Joomla! Forum - community, help and support

Posted: **Sun Jan 17, 2010 11:11 am**

It's not an extension, it's a manual script that is very specific in it's usage and requirements.

[I've removed the rest of my post as it was offensive to others]

Posted: **Sun Jan 17, 2010 11:21 am**

brad wrote:It's not an extension, it's a manual script that is very specific in it's usage and requirements.

I already noticed you do not read. I asked you to add the Keepass to the initial post and you just bully yourself onto something different....

It's not an extension, it's a manual script that is very specific in it's usage and requirements.

What is the difference with the Joomla Forum Asisstant Tools (excellent) which is a stand alone script as well? That is posted in JED and heavy promoted (look in the top of your screen) (http://extensions.joomla.org/extensions ... tools/1734) Argument is not valid.....Consistency and transparency in decision making are though....

Good call Brad...Glad to see you active again (http://www.alltogetherasawhole.org might do you some good! ....amongst other things....)

Leo

Posted: **Sun Jan 17, 2010 12:49 pm**

As was pointed out before, JTS does not alter files in the way that the suggested cleaning script does.
--
edit to add : i will add the password tool to the checklist 7 as a suggested ftp security tool

Posted: **Sun Jan 17, 2010 1:09 pm**

mandville wrote:I will add the password tool to the checklist 7 as a suggested ftp security tool

Broomla is a virtual broom for cleaning (scripted) iframe injections in Joomla. It is intended for those who do not have a good backup to restore and who do not know how to manually repair a Joomla 1.5 website compromised by a (scripted) iframe injection FTP Trojan.

It is therefore not an ftp security tool at all. It belongs into recovery or whatever but definitely not in ftp security...Nothing to do with ftp-security I am afraid but appreciate the intension

Leo

Posted: **Sun Jan 17, 2010 1:40 pm**

it was keepass i was talking about - the password reminder tool that helps prevent ftp passwords being stored in the ftp prog.

Posted: **Sun Jan 17, 2010 1:49 pm**

misunderstanding...tnx but it is already mentioned in that I think

Posted: **Sun Jan 17, 2010 2:06 pm**

yes - just added it today to Local Security
* Don't store user name/password in ftp program
o Use a password manager such as the free keepass
after your comments on it

Posted: **Tue Jan 19, 2010 2:39 pm**

anybody help me how to use this

Thanks

Posted: **Tue Jan 19, 2010 3:23 pm**

fraz wrote:anybody help me how to use this

Hello, You might want to explain where you point at? What s the issue, what are your problems , where you need help, what is the error you get, what is your platform......just to mention a few?

Please be good and use http://forum.joomla.org/viewtopic.php?f=428&t=272481 so we know what is your environment and psot detailed info so we can help you?

Cheers

Leo

Posted: **Tue Jan 26, 2010 5:06 am**

http://www.iss.net/threats/gumblar.html or one of it's variants. Possibly when you used your FTP client, your ftp login details were logged and then used but the virus/trojan.

Hi just thought I would share. I have 24 sites. 16 have been hit with this. Cleaning joomla is bad enough but the whole server was hit so the server admin tools are all corrupt also. Of the 16 sites ALL had Joomla installed somewhere. 4 of the sites were not on my FTP client, no passwords stored on my computer anywhere. The remainder of my sites that were not hit, were listed on the ftp client. So for now I am ruling out the virus ftp thingy.

I changed computers Dec 09 and I have not added some of the affected sites passwords and user id's to my new computer. The old computer has not been in use (fried hard drive). The attacks all happened on the 23rd and 24th of Jan. 2010 on all of my sites.

None of my WP sites were affected. None of my hand coded sites either unless they also contained and instance of joomla 1.5 or 1.0. It did not matter what flavor or version. Three sites were recently upgraded to the latest release. I also have some social networking sites that use elgg. They were not affected unless joomla was there somewhere. So I am thinking it's something to do with Joomla. I am on a designated server not shared service so I am at a loss and just waiting on support to go through the logs. I have joomla installed with php and ftp. Made no difference.

I have been all over the net today and it seems like there is a real uptick in this thing. http://justcoded.com/article/gumblar-fa ... oval-tool/ this site has a removal tool I have used it, the script is called curevir.php but it is somewhat limited because of file permissions, it does work though, if you can work around that it may be good for you.

Note: There have been 109 entries on this subject at justcoded, a lot of them in January 2010 and 39 of them in the last few days. Just sayin...

Posted: **Sat Jan 30, 2010 8:09 am**

These attacks are discussed here as an individual. However, these collective solutions must joomla. If we use this script.

Posted: **Thu Feb 18, 2010 11:03 am**

I read the full post and I would like to share with you our preventing security strategy .

