Site hacked by XXXX

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
jgodek
Joomla! Apprentice
Joomla! Apprentice
Posts: 35
Joined: Thu Jan 10, 2008 4:42 pm

Site hacked by XXXX

Postby jgodek » Sat Nov 15, 2008 6:12 pm

Hi there
after hitting save or cancel when editing anythin in the backend, my browser crashes and relaunches to a page where it attempts a fake virus scan.

This also hapens on the front end when clicking a page.

Must have come thru a component - the only one I had was Chronoforms, an old version of.
Any ideas? theres no rogue HTACCESS file and I cant search for that code (pro-scan-online.com) anywhere on my local site.

dragonrider
Joomla! Ace
Joomla! Ace
Posts: 1049
Joined: Mon Aug 22, 2005 7:53 pm
Location: Ilkley, West Yorkshire, UK
Contact:

Re: Site hacked by Malware - pro-scan-online.com

Postby dragonrider » Sat Nov 15, 2008 7:56 pm

Could be a browser hack, check your internet settings in IE, or download hijack this and run it on your pc, see if it comes up with any think like pro-scan in it's report.

Just in case it's not on your Joomla site, but local to your PC/Browser.

josbar742
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Sat Nov 15, 2008 9:34 pm

Re: Site hacked by Malware - pro-scan-online.com

Postby josbar742 » Sat Nov 15, 2008 9:40 pm

I have a site that is experiencing this issue too. I have scanned my entire system for malware, viruses etc. Nothing found. I experience this from every computer I access my site from. At this point, I believe there is something in the site, but I am not sure where. At first I thought it was an XSS iframe hack done to my site, but I am not sure what is going on. Does anyone have any idea how to fix this problem?

Here is the reference to the iframe vulnerability:
http://www.getacoder.com/projects/remov ... 92482.html

~JB

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14039
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site hacked by Malware - pro-scan-online.com

Postby mandville » Sun Nov 16, 2008 12:36 am

if you use the jts tool then we can see what version etc of joomla you have
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

jgodek
Joomla! Apprentice
Joomla! Apprentice
Posts: 35
Joined: Thu Jan 10, 2008 4:42 pm

Re: Site hacked by XXXX

Postby jgodek » Mon Nov 17, 2008 10:32 am

Why was the name of the malware removed from my post? Now no ne can find it if they search. It wasnt hacked by XXXX

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14039
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site hacked by XXXX

Postby mandville » Mon Nov 17, 2008 5:05 pm

jgodek - thiss forum not only frowns upon the practice of hacking/defacing sites.
if you notice in all the "hacked" posts, there is also a common theme of not promoting the people or practices that cause these annoyances.
If you feel that this idea is wrong, please raise it with a forum moderator.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

josbar742
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Sat Nov 15, 2008 9:34 pm

Re: Site hacked by XXXX

Postby josbar742 » Mon Nov 17, 2008 5:45 pm

Hi All,

Just wanted to update anyone who is having this issue. It looks like this may be due to the servers of the host getting hacked... it turns out somehow (on all of my sites at this host) a .htaccess file got created which triggers the redirection. Removing this file clears up the issue. Note that I already have a htaccess.txt which contained my data for Joomla so I could remove the .htaccess file. If you have the same issue, you may need to remove the entry that the hacker put in, or remove the file if you have the other version (htaccess.txt) Hope this helps someone.

Regards,
JB

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14039
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site hacked by XXXX

Postby mandville » Mon Nov 17, 2008 6:27 pm

you will also notice a large number of log entries for an IP in the range of either 66. or 66. that are NOT google.

Ban this IP ASAP it will revisit your site and try the hack/defacement again

do a forum search for numeric php and you should find the IP to ban


josbar742 wrote:Hi All,

Just wanted to update anyone who is having this issue. It looks like this may be due to the servers of the host getting hacked... it turns out somehow (on all of my sites at this host) a .htaccess file got created which triggers the redirection. Removing this file clears up the issue. Note that I already have a htaccess.txt which contained my data for Joomla so I could remove the .htaccess file. If you have the same issue, you may need to remove the entry that the hacker put in, or remove the file if you have the other version (htaccess.txt) Hope this helps someone.

Regards,
JB
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

binks2001
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Nov 17, 2008 6:29 pm

Re: Site hacked by XXXX

Postby binks2001 » Mon Nov 17, 2008 6:31 pm

Thanks for the info!

I just installed the new version and this issue happened.
Now I know what to do!

In addition, I did a search for numeric php and did not find anything. Do you have the direct link to the thread?

Thanks,
Binks2001

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14039
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site hacked by XXXX

Postby mandville » Mon Nov 17, 2008 7:37 pm

if you have only just installed it then it could be you left the folders open with 777 perms,
here are the topics
viewtopic.php?f=432&t=317680&p=1386581&hilit=numeric#p1386581
viewtopic.php?f=432&t=301389&hilit=numeric

they may be a bit long but worth reading
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

jgodek
Joomla! Apprentice
Joomla! Apprentice
Posts: 35
Joined: Thu Jan 10, 2008 4:42 pm

Re: Site hacked by XXXX

Postby jgodek » Tue Nov 18, 2008 12:05 pm

I have searched and found nothing strange in my HTACCESS file even removed it. Theres no other web site on the webserver that has been hacked. Any other ideas?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14039
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site hacked by XXXX

Postby mandville » Tue Nov 18, 2008 1:34 pm

jgodek wrote:I have searched and found nothing strange in my HTACCESS file even removed it. Theres no other web site on the webserver that has been hacked. Any other ideas?

#

are you sure your host hasnt done any SSI on your site?

if you use the post assistant viewtopic.php?f=428&t=272481
it might help people get to the bottom of the problem..
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}


Return to “Security - 1.0.x”

Who is online

Users browsing this forum: No registered users and 3 guests