Joomla 1.5.22 site hacked

Posted: Thu Apr 21, 2011 4:23 pm
by Dougj
One of my sites was hacked this morning. It's an advanced hack. Somehow they have injected a DB script that causes a redirect to a known malicious site.

The site's home page loads and then is redirected to a popup indicating a virus has been found and when you click on OK on that popup (no other options available. Can't even right click the popup to close it) you are sent to" which shows your system as infected. However a second load of the webpage never shows the vulnerability again.

The code injects a script in the root index.php file at the very first line. Once removed from the index.php file the issue clears (once server cache is cleared).

On first visit the page source shows the following near the bottom of the page

<script src="">

There seems to be very little in the forums about this other than the fact that it has been affecting Joomla sites for several weeks now. Does anyone have any further information, such as how this script gets embedded??

Thanks D.

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Posted: Thu Apr 21, 2011 4:33 pm
by 219jondn
Unfortunately I don't have more information about it, but this sounds like something that needs to get to the Security lists so that the experts there can jump on it. Here's a link to the 1.5 Security Forum

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Posted: Thu Apr 21, 2011 4:46 pm
by Dougj
Am I missing something or did I not already post this in the security forum?


Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Posted: Thu Apr 21, 2011 4:48 pm
by 219jondn
wow - am I not paying attention today or what :) - sorry about that - you're one step ahead :)

Re: Joomla 1.5.22 site hacked by globalpoweringgathering

Posted: Thu Apr 21, 2011 4:54 pm
by Dougj
worries ;)

Re: Joomla 1.5.22 site hacked

Posted: Thu Apr 21, 2011 5:09 pm
by mandville
an askgooglebing search would have provided loads of warnings about that site and its actions

It would help us to help you if before you post your security/been hacked topic

Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum search box for a similar error?

[ ] Run the forum post assistant and security tool Instructions available here

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

If you feel none of the above applies to you read these admin tips and the what went wrong post

What happened when Google visited this site?

Of the 26 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. Google last visited this site on 21/04/2011, and suspicious content was last found on this site on 21/04/2011.

Malicious software includes 26 scripting exploit(s).

This site was hosted on 1 network(s) including AS25190 (KIS).

Has this site acted as an intermediary resulting in further distribution of malware?

During the past 90 days, globalpoweringgathering;com appeared to function as an intermediary for the infection of 66 site(s), including theoctopusproject;com/, jamesalt;com/, acro-china;com/.

Has this site hosted malware?

Yes, the site has hosted malicious software over the past 90 days. It infected 1238 domain(s), including clonestop;com/, warseer;com/, showbiz411;com/.
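
Added example (not part of any forum post and not Joomla project code): a read-only audit that supports the checklist above by comparing a live site against a freshly unpacked copy of the same release, flagging modified files (and whether the first line changed, as in the index.php injection described at the top of the thread), files absent from the clean copy, and anything world-writable such as 777. The function names and the two directory arguments are assumptions.

```python
import hashlib
import os
import stat


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _first_line(path):
    with open(path, "rb") as fh:
        return fh.readline(65536)


def audit(site_root, clean_root):
    """Return {relative_path: [findings]} for the live site vs. a clean copy."""
    report = {}
    for dirpath, dirs, names in os.walk(site_root):
        for name in dirs + names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, site_root)
            findings = []
            if os.path.isfile(full):
                clean = os.path.join(clean_root, rel)
                if not os.path.isfile(clean):
                    findings.append("not-in-clean-copy")  # possible dropped file
                elif _sha256(full) != _sha256(clean):
                    findings.append("modified")
                    # Code prepended to line 1 shows up here.
                    if _first_line(full) != _first_line(clean):
                        findings.append("first-line-changed")
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:  # writable by "other", e.g. 777 or 666
                findings.append("world-writable %o" % mode)
            if findings:
                report[rel] = findings
    return report


if __name__ == "__main__":
    import sys
    for rel, why in sorted(audit(sys.argv[1], sys.argv[2]).items()):
        print(rel, ", ".join(why))
```

Legitimate site-specific files (configuration.php, uploads, cache, installed extensions) will also appear as not-in-clean-copy, so that list is for review rather than automatic deletion.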

Re: Joomla 1.5.22 site hacked

Posted: Fri Apr 22, 2011 1:18 pm
by Dougj
Well I am not sure if your response was intended to be terse or not, but it reads that way to me. My only question was if anyone had discovered the source (app or whatever) of this issue.

Anyways it may just be the way I read it

Yes I went thru that Joomla page before contacting this forum and considered all those items. I find none of my extensions on the vulnerability list and when I searched the Joomla search box for that location I continually got a message that the words "globalpoweringgathering" and "global" "powering" and "gathering" were too common and had been stripped from the search phrase. That made that search of little consequence. While searching Google, as I already stated, several of us came up with little that actually helped find the root cause of the infection.

We have cleaned and rebuilt the site with new code completely and so far no issues. However we are still using 1.5.22 as the move at this point is too cumbersome for the customer's needs.
All directories and files have correct permissions, passwords have all been changed and are regularly and we find no logs indicating any issues.

I also notice you stripped the name of the exploit from my subject. That was put there in the first place on purpose to increase the search results for the next person trying to find info on this??? Not sure why you changed that??


Re: Joomla 1.5.22 site hacked

Posted: Fri Apr 22, 2011 6:15 pm
by mandville
my post was the standard copy and paste from ... 3#p2480983 to cover a multitude of scenarios.

the information i provided on it was confirmation it was malicious, and none of the links were clickable to prevent people from following it and getting infected (which some WILL do!)

The fact is you were hacked, your host was hacked or you had your ftp credentials used. how that happened is not known, and for others with a similar situation on next weeks a help to resolve it.

The script actually infected not just joomla sites,

Re: Joomla 1.5.22 site hacked

Posted: Mon Apr 25, 2011 1:30 pm
by sucuri
Note that this infection you mentioned is not specific to Joomla. We first saw it on WordPress sites and now we are seeing it on Joomla too. In fact, the first time it happened, it was due to a GoDaddy mass infection on their shared hosts...

As far as the infection, it comes in two ways (when not caused by a shared server compromise):

1-Through vulnerable web applications (are you using old versions of Joomla or WordPress?)
2-Stolen passwords.

And it doesn't matter if your site is updated now (after the fact). Because the attackers probably left backdoors and even if you just upgraded your site, they can come back easily. Same thing for passwords... If your desktop is infected with a virus, it can be easily stolen too (no matter how many times you change it).

So, update your sites, change your passwords, clean up your desktops, remove backdoors, use strong passwords, follow mandville's recommendations (IMPORTANT) and you should be good.