Malicious record in body

[Beata]

My Joomla 3.10.6
I don’t know how that record came about, but I only noticed it today. He is on every page. It is in page sources, I see it:

Code: Select all

<object type="application/x-shockwave-flash" data="/templates/classyhome/images/pr.swf" width="12" height="12"><param name="allowscriptaccess" value="always"><param name="menu" value="false"><param name="wmode" value="transparent"><param name="flashvars" value="flsh"><a href="http://www.casino10top.com/jackpotcity-casino-review/" title="jackpotcity casino">all jackpotcity casino user reviews and ratings</a><param name="menu" value="false"></object>		
		       

I downloaded the template index.php, it's not there. How to find it and clear ?
Look an attachment

mainbody.jpg

[pe7er]

Could you test it with another browser? And from another computer?
Just to test if it's device related, maybe caused by a browser plugin or a computer virus.

If the problem persists on another computer, then your website might use some non-core extension that adds a backlink.

Or your website might be hacked. If so, check out this documentation: https://docs.joomla.org/Security_Checkl ... or_defaced

[pe7er]

I've visited your website. It's not PC/browser related because I see it as well.
It might be added by a 3rd party extension or your website might be hacked.

[Beata]

I've visited your website. It's not PC/browser related because I see it as well.
It might be added by a 3rd party extension or your website might be hacked.

AND How to clean it?

[pe7er]

See https://docs.joomla.org/Security_Checkl ... or_defaced

Or if you need a professional service provider to help you out,
find one here: https://community.joomla.org/service-pr ... directory/

[Beata]

I am no professional webmaster.
Should I use Forum Post assistant?

[Beata]

Joomla! Instance :: Joomla! 3.10.6-Stable (Daraja) 12-February-2022
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: No | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.10.6: Yes | Database Supports J! 3.10.6: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab145.3 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 431.81 GiB |

PHP Configuration :: Version: 7.4.14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: /home/bajorusa/:/tmp:/usr/share/pear | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 300 | Max. Execution Time: 300 | Memory Limit: 256M

Database Configuration :: Version: 5.5.5-10.3.25-MariaDB-log (Client:mysqlnd 7.4.14) | Database Size: 24.97 MiB | #of Tables with config prefix: 114 | #of other Tables: 0 | User Privileges : GRANT SELECTUser Privileges : INSERTUser Privileges : UPDATEUser Privileges : DELETEUser Privileges : CREATEUser Privileges : DROPUser Privileges : REFERENCESUser Privileges : INDEXUser Privileges : ALTERUser Privileges : CREATE TEMPORARY TABLESUser Privileges : LOCK TABLESUser Privileges : EXECUTEUser Privileges : CREATE VIEWUser Privileges : SHOW VIEWUser Privileges : CREATE ROUTINEUser Privileges : ALTER ROUTINEUser Privileges : EVENTUser Privileges : TRIGGER

PHP Extensions :: Core (7.4.14) | date (7.4.14) | libxml (7.4.14) | openssl (7.4.14) | pcre (7.4.14) | sqlite3 (7.4.14) | zlib (7.4.14) | bcmath (7.4.14) | calendar (7.4.14) | ctype (7.4.14) | curl (7.4.14) | dom (20031129) | enchant (7.4.14) | hash (7.4.14) | fileinfo (7.4.14) | filter (7.4.14) | ftp (7.4.14) | gd (7.4.14) | gettext (7.4.14) | gmp (7.4.14) | SPL (7.4.14) | iconv (7.4.14) | session (7.4.14) | intl (7.4.14) | json (7.4.14) | mbstring (7.4.14) | standard (7.4.14) | mysqlnd (mysqlnd 7.4.14) | mysqli (7.4.14) | PDO (7.4.14) | pdo_mysql (7.4.14) | pdo_sqlite (7.4.14) | Phar (7.4.14) | pspell (7.4.14) | Reflection (7.4.14) | imap (7.4.14) | SimpleXML (7.4.14) | soap (7.4.14) | sockets (7.4.14) | exif (7.4.14) | tidy (7.4.14) | tokenizer (7.4.14) | xml (7.4.14) | xmlreader (7.4.14) | xmlwriter (7.4.14) | xsl (7.4.14) | zip (1.15.6) | cgi-fcgi (7.4.14) | mcrypt (1.0.3) | ionCube Loader (10.4.3) | Zend OPcache (7.4.14) | Zend Engine (3.4.0) |
Potential Missing Extensions ::
Disabled Functions :: link | symlink | exec | passthru | proc_close | proc_get_status | proc_open | shell_exec | system | popen | pclose |

Switch User Environment :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::

Database statistics :: Uptime: 14800727 | Threads: 16 | Questions: 5480390123 | Slow queries: 9478 | Opens: 38499173 | Flush tables: 1 | Open tables: 2048 | Queries per second avg: 370.278 |

