Site redirected and infected

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Macbernie
Joomla! Fledgling
Posts: 1
Joined: Thu Jun 27, 2013 9:07 am

Site redirected and infected

Post by Macbernie » Thu Jun 27, 2013 9:24 am

Hi,
I am encountering a problem with my Joomla 1.5.26 site. You'll see the technical information below.
The site is often redirected to a spam website, some files like index.php are modified (`<?php eval(base64_decode('...')` is injected into the first line of the file), .htaccess was too, and new files like LICESNE.php were created...
I installed CrawlProtect to generate a custom .htaccess file and cleaned some files, but the problem comes back regularly. I don't know how I can clean the entire site.
Thanks for your help

Problem Description :: Forum Post Assistant (v1.2.3) : 27th June 2013 wrote:
redirection / malicious code

Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 27th June 2013 wrote:
- Scanning site and remove malicious code
- installing crawlprotect

Forum Post Assistant (v1.2.3) : 27th June 2013 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (644) | Owner: www-mm-preprod (uid: 1/gid: 1) | Group: www (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-bpo.5-amd64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.6-1+lenny16 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.51a-24+lenny5-log (Client:5.0.51a) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 1.21 MiB | #of Tables: 160
Detailed Environment :: wrote:
PHP Extensions :: zip (2.0.0) | xmlwriter (0.1) | libxml () | xml () | wddx () | tokenizer (0.1) | sysvshm () | sysvsem () | sysvmsg () | session () | SimpleXML (0.1) | sockets () | soap () | SPL (0.2) | shmop () | standard (5.2.6-1+lenny16) | Reflection (0.1) | posix () | mime_magic (0.1) | mbstring () | json (1.2.1) | iconv () | hash (1.0) | gettext () | ftp () | filter (0.11.0) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $) | dom (20031129) | dba () | date (5.2.6-1+lenny16) | ctype () | calendar () | bz2 () | bcmath () | zlib (1.1) | pcre () | openssl () | xmlreader (0.1) | cgi-fcgi () | curl () | gd () | mcrypt () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pgsql () | xsl (0.1) | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (777) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: tmp/ (777) |
Extensions Discovered :: wrote:
Components :: SITE :: Gantry (3.1.5) | WF_XHTMLXTRAS_TITLE (2.3.2.4) | WF_NONBREAKING_TITLE (2.3.2.4) | WF_AUTOSAVE_TITLE (2.3.2.4) | WF_IMGMANAGER_TITLE (2.3.2.4) | WF_PRINT_TITLE (2.3.2.4) | WF_LAYER_TITLE (2.3.2.4) | WF_TABLE_TITLE (2.3.2.4) | WF_SOURCE_TITLE (2.3.2.4) | WF_VISUALCHARS_TITLE (2.3.2.4) | WF_DIRECTIONALITY_TITLE (2.3.2.4) | WF_TEXTCASE_TITLE (2.3.2.4) | WF_LINK_TITLE (2.3.2.4) | WF_INLINEPOPUPS_TITLE (2.3.2.4) | WF_CLIPBOARD_TITLE (2.3.2.4) | WF_SEARCHREPLACE_TITLE (2.3.2.4) | WF_ARTICLE_TITLE (2.3.2.4) | WF_PREVIEW_TITLE (2.3.2.4) | WF_SPELLCHECKER_TITLE (2.3.2.4) | WF_MEDIA_TITLE (2.3.2.4) | WF_FULLSCREEN_TITLE (2.3.2.4) | WF_VISUALBLOCKS_TITLE (2.3.2.4) | WF_KITCHENSINK_TITLE (2.3.2.4) | WF_LISTS_TITLE (2.3.2.4) | WF_ANCHOR_TITLE (2.3.2.4) | WF_STYLE_TITLE (2.3.2.4) | WF_CLEANUP_TITLE (2.3.2.4) | WF_CHARMAP_TITLE (2.3.2.4) | WF_BROWSER_TITLE (2.3.2.4) | WF_CONTEXTMENU_TITLE (2.3.2.4) | WF_LINK_SEARCH_TITLE (2.3.2.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.2.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.2.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.2.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.2.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.2.4) | WF_POPUPS_WINDOW_TITLE (2.3.2.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.2.4) | WF_LINKS_JOOMLALINKS_TITLE (2.3.2.4) | MailTo (1.5.0) | User (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: J2XML (1.5.4.73) | Configuration Manager (1.5.0) | RokCandy Bundle (1.3) | Joom!Fish (2.1.5) | Trash (1.0.0) | RokModule (1.2) | Plugin Manager (1.5.0) | AvReloaded (1.2.6) | Banners (1.5.0) | Gantry (3.1.5) | mod_cblogin (-) | plg_system_kunena (-) | AllEvents (-) | Unknown (-) | mod_sobipro_entries (-) | jUpgrade (2.5.11 FR) | Media Manager (1.5.0) | Content Page (1.5.0) | Search (1.5.0) | Mass Mail (1.5.0) | Messaging (1.5.0) | Version Verification Tool (2.0.3) | Weblinks (1.5.0) | JCE (2.3.2.4) | Unknown (-) | JCE (2.3.2.4) | Installation Manager (1.5.0) | Module Manager (1.5.0) | User Manager (1.5.0) | SpecImages (1.1) | Newsfeeds (1.5.0) | RokCandy (1.3) | Frontpage (1.5.0) | Menus Manager (1.5.0) | Cache Manager (1.5.0) | Contact Items (1.0.0) | Control Panel (1.5.0) | RokNavMenu Bundle (2.8) | yos_ammap (1.0.5.6) | AcyMailing Tag : Joomla User I (1.7.2) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Subscriber in (1.7.2) | AcyMailing : (auto)Subscribe d (1.7.2) | AcyMailing : share on social n (1.0.0) | AcyMailing : trigger Joomla Co (1.7.2) | AcyMailing : Statistics Plugin (1.7.2) | AcyMailing Tag : CB User infor (1.7.2) | AcyMailing Tag : content inser (1.7.2) | AcyMailing Tag : Date / Time (1.7.2) | AcyMailing table of contents g (1.0.0) | AcyMailing Module (1.7.2) | AcyMailing Template Class Repl (1.7.2) | AcyMailing Tag : Manage the Su (1.7.2) | AcyMailing Tag : Website links (1.7.2) | AcyMailing (1.7.2) | Template Manager (1.5.0) | Language Manager (1.5.0) | PhocaMaps (1.1.1) | Polls (1.5.0) |

Modules :: SITE :: Login (1.5.0) | Newsflash (1.5.0) | Simple Image Rotator (1.2) | Simple Image Rotator (1.2) | RokAjaxSearch (2.1) | Wrapper (1.0.0) | Footer (1.5.0) | Feed Display (1.5.0) | AllVideos Reloaded (1.2.6) | Random Image (1.5.0) | Latest News (1.5.0) | RokNavMenu (2.8) | Banner (1.5.0) | Who\'s Online (1.0.0) | Poll (1.5.0) | Custom HTML (1.5.0) | Most Read Content (1.5.0) | Sections (1.5.0) | Breadcrumbs (1.5.0) | Menu (1.5.0) | Related Items (1.0.0) | YOS amMap (1.0) | AcyMailing Module (1.7.2) | RokNewsPager (1.7) | Search (1.0.0) | ccNewsletter (1.0.9) | JoomFish-Language Selection (2.1.5) | Archived Content (1.5.0) | RokSlideshow (4.2) | SpecImage (1.1) | Syndicate (1.5.0) | Statistics (1.5.0) |
Modules :: ADMIN :: Popular Items (1.0.0) | Login Form (1.0.0) | Footer (1.0.0) | Feed Display (1.5.0) | Quick Icons (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Admin Menu (1.0.0) | Title (1.0.0) | Custom HTML (1.5.0) | Logged in Users (1.0.0) | Direct Translation (2.1.5) | Online Users (1.0.0) | Unread Items (1.0.0) | Toolbar (1.0.0) | JCE File Browser (2.3.2.4) | Items Stats (1.0.0) | Latest News (1.0.0) |

Plugins :: SITE :: User - Example (1.0) | User - Joomla! (1.5) | Search - Content (1.5) | Search - Sections (1.5) | Search - Newsfeeds (1.5) | Search - Joomfish Weblinks (2.1.5) | Search - Weblinks (1.5) | Search - Joomfish Content (2.1.5) | Search - Joomfish Contacts (2.1.5) | Search - Joomfish Sections (2.1.5) | Search - Contacts (1.5) | Search - Categories (1.5) | Search - Joomfish Categories (2.1.5) | Search - Joomfish Newsfeeds (2.1.5) | Editor - XStandard Lite for Jo (1.0) | Editor - JCE (2.3.2.4) | Editor - TinyMCE 3 (3.2.6) | Editor - RokPad (1.7) | Content - Example (1.0) | Plugin- YOS Ammap (1.0) | Content - Custom Page Title (1.1) | Phoca Maps Plugin (1.1.0) | Content - AllVideos Reloaded (1.2.6) | Content - Code Highlighter (Ge (1.5) | Joomfish Alternative Language (2.1.5) | Content - Load Modules (1.5) | Content - Page Navigation (1.5) | Content - Vote (1.5) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Content - RokBox (1.8) | Button - Readmore (1.5) | Button - AllVideos Reloaded (1.2.6) | Button - Pagebreak (1.5) | Button - RokCandy (1.3) | Button - Image (1.0.0) | Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - OpenID (1.5) | Authentication - LDAP (1.5) | System - SEF (1.5) | System - Debug (1.5) | System - RokCandy (1.3) | Joomfish - Abstraction Layer (2.1.5) | System - AllVideos Reloaded (1.2.6) | AcyMailing : (auto)Subscribe d (1.7.2) | System - Log (1.5) | System - IE8 Compatibility (1.2) | System - Cache (1.5) | System - Mootools Upgrade (1.5) | System - Title Manager (1.0.1) | Joomfish - Basic Router (2.1.5) | System - J2XML (1.5.3.10) | System - Remember Me (1.5) | System - Legacy (1.5) | System - Backlinks (1.5) | System - RokGantry Cache (1.0) | System - RokBox (2.6) | System - RokGZipper (1.11) | Joomfish - Missing Translation (2.1.5) | XML-RPC - J2XML API (1.5.3.8) | XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | RokNavMenu - Boost (2.8) | 
RokNavMenu - Extended Link (2.8) | AcyMailing Tag : content inser (1.7.2) | AcyMailing Tag : Joomla User I (1.7.2) | AcyMailing Template Class Repl (1.7.2) | AcyMailing Manage text (1.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing : share on social n (1.0.0) | AcyMailing : Statistics Plugin (1.7.2) | AcyMailing : trigger Joomla Co (1.7.2) | AcyMailing Tag : Date / Time (1.7.2) | AcyMailing Tag : Manage the Su (1.7.2) | AcyMailing Tag : Subscriber in (1.7.2) | AcyMailing Tag : CB User infor (1.7.2) | AcyMailing Tag : Website links (1.7.2) |
Templates Discovered :: wrote:
Templates :: SITE :: rt_paradox_j15 (1.5.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | beez (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site redirected and infected

Post by mandville » Fri Jun 28, 2013 7:58 pm

Please review and action the security checklist.
Also, you have open folder permissions (777) and out-of-date extensions.
What are the contents of your tmp folders and your .htaccess file?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
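The checks the moderator asks for (777 folders, .htaccess contents) and the indicator from the opening post (an `eval(base64_decode(` first line in PHP files), as an added read-only triage script that is not part of this thread or of any Joomla tool. It assumes a webroot path supplied by the caller; the sample site it builds in a temp directory is constructed to reproduce the symptoms and contains no real malware.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Signature of the injected first line the poster describes: eval(base64_decode('...'))
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")
# .htaccess rules that send visitors to another host; each one deserves a manual look.
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b.*https?://", re.I)

def find_injected_php(root):
    """Relative paths of *.php files whose first line matches INJECT_RE."""
    hits = []
    for path in Path(root).rglob("*.php"):
        with open(path, "rb") as fh:
            if INJECT_RE.search(fh.readline(65536)):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)

def find_world_writable_dirs(root):
    """Relative paths of directories with the 'other' write bit set (e.g. tmp/ at 777)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_dir() and path.stat().st_mode & stat.S_IWOTH:
            hits.append(str(path.relative_to(root)))
    return sorted(hits)

def find_htaccess_redirects(root):
    """(relative .htaccess path, rule) pairs for rules that redirect to another host."""
    hits = []
    for path in Path(root).rglob(".htaccess"):
        for line in path.read_text(errors="replace").splitlines():
            if REDIRECT_RE.search(line):
                hits.append((str(path.relative_to(root)), line.strip()))
    return hits

def build_sample_site(base):
    """Constructed webroot reproducing the thread's symptoms; hostname is a placeholder."""
    root = Path(base)
    (root / "index.php").write_bytes(b"<?php eval(base64_decode('AAAA')); ?>\n<?php echo 1;\n")
    (root / "clean.php").write_bytes(b"<?php\necho 'ok';\n")
    (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/$1 [R,L]\n")
    (root / "tmp").mkdir()
    os.chmod(root / "tmp", 0o777)
    return root

def scan_sample_site():
    """Build the constructed site in a temp dir, run all three checks, return findings."""
    with tempfile.TemporaryDirectory() as d:
        site = build_sample_site(d)
        return {"injected": find_injected_php(site),
                "world_writable": find_world_writable_dirs(site),
                "redirects": find_htaccess_redirects(site)}

if __name__ == "__main__":
    for key, value in scan_sample_site().items():
        print(key, value)
```

Point the three `find_*` functions at the real document root to list what needs manual review; the script changes nothing on disk.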

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Site redirected and infected

Post by Slackervaara » Sat Jun 29, 2013 2:29 pm

It is interesting that you used CrawlProtect, because I have not heard of it before. It would be interesting to get advice from the moderators about this security add-on for Joomla.
http://www.crawltrack.net/crawlprotect/ ... tation.php

