The Joomla! Forum ™



PostPosted: Wed Nov 11, 2009 6:09 am 
Joomla! Apprentice

Joined: Tue Jun 30, 2009 5:39 am
Posts: 49
My site is attacked by the following script:

[edit]
Link references removed
[/edit]

The index.php page under the template folder is infected by this script. If I replace the index page then the site will run. But every day this script is injected into the index.php page.

Please help: how can I get a permanent solution to block this script?

Thanks in advance


PostPosted: Wed Nov 11, 2009 9:06 am 
Joomla! Enthusiast

Joined: Wed Oct 15, 2008 9:18 am
Posts: 208
Location: India - Pune
Hi,
Please check this post; here I have given steps to resolve this problem:
viewtopic.php?f=432&t=411032
Regards
Amit Patekar

_________________
Regards
Amit Patekar
Follow me on twitter @amitpatekar
Or visit http://www.itdesignlab.com


PostPosted: Wed Nov 11, 2009 9:58 am 
Joomla! Apprentice

Joined: Tue Jun 30, 2009 5:39 am
Posts: 49
Thanks for your quick reply. My server is Windows 2003 Server. I have already done those things.

1) I have reloaded the Joomla site once again.
2) I changed my FTP password and also blocked the read/write permission in FTP.
3) I have scanned with Malwarebytes' Anti-Malware.


But still the site was hacked 2 times after reloading the site. Previously all index.php and index.html files were attacked by an iframe. But now only index.php files are infected with this script (mentioned above).

Please help me to block the attack. This is very urgent.


PostPosted: Wed Nov 11, 2009 10:11 am 
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
A running Windows system with an installed anti-* scanner is not a very good idea. (I mean, the scanner won't find all the stuff if Windows is up and running.)

Boot from a clean CD with anti-* tools, and if your server then is clean, then you might be clean.

If the attacker returns all the night:

1) there are still fragments left from the hack
2) the server has a security issue you don't know and thus the attacker can return

_________________
http://www.schrammen.net


Last edited by fw116 on Wed Nov 11, 2009 12:25 pm, edited 1 time in total.

PostPosted: Wed Nov 11, 2009 12:01 pm 
Joomla! Enthusiast

Joined: Wed Oct 15, 2008 9:18 am
Posts: 208
Location: India - Pune
Format your Windows 2003 Server, as there are some files in Windows which, once they get infected, cannot be cleaned by any antivirus, sorry to say that.

_________________
Regards
Amit Patekar
Follow me on twitter @amitpatekar
Or visit http://www.itdesignlab.com


PostPosted: Wed Nov 11, 2009 1:00 pm 
Joomla! Apprentice

Joined: Tue Jun 30, 2009 5:39 am
Posts: 49
Thanks for your suggestion... Hi fw116... Can you please tell me some specific names of anti tools? Because I already ran "Malwarebytes' Anti-Malware" on the server. But it did not work.

I cannot format the server, i.e. it is a live site; I can't stop it for a single day.

If you have other suggestions please guide me....


Thanks


PostPosted: Wed Nov 11, 2009 1:18 pm 
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
ratul_2009 wrote:
Thanks for your suggestion... Hi fw116... Can you please tell me some specific names of anti tools? Because I already ran "Malwarebytes' Anti-Malware" on the server. But it did not work.

I cannot format the server, i.e. it is a live site; I can't stop it for a single day.

If you have other suggestions please guide me....


Thanks


http://ubcd4win.com/

You don't like to hear this, but I would expect that you won't have a choice.

You have to stop that thing and check what's going on... everything else won't help you.

_________________
http://www.schrammen.net


PostPosted: Sun Nov 15, 2009 10:41 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
Agreed, if you don't have a plan that includes your site being down for a day then you don't really have any decent backup plans or plans for downtime.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Nov 15, 2009 10:55 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23361
Location: @Webdongle
There is a possibility that your PC is infected and transfers the infection every time you reinstall the site?

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Mon Nov 16, 2009 5:37 am 
Joomla! Apprentice

Joined: Tue Jun 30, 2009 5:39 am
Posts: 49
Thanks for your reply.... Yes only I replaced the index.php file under template folder and site is running fine. I have checked with "Malwarebytes' Anti-Malware" but no viruses were found on my server machine. So please suggest any good tool which can remove this virus. Server formatting is not possible for me.... so please give me any alternative solution by which I can block this script attack.

Now only index.php under the template folder is infected by the unwanted script, and after the script attack the site is completely down: only the header and footer are shown, and the content of the site is blank.


Thanks in advance


PostPosted: Mon Nov 16, 2009 1:10 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23361
Location: @Webdongle
"Server machine": please explain your definition of "server machine".
Do you mean the PC you use to transfer the files to your server?
Or the server itself?

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Mon Nov 16, 2009 1:47 pm 
Joomla! Apprentice

Joined: Tue Jun 30, 2009 5:39 am
Posts: 49
Server itself..... where I hosted the site... Server configuration is:

OS - Windows 2003
IIS - 6.0


PostPosted: Mon Nov 16, 2009 3:49 pm 
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
ratul_2009 wrote:
Server itself..... where I hosted the site... Server configuration is:

OS - Windows 2003
IIS - 6.0



outsch....

all updates installed, here: IIS 6?

Well, as I said.... you have to take down the server and then check for malware... on a running Windows system it does not make any sense.

_________________
http://www.schrammen.net


PostPosted: Mon Nov 16, 2009 5:33 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
"Yes only I replaced the index.php file under template folder and site is running fine."

In addition to everything that has been said, you have done nothing to remove the backdoors that were likely inserted in various other site files. You will need to at least use a Joomla full install package to overwrite all Joomla core files and check the configuration.php file for stuff that should not be there. By not removing (sometimes well hidden) backdoors you will have a recurring problem.

One way or another you are going to have to have the site down for a period of time in order to fix it. If the site remains live you will eventually be flagged by Google and such anyway as an unsafe site.

It has been suggested that you take the server down and do a virus/malware check on it or wipe the drive and re-image the system (install a clean backup system image) on it and start over. That is probably best if you think the server may be infected.

If you think it is only the website files compromised, then you can do the following at minimum.
Download the zip package and upload it to the website without unpacking the zip file on your local computer. Once the zip file is there in the proper directory, use your server's control panel file manager to unpack the zip, overwriting the core Joomla files, then remove the installation directory the full install created.
Download fresh zip packages of any extensions and templates you use and reinstall them. If any extensions require unpacking a zip file first (some do), then upload this zip package to the server and use the server to unpack the file to a temp directory and point Joomla install (Install from directory) to the directory.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Mon Nov 16, 2009 11:31 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23361
Location: @Webdongle
Have you checked your own PC?

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Tue Nov 17, 2009 10:58 am 
Joomla! Enthusiast

Joined: Wed Oct 15, 2008 9:18 am
Posts: 208
Location: India - Pune
Is there any component or PHP script which will check which files are modified or which files are not the same size as the original Joomla files?
I was using such a script in the past for Joomla 1; not sure if it is there for Joomla 1.5.15.

I think using this we can find out which files are compromised. At least Joomla core files, if not 3rd-party components and modules.

Regards
Amit

_________________
Regards
Amit Patekar
Follow me on twitter @amitpatekar
Or visit http://www.itdesignlab.com


PostPosted: Tue Nov 17, 2009 11:31 am 
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Search for filist.php.


PostPosted: Tue Nov 17, 2009 1:12 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23361
Location: @Webdongle
amitpatekar wrote:
Is there any component or PHP script which will check which files are modified or which files are not the same size as the original Joomla files?
I was using such a script in the past for Joomla 1; not sure if it is there for Joomla 1.5.15.

I think using this we can find out which files are compromised. At least Joomla core files, if not 3rd-party components and modules.

Regards
Amit

http://extensions.joomla.org/extensions/tools/site-management-tools/1734 any help?

Also check your PC for viruses. If your PC is infected it will infect your site every time you transfer files.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Tue Nov 17, 2009 1:38 pm 
Joomla! Guru

Joined: Mon Oct 01, 2007 11:35 am
Posts: 522
Joomla Diagnostics is excellent too but you'll have to have a clean site to make the reference file first.
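
Added example, not part of the original thread and not the code of any tool named in it: the comparison asked about above (which site files differ from the original Joomla files), done by hashing the live site against a clean unpacked copy of the same release. The directory layout, the `WATCHED` set and all function names are assumptions, and the sample trees in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types worth hashing; the thread reports index.php and
# index.html files being altered.
WATCHED = {".php", ".html", ".htm", ".js"}

def hash_tree(root, ignore_prefixes=()):
    """Map relative path -> SHA-256 for every watched file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if (path.is_file() and path.suffix.lower() in WATCHED
                and not rel.startswith(tuple(ignore_prefixes))):
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare(reference_root, live_root, ignore_prefixes=("installation/",)):
    """Diff a live site against a clean package; installation/ is ignored
    because that directory is removed after a normal install."""
    ref = hash_tree(reference_root, ignore_prefixes)
    live = hash_tree(live_root, ignore_prefixes)
    return {
        "modified": sorted(p for p in ref if p in live and ref[p] != live[p]),
        "missing": sorted(p for p in ref if p not in live),
        # Not in the package: configuration.php, extensions, or a planted file.
        "unexpected": sorted(p for p in live if p not in ref),
    }

def demo():
    """Run compare() on two small constructed trees (not real Joomla files)."""
    clean = {"index.php": "<?php // core",
             "templates/demo/index.php": "<?php // tpl",
             "installation/index.php": "<?php // installer"}
    live = {"index.php": "<?php // core",
            "templates/demo/index.php": "<?php // tpl\n<!-- constructed injected line -->",
            "configuration.php": "<?php // site settings",
            "images/x.php": "<?php // constructed unexpected file"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", clean), ("live", live)):
            for rel, body in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return compare(Path(tmp, "clean"), Path(tmp, "live"))

if __name__ == "__main__":
    print(demo())
```

Every path under "unexpected" needs a manual look: configuration.php and installed extensions land there legitimately, and so would a backdoor dropped outside the core files.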


PostPosted: Sat Oct 16, 2010 11:36 pm 
Joomla! Apprentice

Joined: Sun Oct 03, 2010 7:50 pm
Posts: 49
The iframe works on Firefox... in IE7, every time I load the page, the site crashes!!!

The screen freezes... is this normal? Or is there a way to fix it?

thanks


PostPosted: Sun Oct 17, 2010 10:44 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11984
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
See my sticky related to this specific issue: viewtopic.php?f=432&t=411735

Gumblar i.e. is most often inserted through an exploit via FTP as described in the sticky.

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Thu Jul 14, 2011 8:59 am 
Joomla! Fledgling

Joined: Thu Jul 14, 2011 8:52 am
Posts: 2
I had the same problem.. thanks to your thread I overcame it..... great job, guys :)

_________________
Videolan developer!

