A Virus Script in my Joomla website.. pasted code here..


Postby faraz_k86 » Sat Apr 10, 2010 12:57 pm

After visiting my website today my Avast scanner went crazy and warned me of a virus attack from almost every page of my website..

I opened the source of my index page and found this code there: (inserted * in script so it does not self execute somehow..)

[Mod edit - removed script]

Now I contacted my server and they said that it is not their fault.. we are clean and your system must be infected.. but I'm using Ubuntu :/

The problem is that this code has gotten into every index.php or index.html page of the entire server.. I have 2 Joomla installations on that server and both have been infected.. I have 2 WordPress installations as well and they have been infected also..

I am really facing a problem here.. A Joomla installation roughly has A LOT of folders.. and each of those folders has folders within them.. every folder has an index.html file in it.. and every index.html file has been infected..

I spent the last hour manually opening each folder and each file and removing the code.. and I have only done the components folder.. the rest of the installation is still infected.. the other installations remain

If I work on it non stop all day even then I won't be able to clean every file... :'(

I am looking for some help here... you guys must know of an easier way of doing this...

any help is seriously appreciated

I contacted my server and they basically said, "you're on your own" >:(

here are the joomla sites: (the main index.php pages have been cleaned by me.. )

[Mod edit: removed url to infected sites]

hoping to hear from you guys soon
"Our Sweetest songs are those that tell of saddest thought"


Postby dhuelsmann » Sat Apr 10, 2010 1:06 pm

Start here in security check list 7: http://docs.joomla.org/Security_Checklist_7
Regards, Dave
Past Treasurer Open Source Matters, Inc.
http://www.kiwaniswest.org


Postby faraz_k86 » Sat Apr 10, 2010 2:17 pm

k thx for the link.. am reading that now.. but was this infection because I was still using Joomla 1.0.x and did not update to 1.5

can this be the reason?


********** Update*********

K I used the script and here is its output from softmall.org server:

JTS-post Problem Description wrote:My installation got infected via code injection
JTS-post Log/Error Message wrote:my avast antivirus warns me of a virus attack every time i visit my website
JTS-post Actions Taken To Resolve wrote:The code has been injected into every index.php/index.html file. I have tried to manually open all files and delete the code then save those files but this is taking too long. I have cleaned about 20 files via this method

JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ] 21 July 2007 16:00 UTC
configuration.php: Writable (Mode: 755 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Not Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community-log ( Localhost via UNIX socket )

JTS-post Extended Information wrote:SEF: Enabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 40M | Max. Upload Size: 10M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: dl
MySQL Client: 5.0.90 ( latin1 )


and here is the output of limsedu.com installation:


JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.0.15 Stable [ Daytime ] 22 February 2008 23:00 UTC
configuration.php: Writable (Mode: 755 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-164.11.1.el5 ( x86_64) | Web Server: Apache | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 60 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community-log ( Localhost via UNIX socket )

JTS-post Extended Information wrote:SEF: Disabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 128M | Max. Post Size: 96M | Max. Input Time: 180 | Zend Version: 2.2.0
Disabled Functions: dl
MySQL Client: 5.0.90 ( latin1 )
"Our Sweetest songs are those that tell of saddest thought"


Postby mandville » Mon Apr 12, 2010 12:44 am

Let's start here.
21 Feb 2008 ... The Joomla! project is proud to announce the immediate release of Joomla! 1.0.15.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}


Postby faraz_k86 » Mon Apr 12, 2010 5:57 pm

lol.. yeah I know I messed up in the updates but that's what I want to fix here.. I want to update to 1.5.x but I don't want to do that with my infected files.. since I can't follow the usual method of download a fresh copy and rewrite since 1.0.x is no longer available for download.

I have mentioned an alternative to this in my other post.. I'll quote it here:

but just asking.... out of curiosity...

Since I did not get a reply all day I thought I might try something myself.. what I did was I downloaded all of the files located in my public_html folder via an FTP program.. Now that I have all files in my local hard drive I can edit them easily..

Also since only index.html and index.php files have been infected with a script code.. my plan was to use a program like Notepad++ that searches for a string within files. I'd use that to search for the code and replace it with something else..

and then reupload all of the files and overwrite all of the files on the server...

would that have worked?


So will that work here? Once all files are clean I can use a migrator application like mtwMigrator
"Our Sweetest songs are those that tell of saddest thought"
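
The search-and-replace plan described in the post above, as an added example that is not part of the original thread: it runs over a local copy of the site, strips one exact injected snippet from index files, keeps a backup of each changed file, and lists non-index files that also contain the snippet for manual review. `INJECTED` is a constructed placeholder (the real script was removed by the moderator), and `clean_tree` and `demo` are hypothetical names.

```python
import os
import shutil
import tempfile

# Constructed placeholder: paste the exact snippet found in your own files here.
INJECTED = b"<script>/*INJECTED-PLACEHOLDER*/</script>"
INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def clean_tree(root, injected=INJECTED, dry_run=True):
    """Return (cleaned index files, other files that contain the snippet)."""
    cleaned, other_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or name.endswith(".infected.bak"):
                continue  # never follow links or rescan our own backups
            with open(path, "rb") as fh:
                data = fh.read()
            if injected not in data:
                continue
            if name.lower() not in INDEX_NAMES:
                other_hits.append(path)  # not an index file: review by hand
                continue
            cleaned.append(path)
            if not dry_run:
                shutil.copy2(path, path + ".infected.bak")  # keep the original
                with open(path, "wb") as fh:
                    fh.write(data.replace(injected, b""))
    return sorted(cleaned), sorted(other_hits)


def demo():
    """Build a small constructed site tree, clean it, and return the report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "components", "com_x"))
    samples = {
        "index.php": b"<?php echo 1; ?>" + INJECTED,
        "components/index.html": b"<html><body></body></html>" + INJECTED,
        "components/com_x/index.html": b"<html><body></body></html>",
        "components/com_x/x.php": b"<?php ?>" + INJECTED,
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root, clean_tree(root, dry_run=False)

if __name__ == "__main__":
    print(demo()[1])
```

Run it with `dry_run=True` first to see the list of affected files, and leave the `.infected.bak` copies out of anything uploaded back to the server. A non-empty second list means the assumption that only index files were modified does not hold for that tree.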


Postby mbabker » Mon Apr 12, 2010 7:45 pm

Do you have a backup of your sites prior to the hack? That could save you a lot of time...
Past: Release Lead, CMS Maintainer
Present: Framework Maintainer, Security Team Member, .org System Administrator, Bug Squad Member

Manually updating Joomla? See https://gist.github.com/mbabker/d7bfb4e1e2fbc6b7815a733607f89281


Postby mandville » Tue Apr 13, 2010 1:02 am

I can't remember who but someone on here has an archive of all the Joomla versions. It's in their signature line...
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

