Post-installation display issue

[LukeDouglas]

If I click on a admin installation message or go to the Components / Post-Installation Messages, I get a blank page with this:

Code: Select all

Linux+"some-code"[[]] 

I have deleted the administrator/cache folder 'manually' of all files/folders except index.htm and I have replaced the index.htm. Delete browser cache and tried again. I have 'Fixed' the database. No change.

Does anyone know what is causing this and how I can resolve the issue?

[brian]

Based on a quick google of that string your web site has been hackd

[Webdongle]

http://forum.joomla.org/viewtopic.php?f=714&t=757645

[itoctopus]

Which version of Joomla are you running? Can you post the FPA results (the link was provided by Webdongle above)? What I'm really interested in is the version of Joomla.

[LukeDouglas]

3.5.1

[LukeDouglas]

Joomla! Instance :: Joomla! 3.5.1-Stable (Unicorn) 05-April-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: gedazzle (uid: 1/gid: 1) | Group: gedazzle (gid: 1) | Valid For: 3.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-573.22.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/gedazzle/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.5.33 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 24567 | Log Errors To: error_log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.6.29 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 15d5c781cfcad91193dceae1d2cdd127674ddb3e $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 7.60 MiB | #of Tables: 114

PHP Extensions :: Core (5.5.33) | date (5.5.33) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.5.33) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 15d5c781cfcad91193dceae1d2cdd127674ddb3e $) | mysqli (0.1) | mysql (1.0) | Phar (2.0.2) | posix () | pspell () | Reflection ($Id: dc76d2fe0f3e9c327c1d4ca617d94e26c7fae98d $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: ff29fdd0fa0b922fd32e2f5704857dcc8543f628 $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | suhosin (0.9.36) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | SourceGuardian (10.1) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.5.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) | WF_FORMATSELECT_TITLE (2.5.16) | WF_NONBREAKING_TITLE (2.5.16) | WF_LAYER_TITLE (2.5.16) | WF_FILEMANAGER_TITLE (2.1. | WF_SPELLCHECKER_TITLE (2.5.16) | WF_XHTMLXTRAS_TITLE (2.5.16) | WF_CLIPBOARD_TITLE (2.5.16) | WF_INLINEPOPUPS_TITLE (2.5.16) | WF_ARTICLE_TITLE (2.5.16) | WF_FONTSIZESELECT_TITLE (2.5.16) | WF_CONTEXTMENU_TITLE (2.5.16) | WF_BROWSER_TITLE (2.5.16) | WF_TEXTCASE_TITLE (2.5.16) | WF_LISTS_TITLE (2.5.16) | WF_FONTCOLOR_TITLE (2.5.16) | WF_LINK_TITLE (2.5.16) | WF_KITCHENSINK_TITLE (2.5.16) | WF_PREVIEW_TITLE (2.5.16) | WF_HR_TITLE (2.5.16) | WF_VISUALCHARS_TITLE (2.5.16) | WF_FONTSELECT_TITLE (2.5.16) | WF_PRINT_TITLE (2.5.16) | WF_MEDIA_TITLE (2.5.16) | WF_AUTOSAVE_TITLE (2.5.16) | WF_IFRAME_TITLE (2.1.1) | WF_ANCHOR_TITLE (2.5.16) | WF_CLEANUP_TITLE (2.5.16) | WF_IMGMANAGER_EXT_TITLE (2.0.30) | WF_STYLE_TITLE (2.5.16) | WF_SOURCE_TITLE (2.5.16) | WF_SEARCHREPLACE_TITLE (2.5.16) | WF_TABLE_TITLE (2.5.16) | WF_IMGMANAGER_TITLE (2.5.16) | WF_VISUALBLOCKS_TITLE (2.5.16) | WF_CAPTION_TITLE (2.1.11) | WF_CHARMAP_TITLE (2.5.16) | WF_STYLESELECT_TITLE (2.5.16) | WF_MEDIAMANAGER_TITLE (2.0.15) | WF_DIRECTIONALITY_TITLE (2.5.16) | WF_FULLSCREEN_TITLE (2.5.16) | WF_MICRODATA_TITLE (1.0.10) | WF_AGGREGATOR_VIMEO_TITLE (2.5.16) | WF_AGGREGATOR_DAILYMOTION_TITL (2.5.16) | WF_AGGREGATOR_VINE_TITLE (2.5.16) | WF_AGGREGATOR_[youtube]_TITLE (2.5.16) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.5.16) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.16) | WF_LINK_SEARCH_TITLE (2.5.16) | WF_POPUPS_JCEMEDIABOX_TITLE (2.5.16) | WF_POPUPS_WINDOW_TITLE (2.5.16) | WF_POPUPS_ROKBOX_TITLE (2.1.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.5.16) |
Components :: ADMIN :: com_login (3.0.0) | com_joomlaupdate (3.0.0) | com_messages (3.0.0) | Gantry (4.1.31) | com_newsfeeds (3.0.0) | com_templates (3.0.0) | com_config (3.0.0) | COM_SIGPRO (3.1.0) | com_search (3.0.0) | com_banners (3.0.0) | com_postinstall (3.2.0) | com_finder (3.0.0) | com_ajax (3.2.0) | com_weblinks (3.5.0) | com_cpanel (3.0.0) | com_menus (3.0.0) | com_tags (3.1.0) | com_redirect (3.0.0) | Akeeba (4.6.1) | com_checkin (3.0.0) | com_categories (3.0.0) | com_plugins (3.0.0) | com_contenthistory (3.2.0) | com_xmap (2.3.4) | com_languages (3.0.0) | com_content (3.0.0) | COM_ACLMANAGER (2.4.6) | com_admin (3.0.0) | com_users (3.0.0) | com_installer (3.0.0) | com_modules (3.0.0) | RokSprocket (2.1.12) | com_regularlabsmanager (6.0.1) | Unknown (-) | com_cache (3.0.0) | com_media (3.0.0) | Unknown (-) | JCE (2.5.16) |

