password reminder tool that helps prevent ftp passwords being stored in the ftp prog.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Sun Jan 17, 2010 1:49 pm

misunderstanding...tnx but it is already mentioned in that I think
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Sun Jan 17, 2010 2:06 pm

yes - just added it today to Local Security
* Don't store user name/password in ftp program
o Use a password manager such as the free keepass
after your comments on it
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

fraz
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Jan 19, 2010 2:09 pm

Re: Malicious Javascript in your site

Post by fraz » Tue Jan 19, 2010 2:39 pm

anybody help me how to use this

Thanks

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Tue Jan 19, 2010 3:23 pm

fraz wrote:anybody help me how to use this
Hello, You might want to explain where you point at? What s the issue, what are your problems , where you need help, what is the error you get, what is your platform......just to mention a few?

Please be good and use http://forum.joomla.org/viewtopic.php?f=428&t=272481 so we know what is your environment and psot detailed info so we can help you?

Cheers

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

srosaman
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Jan 26, 2010 4:26 am

Re: Malicious Javascript in your site

Post by srosaman » Tue Jan 26, 2010 5:06 am

http://www.iss.net/threats/gumblar.html or one of it's variants. Possibly when you used your FTP client, your ftp login details were logged and then used but the virus/trojan.
Hi just thought I would share. I have 24 sites. 16 have been hit with this. Cleaning joomla is bad enough but the whole server was hit so the server admin tools are all corrupt also. Of the 16 sites ALL had Joomla installed somewhere. 4 of the sites were not on my FTP client, no passwords stored on my computer anywhere. The remainder of my sites that were not hit, were listed on the ftp client. So for now I am ruling out the virus ftp thingy.

I changed computers Dec 09 and I have not added some of the affected sites passwords and user id's to my new computer. The old computer has not been in use (fried hard drive). The attacks all happened on the 23rd and 24th of Jan. 2010 on all of my sites.

None of my WP sites were affected. None of my hand coded sites either unless they also contained and instance of joomla 1.5 or 1.0. It did not matter what flavor or version. Three sites were recently upgraded to the latest release. I also have some social networking sites that use elgg. They were not affected unless joomla was there somewhere. So I am thinking it's something to do with Joomla. I am on a designated server not shared service so I am at a loss and just waiting on support to go through the logs. I have joomla installed with php and ftp. Made no difference.

I have been all over the net today and it seems like there is a real uptick in this thing. http://justcoded.com/article/gumblar-fa ... oval-tool/ this site has a removal tool I have used it, the script is called curevir.php but it is somewhat limited because of file permissions, it does work though, if you can work around that it may be good for you.

Note: There have been 109 entries on this subject at justcoded, a lot of them in January 2010 and 39 of them in the last few days. Just sayin...

User avatar
hcdmkr
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Thu Nov 19, 2009 9:40 am

Re: Malicious Javascript in your site

Post by hcdmkr » Sat Jan 30, 2010 8:09 am

These attacks are discussed here as an individual. However, these collective solutions must joomla. If we use this script.

User avatar
paimages
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Thu Aug 18, 2005 2:22 pm
Location: Switzerland
Contact:

Re: Malicious Javascript in your site

Post by paimages » Thu Feb 18, 2010 11:03 am

I read the full post and I would like to share with you our preventing security strategy .

Use the FTP File System Layer
With this mode you don't need directory with the 777 CHMOD

Use a strong .htaccess
Orginal .htacess : http://docs.joomla.org/Preconfigured_.htaccess
We add:

Code: Select all

### Deny access to the .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

### only allow the browser to access index.php
DirectoryIndex index.php

In some case we add a filter again bad-bot : http://www.bg-pro.com/?goto=badbot

Install http:BL Plugin
http:BL System Plugin allows you to verify IP addresses of clients connecting to your website against the Project Honey Pot database. It check whether your visitor is an email harvester, a comment spammer or any other malicious client. Communication with verification server is done via DNS request mechanism. Now, thanks to http:BL System Plugin any potentially harmful clients are denied from accessing your website and therefore abusing it.
http://extensions.joomla.org/extensions ... ccess/2786

Install a monitoring system

We develop JMonitoring. It check the integrity of the main files of joomla like all the index.php (joomla and templates), configuration.php etc...
Checking a list of websites is a complicated task and that is why JMonitoring has been developped.
JMonitoring helps you to keep an eye on every Joomla websites you manage and let you know if they were errors on them or if they have been hacked.
http://extensions.joomla.org/extensions ... urity/9787

Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.

Actually we use it on more than 40 joomla website with good results.
PA
www.inetis.ch - Joomla integrator and member of the Joomla.fr Team

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Mon Feb 22, 2010 3:03 pm

paimages wrote:Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.

