The Joomla! Forum ™



Posted: Sat Apr 10, 2010 12:57 pm
Joomla! Enthusiast

Joined: Tue Oct 30, 2007 6:05 am
Posts: 203
After visiting my website today, my Avast scanner went crazy and warned me of a virus attack from almost every page of my website..

I opened the source of my index page and found this code there: (inserted * in script so it does not self execute somehow..)

[Mod edit - removed script]

Now I contacted my server and they said that it is not their fault.. we are clean and your system must be infected.. but I'm using Ubuntu :/

The problem is that this code has gotten into every index.php or index.html page of the entire server.. I have 2 Joomla installations on that server and both have been infected.. I have 2 WordPress installations as well and they have been infected also..

I am really facing a problem here.. A Joomla installation roughly has A LOT of folders.. and each of those folders has folders within them.. every folder has an index.html file in it.. and every index.html file has been infected..

I spent the last hour manually opening each folder and each file and removing the code.. and I have only done the components folder.. the rest of the installation is still infected.. the other installations remain

If I work on it non-stop all day, even then I won't be able to clean every file... :'(

I am looking for some help here... you guys must know of an easier way of doing this...

any help is seriously appreciated

I contacted my server and they basically said, "you're on your own" >:(

Here are the Joomla sites: (the main index.php pages have been cleaned by me..)

[Mod edit: removed url to infected sites]

hoping to hear from you guys soon

_________________
"Our Sweetest songs are those that tell of saddest thought"


Posted: Sat Apr 10, 2010 1:06 pm
Joomla! Master

Joined: Sun Oct 02, 2005 12:50 am
Posts: 18741
Location: Omaha, NE
Start here in security check list 7: http://docs.joomla.org/Security_Checklist_7

_________________
Regards, Dave
http://www.kiwaniswest.org


Posted: Sat Apr 10, 2010 2:17 pm
Joomla! Enthusiast

Joined: Tue Oct 30, 2007 6:05 am
Posts: 203
k thx for the link.. am reading that now.. but was this infection because I was still using Joomla 1.0.x and did not update to 1.5

can this be the reason?


********** Update*********

K I used the script and here is its output from softmall.org server:

JTS-post Problem Description wrote:
My installation got infected via code injection
JTS-post Log/Error Message wrote:
my avast antivirus warns me of a virus attack every time i visit my website
JTS-post Actions Taken To Resolve wrote:
The code has been injected into every index.php/index.html file. I have tried to manually open all files and delete the code then save those files but this is taking too long. I have cleaned about 20 files via this method

JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ] 21 July 2007 16:00 UTC
configuration.php: Writable (Mode: 755 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Not Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community-log ( Localhost via UNIX socket )

JTS-post Extended Information wrote:
SEF: Enabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 40M | Max. Upload Size: 10M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: dl
MySQL Client: 5.0.90 ( latin1 )


and here is the output of limsedu.com installation:


JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.0.15 Stable [ Daytime ] 22 February 2008 23:00 UTC
configuration.php: Writable (Mode: 755 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 60 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community-log ( Localhost via UNIX socket )

JTS-post Extended Information wrote:
SEF: Disabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 128M | Max. Post Size: 96M | Max. Input Time: 180 | Zend Version: 2.2.0
Disabled Functions: dl
MySQL Client: 5.0.90 ( latin1 )

_________________
"Our Sweetest songs are those that tell of saddest thought"


Posted: Mon Apr 12, 2010 12:44 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
Let's start here.
21 Feb 2008 ... The Joomla! project is proud to announce the immediate release of Joomla! 1.0.15.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Mon Apr 12, 2010 5:57 pm
Joomla! Enthusiast

Joined: Tue Oct 30, 2007 6:05 am
Posts: 203
lol.. yeah I know I messed up in the updates but that's what I want to fix here.. I want to update to 1.5.x but I don't want to do that with my infected files.. since I can't follow the usual method of downloading a fresh copy and rewriting, since 1.0.x is no longer available for download.

I have mentioned an alternative to this in my other post.. I'll quote it here:

Quote:
but just asking.... out of curiosity...

Since I did not get a reply all day I thought I might try something myself.. what I did was I downloaded all of the files located in my public_html folder via an FTP program.. Now that I have all files on my local hard [drive] I can edit them easily..

Also since only index.html and index.php files have been infected with a script code.. my plan was to use a program like Notepad++ that searches for a string within files. I'd use that to search for the code and replace it with something else..

and then reupload all of the files and overwrite all of the files on the server...

would that have worked?


So will that work here? Once all files are clean I can use a migrator application like mtwMigrator

_________________
"Our Sweetest songs are those that tell of saddest thought"
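
The search-and-replace plan described in the post above, run over a downloaded local copy, as an added example that is not part of the original thread. `MARKER` is a placeholder because the injected script was removed from the thread by a moderator, and the function names and sample tree are constructed for illustration. Besides the index files, the scan also reports any other file that contains the marker, which checks the assumption that only index.php and index.html were touched.

```python
import os
import shutil
import tempfile

# Placeholder: the real injected string was removed from the thread by a moderator.
MARKER = b"<script>/*INJECTED-PLACEHOLDER*/</script>"
INDEX_NAMES = {"index.php", "index.html"}
BACKUP_SUFFIX = ".infected.bak"

def scan(root, marker=MARKER):
    """Return (index_hits, other_hits): files under root that contain marker."""
    index_hits, other_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(BACKUP_SUFFIX):
                continue  # skip backups written by clean()
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = marker in fh.read()
            if found:
                (index_hits if name in INDEX_NAMES else other_hits).append(path)
    return sorted(index_hits), sorted(other_hits)

def clean(paths, marker=MARKER):
    """Strip the exact marker bytes; keep a local backup of each changed file."""
    changed = 0
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if marker in data:
            shutil.copy2(path, path + BACKUP_SUFFIX)  # local evidence copy, not for upload
            with open(path, "wb") as fh:
                fh.write(data.replace(marker, b""))
            changed += 1
    return changed

def build_sample(root):
    """Constructed sample tree: two infected index files, one infected non-index file."""
    files = {"index.php": b"<?php echo 'home'; ?>" + MARKER,
             "components/index.html": b"<html><body></body></html>" + MARKER,
             "templates/index.html": b"<html><body></body></html>",
             "includes/footer.php": MARKER + b"<?php echo 'footer'; ?>"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        index_hits, other_hits = scan(root)
        print("index files:", index_hits, "other files:", other_hits)
        print("cleaned:", clean(index_hits + other_hits), "remaining:", scan(root))
```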


Posted: Mon Apr 12, 2010 7:45 pm
Joomla! Ace

Joined: Sun Feb 28, 2010 8:26 pm
Posts: 1036
Location: Burlington, NC
Do you have a backup of your sites prior to the hack? That could save you a lot of time...

_________________
Joomla! Production Leadership Team
http://www.babdev.com
Unsolicited PMs will be ignored
Follow me @mbabker


Posted: Tue Apr 13, 2010 1:02 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
I can't remember who, but someone on here has an archive of all the Joomla versions. It's in their signature line...

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