Modules :: SITE :: RokSprocket Module (2.1.12) | mod_languages (3.0.0) | mod_feed (3.0.0) | mod_random_image (3.0.0) | mod_finder (3.0.0) | mod_wrapper (3.0.0) | mod_articles_category (3.0.0) | mod_articles_archive (3.0.0) | mod_tags_similar (3.1.0) | mod_articles_categories (3.0.0) | mod_custom (3.0.0) | mod_articles_news (3.0.0) | mod_articles_latest (3.0.0) | RokNavMenu (2.0. | mod_footer (3.0.0) | mod_search (3.0.0) | mod_breadcrumbs (3.0.0) | mod_stats (3.0.0) | mod_related_items (3.0.0) | mod_tags_popular (3.1.0) | mod_banners (3.0.0) | mod_syndicate (3.0.0) | mod_articles_popular (3.0.0) | Tabs & Sliders (by JoomlaW (2.0) | mod_menu (3.0.0) | mod_weblinks (3.5.0) | mod_whosonline (3.0.0) | mod_users_latest (3.0.0) | mod_login (3.0.0) |
Modules :: ADMIN :: mod_cachecleaner (5.0.0PRO) | mod_feed (3.0.0) | mod_status (3.0.0) | mod_quickicon (3.0.0) | mod_title (3.0.0) | mod_submenu (3.0.0) | mod_custom (3.0.0) | mod_toolbar (3.0.0) | mod_logged (3.0.0) | mod_latest (3.0.0) | mod_menu (3.0.0) | mod_popular (3.0.0) | mod_stats_admin (3.0.0) | mod_multilangstatus (3.0.0) | mod_version (3.0.0) | mod_login (3.0.0) |

