site hacked japanese in search result

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
angelob
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon Feb 26, 2018 2:54 am

site hacked japanese in search result

Post by angelob » Mon Feb 26, 2018 3:02 am

Hello!

Thanks for the previous information, I had the same issue as the website was running still Joomla 2.5.24 (!).

In my case the infected files were:
  • mb_s.png
    logo_s.png
    log_s.png
These files were in system/media/images and were actually not .png but contained PHP code.

What I did to solve was:
1. Updating Joomla and PHP version

2. Because index.php changes from one version of Joomla to the other, the hack - which was constantly reverting index.php back to one with injected php code, cause the site to malfunction - with a 500 server error. If I replaced index.php with the default one for the fresh version of Joomla, it worked - but few minutes later the original faulty index.php - containing a part about logo_s.png, came back.

3. Deleting those .png files was not enough - they came back. What worked was setting read only permissions to system/media/images after having deleted them, and read only permissions for .htaccess and index.php.

I hope this works for you too!

Cheers,
Angelo

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2612
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: site hacked japanese in search result

Post by JAVesey » Mon Feb 26, 2018 8:01 am

Congratulations! You win today's "Lazarus Award" for resurrecting old threads :laugh:
angelob wrote:3. Deleting those .png files was not enough - they came back. What worked was setting read only permissions to system/media/images after having deleted them, and read only permissions for .htaccess and index.php.
All you have done is paper over the cracks. The hack is still on your system and your site is still infected. There will be more to the hack than just those files...

Don't believe me? Submit your site for a free scan/audit at myjoomla.com and see what it reveals to you.

There is only one way to reliably clean your site:
viewtopic.php?f=714&t=946026
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28


Locked

Return to “Security in Joomla! 2.5”