3.1.5 Site infected with malware

Discussion regarding Joomla! 3.x security issues.

someone1
Joomla! Apprentice
Posts: 6
Joined: Fri Jul 12, 2013 1:43 am

3.1.5 Site infected with malware

Post by someone1 » Sun Oct 13, 2013 3:46 pm

leolam,

I am a new Joomla 3.1.5 beginner. I have been hacked, and the most difficult things for me to understand when trying to dehack my site are knowing how to do and/or how to find certain things/files.

What do you mean by this... "Delete all files in your Joomla installation, saving a copy of the configuration.php file."

All of what files in my Joomla installation? To me that sounds like wiping out my entire site.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Site infected with malware

Post by leolam » Sun Oct 13, 2013 3:51 pm

someone1 wrote:
All of what files in my Joomla installation? To me that sounds like wiping out my entire site.

You do not wipe out your entire site. You replace the actual files and folders with clean and proper ones. Simply a matter of reloading the default stuff.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
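
Before replacing the files as described in the post above, it helps to know which ones differ from a clean copy. The script below is an added example, not part of the thread and not a Joomla tool: it assumes the official package for the same Joomla version has been unpacked into a separate directory, and the function names and the `KEEP` list are hypothetical.

```python
#!/usr/bin/env python3
"""Compare a live Joomla tree against a clean extract of the same release."""
import hashlib
import os
import sys

# Site-specific file that exists only in the live tree and must be kept.
KEEP = {"configuration.php"}
# Extensions the web server may execute; extras of this kind need review.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pht")


def file_hashes(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip broken symlinks, sockets
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(site_root, clean_root):
    """Return files that differ from, or do not exist in, the clean release."""
    site, clean = file_hashes(site_root), file_hashes(clean_root)
    extra = sorted(p for p in site if p not in clean and p not in KEEP)
    return {
        # Core file whose content no longer matches the release.
        "modified": sorted(p for p in site
                           if p in clean and site[p] != clean[p]),
        # Executable file the release does not ship (extension or implant).
        "extra_scripts": [p for p in extra if p.lower().endswith(SCRIPT_EXT)],
        "extra_other": [p for p in extra
                        if not p.lower().endswith(SCRIPT_EXT)],
        "missing": sorted(p for p in clean if p not in site),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py <site_root> <clean_release_dir>")
    for kind, paths in compare_trees(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Files belonging to installed third-party extensions will appear under `extra_scripts` because the core package does not contain them; compare those against the extension's own clean package. The release's `installation/` directory normally shows up as `missing` on a configured site.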

someone1
Joomla! Apprentice
Posts: 6
Joined: Fri Jul 12, 2013 1:43 am

Re: Site infected with malware

Post by someone1 » Sun Oct 13, 2013 7:58 pm

Thank you for responding.

I wish it were simple.

I do not seem to have a public_html to put the FPA into.
Attachment: hack.jpg

someone1
Joomla! Apprentice
Posts: 6
Joined: Fri Jul 12, 2013 1:43 am

Re: Site infected with malware

Post by someone1 » Sun Oct 13, 2013 8:21 pm

Ok, I think I have used the FPA correctly. Here are the results.
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 13th October 2013 wrote:
I've only taken my site offline. I do not know how to do it the htaccess method.

Forum Post Assistant (v1.2.3) : 13th October 2013 wrote:

Basic Environment :: wrote:
Joomla! Instance :: Joomla! 3.1.5-Stable (Ember) 01-August-2013
Joomla! Platform :: Joomla Platform 12.2.0-Stable (Neil Armstrong) 21-September-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: snbrown (uid: 1/gid: 1) | Group: pg4727688 (gid: 1) | Valid For: 3.1
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.36-hardened | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/snbrown/homestest.dreamhosters.com | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.13 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 0 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 7M | Max. POST Size: 7M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 90M

MySQL Configuration :: Version: 5.1.56-log (Client:5.0.51a) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 5.69 MiB | #of Tables:  141

Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.13) | date (5.3.13) | ereg () | libxml () | pcre () | sqlite3 (0.7-dev) | filter (0.11.0) | mbstring () | SPL (0.2) | PDO (1.0.4dev) | Reflection ($Id: 522fef1e5100f848a5e2059d98b3a880a3143e9a $) | pdo_sqlite (1.0.1) | hash (1.0) | cgi-fcgi () | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | session () | ftp () | gd () | gettext () | standard (5.3.13) | iconv () | imap () | json (1.2.1) | mcrypt () | mysql (1.0) | mysqli (0.1) | openssl () | pcntl () | pdo_mysql (1.0.2) | posix () | pspell () | exif (1.4 $Id$) | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | suhosin (0.9.32.1) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | zlib (1.1) | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) | WF_LINKS_JOOMLALINKS_TITLE (2.3.3.2) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.3.2) | WF_LINK_SEARCH_TITLE (2.3.3.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.3.2) | WF_POPUPS_WINDOW_TITLE (2.3.3.2) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.3.2) | WF_AGGREGATOR_[youtube]_TITLE (2.3.3.2) | WF_AGGREGATOR_VINE_TITLE (2.3.3.2) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.3.2) | WF_AGGREGATOR_VIMEO_TITLE (2.3.3.2) | WF_CLIPBOARD_TITLE (2.3.3.2) | WF_ANCHOR_TITLE (2.3.3.2) | WF_LAYER_TITLE (2.3.3.2) | WF_TEXTCASE_TITLE (2.3.3.2) | WF_TABLE_TITLE (2.3.3.2) | WF_ARTICLE_TITLE (2.3.3.2) | WF_IMGMANAGER_TITLE (2.3.3.2) | WF_VISUALCHARS_TITLE (2.3.3.2) | WF_PRINT_TITLE (2.3.3.2) | WF_XHTMLXTRAS_TITLE (2.3.3.2) | WF_NONBREAKING_TITLE (2.3.3.2) | WF_PREVIEW_TITLE (2.3.3.2) | WF_CLEANUP_TITLE (2.3.3.2) | WF_AUTOSAVE_TITLE (2.3.3.2) | WF_INLINEPOPUPS_TITLE (2.3.3.2) | WF_MEDIA_TITLE (2.3.3.2) | WF_STYLE_TITLE (2.3.3.2) | WF_BROWSER_TITLE (2.3.3.2) | WF_SPELLCHECKER_TITLE (2.3.3.2) | WF_KITCHENSINK_TITLE (2.3.3.2) | WF_CHARMAP_TITLE (2.3.3.2) | WF_FULLSCREEN_TITLE (2.3.3.2) | WF_VISUALBLOCKS_TITLE (2.3.3.2) | WF_SOURCE_TITLE (2.3.3.2) | WF_LISTS_TITLE (2.3.3.2) | WF_DIRECTIONALITY_TITLE (2.3.3.2) | WF_CONTEXTMENU_TITLE (2.3.3.2) | WF_SEARCHREPLACE_TITLE (2.3.3.2) | WF_LINK_TITLE (2.3.3.2) |
Components :: ADMIN :: Akeeba (3.8.2) | com_joomlaupdate (3.0.0) | mod_kunenamenu (3.0.2) | plg_system_kunena (-) | plg_kunena_joomla (3.0.2) | plg_kunena_gravatar (3.0.2) | plg_kunena_alphauserpoints (3.0.2) | plg_kunena_kunena (3.0.2) | plg_kunena_community (3.0.2) | plg_kunena_finder (3.0.2) | plg_finder_kunena (3.0.2) | plg_kunena_uddeim (3.0.2) | plg_kunena_comprofiler (3.0.2) | com_kunena (3.0.2) | com_newsfeeds (3.0.0) | com_search (3.0.0) | com_login (3.0.0) | com_weblinks (3.0.0) | Contentbuilder (0.9.4 (build ) | ContentBuilder - Submit - Samp (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Themes - Joom (1.0) | ContentBuilder - Themes - Blan (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Themes - Khep (1.0) | ContentBuilder Permission Obse (1.0) | ContentBuilder - Verify (1.0) | ContentBuilder - List Action - (1.0) | ContentBuilder System (1.1) | ContentBuilder - Content - Ima (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Verify - PayP (1.0) | ContentBuilder - List Action - (1.0) | ContentBuilder - Content - Dow (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Verify - Pass (1.0) | ContentBuilder - Content - Rat (1.0) | Gantry (4.1.17) | com_users (3.0.0) | com_plugins (3.0.0) | COM_GCALENDAR (3.1.5) | com_languages (3.0.0) | com_cpanel (3.0.0) | com_menus (3.0.0) | com_templates (3.0.0) | com_cache (3.0.0) | com_tags (3.1.0) | Unknown (-) | Unknown (-) | BreezingForms (1.8.4 Stable ) | com_banners (3.0.0) | com_media (3.0.0) | com_checkin (3.0.0) | com_messages (3.0.0) | com_finder (3.0.0) | com_categories (3.0.0) | com_redirect (3.0.0) | com_installer (3.0.0) | Admintools (2.5.8) | Unknown (-) | JCE (2.3.3.2) | com_modules (3.0.0) | com_config (3.0.0) | com_admin (3.0.0) | com_content (3.0.0) | Quick Logout (1.8.0) |

Modules :: SITE :: mod_banners (3.0.0) | mod_weblinks (3.0.0) | mod_whosonline (3.0.0) | mod_related_items (3.0.0) | mod_finder (3.0.0) | mod_menu (3.0.0) | MOD_GCALENDAR (3.1.5) | mod_articles_category (3.0.0) | mod_random_image (3.0.0) | ContentBuilder - Advanced List (1.5) | MOD_GCALENDAR_UPCOMING (3.1.5) | mod_footer (3.0.0) | mod_syndicate (3.0.0) | mod_articles_latest (3.0.0) | mod_login (3.0.0) | mod_articles_popular (3.0.0) | BreezingForms (1.8) | mod_stats (3.0.0) | mod_tags_similar (3.1.0) | mod_articles_archive (3.0.0) | mod_articles_news (3.0.0) | mod_custom (3.0.0) | mod_wrapper (3.0.0) | MOD_GCALENDAR_NEXT (3.1.5) | Breezing Slide Show (1.0) | mod_search (3.0.0) | mod_languages (3.0.0) | mod_articles_categories (3.0.0) | mod_users_latest (3.0.0) | mod_tags_popular (3.1.0) | RokNavMenu (2.0.5) | mod_feed (3.0.0) | mod_breadcrumbs (3.0.0) | Responsive Slide Show (1.0) |
Modules :: ADMIN :: mod_status (3.0.0) | mod_title (3.0.0) | mod_menu (3.0.0) | mod_logged (3.0.0) | MOD_AKADMIN_TITLE (3.8.2) | mod_multilangstatus (3.0.0) | mod_quickicon (3.0.0) | mod_login (3.0.0) | mod_stats_admin (3.0.0) | mod_custom (3.0.0) | mod_toolbar (3.0.0) | mod_feed (3.0.0) | mod_popular (3.0.0) | mod_version (3.0.0) | mod_latest (3.0.0) | mod_submenu (3.0.0) |

Plugins :: SITE :: ContentBuilder - Verify - PayP (1.0) | ContentBuilder - Verify - Pass (1.0) | plg_kunena_uddeim (3.0.2) | plg_kunena_kunena (3.0.2) | plg_kunena_alphauserpoints (3.0.2) | plg_kunena_gravatar (3.0.2) | plg_kunena_community (3.0.2) | plg_kunena_comprofiler (3.0.2) | plg_kunena_joomla (3.0.2) | plg_quickicon_kunena (3.0.2) | plg_quickicon_akeebabackup (1.0) | plg_quickicon_jcefilebrowser (2.3.3.2) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_user_profile (3.0.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_finder_content (3.0.0) | plg_finder_weblinks (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_categories (3.0.0) | plg_search_content (3.0.0) | plg_search_weblinks (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_gcalendar (3.1.5) | plg_search_categories (3.0.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | ContentBuilder - Verify (1.0) | ContentBuilder - Content - Ima (1.0) | plg_content_finder (3.0.0) | BreezingForms - Content - Down (1.0) | ContentBuilder - Content - Vid (1.1) | plg_gcalendar_next (3.1.5) | ContentBuilder - Content - Rat (1.0) | ContentBuilder - Content - Dow (1.0) | plg_content_vote (3.0.0) | ContentBuilder - Content - Lin (1.1) | plg_content_loadmodule (3.0.0) | plg_content_pagebreak (3.0.0) | BreezingForms - Content - Imag (1.0) | plg_content_emailcloak (3.0.0) | plg_content_pagenavigation (3.0.0) | ContentBuilder Permission Obse (1.0) | BreezingForms (1.8) | plg_content_joomla (3.0.0) | BreezingForms - AddOns - GData (1.0) | ContentBuilder - Submit - Edit (1.1) | ContentBuilder - Submit - Samp (1.0) | plg_system_sef (3.0.0) | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) | plg_system_kunena (3.0.2) | System - Admin Tools Joomla! 
U (1.0) | plg_system_redirect (3.0.0) | plg_system_highlight (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_cache (3.0.0) | System - Admin Tools (2.5.8) | System - Gantry (4.1.17) | System - One Click Action (2.1) | System - RokExtender (2.0.0) | ContentBuilder System (1.1) | System - Admin Tools Update Em (1.0) | plg_system_debug (3.0.0) | PLG_SRP_TITLE (3.8.2) | plg_system_logout (3.0.0) | plg_system_remember (3.0.0) | plg_system_p3p (3.0.0) | plg_system_languagefilter (3.0.0) | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) | plg_system_log (3.0.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Validation - (1.0) | ContentBuilder - Themes - Joom (1.0) | ContentBuilder - Themes - Blan (1.0) | ContentBuilder - Themes - Khep (1.0) | ContentBuilder - Form Elements (1.3) | ContentBuilder - Form Elements (1.2) | ContentBuilder - List Action - (1.0) | ContentBuilder - List Action - (1.0) | plg_editors_jce (2.3.3.2) | plg_editors_codemirror (1.0) | plg_captcha_recaptcha (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_extension_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_joomla (3.0.0) |

Templates Discovered :: wrote:
Templates :: SITE :: beez3 (3.1.0) | gantry (4.1.13) | protostar (1.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |

rltv2011
Joomla! Apprentice
Posts: 36
Joined: Mon Nov 04, 2013 10:00 pm
Location: Quito, Ecuador

Re: Site infected with malware

Post by rltv2011 » Wed Nov 06, 2013 11:33 pm

You can contact your hosting manager, depending on your hosting company and package. If you are able to do this, your manager and the hosting company will remove the malware from your site in just minutes or hours ;)