Plugins :: SITE :: plg_quickicon_akeebabackup (1.0) | plg_quickicon_jcefilebrowser (2.5.16) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | Xmap - SobiPro Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.3) | Xmap - WebLinks Plugin (2.0.1) | Xmap - Content Plugin (2.0.4) | XMAP_PLUGIN_K2 (1.3) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - Kunena Plugin (3.0.0) | plg_search_weblinks (3.5.0) | plg_search_contacts (3.0.0) | plg_search_tags (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_categories (3.0.0) | plg_content_emailcloak (3.0.0) | Content - RokInjectModule (1.7) | Simple Picture Slideshow (1.5. | plg_content_loadmodule (3.0.0) | plg_content_geshi (2.5.0) | AllVideos (by JoomlaWorks) (4.7.0) | AllVideos (by JoomlaWorks) (4.7.0) | plg_content_vote (3.0.0) | PLG_CONTENT_ADMIRORCOLUMNIZER (3.5) | plg_content_pagenavigation (3.0.0) | Content - Simple Image Gallery (3.1.0) | plg_content_pagebreak (3.0.0) | plg_content_joomla (3.0.0) | Tabs & Sliders [for articl (3.0.0) | plg_content_finder (3.0.0) | K2 - Simple Image Gallery Pro (3.1.0) | plg_editors_tinymce (4.3.3) | plg_editors_jce (2.5.16) | plg_editors_codemirror (5.12) | plg_captcha_recaptcha (3.4.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_readmore (3.0.0) | Button - Simple Image Gallery (3.1.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_module (3.5.0) | plg_twofactorauth_totp (3.2.0) | plg_twofactorauth_yubikey (3.2.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_finder_weblinks (3.5.0) | plg_finder_contacts (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_content (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_categories (3.0.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_extension_joomla (3.0.0) | plg_system_languagecode (3.0.0) | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) | plg_system_sef (3.0.0) | System - One Click Action (2.1) | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) | plg_system_highlight (3.0.0) | System - Gantry (4.1.31) | plg_system_jce (2.5.16) | plg_system_updatenotification (3.5.0) | plg_system_stats (3.5.0) | System - ACL Manager (2.4.6) | plg_system_p3p (3.0.0) | PLG_SYS_ADMINEXILE (2.3.6) | System - RokCommon (3.2.4) | plg_system_log (3.0.0) | plg_system_regularlabs (16.4.18881) | plg_system_nnframework (16.3.25323) | plg_system_xcalendar (1.5.0) | plg_system_cache (3.0.0) | System - JCE MediaBox (1.2.2) | plg_system_remember (3.0.0) | plg_system_redirect (3.0.0) | plg_system_debug (3.0.0) | plg_system_cachecleaner (5.0.0PRO) | PLG_SYSTEM_AKGEOIP (1.0.6) | System - RokSprocket (2.1.12) | System - RokExtender (2.0.0) | plg_system_logout (3.0.0) | plg_system_languagefilter (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_ldap (3.0.0) |

Templates :: SITE :: gantry (4.1.29) | beez_20 (2.5.0) | protostar (1.0) | beez5 (2.5.0) | beez3 (3.1.0) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | isis (1.0) | hathor (3.0.0) |

[Webdongle]

That's the first step of http://forum.joomla.org/viewtopic.php?f=714&t=757645 . How many of the other steps have you performed ?

[LukeDouglas]

Everything except creating a new Joomla installation and restore the data. I have copied over the most recent Joomla 3.5.1 files, removed the installation file, did a manual comparisons of files to see if there were 'extra' files that were present, found two and removed them after ascertaining that they were indeed hack files.

[LukeDouglas]

Also, I did a scan and found that each template 'index.php' did have nefarious code script inserted which I removed.

[Webdongle]

Also, I did a scan and found that each template 'index.php' did have nefarious code script inserted which I removed.

"Scan all machines with FTP, Joomla super admin, and Joomla admin access " on
http://forum.joomla.org/viewtopic.php?f=714&t=757645 means your computers not the server. There are other steps before that. The next step after running the fpa is deleting all the files from the server.

Here is a summary of http://forum.joomla.org/viewtopic.php?f=714&t=757645
(Before you ask the same question everyone asks. NO there is no short cut ... you need to delete ALL the files from the server)

1. Run the fpa and post the results on here
2. Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
3. Delete all the files from the server
4. Scan your computer and all computers that have server or Joomla admin access
5. Change Passwords
6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have and old version
7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla And run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

You should have original images on your computer. Thumbnails generated by gallery extensions can be re-generated by the Component once you have rebuilt the site files.

[LukeDouglas]

Hmmm...I indicated that I had done all of the steps except created a new site.

As far as deleting all files from the server, that's a no-go. I lease a server and have over 80+ client websites it. I ain't about to delete all the files simply for one website. I 'may' think about re-creating the website if I can't get this issue resolved.

[Webdongle]

Hmmm...I indicated that I had done all of the steps except created a new site

No ... when asked what steps you took your answer indicated that you had missed out some steps.

I worked during the creation of the computer industry so I'm no novice in knowing how to keep my computer clean

But in your OP you asked "Does anyone know what is causing this and how I can resolve the issue?" which 'indicated' that (with all your experience) you still don't know how to fix it. After being directed to the post that gives instructions that will help solve your issue ... you only followed some of the steps. The step you missed out was (arguably) the most important one of deleting the files.

