The Joomla! Forum ™



PostPosted: Sun Mar 18, 2012 8:13 am 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Hi, I recently converted my static html site to Joomla.. I'm on version: 1.5.24

I was looking through my visitor stats, using CPanel, and found "additions" to my urls see below:

Code:
/images/stories/videos/web_show.flv&amp;buffer=http%3A%2F%2Fwww.witchers.net%2Fforum%2Fcache%2Ftemplates%2
/images/stories/videos/web_show.flv&amp;buffer=10&amp;autostart=http%3A%2F%2Fadventure.keuschnig.com%2   
/images/stories/videos/web_show.flv&amp;buffer=http%3A%2F%2Fmarc-rohe.net%2Fkontakt%2Ffiles%2Fsohef%2Fevok
/3d-models.html?start=http%3A%2F%2Fwww.deadlament.de%2Fintern%2Fbilder%2Fbilder_substage_2004%2Fbilder%2Flive%


It seems some of my urls, are being redirected to the german sites above, ie witchers.net, keuschnig.com, deadlament.de?, two of them give a 404 error, one gives a 200..

I've looked at the instructions on what to do if you think your site is hacked etc.. But before I take any drastic measures, I just want to make sure it's necessary..

The site has only been live 1 week.. What is this redirection about?


PostPosted: Sun Mar 18, 2012 11:21 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12389
Location: The Girly Side of Joomla in Sussex
1. your site is out of date, we have been on 1.5.25 for a while
2. are your folder permissions 777?
run the fpa tool and post the results

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Mar 18, 2012 6:12 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Here's the output from the forum post asst:
Forum Post Assistant (v1.2.0) : 18th March 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.24-Stable (senu takaa ama naiki) 17-October-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: giodoc (uid: 32174/gid: 673) | Group: giodoc (gid: 673) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.37-2 | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/giodoc/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.13 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.1.54 (Client:5.1.54) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 298.5 KiB | #of _FPA_TABLE: 39
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.13) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | ming () | ncurses () | posix () | pspell () | readline () | Reflection (0.1) | standard (5.2.13) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | cgi-fcgi () | ew (0.9) | mysql (1.0) | mysqli (0.1) | pgsql () | htscanner (0.6.0) | imap () | soap () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered :: wrote:
Templates :: SITE :: beez (1.0.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | rt_gantry_j15 (3.1.18) | themza_j15_14 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |


No, I'm not running things with 777 permissions: 755 for folders, and I think 644 or 444 for files.

Got in touch with my webhost, who say they can't find any malware on the server.. As I said in the note above, those German URLs are being appended to the end of my URLs, but are giving a 404 error.. This is being done via =http at the end of my URL.. Any help on what this is is much appreciated.


PostPosted: Sun Mar 18, 2012 6:58 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12389
Location: The Girly Side of Joomla in Sussex
Can we see the extensions you're running, as the web_show might be a clue. Which one is the 200 site?



PostPosted: Sun Mar 18, 2012 7:20 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Hi,
I think they are:
1. Aidanews2
2. Spearhead FB btn
3. Sigplus gallery
4. JCE (latest) I did check and its the latest version
5. Rokbox
6. Simple picture slideshow
7. system easycalc check plus
8. System-SEF, for URL redirection
9. JW_all videos

The one that hits a 200 is this one:
Code:
/3d-models.html?start=http%3A%2F%2Fwww.deadlament.de%2Fintern%2Fbilder%2Fbilder_substage_2004%2Fbilder%2Flive%

I've just created the list of extensions manually, is there a way to get an automated list using the diagnostic tool?

-Thanks for taking the time to look into this with me.. :)


PostPosted: Sun Mar 18, 2012 7:36 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12389
Location: The Girly Side of Joomla in Sussex
viewtopic.php?f=432&t=586336
"Select run time options detail level for the report and select the Information Privacy Level of the report (optional). You may leave this information at the defaults if desired, but providing additional information about installed extensions can usually help figure out the issue."



PostPosted: Sun Mar 18, 2012 7:49 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Thanks ok, here's the report with the extensions, plugins and modules:
Forum Post Assistant (v1.2.0) : 18th March 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.24-Stable (senu takaa ama naiki) 17-October-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: giodoc (uid: 32174/gid: 673) | Group: giodoc (gid: 673) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.37-2 | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/giodoc/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.13 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.1.54 (Client:5.1.54) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 298.6 KiB | #of _FPA_TABLE: 39
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.13) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | ming () | ncurses () | posix () | pspell () | readline () | Reflection (0.1) | standard (5.2.13) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | cgi-fcgi () | ew (0.9) | mysql (1.0) | mysqli (0.1) | pgsql () | htscanner (0.6.0) | imap () | soap () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Extensions Discovered :: wrote:
Components :: SITE :: Gantry (3.1.18) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | [youtube] (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | MailTo (1.5.0) | User (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: Banners (1.5.0) | Cache Manager (1.5.0) | Configuration Manager (1.5.0) | Contact Items (1.0.0) | Content Page (1.5.0) | Control Panel (1.5.0) | Frontpage (1.5.0) | Gantry (3.1.18) | Installation Manager (1.5.0) | JCE (2.0.21) | Unknown (-) | Editor - JCE (2.0.21) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Media Manager (1.5.0) | Menus Manager (1.5.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Newsfeeds (1.5.0) | PhocaSEF (1.0.0) | Plugin Manager (1.5.0) | Polls (1.5.0) | RokNavMenu Bundle (3.2) | Search (1.5.0) | Template Manager (1.5.0) | Trash (1.0.0) | User Manager (1.5.0) | Weblinks (1.5.0) |

Modules :: SITE :: AiDaNews (1.1.1) | AiDaNews 2 (2.1.1) | Archived Content (1.5.0) | ARI Cloud Carousel (1.5.13) | Banner (1.5.0) | Breadcrumbs (1.5.0) | Breadcrumbs Advanced (1.5.0) | Custom HTML (1.5.0) | Feed Display (1.5.0) | FL Latest Articles (1.5) | Footer (1.5.0) | Latest News (1.5.0) | Login (1.5.0) | Menu (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Poll (1.5.0) | Random Image (1.5.0) | Random Image Plus (2.4.1) | Related Items (1.0.0) | RokNavMenu (3.2) | Search (1.0.0) | Sections (1.5.0) | sigplus (1.3.4.12) | SlideShow Pro (2.1) | Spearhead Facebook Like Button (3.0) | Statistics (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) |
Modules :: ADMIN :: Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Login Form (1.0.0) | Admin Menu (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Quick Icons (1.0.0) | Items Stats (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Simple Picture Slideshow (1.5.5) | Content - Email Cloaking (1.5) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | AllVideos (by JoomlaWorks) (4.1) | Content - Load Modules (1.5) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Content - RokBox (1.9) | Content - Image gallery - sigp (1.3.4.12) | Content - Vote (1.5) | Editor - JCE (2.0.21) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | RokNavMenu - Boost (3.2) | RokNavMenu - Extended Link (3.2) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Gantry (3.1.18) | System - Legacy (1.5) | System - Log (1.5) | System - Mootools Upgrade (1.5) | System - Remember Me (1.5) | System - RokBox (2.8) | System - SEF (1.5) | System - EasyCalcCheck PLUS (1.5-14-1) | User - Example (1.0) | User - Joomla! (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) |
Templates Discovered :: wrote:
Templates :: SITE :: beez (1.0.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | rt_gantry_j15 (3.1.18) | themza_j15_14 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |


PostPosted: Sun Mar 18, 2012 8:04 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12389
Location: The Girly Side of Joomla in Sussex
messy:ok
jce install looks corrupt due to showing language files, remove and reinstall
all videos plg - out of date
and what is the extension "Unknown (-)"



PostPosted: Sun Mar 18, 2012 8:21 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Ok, thanks I'll do that, I have no idea what the unknown one is...

Sorry about the mess, I'll try and attach some screen grabs from the saved diagnostic page:

Anything else I should do? My host just decoded those URLs, and it seems they are leading back to my site. For example, the 3d-model.html link leads to a page numbered 200, ie page 200 of 2.. Just a blank page of my site?? Same with the web.flv=http links, what is this? I'm attaching that as screen-grab 4C




PostPosted: Sun Mar 18, 2012 8:24 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
here are the other screen grabs




PostPosted: Sun Mar 18, 2012 8:54 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12389
Location: The Girly Side of Joomla in Sussex
beyond following checklist 7 safe route to recovery for sanity sake
I would be very tempted to strip out all your plugins etc. and update them, eg TinyMCE 3 is now on ver 3.5.x; it might also clear that unknown extension.
pop over to jce website for advice on that default language coding issue



PostPosted: Sun Mar 18, 2012 8:59 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Thanks mandeville, I'm currently stripping out those extensions.. Just a little anxious about erasing everything and starting from scratch... :-\


PostPosted: Sun Mar 18, 2012 11:16 pm 
Joomla! Apprentice

Joined: Mon Jul 12, 2010 7:44 am
Posts: 13
Just out of interest, in order to understand things a bit better.. What is this kind of "attack" called, ie when a bot or something appends =http./www.xxxx.com after a SEF URL on a site? And is there a way to prevent this kind of thing happening?
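The pattern quoted in the opening post, a query parameter such as buffer= or start= whose value is a complete URL to an unrelated host, is the classic signature of automated remote file inclusion (RFI) probing: a scanner appends a URL to whatever parameters it finds and watches for a page that fetches it. The replies already give the right remediation (keep the core and every extension current). As an added defensive complement that is not part of the thread and not a Joomla or Forum Post Assistant feature, the Python script below scans Apache combined-format access log lines for parameters whose decoded value is an absolute URL to a host other than the site's own, and tallies the source addresses. The log lines, hostnames and IP addresses are constructed for the example; `own_hosts` and the function names are this example's own choices.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format access log lines (not real traffic; the
# hosts and addresses are documentation names, RFC 2606 / RFC 5737). The first
# two mirror the shape quoted in the opening post: a parameter whose value is
# a full URL pointing at a third-party host.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2012:07:55:01 +0000] "GET /images/stories/videos/web_show.flv&buffer=http%3A%2F%2Fwww.example.net%2Fforum%2Fcache%2F HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2012:07:55:02 +0000] "GET /3d-models.html?start=http%3A%2F%2Fexample.org%2Fintern%2Fbilder%2F HTTP/1.1" 200 8830 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2012:08:01:10 +0000] "GET /3d-models.html?start=20 HTTP/1.1" 200 9102 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2012:08:01:11 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 7712 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2012:08:03:00 +0000] "GET /index.php?redirect=https%3A%2F%2Fwww.example.com%2Flogin HTTP/1.1" 302 0 "-" "curl/7.21"
"""

# Client IP, timestamp, method, request target and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute URL.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def split_target(target):
    """Split a request target into (path, [(name, decoded value), ...]).

    Scanner traffic often glues parameters onto a path with '&' and no '?',
    and HTML-rendered stats pages show '&' as '&amp;'; both are tolerated.
    """
    target = html.unescape(target)
    m = re.search(r'[?&]', target)
    if not m:
        return target, []
    path, query = target[:m.start()], target[m.start() + 1:]
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((name, unquote(value)))
    return path, pairs


def find_url_parameters(log_text, own_hosts):
    """Return one finding per query parameter whose decoded value is an
    absolute URL to a host outside own_hosts (the site's own hostnames)."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, pairs = split_target(m.group('target'))
        for name, value in pairs:
            if not URL_VALUE_RE.match(value):
                continue
            host = (urlsplit(value).hostname or '').lower()
            if host in own:
                continue  # a link back to the site itself is not a probe
            findings.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'path': path,
                'param': name,
                'url': value,
                'host': host,
                'status': int(m.group('status')),
            })
    return findings


def count_by_source(findings):
    """Tally findings per client IP, most active first."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == '__main__':
    hits = find_url_parameters(SAMPLE_LOG, own_hosts={'www.example.com'})
    for f in hits:
        print(f"{f['time']} {f['ip']} {f['status']} {f['path']} {f['param']}={f['url']}")
    for ip, n in count_by_source(hits):
        print(f'{ip}: {n} request(s) carrying an external URL')
```

Run it against the real access log instead of SAMPLE_LOG and put the site's own hostnames in `own_hosts`. A 404 on the original path means the request never reached application code, so those hits are noise; a 200, like the thread's 3d-models.html hit where Joomla apparently treated start= as an ordinary list offset, means the value was consumed and is worth checking against what that component does with it. The per-address tally is the input for blocking or rate-limiting at the host. One caveat visible in the FPA output above: it reports Register Globals: 1 on PHP 5.2.13, and register_globals is exactly the setting that made URL-in-parameter probes dangerous on older PHP, so turning it off in php.ini is a sensible hardening step (php_flag in .htaccess does not apply when PHP runs as CGI, as this report shows).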

