Adsense Ads replaced with malware ads

Discussion regarding Joomla! 2.5 security issues.

Post by JJB » Thu Aug 28, 2014 7:08 pm

Hi Folks,

I really hope someone can help with this.

I was informed yesterday that my Joomla site had malware on it. Granted, this site had run fine for a long time; however, when I checked there was an 'alien' administrator, so obviously the site had been hacked.

I have now removed the rogue user; however, the malware still appears.
From what I can tell, any AdSense code is replaced by these rogue (Flash) malware ads. Can someone please help?

The site is at [url]http://mailboxbirmingham.%20co.uk/[/url]

I have changed and removed templates/themes but the same thing still happens.
Short of rebuilding the site I don't know what to do.


Cheers

JJ
Last edited by mandville on Thu Aug 28, 2014 7:12 pm, edited 2 times in total.
Reason: broke link

Post by jackrabbit » Thu Aug 28, 2014 7:41 pm

The malware has been injected in a core file.
You can just upload the Joomla 3 package and unpack to overwrite all the files. If it exists after that process, you will need to do the same step for the third party extensions in use. Check your htaccess file to see if it is redirecting to any URL.
Last edited by mandville on Thu Aug 28, 2014 8:02 pm, edited 1 time in total.
Reason: signature against forum rules.

Post by JJB » Thu Aug 28, 2014 8:09 pm

Thanks JackRabbit. :)

You will have to help me out here, as I am a bit of a novice. ???

I have been looking at how to upgrade to v3 (from 2.5.24) and it all seems a bit complicated ...... any chance you could give me a step by step guide or point me in the right direction to a simple guide?
OR would it be possible to do it without an upgrade?

ALSO

What sort of thing am I looking for in the htaccess file, and what should I look to change?

Post by jackrabbit » Thu Aug 28, 2014 9:42 pm

Since you are using 2.5.24, do the overwrite with that package. My mistake, I thought I was in the J3 forum. Once the malware is removed, you can upgrade to J3. You should also change all passwords before the process just to be sure that whoever got in will not be there when you are done.

No need to sweat the htaccess if it was never modified. Just overwrite with the one that comes with the Joomla package.
Reset Joomla super user password and username simply | http://cmsenergizer.com/website-energy- ... d-remotely

Post by Bernard T » Fri Aug 29, 2014 4:20 am

If you found an active superuser injected in your system it means there is (or was) a vulnerability in your website, either old Joomla or a 3rd-party extension. You should do a proper cleanup procedure; just replacing existing files with original ones won't do it. Most of the time there are extra files seeded in your website that enable the attacker to have full access anytime they want, so your website can be infected again anytime.

I don't see malware in the place of AdSense right now, so you should also scan your computer(s) with a proper antivirus and antimalware product. Local computer infection could be inserting the malware links also.

  1. Preparation
    • Note which version of Joomla you have. Download the "Joomla Full Install" package for this version. (we will upgrade later)
    • Also note which 3rd party extensions you have installed.
    • Review Vulnerable Extensions List to make sure any 3rd party extension versions used don't appear on the Live Vulnerable list. If they do, note them and don't install them; search for an alternative extension.
    • Download all 3rd party extensions packages only from the developer's website in versions that are currently used. (we will upgrade later)
    • Review and action Security Checklist 7. Ensure you follow all of the steps stated.
  2. Backup and remove all Website Files
    • Save a copy of the configuration.php file to your PC.
    • Delete ALL files in your Joomla installation. This is ONLY the files and directories in the joomla_root/ directory NOT the database!
    • Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Security Checklist 7 contains a list of recommended scanners.
    • Change all passwords and if possible user names for the website host control panel.
    • Change the Joomla database user name and password.
    • Use proper permissions on files and directories.
      • They should never be 777,
      • Use 644 for files and 755 for directories.
      • The configuration.php file can be set to 444 which is read only.
    • Check your .htaccess for any odd code (i.e. code which is not in the standard htaccess.txt supplied as part of the Joomla installation).
    • Check the crontab or Task Scheduler for unexpected jobs/tasks.
    • Ensure you do not have anonymous FTP enabled.
    • Verify individually that any non-Joomla file that will be placed back on the website (such as, but not limited to, images, pdf files, files for download, and other documents and files) are valid and are supposed to be a part of your website.
  3. Install the clean Joomla - the same version you had until now (we will upgrade later)
    • Extract/copy the Joomla files to your FTP root folder
    • Create a NEW database and install without sample data to it
    • Install the 3rd party extensions (including any custom template) to the new Joomla. (That ensures you have the files in place for the 3rd party extensions)
    • Edit the configuration.php file of the new Joomla to connect to your original database. (we installed some moments ago to a new database, you can delete it thereafter)
  4. Update Joomla and extensions
    • Make a backup
    • Update your Joomla to the current stable version
    • Update all extensions of your site to the current version (skip those that you found on Live VEL and don't have appropriate updates)
  5. Reinstate the deleted files
    • Upload any non-Joomla files (images, movies, download documents etc.) that are necessary for your website.
IMPORTANT
Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the back-doors that may have been inserted and hidden in various files and directories.
More detailed information can be found in the Security Checklist 7 link above.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
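
The checks in the cleanup list above (extra files seeded in the site, changed core files, the 644/755 permission rule, and .htaccess lines not in the stock htaccess.txt) can be run as one audit before anything is deleted. This is an added example, not part of the thread or of any Joomla tool; it assumes a clean package of the same version has been extracted locally, and `audit`, `build_sample` and the sample files are hypothetical names constructed for the demonstration.

```python
import filecmp
import stat
import tempfile
from pathlib import Path

def audit(site_root, clean_root):
    """Compare a live tree with an extracted clean package of the same version."""
    site, clean = Path(site_root), Path(clean_root)
    report = {"modified": [], "extra": [], "bad_mode": [], "htaccess_extra": []}
    for path in sorted(p for p in site.rglob("*") if not p.is_symlink()):
        rel = path.relative_to(site).as_posix()
        mode = stat.S_IMODE(path.stat().st_mode)
        # Rule from the post: at most 755 on directories and 644 on files.
        if mode & ~(0o755 if path.is_dir() else 0o644):
            report["bad_mode"].append((rel, oct(mode)))
        if path.is_file() and rel != ".htaccess":
            ref = clean / rel
            if not ref.is_file():
                report["extra"].append(rel)      # not in the package: verify individually
            elif not filecmp.cmp(path, ref, shallow=False):
                report["modified"].append(rel)   # content differs from the package
    # Lines in the live .htaccess that the packaged htaccess.txt does not contain.
    live, stock = site / ".htaccess", clean / "htaccess.txt"
    if live.is_file() and stock.is_file():
        known = {l.strip() for l in stock.read_text(errors="replace").splitlines()}
        lines = (l.strip() for l in live.read_text(errors="replace").splitlines())
        report["htaccess_extra"] = [l for l in lines if l and l not in known]
    return report

def build_sample(tmp):
    """Constructed sample: a clean package tree and a tampered copy of it."""
    clean, site = Path(tmp, "clean"), Path(tmp, "site")
    for root in (clean, site):
        (root / "libraries").mkdir(parents=True)
        (root / "index.php").write_text("<?php // core entry point\n")
        (root / "libraries" / "loader.php").write_text("<?php // core loader\n")
    (clean / "htaccess.txt").write_text("RewriteEngine On\n")
    (site / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^ http://redirect.invalid/ [R]\n")
    (site / "index.php").write_text("<?php // core entry point plus extra line\n")
    (site / "libraries" / "cache.php").write_text("<?php // not in the package\n")
    for p in list(site.rglob("*")):
        p.chmod(0o755 if p.is_dir() else 0o644)
    (site / "libraries").chmod(0o777)
    return site, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_sample(tmp)))
```

On a real site the `extra` list will also contain legitimate files such as configuration.php and uploaded images; those are the files the procedure says to verify individually before they go back on the server.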

