Malicious HTML code

Discussion regarding Joomla! 3.x security issues.

Mindgem
Joomla! Intern
Posts: 53
Joined: Sat Jan 09, 2010 9:38 am

Malicious HTML code

Post by Mindgem » Sat Jul 12, 2014 8:53 pm

I noticed some malicious HTML code after my body tag:

Code:

<body class="tm-sidebar-b-right tm-sidebars-1 tm-isblog"> <div id="jcgmvy"><a href="urlofspamsite" target="_blank">loco panda review</a>
And so on...

I can't seem to find the source of this. What I've done:

- Looked at the modules, but no changes
- Downloaded public_html folder and did a find and replace search with Dreamweaver on it (part of text above, base_64decode)
- Changed my default theme
- Downloaded SQL database and searched for part of string
- Uploaded parts of the original Joomla 3.3.1 source files

All came up with nothing. Any ideas?
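
One way to narrow such a search, as an added example that is not part of the original thread: compare the downloaded public_html copy against a clean package of the same Joomla version, and flag changed or extra code files that contain calls commonly used to hide a payload, since a literal search for the visible spam text can miss code that is stored encoded. The function names, the indicator list and the two directory arguments are assumptions made for this example.

```python
import hashlib
import re
import sys
from pathlib import Path

# Calls that injected PHP commonly uses to hide a payload at rest. This list is
# a heuristic chosen for this example; legitimate code can match it too.
INDICATORS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE)
CODE_SUFFIXES = {".php", ".phtml", ".js"}


def is_code(rel_path):
    p = Path(rel_path)
    return p.suffix.lower() in CODE_SUFFIXES or p.name == ".htaccess"


def index_tree(root):
    """Map relative path -> SHA-256 for every file below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(site_root, clean_root):
    """Compare a site copy with a clean package of the same version.

    Returns (modified, extra, flagged):
      modified: files present in both trees whose content differs
      extra:    code files that exist only in the site copy
      flagged:  modified or extra code files that match INDICATORS
    """
    site, clean = index_tree(site_root), index_tree(clean_root)
    modified = sorted(f for f in site if f in clean and site[f] != clean[f])
    extra = sorted(f for f in site if f not in clean and is_code(f))
    flagged = sorted(
        f for f in set(modified + extra)
        if is_code(f) and INDICATORS.search((Path(site_root) / f).read_bytes()))
    return modified, extra, flagged


if __name__ == "__main__":
    # Usage: python audit.py <downloaded public_html> <unpacked clean Joomla package>
    modified, extra, flagged = audit(sys.argv[1], sys.argv[2])
    for label, files in (("MODIFIED", modified), ("EXTRA", extra), ("FLAGGED", flagged)):
        for f in files:
            print(f"{label}\t{f}")
```

Third-party extensions, templates and configuration.php are listed as extra because they are not in the core package; check those against their own clean downloads.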

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Malicious HTML code

Post by itoctopus » Sun Jul 13, 2014 2:47 am

- Have you checked your .htaccess file for something unnatural?
- Have you disabled JavaScript on your browser to see if the problem still exists?
- Have you checked the index.php file under your main template folder? (I know you have changed themes, but it could be anywhere)
- Have you cleared your Joomla cache (all the cache)?
- Have you tried disabling all the non-official plugins?
- Have you checked the application.php and the framework.php files?

There are many other things that you can do, but the above are the most important.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter


Re: Malicious HTML code

Post by Mindgem » Sun Jul 13, 2014 7:52 am

- Have you checked your .htaccess file for something unnatural?

Checked but nothing unnatural other than my own changes

- Have you disabled JavaScript on your browser to see if the problem still exists?

Checked. Problem still exists. The hidden malicious HTML now produces a link at the top of my site. Could not paste the javascript at the end of the HTML here in the code from my first post.

- Have you checked the index.php file under your main template folder? (I know you have changed themes, but it could be anywhere)

Yes. I installed a new theme yesterday to check this. Also checked the index.php from my original theme but nothing to see.

- Have you cleared your Joomla cache (all the cache)?

Yes. I did it first through Joomla and through FTP later. I have switched caching off.

- Have you tried disabling all the non-official plugins?

Did this now. Don't have that many non-official plugins installed. Advanced module manager is one and some Yootheme Zoo stuff. No luck.

- Have you checked the application.php and the framework.php files?

I've overwritten most of the Joomla core files with a clean download of 3.3.1. Complete libraries, plugins, components, includes, layouts folders.

Any more suggestions?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malicious HTML code

Post by mandville » Sun Jul 13, 2014 8:23 am

Run and post the fpa
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Malicious HTML code

Post by Mindgem » Sun Jul 13, 2014 8:45 am

Forum Post Assistant (v1.2.4) : 13th July 2014 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 3.3.1-Stable (Ember) 11-June-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: site30 (uid: 1/gid: 1) | Group: site30 (gid: 1) | Valid For: 3.3
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-458.18.1.lve1.2.39.el6.x86_64 | Technology: x86_64 | Web Server: Apache/2 | Encoding: gzip, deflate | Doc Root: /home/site30/domains/mywebsite.nl/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.29 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /home/site30/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php54/lib/ | Uploads: 1 | Max. Upload Size: 96M | Max. POST Size: 96M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 4G

MySQL Configuration :: Version: 5.6.19 (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 14.30 MiB | #of Tables: 95
Detailed Environment ::
PHP Extensions :: Core (5.4.29) | date (5.4.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.4.29) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | mysqli (0.1) | mysql (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | htscanner (1.0.1) | mhash () | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: com_wrapper (3.0.0) | com_mailto (3.0.0) | WF_LINK_SEARCH_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_ARTICLE_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_AUTOSAVE_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_ANCHOR_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) |
Components :: ADMIN :: com_templates (3.0.0) | com_postinstall (3.2.0) | com_categories (3.0.0) | com_content (3.0.0) | com_finder (3.0.0) | com_login (3.0.0) | com_advancedmodules (4.16.2FREE) | Widgetkit (1.4.8) | com_users (3.0.0) | com_tags (3.1.0) | JMap (2.0.2) | com_languages (3.0.0) | com_banners (3.0.0) | com_installer (3.0.0) | com_contenthistory (3.2.0) | com_config (3.0.0) | com_media (3.0.0) | com_checkin (3.0.0) | com_newsfeeds (3.0.0) | Unknown (-) | JCE (2.3.4.4) | com_plugins (3.0.0) | com_joomlaupdate (3.0.0) | com_search (3.0.0) | com_admin (3.0.0) | com_ajax (3.2.0) | com_cpanel (3.0.0) | com_menus (3.0.0) | com_zoo (3.1.6) | com_modules (3.0.0) | com_weblinks (3.0.0) | com_redirect (3.0.0) | com_messages (3.0.0) | com_cache (3.0.0) |

Modules :: SITE :: mod_custom (3.0.0) | Nice Social Bookmark (3.0.2) | mod_menu (3.0.0) | mod_feed (3.0.0) | mod_wrapper (3.0.0) | mod_tags_popular (3.1.0) | mod_articles_categories (3.0.0) | mod_whosonline (3.0.0) | ZOO Comment (3.0.0) | mod_articles_news (3.0.0) | ZOO Category (3.0.0) | mod_related_items (3.0.0) | mod_articles_latest (3.0.0) | mod_articles_popular (3.0.0) | Widgetkit Twitter (1.0.0) | mod_finder (3.0.0) | mod_login (3.0.0) | mod_weblinks (3.0.0) | Widgetkit (1.0.0) | mod_tags_similar (3.1.0) | mod_syndicate (3.0.0) | mod_languages (3.0.0) | mod_footer (3.0.0) | mod_search (3.0.0) | ZOO Tag (3.0.0) | mod_random_image (3.0.0) | mod_articles_category (3.0.0) | mod_stats (3.0.0) | mod_banners (3.0.0) | mod_breadcrumbs (3.0.0) | ZOO Item (3.0.1) | mod_articles_archive (3.0.0) | mod_users_latest (3.0.0) |
Modules :: ADMIN :: mod_title (3.0.0) | mod_custom (3.0.0) | mod_menu (3.0.0) | mod_feed (3.0.0) | mod_popular (3.0.0) | mod_latest (3.0.0) | mod_stats_admin (3.0.0) | mod_logged (3.0.0) | mod_login (3.0.0) | mod_quickicon (3.0.0) | mod_version (3.0.0) | mod_multilangstatus (3.0.0) | mod_status (3.0.0) | mod_submenu (3.0.0) | ZOO Quick Icons (3.0.0) | mod_toolbar (3.0.0) |

Plugins :: SITE :: plg_content_vote (3.0.0) | Content - Widgetkit (1.0.0) | Content - ZOO Shortcode (3.0.0) | plg_content_finder (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_joomla (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_categories (3.0.0) | plg_search_tags (3.0.0) | plg_search_contacts (3.0.0) | Search - ZOO (3.0.0) | plg_search_weblinks (3.0.0) | plg_captcha_recaptcha (3.0.0) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) | plg_extension_joomla (3.0.0) | plg_twofactorauth_totp (3.2.0) | plg_twofactorauth_yubikey (3.2.0) | plg_editors_jce (2.3.4.4) | plg_editors_tinymce (4.0.22) | plg_editors_codemirror (3.15) | plg_finder_content (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_tags (3.0.0) | Smart Search - ZOO (2.5.0) | plg_finder_contacts (3.0.0) | plg_finder_weblinks (3.0.0) | plg_quickicon_jcefilebrowser (2.3.4.4) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_joomla (3.0.0) | PLG_SYSTEM_NNFRAMEWORK (14.6.11) | plg_system_log (3.0.0) | plg_system_highlight (3.0.0) | plg_system_debug (3.0.0) | System - Widgetkit (1.0.0) | plg_system_cache (3.0.0) | plg_system_remember (3.0.0) | plg_system_sef (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_p3p (3.0.0) | PLG_SYSTEM_ADVANCEDMODULES (4.16.2FREE) | System - Widgetkit Joomla (1.0.0) | PLG_SYS_BYEBYEGENERATOR (1.11) | System - ZOO Event (3.0.0) | plg_system_redirect (3.0.0) | plg_system_joomlaoverride (2.5.5) | plg_system_logout (3.0.0) | plg_system_languagefilter (3.0.0) | System - Widgetkit ZOO (3.1.0) | plg_installer_webinstaller (1.0.5) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) |
Templates Discovered ::
Templates :: SITE :: apicloudnature (1.0.0) | mytheme (1.0.10) | protostar (1.0) | beez3 (3.1.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Malicious HTML code

Post by Bernard T » Sun Jul 13, 2014 6:49 pm

No suspicious extensions that I can see.

If you have some PHP and code understanding you could use JAMSS to assist you in code search.

Also:
[ ] Ensure you have the latest versions of extensions

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list. http://vel.joomla.org/

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps. http://docs.joomla.org/Security_Checklist_7
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

kenmcd
Joomla! Champion
Posts: 5672
Joined: Thu Aug 18, 2005 2:09 am
Location: California

Re: Malicious HTML code

Post by kenmcd » Sun Jul 13, 2014 7:35 pm

The links could come from malware in your browser/system.
Can anyone else see these links?

██ LibreTraining


Re: Malicious HTML code

Post by Mindgem » Mon Jul 14, 2014 8:30 am

Thanks for the replies.

To respond to BernardT:

I will read the two links you gave me. Maybe they will help.
After that I'm going to make a test site for myself and delete all the Yootheme stuff to see if that helps. If that doesn't work I'll try your suggestion of JAMSS.

To respond to kenmcd:

Tried it on my work laptop and same code in my HTML.

Keep you informed!


Re: Malicious HTML code

Post by Mindgem » Tue Jul 15, 2014 12:41 pm

OK, ended up upgrading my components / plugins to latest versions and that seems to do the trick. Changed passwords and added a few IPs to my .htaccess. Let's see what happens

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Malicious HTML code

Post by leolam » Tue Jul 15, 2014 6:49 pm

Mindgem wrote: added a few IPs to my .htaccess.
THAT won't help at all. I can use for instance any IP to log in to any site without any issue..... Called proxy-servers......
Mindgem wrote: Let's see what happens
You will be hacked again


Leo 8)
Last edited by leolam on Tue Jul 15, 2014 6:51 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -


Re: Malicious HTML code

Post by Mindgem » Tue Jul 15, 2014 6:51 pm

I know but something is better than nothing


Re: Malicious HTML code

Post by leolam » Tue Jul 15, 2014 6:55 pm

Ha, you drive on a highway where 80 miles are restricted and you drive 140 miles so it is better than not driving?

Leo 8) Just a question


Re: Malicious HTML code

Post by Mindgem » Tue Jul 15, 2014 6:56 pm

Depends on what is waiting at the end of the journey :-)


Re: Malicious HTML code

Post by leolam » Tue Jul 15, 2014 7:01 pm

Bad luck since police is throwing a spike-strip half-way

Leo 8)


Re: Malicious HTML code

Post by Bernard T » Tue Jul 15, 2014 10:20 pm

Mindgem wrote: OK, ended up upgrading my components / plugins to latest versions and that seems to do the trick.
If you followed ALL instructions on links provided to you, checked your extensions against VEL, and did the proper website cleanup, you should be on the bright side.

Any shortcuts - you're a cannon meat for script kiddies, again. Do your homework

dutchweb
Joomla! Fledgling
Posts: 3
Joined: Mon Jul 07, 2014 10:09 am

Re: Malicious HTML code

Post by dutchweb » Fri Jul 18, 2014 10:23 am

Thanks for posting that, I thought I was the only sucker spending days trying to figure out this exact same problem.

I immediately noticed that you have PLG_SYS_BYEBYEGENERATOR (1.11) as well. Even though I couldn't find any malicious code in there directly I disabled it and the code was gone right away.

I switched it back on after that and it was still gone, so I'm still clueless but for now it's gone.


Re: Malicious HTML code

Post by Bernard T » Sat Jul 19, 2014 1:36 am

@dutchweb: the same as for the original poster - if you don't follow the procedures suggested in sticky topics you have NOT solved your issue, even though you don't see it anymore in the HTML code

