The Joomla! Forum ™



Posted: Tue Apr 10, 2012 3:08 pm
Joomla! Apprentice

Joined: Mon Dec 06, 2010 7:01 am
Posts: 11
Hello, my website got hacked.. I saw a c99 shell on my website.. and I removed it immediately.. but even after removing it, when I open my site it says connecting ra-mma.ru. Now can someone please suggest how to remove this code from my site.. I spent years to make this site.. lots of effort.. don't want to lose this site at all. Please suggest what I should do to remove this code


Posted: Tue Apr 10, 2012 3:19 pm
Joomla! Apprentice

Joined: Mon Dec 06, 2010 7:01 am
Posts: 11
Hello, my website got hacked.. I saw a c99 shell on my website.. and I removed it immediately.. but even after removing it, when I open my site it says connecting xxx.ru. Now can someone please suggest how to remove this code from my site.. I spent years to make this site.. lots of effort.. don't want to lose this site at all. Please suggest what I should do to remove this code


Last edited by mandville on Tue Apr 10, 2012 7:13 pm, edited 2 times in total.
Moved topic » from General Questions/New to Joomla! 2.5 / Joomla! 1.7 to Security in Joomla! 2.5 / Joomla! 1.7


Posted: Tue Apr 10, 2012 3:22 pm
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11984
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
This belongs in the security forums of Joomla 2.5, where it is clearly outlined what to do when you are hacked. You might want to have a look at the security checklist and follow the steps as outlined in Chapter 7 of that.

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Posted: Tue Apr 10, 2012 4:50 pm
Joomla! Master

Joined: Thu Aug 18, 2005 8:55 pm
Posts: 18094
Location: Nijmegen, The Netherlands
Do you have a recent back-up of your website?

Steps to take: http://docs.joomla.org/Security_Checklist_7

_________________
Kind Regards,
Peter Martin, Global Moderator - Community Leadership Team
http://www.db8.nl - Joomla specialist, Nijmegen, Nederland
Joomla 2.5 multilanguage in 10 steps: http://www.db8.nl/multilanguage-in-10-steps


Posted: Tue Apr 10, 2012 7:01 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
You are probably a victim of the htaccess hack that is popular right now.
Read the following topic (especially posts by mandville and PhilD) and also perform ALL of the info listed below.
viewtopic.php?f=432&t=705216
You must state what version of Joomla you are using.

[ ] Run the Forum Post Assistant / FPA. Instructions are available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the Security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
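
The file-system items in the checklist above (odd .htaccess code, 777 permissions, backdoors hidden in files) can be run as one read-only pass over the site tree. This is an added example, not part of the thread or of any tool mentioned in it; the function names, the 14-day default window and the rule that a rewrite or redirect directive naming an absolute URL deserves manual review are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a site tree. Nothing is modified;
# every function prints its findings one per line.

# Rewrite/redirect directives in any .htaccess that name an absolute URL.
# Assumption: such a line should be compared by hand against the htaccess
# file shipped with the Joomla release in use.
htaccess_external_targets() {
    find "$1" -type f -name '.htaccess' -exec grep -EHni \
        '^[[:space:]]*(Rewrite(Rule|Cond)|Redirect(Match)?)[[:space:]].*https?://' \
        {} + 2>/dev/null || :
}

# Files or directories writable by every user (777, 666, 757, ...).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# PHP files modified within the last N days (default 14, an arbitrary
# window); compare hits against a fresh copy of Joomla and its extensions.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-14}" -print
}

audit() {
    root=$1
    days=${2:-14}
    echo "== .htaccess directives naming an absolute URL =="
    htaccess_external_targets "$root"
    echo "== world-writable paths =="
    world_writable "$root"
    echo "== PHP files modified in the last $days days =="
    recent_php "$root" "$days"
}

# Run only when a path is given, e.g.: sh audit.sh /path/to/site 30
if [ -n "${1:-}" ]; then
    audit "$@"
fi
```

An empty report does not show the site is clean; replacing all files with fresh copies, as the checklist says, is still the step that removes hidden backdoors.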


Posted: Tue Apr 10, 2012 7:22 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11641
Location: The Girly Side of Joomla in Sussex
[moderator's comment - please do not multi-post / cross-post the same question.]
Topics merged

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Tue Apr 10, 2012 8:44 pm
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 90
Location: Croatia
hashimbaig wrote:
Hello, my website got hacked.. I saw a c99 shell on my website..

Hi hashimbaig!

I have written a small script called JAMSS that scans files for fingerprints of some malware, and it actually should detect some kinds of c99 infections. I'd appreciate it if you could run a scan and let me know if it worked for you... JAMSS direct download

Unfortunately the script still doesn't take any actions yet, so you'll have to do this part on your own. Please follow the steps in PhilD's post, especially the part with Vulnerable Extensions List ...

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


Posted: Tue Apr 10, 2012 10:31 pm
Joomla! Apprentice

Joined: Mon Dec 06, 2010 7:01 am
Posts: 11
I've deleted all the .htaccess files from all Joomla folders.. and added a new .htaccess to root.. so that malware site is not showing when I open my site.. but when I open http://www.mysite.com it's showing.. and if I type just mysite.com it's not showing.. what could be the reason?


Posted: Wed Apr 11, 2012 12:22 pm
Joomla! Explorer

Joined: Sat Aug 13, 2011 6:27 am
Posts: 299
BernardT wrote:
Hi hashimbaig!

I have written a small script called JAMSS that scans files for fingerprints of some malware, and it actually should detect some kinds of c99 infections. I'd appreciate it if you could run a scan and let me know if it worked for you... JAMSS direct download

Unfortunately the script still doesn't take any actions yet, so you'll have to do this part on your own. Please follow the steps in PhilD's post, especially the part with Vulnerable Extensions List ...


Very good news that you created such a tool for us and it can be very important for us in the future. What about creating a separate thread about it and maybe the moderators can make it sticky? Will you add it to JED?


Posted: Wed Apr 11, 2012 12:58 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11641
Location: The Girly Side of Joomla in Sussex
Caution - before wandering off topic:
site scanning tools are not 100% proven.
There is one that is already a sticky: viewtopic.php?f=432&t=590555
I understand that the "jamm" tool is in beta and therefore not suitable for listing on the JED (which doesn't normally list security scanners)

hashimbaig - what is the latest?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Wed Apr 11, 2012 7:45 pm
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 90
Location: Croatia
mandville wrote:
Caution - before wandering off topic:
site scanning tools are not 100% proven.
There is one that is already a sticky: viewtopic.php?f=432&t=590555
I understand that the "jamm" tool is in beta and therefore not suitable for listing on the JED (which doesn't normally list security scanners)

hashimbaig - what is the latest?


Sorry if I was off-topic, I wanted to offer "JAMSS" for testing in this particular case..
Sure, this is an early beta and not suitable for anything but good testing, but it could help someone unaware of an infection which JAMSS can recognize at this moment. When the script matures then I guess I'll pack it into a full-blown component...

I'm also interested in what the status is here... it's significant that only the www. subdomain is infected, so it can be in .htaccess, or maybe template, module, component, content ?? ... without seeing it live it can't be determined...

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


Posted: Wed Apr 11, 2012 9:52 pm
Joomla! Apprentice

Joined: Mon Dec 06, 2010 7:01 am
Posts: 11
It was the cache; once I deleted it, now it's all fine.. thanks all for your support. I'm just trying to figure out what's the weak point in my site.. I've data of around 900gb, too many videos and audios.. I can't back up those.. my PC has a 500gb hard disk.. and I've a very decent speed.. I don't care if I lose the videos, I just don't want to lose the articles and info I added.. how do I know which extension I have is the culprit? If someone can scan my site I can pay for the job.. I've 1 program, Acunetix, it scans for vulnerabilities, but I don't think it does a good job for Joomla


Posted: Wed Apr 11, 2012 10:32 pm
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 90
Location: Croatia
--> Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package ...

... and enable the extensions report in FPA, and post the results...

Did you have the time to test my JAMSS script suggested above?

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


Posted: Fri Apr 13, 2012 10:27 am
Joomla! Apprentice

Joined: Mon Dec 06, 2010 7:01 am
Posts: 11
Thanks BernardT, but someone has suggested that I never run third-party scripts on the site.. it can cause damage.. I will run the FPA and paste the report here.. thanks a ton


Posted: Fri Apr 13, 2012 10:37 am
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 90
Location: Croatia
hashimbaig wrote:
Thanks BernardT, but someone has suggested that I never run third-party scripts on the site.. it can cause damage..


Sure, using or not using is a matter of choice and comfort. My scanner does only reading, no changes are made, but I take no responsibility for its usage whatsoever...

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum

