IFrame - Google Analytics Hack

[DeadPoetic]

Hi, so i got problem with some iframe hack, dont know really how it comes, only thing i know is that every morning when i wake up, my website show a unexpect error in the index.php and my administrator panel show,

Warning: Unterminated comment starting line 84 in /home/fran8600/public_html/siteweb/administrator/index.php on line 84

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/f............

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/joom............

Warning: Cannot modify header information - headers already sent by (output started at /home/joom/public_html/siteweb/admini............

The thing is that i only need to change my files from a back up i did, and things come back to normal, but now every mornings its coming back and its annoying, on each index.php, there is an iframe at the bottom, iframe linking to some pepsixx web site, that finally aint a pepsi's site. Anyone know how i can stop this?

Thx

[DeadPoetic]

ho and now on my admin panel, there is an iframe linking to lotwager . cn (ps do not go on this website) and now, even if I put back my old files, it still stay there. help?

[fw116]

start here:

http://docs.joomla.org/Category:Security_Checklist

then search for:

iframe injection

[DeadPoetic]

I've delete and replace all the files, upload jsecure, joomsuite defender, but still each day im getting a php injection or iframe, and i didnt find anything about php injection, or iframe injection in the doc. My joomla platform is 1.5.11, well im getting tired to replace all file each time. Anyone got a solution.

[fw116]

well, you should check for modifiyed cron jobs ..

maybe (if your are on shared hosting) another site has been hacked any everybody now get's in touch with the result...

[DeadPoetic]

so there's my problem, i've search on the internet and it looks like i'm not the only one getting problem with the index.php in the past few days, every night this code is getting back in my index.php at line 89

<?php echo '<script type="text/javascript">

var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");

document.write(unescape("%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " + ') + "' type='text/javascript'%3E%3C/script%3E"));

</script>

<script type="text/javascript">

try {

var pageTracker = _gat._getTracker("UA-xxxxxxx-xx");

pageTracker._trackPageview();

} catch(err) {}</script>'; ?>

[DeadPoetic]

I've search on the internet, and it seem that thousand of people are having the same problem it the past few days, some are with joomla, other with wordpress, it is related to Google Analytics, it might be a hack, since i don't think no one knows what to do, I'll keep up with news if it ever happen to some of you.

[Rochen-Adam]

Hi DeadPoetic,

Have you verified that your host is secure as fw116 mentioned above? He's already covered most of the other possibilities as well. At least 25% of the posts in this Security forum relate directly to your problem.

This isn't related to Google Analytics or Joomla, it's a security problem with your site, host, or passwords. Malware distributors have been doing this for years, not just the past few days. The only difference in the past few days is that they have been modifying/replacing google analytics javascript instead of inserting their own iframe in order to obfuscate what they are doing.

As long as you follow the recommendations on the official security checklist and these basic Joomla! security recommendations your site will be secure without the need for things like jsecure or joomsuite defender.

[pfl0r1n]

i have the same problem with my wordpress and my smf forum .. both got infected ... please if you kow a way to get rid of this hijacking let me know.

thank you