New Joomla Site potentially hacked with russian text

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

jchristian
Joomla! Apprentice
Posts: 6
Joined: Fri Nov 22, 2013 2:12 pm

New Joomla Site potentially hacked with russian text

Post by jchristian » Fri Nov 22, 2013 2:34 pm

Hello,
First, I should say I am not a developer or a person who is uber sharp on Joomla. I'm new to the software, as someone has recently put together a website for us using the software. Anyway, our site used to register highly in Google for a particular search string related to our core business. Today we have been shunted to the second page. With our new Joomla site we did remain at a high rank for a few months after publishing, but suddenly in the past few months have suffered worse results. In order to understand why Google suddenly punished us, I started poking around. Something very odd I quickly noticed was that when I searched for a particular page on our site, I got the results, but in the meta description in the search results (I only assumed that was what it was) was some Russian text.

This was the text that appeared in Google. The Russian is the unknown:

Karisia Walking Safari - Tumaren Camel Safari
http://www.karisia.com/home/root/walkin ... el-safari‎
3 Night Tumaren Walking Safari. поздравления с новорожденным. Kids: Excellent; Difficulty: Easy; Wildlife: Excellent; Landscapes: Excellent; See This trip on ...

I showed my web developer, who blamed the host (modwest.com). I then contacted the host, who blamed the developer. How shall I proceed to diagnose this problem? Many thanks for your ideas.
Cheers, Jamie

duyet
Joomla! Guru
Posts: 935
Joined: Wed Sep 21, 2011 8:21 pm
Location: on earth

Re: New Joomla Site potentially hacked with russian text

Post by duyet » Fri Nov 22, 2013 3:07 pm

I think this is a template problem. The template was downloaded from somewhere and contains backlinks to the template developer's (bad) sites. This is quite common for those free templates out there. You have to go through all the PHP files in your template dir and search for "s_shap"; this is where the links are set:

Code:

<div id="s_shap">
<a title="поздравления с новорожденным" target="_blank" href="http://likefunny.org">поздравления с новорожденным</a>
</div>

But you probably won't find them. Usually those are well hidden within a base64_decode() function. If you find them, they can be removed; make sure to back up the file(s) first before changing anything, since it might break your site.

Search this forum for more info on backlinks in free templates.

Good luck

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: New Joomla Site potentially hacked with russian text

Post by mandville » Fri Nov 22, 2013 3:17 pm

Suggestions:
Run and post the FPA so we can see more of the site details.
Speak to the developer and ask them for the original copies of the template to check and reinstall.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

jchristian
Joomla! Apprentice
Posts: 6
Joined: Fri Nov 22, 2013 2:12 pm

Re: New Joomla Site potentially hacked with russian text

Post by jchristian » Fri Nov 22, 2013 6:13 pm

Duyet, many thanks. Will ask my developer to look into the template. Mandville, excuse my ignorance (I'm just a safari guide), what is an FPA?

jchristian
Joomla! Apprentice
Posts: 6
Joined: Fri Nov 22, 2013 2:12 pm

Re: New Joomla Site potentially hacked with russian text

Post by jchristian » Fri Nov 22, 2013 8:38 pm

Also, here is what Modwest, my host, had to say:

Hi James,

I am still investigating, though did find what appears to be some form
of malicious code on the page we spoke of over the phone:

http://www.karisia.com/home/root/walkin ... mel-safari

The code I found is a basic link, though hidden, and to a Russian website:

<a href="http://likefunny.org" target="_blank" title="поздравления с
новорожденным">поздравления с новорожденным</a>

I found this by viewing the source of the karisia.com page linked above,
in my browser (just right-click on the page, and select "view page
source"), and then searched on that source page for the Russian that
appeared in that Google search result. I haven't yet identified where
this code is specifically located, and am still digging.

Regarding SSL, this isn't really a factor, as SSL certificates are used
to encrypt and secure the transfer of sensitive data (such as credit
card numbers, etc) between users. However, there are quite a few
security-related Joomla plugins that may help in further securing your
installation.

I'll spend a bit more time investigating this, to see if I can track
down any compromised files, and will be in touch as soon as possible
with an update.

Thank you!

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: New Joomla Site potentially hacked with russian text

Post by mandville » Sat Nov 23, 2013 12:29 am

This is the FPA - http://forum.joomla.org/viewtopic.php?f=621&t=582860
It is a site diagnostic tool that will help track down issues, but it won't normally say how your site got its dodgy links.

duyet
Joomla! Guru
Posts: 935
Joined: Wed Sep 21, 2011 8:21 pm
Location: on earth

Re: New Joomla Site potentially hacked with russian text

Post by duyet » Sat Nov 23, 2013 7:19 am

I don't think the FPA will help in finding the hidden links.

Not sure if you know, but there are 2 links on your page: one near the "3 Night Tumaren Walking Safari" as mentioned above, and the other one near "6 Night Permanent Camp Walking Safari":

Code:

<div id="s_shap">
<a title="Охранные системы - Каталог товаров" target="_blank" href="http://megashop24.net">Охранные системы - Каталог товаров</a>
</div>

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: New Joomla Site potentially hacked with russian text

Post by mandville » Sat Nov 23, 2013 11:37 pm

As stated, the FPA may assist in seeing more info about your site that may be the cause of your link spam. Tell us what your template supplier has said about the code in their templates. Ask for the original copies so they can be compared.

chiao
Joomla! Fledgling
Posts: 1
Joined: Mon Jan 27, 2014 3:47 pm

Re: New Joomla Site potentially hacked with russian text

Post by chiao » Mon Jan 27, 2014 4:04 pm

Hi, jchristian

I hope you already solved the problem.

If not yet, perhaps you might want to refer to this article
http://forum.joomla.org/viewtopic.php?f=618&t=726187

I had the exact same problem on my template, a Yootheme template. I found it here: templates\yoo_glass\warp\systems\joomla\layouts\com_content\article. Open 'default.php' and look for code like this:

Code:

<?php
$ytji = 'PGRpdiBpZD0ieDQo9GE040L3RgtC10YDQvtCyINC4INCc0KTQozwvZGl2Pg==';
echo base64_decode($ytji);?>

You have to remove all of them, and check your HTML output.
Good luck!
Last edited by mandville on Mon Jan 27, 2014 9:25 pm, edited 1 time in total.
Reason: trimmed code,

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: New Joomla Site potentially hacked with russian text

Post by mandville » Mon Jan 27, 2014 9:32 pm

chiao - disregarding posting in an old topic for the moment, what did yoo' say when you told them that a template you got from them had hacking code in it?

izzatasat
Joomla! Fledgling
Posts: 1
Joined: Thu Jul 21, 2016 4:37 pm

Re: New Joomla Site potentially hacked with russian text

Post by izzatasat » Thu Jul 21, 2016 5:06 pm

Found the same bug while doing SEO on my client's site.

<?php $fml='PGRpdiBpZD0ieWotc24iPjxhIGhyZWY9Imh0dHA6Ly9saWtlZnVubnkub3JnLyIgdGFyZ2V0PSJfYmxhbmsiIHRpdGxlPSLQv9GA0LjQutC+0LXQvdGMINGA0L7QttC00LXQvdC40Y88L2E+PC9kaXY+'; echo base64_decode($fml);?>

How to find and remove?

1. Open Dreamweaver
2. From the top menu click Edit > Find and Replace (Mac "Command + F" and Windows "Control + F")
3. Choose Find in: Folder > [Your Joomla Template]
4. Copy and paste into the "Find" section: base64_decode, then click "Find all"
5. Open all files (I've got default.php and item.php)
6. Remove the entire PHP code:
<?php $fml='PGRpdiBpZD0ieWotc24iPjxhIGhyZWY9Imh0dHA6Ly9saWtlZnVubnkub3JnLyIgdGFyZ2V0PSJfYmxhbmsiIHRpdGxlPSLQv9GA0LjQutCRgNC40LrQvtC70YzQvdGL0LUg0YLQvtGB0YLRiyDQvdCwINC00LXQvdGMINGA0L7QttC00LXQvdC40Y88L2E+PC9kaXY+'; echo base64_decode($fml);?>
7. Save the files and upload them back to the server
8. Afterwards, check again whether you have left anything.
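
Added example (not part of any post in this thread): a Python sketch that automates the search described above. It walks a template directory, looks only at PHP files that call base64_decode, decodes every base64-looking string literal, and reports any that hide an `<a href>`. The function names, the sample files and the domain spam.example.invalid are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{24,}={0,2})\1""")  # quoted base64-only literal
HREF = re.compile(r"""<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)""", re.I)

def decode_links(literal):
    """Return hrefs hidden in a base64 literal, or None if it is not decodable text."""
    try:
        raw = base64.b64decode(literal, validate=True)
        return HREF.findall(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        return None

def scan_template(root):
    """Return (relative path, line number, hrefs) for each suspicious literal."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if "base64_decode" not in text:
            continue  # a literal only matters if something in the file decodes it
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(text.splitlines(), 1):
            for _, literal in B64_LITERAL.findall(line):
                hrefs = decode_links(literal)
                if hrefs is None:
                    hrefs = ["<undecodable>"]  # e.g. truncated blob: review by hand
                if hrefs:
                    findings.append((rel, lineno, hrefs))
    return findings

def build_sample(root):
    """Constructed sample template: one clean file, one with an injected backlink."""
    html = '<div id="x"><a href="http://spam.example.invalid/" target="_blank">link</a></div>'
    blob = base64.b64encode(html.encode()).decode()
    layout = Path(root, "layouts", "com_content", "article")
    layout.mkdir(parents=True)
    (layout / "default.php").write_text(
        "<?php\n$v = '%s';\necho base64_decode($v);?>\n" % blob, encoding="utf-8")
    Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, lineno, hrefs in scan_template(tmp):
            print(f"{path}:{lineno}: hidden link(s) -> {', '.join(hrefs)}")
```

Run it against a backup copy of the template directory, and compare any flagged file with the original copy from the template supplier before deleting anything.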

