A single spam link sometime is shown...

Post by ufobm » Mon Jul 21, 2014 3:35 pm

I think my website has been attacked by a spammy link...

I personally saw it only twice, and for this reason it's difficult for me to find the origin of it, like finding a needle in a haystack... In the cache of Joomla there's sometimes this code:

#x#a:4:{s:4:"body";s:28248:"<a href="http://www.themeroulette.com">wordpress themes</a>
I've used JAMSS but I had no evidence of the intrusion... I've scanned the template (that I've created from scratch), but it has no strange code... Joomla is up to date... What can I try? Thank you!
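
Added example, not part of the original thread: one way to search the cache for entries like the one quoted above. It pulls the `body` string out of each serialized entry and lists anchors that point off-site together with their byte offset, since in the quoted entry the link is the very first thing in `body`. The cache directory, the `own_hosts` set and all function names are assumptions; the sample entry is constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample in the shape quoted in the post: the "#x#" marker, then a
# PHP-serialized array whose "body" string holds the cached page. Hosts are made up.
_PAGE = ('<a href="http://spam.example">cheap themes</a>\n'
         '<!DOCTYPE html><html><body><a href="/about">About</a> '
         '<a href="http://www.mysite.example/news">News</a></body></html>')
SAMPLE = ('#x#a:1:{s:4:"body";s:%d:"%s";}' % (len(_PAGE.encode()), _PAGE)).encode()

BODY = re.compile(rb's:4:"body";s:(\d+):"')
HREF = re.compile(rb'<a\b[^>]*?\bhref\s*=\s*["\']?([^"\'\s>]+)', re.I)
MARKUP = re.compile(rb'<!doctype|<html', re.I)


def cached_body(raw: bytes) -> bytes:
    """Return the cached page bytes. PHP's s:N:"..." length counts bytes, so the
    slice is taken by length instead of searching for the closing quote."""
    m = BODY.search(raw)
    if m is None:
        raise ValueError("no serialized body string")
    return raw[m.end():m.end() + int(m.group(1))]


def offsite_links(raw: bytes, own_hosts):
    """List (url, byte offset in body, sits before the page markup) for every
    anchor whose host is not one of own_hosts."""
    body = cached_body(raw)
    doc = MARKUP.search(body)
    found = []
    for m in HREF.finditer(body):
        url = m.group(1).decode("utf-8", "replace")
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:
            host = "?"  # unparseable URL: report it rather than skip it
        if host and host not in own_hosts:
            found.append((url, m.start(), doc is not None and m.start() < doc.start()))
    return found


def scan_cache_dir(cache_dir, own_hosts):
    """Map each cache file that holds an off-site link to its findings."""
    report = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file():
            continue
        try:
            hits = offsite_links(path.read_bytes(), own_hosts)
        except ValueError:
            continue  # not a page-cache entry
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for url, offset, early in offsite_links(SAMPLE, {"www.mysite.example"}):
        print(url, "at byte", offset, "(before page markup)" if early else "")
```

Run it before clearing the cache, since purging removes the entries it reads.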

Post by itoctopus » Mon Jul 21, 2014 4:29 pm

- Check your .htaccess file
- Check your framework.php file
- Check your application.php files
- Search for base64 or eval in your code
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

Post by ufobm » Wed Jul 23, 2014 4:15 pm

itoctopus wrote:
- Check your .htaccess file
- Check your framework.php file
- Check your application.php files

I checked ".htaccess", "includes/application.php" and "includes/framework.php". They are the same as the version downloadable from this website, except for line 45 in framework.php, which has:

JError::setErrorHandling(E_ERROR, 'message', array('JError', 'customErrorPage'));
instead of:

JError::setErrorHandling(E_ERROR, 'callback', array('JError', 'customErrorPage'));
Could this be the problem?
Anyway, where are the other application.php files?

Post by Bernard T » Wed Jul 23, 2014 11:29 pm

It is possible you won't find it since it doesn't need to be present in your local files.
Some code snippet could load remote content to your website. New JAMSS version will also scan for this kind of stuff.

Try searching for something like
"file_get_contents('http://"
"file_get_contents('$_POST"
"file_get_contents('$_GET"
"include('http://"
"require('http://"
...

I hope you get the idea how to make all variants.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
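
Added example, not code from JAMSS or from anyone in the thread: the searches suggested by itoctopus (base64, eval) and in the post above (remote reads and includes), written as regular expressions that tolerate the quoting and spacing variants. Rule names, function names and the sample PHP are constructed for illustration.

```python
import re
from pathlib import Path

# Optional "(", optional quote and any spacing between the call and its
# argument, so include('http://, include "http:// and include( $_GET all match.
ARG = r"""\s*\(?\s*["']?\s*"""
# Argument that is a remote URL or comes straight from the request.
SOURCE = r"(?:(?:https?|ftp)://|\$_(?:GET|POST|REQUEST|COOKIE)\b)"

RULES = {
    # PHP's file reader is spelled file_get_contents().
    "remote-read": re.compile(r"\bfile_get_contents" + ARG + SOURCE, re.I),
    "remote-include": re.compile(r"\b(?:include|require)(?:_once)?" + ARG + SOURCE, re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
}

# Constructed sample, not taken from the site in the thread.
SAMPLE = """<?php
// constructed sample, not taken from the site in the thread
$ok = file_get_contents(JPATH_BASE . '/language/en-GB/en-GB.ini');
$html = file_get_contents( "http://remote.example/links.txt" );
include($_GET['tpl']);
require_once 'http://remote.example/x.php';
$img = base64_encode($data);
eval(base64_decode($blob));
"""


def scan_text(text):
    """Return [(line_number, (rule, ...))]. Lines matching several rules come
    first: a line that both decodes and evaluates is a narrower pattern than
    either word alone, which helps when single-word hits are mostly noise."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        matched = tuple(sorted(name for name, rx in RULES.items() if rx.search(line)))
        if matched:
            hits.append((number, matched))
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def scan_tree(root):
    """Scan every .php file under root; map path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for number, rules in scan_text(SAMPLE):
        print(f"line {number}: {', '.join(rules)}")
```

The match is line by line, so a call split across lines or a URL assembled from variables will not be reported.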

Post by ufobm » Thu Jul 24, 2014 6:53 am

BernardT wrote: New JAMSS version will also scan for this kind of stuff.
Does the version I've downloaded from the pinned topic in this forum already offer this functionality? I downloaded it a couple of days ago.

Post by Bernard T » Thu Jul 24, 2014 10:33 am

No, it's not in the version linked in the pinned topic; it's in the untested version in the 'master' branch.

You could get it here:
https://raw.githubusercontent.com/btopl ... /jamss.php

Post by ufobm » Thu Jul 24, 2014 1:12 pm

Thank you!
The script returns a lot of information, but I can't find any evidence... Anyway the [youtube] is obfuscated... I used it for a while, but now it is no longer downloadable from JED:
http://extensions.joomla.org/extensions ... nnels/3659

Is this plugin suspicious?

Post by ufobm » Thu Jul 24, 2014 1:28 pm

This is my FPA!
Forum Post Assistant (v1.2.4) : 24th July 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: (uid: /gid: ) | Group: (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-431.20.3.el6.x86_64 | Technology: x86_64 | Web Server: Apache/2.4.9 (Unix) mod_fcgid/2.3.9 | Encoding: gzip, deflate | Doc Root: /web/htdocs/www.***.***/home/ | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 25M | Max. POST Size: 30M | Max. Input Time: 60 | Max. Execution Time: 120 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.37-35.1-log (Client:5.1.73) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 16.99 MiB | #of Tables: 92
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.28) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi-fcgi () | imagick (3.1.2) | SourceGuardian (9.5) | ffmpeg (0.6.0-svn) | tidy (2.0) | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | Default (1.0.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_admin (2.5.0) | com_banners (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | com_installer (2.5.0) | JComments (2.3.0) | com_joomlaupdate (2.5.0) | com_languages (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_newsfeeds (2.5.0) | com_phocagallery (3.2.2) | com_plugins (2.5.0) | com_redirect (2.5.0) | com_search (2.5.0) | com_templates (2.5.0) | com_tortags (1.3.5) | com_users (2.5.0) | com_weblinks (2.5.0) | com_xmap (2.3.2) | FlexiContact (6.02) | Akeeba (3.11.3) | COM_COALAWEBSOCIALLINKS (0.1.7) | Ninja RSS Syndicator (2.0.5) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_footer (2.5.0) | JComments Latest (3.0.2) | JComments Latest Commented (1.0) | JComments Most Commented (1.2) | JComments Top Posters (2.3.1) | mod_languages (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_phocagallery_image (3.2.0) | mod_phocagallery_menu (3.2.0) | mod_phocagallery_tree (3.1.2) | mod_random_image (2.5.0) | mod_related_items (2.5.0) | mod_search (2.5.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_tortags_often_clouds (1.3.5) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_whosonline (2.5.0) | mod_wrapper (2.5.0) | Flexi Custom Code (1.3) | Lof ArticlesSlideShow Module (2.2) | AddThis (1.1.5) | MOD_COALAWEBSOCIALLINKS (0.1.7) | Ninja RSS Syndicator (2.0.0) | MOD_COALAWEBLIKEBOX (0.1.7) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_feed (2.5.0) | JComments Latest Backend (2.0) | mod_latest (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_submenu (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_jcomments (1.0) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_phocagallery (3.2.0) | plg_content_phocagalleryslides (3.2.0) | Content - TorTags (1.3.5) | plg_content_vote (2.5.0) | [youtube] Plugin (1.1) | Content - AddThis (1.1.7) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_jcommentsoff (1.0) | plg_editors-xtd_jcommentson (1.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_phocagallery (3.0.1) | plg_editors-xtd_readmore (2.5.0) | Button - TorTags (1.3.5) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | plg_extension_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_tortags (1.3.5) | plg_finder_weblinks (2.5.0) | JComments - AutoSubscribe (2.1) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_jcomments (1.0) | plg_search_newsfeeds (2.5.0) | Search - TorTags (1.3.5) | plg_search_weblinks (2.5.0) | plg_system_cache (2.5.0) | plg_system_debug (2.5.0) | plg_system_highlight (2.5.0) | plg_system_jcomments (1.0) | plg_system_languagecode (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | plg_system_p3p (2.5.0) | plg_system_redirect (2.5.0) | plg_system_remember (2.5.0) | plg_system_sef (2.5.0) | System - TorTags (1.3.5) | plg_system_article_preview (2.5.0) | PLG_CWGEARS (0.0.8) | plg_user_contactcreator (2.5.0) | plg_user_jcomments (1.0) | plg_user_joomla (2.5.0) | plg_user_profile 
(2.5.0) | Xmap - Content Plugin (2.0.4) | Xmap - Kunena Plugin (2.0.3) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - SobiPro Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.1) | Xmap - WebLinks Plugin (2.0.1) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | MYSITENAME (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Post by mandville » Thu Jul 24, 2014 7:35 pm

You are using an out of date and hackable version of Joomla, out of date extensions, and extensions that are known to contain "malicious" code (spam links etc.)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by Bernard T » Thu Jul 24, 2014 7:52 pm

As mandville informed you, there is a lot to upgrade.

And you most probably have an infected installation. Therefore you should follow the http://forum.joomla.org/viewtopic.php?f=621&t=582854 point by point, no shortcuts!

I hope JAMSS helps you identify malicious files (if any).

Post by ufobm » Fri Jul 25, 2014 7:20 am

mandville wrote: you are using an out of date and hackable version of joomla, out of date extensions, and extensions that are known to contain "malicious" code (spam links etc)
Ok, now I see the latest version is .23... But why, if I check for updates in Joomla CP, do I get:
Nessun aggiornamento disponibile

Hai già l'ultima versione di Joomla!, la 2.5.8.
That means:
No updates available.

You already have the latest version of Joomla!, the 2.5.8.
The same for the extensions... And which are the extensions that are known to contain "malicious" code? Here I can't find them:
http://vel.joomla.org/index.php/live-vel

Post by ufobm » Thu Sep 04, 2014 9:30 am

I've updated Joomla but the problem persists... Could you help me investigate the problem? When I clean the cache the spam link disappears for a while... Then it returns.
Forum Post Assistant (v1.2.4) : 4th September 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.24-Stable (Ember) 25-July-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: (uid: /gid: ) | Group: (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-431.20.3.el6.x86_64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Unix) mod_fcgid/2.3.9 | Encoding: gzip, deflate | Doc Root: /web/htdocs/www.xxx.yy/home/ | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 25M | Max. POST Size: 30M | Max. Input Time: 60 | Max. Execution Time: 120 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.37-35.1-log (Client:5.1.73) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 19.93 MiB | #of Tables: 95
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.28) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi-fcgi () | imagick (3.1.2) | SourceGuardian (9.5) | ffmpeg (0.6.0-svn) | tidy (2.0) | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | Default (1.0.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_admin (2.5.0) | com_banners (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | com_installer (2.5.0) | JComments (3.0.4) | com_joomlaupdate (2.5.0) | com_languages (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_newsfeeds (2.5.0) | com_phocagallery (3.2.2) | com_plugins (2.5.0) | com_redirect (2.5.0) | com_search (2.5.0) | com_templates (2.5.0) | com_tortags (1.3.5) | com_users (2.5.0) | com_weblinks (2.5.0) | com_xmap (2.3.2) | FlexiContact (6.02) | Akeeba (3.11.4) | COM_COALAWEBSOCIALLINKS (0.1.7) | Ninja RSS Syndicator (2.0.5) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_footer (2.5.0) | JComments Latest (3.0.4) | JComments Latest Commented (1.1) | JComments Most Commented (1.4) | JComments Top Posters (2.3.2) | mod_languages (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_phocagallery_image (3.2.0) | mod_phocagallery_menu (3.2.0) | mod_phocagallery_tree (3.1.2) | mod_random_image (2.5.0) | mod_related_items (2.5.0) | mod_search (2.5.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_tortags_often_clouds (1.3.5) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_whosonline (2.5.0) | mod_wrapper (2.5.0) | Flexi Custom Code (1.3) | Lof ArticlesSlideShow Module (2.2) | AddThis (1.1.5) | MOD_COALAWEBSOCIALLINKS (0.1.7) | Ninja RSS Syndicator (2.0.0) | MOD_COALAWEBLIKEBOX (0.1.7) | mod_eprivacy (2.14) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_feed (2.5.0) | JComments Latest Backend (2.0) | mod_latest (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_submenu (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_jcomments (1.0) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_phocagallery (3.2.0) | plg_content_phocagalleryslides (3.2.0) | Content - TorTags (1.3.5) | plg_content_vote (2.5.0) | [youtube] Plugin (1.1) | Content - AddThis (1.1.7) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_jcommentsoff (1.0) | plg_editors-xtd_jcommentson (1.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_phocagallery (3.0.1) | plg_editors-xtd_readmore (2.5.0) | Button - TorTags (1.3.5) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | plg_extension_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_tortags (1.3.5) | plg_finder_weblinks (2.5.0) | JComments - AutoSubscribe (2.2.1) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_jcomments (1.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_jcomments (1.0) | plg_search_newsfeeds (2.5.0) | Search - TorTags (1.3.5) | plg_search_weblinks (2.5.0) | plg_system_cache (2.5.0) | plg_system_debug (2.5.0) | plg_system_highlight (2.5.0) | plg_system_jcomments (1.0) | plg_system_languagecode (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | plg_system_p3p (2.5.0) | plg_system_redirect (2.5.0) | plg_system_remember (2.5.0) | plg_system_sef (2.5.0) | System - TorTags (1.3.5) | plg_system_article_preview (2.5.0) | PLG_CWGEARS (0.0.8) | PLG_SYS_EPRIVACY (2.14) | plg_user_contactcreator (2.5.0) | 
plg_user_jcomments (1.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | Xmap - Content Plugin (2.0.4) | Xmap - Kunena Plugin (2.0.3) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - SobiPro Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.1) | Xmap - WebLinks Plugin (2.0.1) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | siteName_Template (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Post by Bernard T » Tue Sep 09, 2014 6:38 pm

If you had followed the checklists to the end, you would have cleaned the Joomla properly.

Post by ufobm » Wed Sep 10, 2014 7:48 am

Bernard T wrote: If you had followed the checklists to the end, you would have cleaned the Joomla properly.
Thank you for the help Bernard. I've already:
- Checked my .htaccess file
- Checked my framework.php file
- Checked my application.php files
- Searched for base64 or eval in my code with JAMSS (but it returns a lot of false positives, so maybe I've missed something)
- Used the FPA
- Updated my Joomla to the latest version
- Updated my Joomla Extensions
- I deleted files in temp and cache

The last thing that remains to do is to remove all the website files and reinstate them, but I would prefer not to do that... I've used WinMerge to check differences in the files I supposed to be more vulnerable.
Anyway the link is shown very few times. I delete the cache and it disappears for weeks...

If you see in the FPA a vulnerable extension please let me know.

Thank you very much again.