Actually we use it on more than 40 joomla website with good results.
PA
#slight off topic but how are you finding the new format feed, is it working for you?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Tue Feb 23, 2010 4:36 am

removing the code does not get to the root of the problem - why/how did it get there in the first place.

warning before running any scripts posted by users, make sure you have a suitable back up of your site.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Tue Feb 23, 2010 4:54 am

on deeper checking of that script you would also need to edit some of the code of the script to match your site.
without more instructions provided by the coder, i would not recommend people who are not familiar with php to use it.
fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.
my advice still is, cleaning the code does not cure the reason it arose
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Tue Feb 23, 2010 8:31 am

mandville wrote: my advice still is, cleaning the code does not cure the reason it arose
Which i definitely support 100%. Prevention is better than seeing the doctor the morning after....

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

fabiomazzo
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue Feb 23, 2010 3:59 am

Re: Malicious Javascript in your site

Post by fabiomazzo » Tue Feb 23, 2010 2:41 pm

My intention was not to promote myself, only developed a solution to my problem and decided to share. Ok Sorry, I think I'm in the wrong community. Bye

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Tue Feb 23, 2010 3:04 pm

fabiomazzo wrote:.
Did you read any of the other comments and suggestion over your script?
fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

fabiomazzo
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue Feb 23, 2010 3:59 am

Re: Malicious Javascript in your site

Post by fabiomazzo » Wed Feb 24, 2010 1:18 pm

I have not mentioned about your comment, but on the edition of my post.
With a little more detailed documentation : http://innoit.com.br/phpantivir

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Wed Feb 24, 2010 2:12 pm

thank you , that will assist those who think they can just upload and run the script and it will solve all their issues.

see this full depth explanation from PhilD
http://forum.joomla.org/viewtopic.php?p ... 0#p2052210
Last edited by mandville on Wed Feb 24, 2010 2:42 pm, edited 1 time in total.
Reason: to clarify that the script is not a "magic fix all script"
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

fabiomazzo
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue Feb 23, 2010 3:59 am

Re: Malicious Javascript in your site

Post by fabiomazzo » Wed Feb 24, 2010 2:29 pm

It's not a solution, not solve a lot of issues, just helps in ONE specific issue. Perhaps, it can help somebody.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Malicious Javascript in your site

Post by leolam » Wed Feb 24, 2010 5:14 pm

Thank you for posting the solution. If it helps even only one single person it will put smiles on your face!!

Cheers! 8)

Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

doreen2k
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Mar 09, 2010 5:46 pm

Re: Malicious Javascript in your site

Post by doreen2k » Tue Mar 09, 2010 5:52 pm

Thanks for the informative post.
I found this great tool to detect malware on your site {self promotion deleted}
Last edited by mandville on Tue Mar 09, 2010 6:58 pm, edited 1 time in total.
Reason: self promotion is against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65

fraz
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Jan 19, 2010 2:09 pm

Re: Malicious Javascript in your site

Post by fraz » Wed Mar 10, 2010 12:13 pm

I got problem during installation any body guide me

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Wed Mar 10, 2010 3:40 pm

what exactly are you having an issue with.? and i deleted your double post
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

rolex678
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu May 06, 2010 2:52 am

Re: Malicious Javascript in your site

Post by rolex678 » Thu May 06, 2010 6:24 am

This type of infection is much more common with the password however. For that reason, you should follow these steps:

1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!

2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1

3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster ... swer=45432
thaks
4. Read the information provided below about this type of viral infection and how to further prevent it.

lrsv5
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Jul 05, 2007 10:53 pm

Re: Malicious Javascript in your site

Post by lrsv5 » Thu May 13, 2010 12:40 am

Only for your information: Last week 05-06-10 and last night 05-12-10, several websites were attacked for this script. All of them are hosted in GoDaddy; Fortunately, there is a function call "Restore" so we could restore files from some days ago and they replace the "hacked" files. I know this is not enough, but at least is a fast (and temporary) solution.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious Javascript in your site

Post by mandville » Thu May 13, 2010 12:54 am

lrsv5 wrote:Only for your information: Last week 05-06-10 and last night 05-12-10, several websites were attacked for this script. All of them are hosted in GoDaddy; .
the godaddy conversation is here http://forum.joomla.org/viewtopic.php?f=432&t=515398
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

voscom
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Mon Mar 22, 2010 1:27 am
Contact:

Re: Malicious Javascript in your site

Post by voscom » Wed Jun 02, 2010 12:23 pm

I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.

Not sure about you, but personally I would not use FTP over an open un-trusted network.
Last edited by mandville on Sat Jun 05, 2010 3:33 pm, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65

meetoo0002
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Sat Jun 05, 2010 3:18 pm

Re: Malicious Javascript in your site

Post by meetoo0002 » Sat Jun 05, 2010 3:28 pm

Oh! I'm reading this article and I think It very good. :laugh:
Last edited by mandville on Sat Jun 05, 2010 3:33 pm, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65


Locked

Return to “Security in Joomla! 1.5”