Wow! You got Malicious Javascript in your site?

Discussion regarding Joomla! 2.5 security issues.

Post by leolam » Wed Jan 02, 2013 4:09 pm

Hi, this originates from a post I entered a few years ago (2009) in the Joomla 1.5 forum which had 70,000 visits. The Security Moderators and I discussed an update of the topic and here you now find the updated version. Please feel free to post any question on these issues to the post. We are all here to help you!

Malicious Code In Your Site!

When you find malicious code in your site it is often a line of javascript inserted into the bottom of almost every .js file on the account that uses character code escapes to make it harder to detect. It is most often also embedded in many of the otherwise blank index.html pages within the sub-directories of your Joomla install. It is often difficult to pinpoint the cause: either a Joomla exploit (iframe) or the violators having the account password.

However, this type of infection is much more common with the password being weak or breached (do not use your birthday, the name of your dog, your kid's name, etc.!!!). For that reason, you are strongly advised to follow these steps:

1. Scan your local computer, the client's computer, and any computer from which you have accessed the account using an up-to-date virus scanner such as http://malwarebytes.org CRITICAL!

2. Update the cPanel/FTP password with a password that is not easily guessable. Use 14 digits and something like ( example (!) ) &G5s#!K-|%H1G^

3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one and review Google's advice (http://support.google.com/webmasters/bi ... wer=163633) CRITICAL! (Note: You can get a Google Webmasters Account at this link: http://www.google.com/webmasters)

4. Read the information provided below about this type of viral infection and how to further prevent it.

What are malicious iframes and what causes them?

Over the years hackers found it hard to trick people into visiting suspicious sites so they're now targeting legit sites and using them to infect unknowing customers. In most cases an FTP account's password is obtained through key logging malware, then legit website files are modified to distribute the malware and gather more passwords. If your PC has been infected with one of these Trojans, your bank account, email accounts, and FTP accounts may no longer be secure. Note that FileZilla stores your password in plain text! Use strongly encrypted passwords with programs like (free) KeePass! http://keepass.info/

What to do if you find malicious iframes on your PC?

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanni ... ?task=load (this is only indicative and not final! These online scanners do make tons of mistakes)
2. Download antivirus and fully scan your PC for malicious files. Here are some free online scanners:
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/ie.html
http://www.kaspersky.com/virusscanner
http://support.f-secure.com/enu/home/ols.shtml
3. Update all passwords that may have been obtained. Do not use old passwords, generate new ones (see above)
4. Upload older versions of the files or contact support for assistance removing the malicious iframes.

Prevention measures

- Ensure you use the latest browser version CRITICAL!
- Disable javascript if possible
- Use Firefox with addon "noscript" (!)
- Download and install some (free) antivirus software, make sure it stays updated CRITICAL!
- Use http://www.avg.com.au/index.cfm?section ... onlinescan to test suspicious links you are given in emails or find online.

Others

BACKUP & DOWNLOAD your site and database! Use either your cPanel features or use https://www.Akeebabackup.com or whatever you use.

Now we often get the question "What extension protects my site?" The answer is simple: NONE. You will need to make sure that your host has its security features optimized (mainly Mod_Security/IPTables Protection/Live upload scanning/suPHP or Mod_Ruid and many more). Then you make sure that YOU (!) do not make the basic mistakes: Folder permissions wrong! Never, ever set folders to anything other than 755 and do not set your files to anything other than 644 (the global config of Joomla will be set automatically to 444). Once again... Some extensions might help you discover vulnerabilities on your server but two key elements make the day or break the day: You & your PC, and your hosting company!

Are you used to visiting warez/filesharing/porn sites? Then use another computer to access your site and make sure you have top-notch protection! Do not underestimate the fact that behind a simple image of the "sun" a whole piece of code can be hidden! Download any zip etc. and scan it before opening the file!

If you are not sure, post a message here! We are all here to assist each other!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
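
Added example, not part of the original post: a small Python check for the two symptoms described above, an escaped line at the bottom of .js files and active content in the otherwise blank index.html files of sub-directories. The marker list, the function names and the sample tree are assumptions made for illustration; matches are leads to review by hand, not proof of infection.

```python
import os
import re
import tempfile

# Heuristic markers of character-code escaping (an assumed list; tune per site).
ESCAPES = re.compile(r"String\.fromCharCode|unescape\s*\(|(?:\\x[0-9a-f]{2}){6,}"
                     r"|(?:%[0-9a-f]{2}){6,}|(?:\\u[0-9a-f]{4}){6,}", re.I)
ACTIVE = re.compile(r"<\s*(script|iframe)\b", re.I)


def scan(root):
    """Return sorted (relative_path, reason) findings for a site tree."""
    out = []
    for top, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if not (low.endswith(".js") or low == "index.html"):
                continue
            path = os.path.join(top, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if low.endswith(".js"):
                # The injected line sits at the bottom of the file.
                if ESCAPES.search(text.rstrip().rsplit("\n", 1)[-1]):
                    out.append((rel, "escaped code on last line"))
            elif top != root and (ACTIVE.search(text) or ESCAPES.search(text)):
                # Directory-guard index.html stubs should hold no active content.
                out.append((rel, "index.html stub has active content"))
    return sorted(out)


def demo():
    """Scan a small constructed tree (sample data, not from a real site)."""
    stub = '<html><body bgcolor="#FFFFFF"></body></html>'
    tree = {"media/lib.js": "var a = 1;\n",
            "media/app.js": "var a = 1;\nvar s = String.fromCharCode(60, 105);\n",
            "media/index.html": stub,
            "cache/index.html": stub + "<script>var x = 1;</script>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, text in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan()` against a downloaded copy of the site rather than the live account, and compare flagged files with a clean backup before restoring them.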
