A Virus Script in my Joomla website.. pasted code here..

Post by faraz_k86 » Sat Apr 10, 2010 12:57 pm

after visiting my website today my avast scanner went crazy and warned me of a virus attack from almost every page of my website..

I opened the source of my index page and found this code there: (inserted * in script so it does not self execute somehow..)

[Mod edit - removed script]

Now I contacted my server and they said that it is not their fault.. we are clean and your system must be infected.. but I'm using Ubuntu :/

the problem is that this code has gotten into every index.php or index.html page of the entire server.. I have 2 Joomla installations on that server and both have been infected.. I have 2 WordPress installations as well and they have been infected also..

I am really facing a problem here.. A Joomla installation roughly has A LOT of folders.. and each of those folders has folders within them.. every folder has an index.html file in it.. and every index.html file has been infected..

I spent the last hour manually opening each folder and each file and removing the code.. and I have only done the components folder.. the rest of the installation is still infected.. the other installations remain

If I work on it non stop all day even then I won't be able to clean every file... :'(

I am looking for some help here... you guys must know of an easier way of doing this...

any help is seriously appreciated

I contacted my server and they basically said, "you're on your own" >:(

here are the Joomla sites: (the main index.php pages have been cleaned by me..)

[Mod edit: removed url to infected sites]

hoping to hear from you guys soon
"Our Sweetest songs are those that tell of saddest thought"

Post by dhuelsmann » Sat Apr 10, 2010 1:06 pm

Start here in security check list 7: http://docs.joomla.org/Security_Checklist_7
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

Post by faraz_k86 » Sat Apr 10, 2010 2:17 pm

k thx for the link.. am reading that now.. but was this infection because I was still using Joomla 1.0.x and did not update to 1.5?

can this be the reason?


********** Update*********

K I used the script and here is its output from softmall.org server:

JTS-post Problem Description wrote: My installation got infected via code injection
JTS-post Log/Error Message wrote: my avast antivirus warns me of a virus attack every time i visit my website
JTS-post Actions Taken To Resolve wrote: The code has been injected into every index.php/index.html file. I have tried to manually open all files and delete the code then save those files but this is taking too long. I have cleaned about 20 files via this method
JTS-post Diagnostic Information wrote: Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ] 21 July 2007 16:00 UTC
configuration.php: Writable (Mode: 755 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Not Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community-log ( Localhost via UNIX socket )
JTS-post Extended Information wrote: SEF: Enabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 40M | Max. Upload Size: 10M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: dl
MySQL Client: 5.0.90 ( latin1 )
and here is the output of limsedu.com installation:

JTS-post Diagnostic Information wrote: Joomla! Version: Joomla! 1.0.15 Stable [ Daytime ] 22 February 2008 23:00 UTC
configuration.php: Writable (Mode: 755 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 60 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community-log ( Localhost via UNIX socket )
JTS-post Extended Information wrote: SEF: Disabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 128M | Max. Post Size: 96M | Max. Input Time: 180 | Zend Version: 2.2.0
Disabled Functions: dl
MySQL Client: 5.0.90 ( latin1 )
"Our Sweetest songs are those that tell of saddest thought"

Post by mandville » Mon Apr 12, 2010 12:44 am

Let's start here.
21 Feb 2008 ... The Joomla! project is proud to announce the immediate release of Joomla! 1.0.15.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by faraz_k86 » Mon Apr 12, 2010 5:57 pm

lol.. yeah I know I messed up in the updates but that's what I want to fix here.. I want to update to 1.5.x but I don't want to do that with my infected files.. since I can't follow the usual method of download a fresh copy and rewrite since 1.0.x is no longer available for download.

I have mentioned an alternative to this in my other post.. I'll quote it here:
but just asking.... out of curiosity...

since I did not get a reply all day I thought I might try something myself.. what I did was I downloaded all of the files located in my public_html folder via an ftp program.. Now that I have all files in my local hard drive I can edit them easily..

Also since only index.html and index.php files have been infected with a script code.. my plan was to use a program like Notepad++ that searches for a string within files. I'd use that to search for the code and replace it with something else..

and then reupload all of the files and overwrite all of the files on the server...

would that have worked?
so will that work here? once all files are clean I can use a migrator application like mtwMigrator
"Our Sweetest songs are those that tell of saddest thought"
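
The search-and-replace plan described in the post above, written out as an added example (not code from the thread or from the Joomla! project): it walks a local copy of the site, strips one exact snippet from `index.php`/`index.html` files, and separately lists any other file that contains the same snippet. The `INJECTED` string is a constructed placeholder, since the real script was removed from the thread by a moderator; `clean_tree` and `demo` are hypothetical names.

```python
import os
import tempfile

# Constructed stand-in: the real script was removed from the thread by a
# moderator, so paste the exact text found in your own files here.
INJECTED = '<script src="http://injected.example/x.js"></script>'
TARGET_NAMES = {"index.php", "index.html"}


def clean_tree(root, injected=INJECTED, dry_run=True):
    # Returns (cleaned, elsewhere): index files that held the snippet, and
    # other files that hold it too; those are reported, never rewritten.
    needle = injected.encode("utf-8")
    cleaned, elsewhere = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes, so no encoding guesses
                data = fh.read()
            if needle not in data:
                continue
            if name.lower() not in TARGET_NAMES:
                elsewhere.append(path)
                continue
            cleaned.append(path)
            if not dry_run:
                with open(path, "wb") as fh:
                    fh.write(data.replace(needle, b""))
    return sorted(cleaned), sorted(elsewhere)


def demo():
    """Build a small constructed site tree, clean it, return the results."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "components", "com_content"))
    samples = {
        "index.php": "<?php echo 'home'; ?>" + INJECTED,
        "components/index.html": "<html></html>" + INJECTED,
        "components/com_content/index.html": "<html></html>",
        "components/com_content/content.php": "<?php ?>" + INJECTED,
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return (root,) + clean_tree(root, dry_run=False)


if __name__ == "__main__":
    print(demo()[1:])
```

Run it with the default `dry_run=True` first to get the two lists without changing anything. A non-empty second list means the snippet is not confined to index files, and stripping the text does not address how the files were modified in the first place.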

Post by deleted user » Mon Apr 12, 2010 7:45 pm

Do you have a backup of your sites prior to the hack? That could save you a lot of time...

Post by mandville » Tue Apr 13, 2010 1:02 am

I can't remember who but someone on here has an archive of all the Joomla versions. It's in their signature line...
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