Use the FTP File System Layer
With this mode you don't need directory with the 777 CHMOD

Use a strong .htaccess
Orginal .htacess : http://docs.joomla.org/Preconfigured_.htaccess
We add:

Code: Select all

### Deny access to the .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

### only allow the browser to access index.php
DirectoryIndex index.php

In some case we add a filter again bad-bot : http://www.bg-pro.com/?goto=badbot

Install http:BL Plugin

http:BL System Plugin allows you to verify IP addresses of clients connecting to your website against the Project Honey Pot database. It check whether your visitor is an email harvester, a comment spammer or any other malicious client. Communication with verification server is done via DNS request mechanism. Now, thanks to http:BL System Plugin any potentially harmful clients are denied from accessing your website and therefore abusing it.

http://extensions.joomla.org/extensions ... ccess/2786

Install a monitoring system

We develop JMonitoring. It check the integrity of the main files of joomla like all the index.php (joomla and templates), configuration.php etc...

Checking a list of websites is a complicated task and that is why JMonitoring has been developped.
JMonitoring helps you to keep an eye on every Joomla websites you manage and let you know if they were errors on them or if they have been hacked.

http://extensions.joomla.org/extensions ... urity/9787

Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.

Actually we use it on more than 40 joomla website with good results.
PA

Posted: **Mon Feb 22, 2010 3:03 pm**

paimages wrote:Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.

Actually we use it on more than 40 joomla website with good results.
PA

#slight off topic but how are you finding the new format feed, is it working for you?

Posted: **Tue Feb 23, 2010 4:36 am**

removing the code does not get to the root of the problem - why/how did it get there in the first place.

warning before running any scripts posted by users, make sure you have a suitable back up of your site.

Posted: **Tue Feb 23, 2010 4:54 am**

on deeper checking of that script you would also need to edit some of the code of the script to match your site.
without more instructions provided by the coder, i would not recommend people who are not familiar with php to use it.
fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.
my advice still is, cleaning the code does not cure the reason it arose

Posted: **Tue Feb 23, 2010 8:31 am**

mandville wrote: my advice still is, cleaning the code does not cure the reason it arose

Which i definitely support 100%. Prevention is better than seeing the doctor the morning after....

Leo

Posted: **Tue Feb 23, 2010 2:41 pm**

My intention was not to promote myself, only developed a solution to my problem and decided to share. Ok Sorry, I think I'm in the wrong community. Bye

Posted: **Tue Feb 23, 2010 3:04 pm**

fabiomazzo wrote:.

Did you read any of the other comments and suggestion over your script?

fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.

Posted: **Wed Feb 24, 2010 1:18 pm**

I have not mentioned about your comment, but on the edition of my post.
With a little more detailed documentation : http://innoit.com.br/phpantivir

Posted: **Wed Feb 24, 2010 2:12 pm**

thank you , that will assist those who think they can just upload and run the script and it will solve all their issues.

see this full depth explanation from PhilD
http://forum.joomla.org/viewtopic.php?p ... 0#p2052210

Posted: **Wed Feb 24, 2010 2:29 pm**

It's not a solution, not solve a lot of issues, just helps in ONE specific issue. Perhaps, it can help somebody.

Posted: **Wed Feb 24, 2010 5:14 pm**

Thank you for posting the solution. If it helps even only one single person it will put smiles on your face!!

Cheers!

Leo

Posted: **Tue Mar 09, 2010 5:52 pm**

Thanks for the informative post.
I found this great tool to detect malware on your site {self promotion deleted}

Posted: **Wed Mar 10, 2010 12:13 pm**

I got problem during installation any body guide me

Posted: **Wed Mar 10, 2010 3:40 pm**

what exactly are you having an issue with.? and i deleted your double post

Posted: **Thu May 06, 2010 6:24 am**

This type of infection is much more common with the password however. For that reason, you should follow these steps:

1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!

2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1

3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster ... swer=45432
thaks
4. Read the information provided below about this type of viral infection and how to further prevent it.

Posted: **Thu May 13, 2010 12:40 am**

Only for your information: Last week 05-06-10 and last night 05-12-10, several websites were attacked for this script. All of them are hosted in GoDaddy; Fortunately, there is a function call "Restore" so we could restore files from some days ago and they replace the "hacked" files. I know this is not enough, but at least is a fast (and temporary) solution.

Posted: **Thu May 13, 2010 12:54 am**

lrsv5 wrote:Only for your information: Last week 05-06-10 and last night 05-12-10, several websites were attacked for this script. All of them are hosted in GoDaddy; .

the godaddy conversation is here http://forum.joomla.org/viewtopic.php?f=432&t=515398

Posted: **Wed Jun 02, 2010 12:23 pm**

I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.

Not sure about you, but personally I would not use FTP over an open un-trusted network.

Posted: **Sat Jun 05, 2010 3:28 pm**

Oh! I'm reading this article and I think It very good.

Joomla! Forum - community, help and support

Discussion - Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site

Re: Malicious Javascript in your site