The answer to you question "Does anyone know what is causing this and how I can resolve the issue?" is:
Despite your assertion of "I'm no novice in knowing how to keep my computer clean" ... you still have a hack file (or hack files) on your server
and
Deleting all the files from your server or getting a server security expert to clean your site are your best options.

[itoctopus]

@LukeDouglas

There might be an .htaccess file in a higher directory causing this problem (for example, if the website resides in a subdirectory, then there might be an .htaccess file with hacked content).


We had a case a couple of weeks ago where the cause of the hack was an .htaccess in the upper folder. Check that and post back here if possible.

[Webdongle]

...
There might be an .htaccess file in a higher directory causing this problem (for example, if the website resides in a subdirectory, then there might be an .htaccess file with hacked content)....

If there is then that will not be the source ... it will be something added with the use of the hack files that are still on the server.

...
We had a case a couple of weeks ago where the cause of the hack was an .htaccess in the upper folder. Check that and post back here if possible.

You may have had a hacked ".htaccess in the upper folder" but the hack files used to put it there are still on your server. You run a 2009 version of wordpress on a 2009 version of php and get hacked frequently


@LukeDouglas

The location of files that have been hacked are not the source of the hack nor are they the hack files themselves. The only way to get rid of the hack files is to delete all the files from the server or hire a server security expert.

The code on your server is associated with a wordpress hack ... do you run wp on your server ?

[itoctopus]

@Webdongle - Would you please stop defaming our website? Your post and your behavior are reported.

We have the right of helping others and offering suggestions, if you don't like our suggestions/solutions, then you can bring it up in a civilized way - but please stop falsely defaming our website on completely unrelated posts. I can't see what's wrong with telling the OP to check the .htaccess file in an upper directory, which was the cause of a hack on a 3.5.1 website we fixed a couple of weeks ago.

@LukeDouglas - If possible please report back what you see.

[Webdongle]

... Would you please stop defaming our website? Your post and your behavior are reported.

We have the right of helping others and offering suggestions, if you don't like our suggestions/solutions, then you can bring it up in a civilized way - but please stop falsely defaming our website on completely unrelated posts. ....

I just posted facts. Everything in my previous posts are facts and are on topic

Hack code in .htaccess files are not the source of the hacks they are the result of the hack.
The code Posted by the OP is associated with wordpress ... googling the code shows that.

As for mentioning your website ... you used your site as an example and therefore introduced it into the thread. And by doing so you demonstrated a perfect example of how Hackers keep gaining access to the server.

All on topic ... all facts ... all posted in a civil manor without conclusions. That way the OP (and users viewing this thread) can make their own minds up.

[itoctopus]

@Webdongle When was our website used as an example? I said we fixed a website with a higher directory hacked .htaccess before - and that was a client's Joomla 3.5.1 website. Please explain why you believe our website was mentioned. I have no idea why you have a bone to pick with our website. I am sorry the website is using an old version of PHP and WordPress and I apologize for that. Are you satisfied now?

As for facts, you really believe you are posting facts? Which facts are you talking about? The fact that our website is using WordPress? How is this related? No sir, you are just posting a generic opinion (most of your security answers are generic, by the way, especially that link you post on every security question), and you are confusing your generic opinion with a fact, and then you are blaming the OP for not wiping out his whole website because it's hacked. Really? It's like telling someone infected with a virus to just kill himself in order to get rid of the virus. Most businesses won't even take that route, and guess what, these businesses get their websites fixed without going through this whole mess.

As for insisting that the hack that the OP is experiencing is a WordPress hack - I guess you just copied and pasted the string he's seeing in Google and you saw the first result and then you came to a conclusion that this can be solely associated with WordPress. While this feeble theory may be correct, it is not the only theory. The same hack can infect a WordPress and a Joomla website - but let's think about this, why is the hack infecting a single area of the Joomla website when it's a WordPress hack - seems to me like it's targeting the Joomla website - but hey, you know better, you know everything, right? If you say you googled it and the first link that you saw was WordPress, then it must be WordPress, and all the other theories are wrong.

I know that the hacked .htaccess file is the result of the hack, but fixing it is a step in the right direction.

I am here to help people, and not get stuck in endless arguments with you about our "WordPress Website". If you're here to pick fights, then I suggest you go elsewhere. Please don't defame our website/business again.

Thank you.