Components :: Site ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_HELP_TITLE (2.9.20) ? | WF_ATTRIBUTES_TITLE (2.9.11) ? | WF_CLIPBOARD_TITLE (2.9.20) ? | WF_IMGMANAGER_TITLE (2.9.20) ? | WF_LAYER_TITLE (2.8.2) ? | WF_NONBREAKING_TITLE (2.9.20) ? | WF_VISUALBLOCKS_TITLE (2.9.20) ? | WF_SOURCE_TITLE (2.9.20) ? | WF_STYLE_TITLE (2.9.20) ? | WF_LINK_TITLE (2.9.20) ? | WF_EMOTIONS_TITLE (2.9.20) ? | WF_FULLSCREEN_TITLE (2.9.20) ? | WF_HR_TITLE (2.9.20) ? | WF_BROWSER_TITLE (2.9.20) ? | WF_DIRECTIONALITY_TITLE (2.9.20) ? | WF_CHARMAP_TITLE (2.9.20) ? | WF_TEXTCASE_TITLE (2.9.20) ? | WF_AUTOSAVE_TITLE (2.9.20) ? | WF_MEDIA_TITLE (2.9.20) ? | WF_PRINT_TITLE (2.9.20) ? | WF_CONTEXTMENU_TITLE (2.9.20) ? | WF_LISTS_TITLE (2.9.20) ? | WF_FONTSELECT_TITLE (2.9.20) ? | WF_PREVIEW_TITLE (2.9.20) ? | WF_XHTMLXTRAS_TITLE (2.9.20) ? | WF_VISUALCHARS_TITLE (2.9.20) ? | WF_KITCHENSINK_TITLE (2.9.20) ? | WF_FONTCOLOR_TITLE (2.9.20) ? | WF_REFERENCE_TITLE (2.9.11) ? | WF_SPELLCHECKER_TITLE (2.9.20) ? | WF_SEARCHREPLACE_TITLE (2.9.20) ? | WF_FORMATSELECT_TITLE (2.9.20) ? | WF_FONTSIZESELECT_TITLE (2.9.20) ? | JCE - Noneditable (1.0.0) ? | WF_STYLESELECT_TITLE (2.9.20) ? | WF_TABLE_TITLE (2.9.20) ? | WF_CLEANUP_TITLE (2.9.20) ? | WF_ANCHOR_TITLE (2.9.20) ? | WF_ARTICLE_TITLE (2.9.20) ? | WF_WORDCOUNT_TITLE (2.9.20) ? | WF_LINK_SEARCH_TITLE (2.9.20) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.9.20) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.9.20) ? | WF_LINKS_JOOMLALINKS_TITLE (2.9.20) ? | WF_AGGREGATOR_VIDEO_TITLE (2.9.20) ? | WF_AGGREGATOR_VIMEO_TITLE (2.9.20) ? | WF_AGGREGATOR_[youtube]_TITLE (2.9.20) ? | WF_AGGREGATOR_AUDIO_TITLE (2.9.20) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.9.20) ? |

Components :: Admin ::
Core :: com_media (3.0.0) 1 | com_fields (3.7.0) 1 | com_menus (3.0.0) 1 | com_config (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_checkin (3.0.0) 1 | com_login (3.0.0) 1 | com_privacy (3.9.0) 1 | com_postinstall (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_tags (3.1.0) 1 | com_weblinks (3.9.0) 1 | com_search (3.0.0) 1 | com_categories (3.0.0) 1 | com_templates (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_redirect (3.0.0) 1 | com_banners (3.0.0) 1 | com_modules (3.0.0) 1 | com_joomlaupdate (3.10.1) 1 | com_plugins (3.0.0) 1 | com_ajax (3.2.0) 1 | com_content (3.0.0) 1 | com_cache (3.0.0) 1 | com_users (3.0.0) 1 | com_languages (3.0.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_associations (3.7.0) 1 | com_contenthistory (3.2.0) 1 | com_admin (3.0.0) 1 | com_messages (3.0.0) 1 |
3rd Party:: COM_JCE (2.9.20) 1 | Securitycheck (3.4.4) 1 | Akeeba (8.1.1) 1 |

Modules :: Site ::
Core :: mod_articles_popular (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_weblinks (3.9.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_login (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_finder (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_articles_category (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_search (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_users_latest (3.0.0) 1 |
3rd Party:: sigplus (1.4.2.18) 1 | AS ArtSlider (1.0.0) 1 | JE Camera Slideshow (2.5.1) 1 | AS Menu (1.0.1) 1 |

Modules :: Admin ::
Core :: mod_submenu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_version (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_title (3.0.0) 1 | mod_status (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_feed (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party:: file_fof40 (4.1.0) ? | file_fof30 (3.6.2) ? |

Plugins ::
Core :: plg_quickicon_eos310 (3.10.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_search_content (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_weblinks (3.9.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (2.1.2) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_weblink (3.9.0) 0 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_weblinks (3.9.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_system_log (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_stats (3.5.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 0 | plg_system_languagefilter (3.0.0) 1 | plg_system_languagecode (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_sef (3.0.0) 1 | plg_system_weblinks (3.9.0) 0 | plg_system_privacyconsent (3.9.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_cache (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_terms (3.9.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_joomla (3.0.0) 1 |
3rd Party:: plg_quickicon_akeebabackup (8.1.1) 1 | plg_quickicon_jce (2.9.20) 1 | plg_fields_mediajce (2.9.20) 1 | Content - Image gallery - sigplus (1.4.2.18) 1 | RokBox (2.0.16) 1 | plg_content_jce (2.9.20) 1 | Content - Fast Social Share (1.0) 1 | plg_editors_tinymce (4.5.12) 1 | plg_editors_codemirror (5.60.0) 1 | plg_editors_jce (2.9.20) 1 | PLG_ACTIONLOG_AKEEBABACKUP (8.1.1) 1 | plg_installer_jce (2.9.20) 1 | Button - RokBox (2.0.16) 1 | System - Securitycheck Spam Protect (1.0.6) ? | System - Securitycheck (3.4.4) 1 | System - JU BlockIP (1.2) 1 | System - RokBox (2.0.16) 1 | PLG_SYS_BYEBYEGENERATOR (1.11) 1 | plg_system_jce (2.9.20) 1 | plg_system_jcemediabox (2.1.2) 1 | PLG_SYSTEM_BACKUPONUPDATE (8.1.1) 1 | PLG_SYS_ADMINEXILE (2.3.5) 1 | plg_extension_jce (2.9.20) 1 |

Templates :: Site :: protostar (1.0) 1 | AS 002060 Free (1.2.0) ? | ClassyHome (1.0.1) 1 | beez3 (3.1.0) 1 | RealEstate (3.1) 1 |
Templates :: Admin :: hathor (3.0.0) 1 | isis (1.0) 1 |

[Beata]

Nobody know how to remove malicious records?

[pe7er]

Nobody know how to remove malicious records?

I'm sorry, but it's impossible to know how to remove the malicious code from your website without looking under the hood.

What I do to solve issues with hacked websites: I create a backup (using Akeeba Backup) of the hacked site and install it in a local environment. I use an IDE (I use PHPStorm) to inspect the code and find such hacks.

Another approach is to compare the code of a clean website with a hacked website with a diff tool like https://meldmerge.org/ That's an approach to find any hacks in the Joomla core files.

I hope that you can use one of these approaches to find the issue. Otherwise I'd recommend to find a professional service provider:
https://community.joomla.org/service-pr ... directory/

[brian]

As you have securitycheck extension installed why dont you use the tools they provide? If you get stuck their support is very good

[Beata]

Thank you for answer. The worse that I don't know when did this record appear, I have backup done in January of 2021, could restore.
How could securitycheck extension help me now?
My AdminExile is already saved a lot of ID which persons tried to do attack, they don't come back again.
My Security check extension has spam protection on 60 % and already 48931 logs pending. What to do else?
maybe I was too little interested ...
I see I need to leave until things get worse, then reinstall

[brian]

I guess the security check extension didnt work then

[Webdongle]

...
I see I need to leave until things get worse, then reinstall

viewtopic.php?f=714&t=946026
or
https://fix.mysites.guru/
or
viewforum.php?f=177

[Beata]

Understand, this is the easiest way, but
labor intensive

[Webdongle]

Doesn't take long. And not labour intensive for you if you take one of the two professional options.

[Beata]

Really I don't know how to use these professional options...
I have never used or tried...

[Webdongle]

Really I don't know how to use these professional options...
I have never used or tried...

Simple.
Click the link in https://fix.mysites.guru/ and follow the instructions
or
Place a post in viewforum.php?f=177 with you details. Then negotiate a price with whoever replies.

[Beata]

Could somebody say, could be those files suspicious in my root?

fsg3c5bd.txt
shopy.php
stockify.php

[brian]

100% they are suspicious

[Webdongle]

@Beata
You have 3 options for cleaning your site. There is no 'click one button to clean the site' option.

[Beata]

brian,
Thank you, I have deleted

[Beata]

@Beata
You have 3 options for cleaning your site. There is no 'click one button to clean the site' option.

Understood. These are paid services.
I had a different idea about how to use this link
https://community.joomla.org/service-pr ... directory/
previously suggested to me. Never saw it.
In total, I have never used paid services in my 20 years of my work activities. I'll handle it myself.
Thanks to all.

[Webdongle]

Yep that's a 4th option and also one you need to pay for.
So you have one option to do it yourself and three options you need to pay for. If anyone was going to offer to do it for free they most likely would of offered by now.

So you can either do it yourself or choose one of the three commercial options. But it is unlikely that continually posting on here will will get the job done.