Script hack

Discussion regarding Joomla! 2.5 security issues.

senojeel
Joomla! Enthusiast
Posts: 134
Joined: Fri Dec 15, 2006 6:52 pm
Location: Indianapolis, IN

Script hack

Post by senojeel » Wed Feb 18, 2015 3:35 am

I cannot find the source of this hack. I have tried Jamss. I have made sure the site is updated to last 2.version. The hack only appears for a few seconds on page load and then disappears.

Here is a screenshot: https://www.dropbox.com/s/7pti1uuxdfasx ... 6.png?dl=0

Below is from the forum post assistant. Not exactly sure what I am supposed to do with it...

Any tips on getting rid of this hack?

Thanks!
Shawn

Forum Post Assistant (v1.2.4) : 17th February 2015
Problem Description :: Script hack
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 10005 (uid: /gid: ) | Group: 505 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab093.5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/dancekal.org/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.3 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/vhosts/dancekal.org/:/tmp/ | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 256M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 128M

MySQL Configuration :: Version: 5.0.95 (Client:5.0.95) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 31.31 MiB | #of Tables:  97

Detailed Environment ::
PHP Extensions :: Core (5.3.3) | date (5.3.3) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | session () | iconv () | pcntl () | Reflection ($Revision: 300393 $) | standard (5.3.3) | shmop () | SPL (0.2) | SimpleXML (0.1) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | cgi-fcgi () | curl () | dom (20031129) | fileinfo (1.0.5-dev) | gd () | imap () | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_sqlite (1.0.1) | Phar (2.0.1) | snmp () | SQLite (2.0-dev) | wddx () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Extensions Discovered ::
Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | WF_STYLESELECT_TITLE (2.4.6) | WF_VISUALBLOCKS_TITLE (2.4.6) | WF_LINK_TITLE (2.4.6) | WF_PREVIEW_TITLE (2.4.6) | WF_ANCHOR_TITLE (2.4.6) | WF_FULLSCREEN_TITLE (2.4.6) | WF_XHTMLXTRAS_TITLE (2.4.6) | WF_STYLE_TITLE (2.4.6) | WF_TEXTCASE_TITLE (2.4.6) | WF_LAYER_TITLE (2.4.6) | WF_IMGMANAGER_TITLE (2.4.6) | WF_CLEANUP_TITLE (2.4.6) | WF_VISUALCHARS_TITLE (2.4.6) | WF_KITCHENSINK_TITLE (2.4.6) | WF_DIRECTIONALITY_TITLE (2.4.6) | WF_SOURCE_TITLE (2.4.6) | WF_CONTEXTMENU_TITLE (2.4.6) | WF_FONTSIZESELECT_TITLE (2.4.6) | WF_AUTOSAVE_TITLE (2.4.6) | WF_SPELLCHECKER_TITLE (2.4.6) | WF_BROWSER_TITLE (2.4.6) | WF_TABLE_TITLE (2.4.6) | WF_NONBREAKING_TITLE (2.4.6) | WF_SEARCHREPLACE_TITLE (2.4.6) | WF_CHARMAP_TITLE (2.4.6) | WF_INLINEPOPUPS_TITLE (2.4.6) | WF_FORMATSELECT_TITLE (2.4.6) | WF_PRINT_TITLE (2.4.6) | WF_MEDIA_TITLE (2.4.6) | WF_FONTSELECT_TITLE (2.4.6) | WF_ARTICLE_TITLE (2.4.6) | WF_LISTS_TITLE (2.4.6) | WF_CLIPBOARD_TITLE (2.4.6) | WF_FONTCOLOR_TITLE (2.4.6) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.6) | WF_LINK_SEARCH_TITLE (2.4.6) | WF_LINKS_JOOMLALINKS_TITLE (2.4.6) | WF_POPUPS_WINDOW_TITLE (2.4.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.6) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.6) | WF_AGGREGATOR_[youtube]_TITLE (2.4.6) | WF_AGGREGATOR_VIMEO_TITLE (2.4.6) | WF_AGGREGATOR_VINE_TITLE (2.4.6) |
Components :: ADMIN :: Admintools (3.4.4) | com_cache (2.5.0) | com_modules (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_languages (2.5.0) | com_cpanel (2.5.0) | com_redirect (2.5.0) | com_users (2.5.0) | com_admin (2.5.0) | com_search (2.5.0) | com_finder (2.5.0) | Widgetkit (1.0.0 BETA 8) | com_weblinks (2.5.0) | com_newsfeeds (2.5.0) | com_phocadownload (2.1.9) | com_login (2.5.0) | com_banners (2.5.0) | com_templates (2.5.0) | Akeeba (3.9.1) | com_media (2.5.0) | com_installer (2.5.0) | com_messages (2.5.0) | com_menus (2.5.0) | com_joomlaupdate (2.5.0) | com_plugins (2.5.0) | Widgetkit (1.4.7) | JCE (2.4.6) | Unknown (-) | com_categories (2.5.0) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_menu (2.5.0) | mod_footer (2.5.0) | Widgetkit (1.0.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | mod_related_items (2.5.0) | mod_languages (2.5.0) | mod_articles_news (2.5.0) | mod_search (2.5.0) | mod_login (2.5.0) | Widgetkit Twitter (1.0.0) | mod_banners (2.5.0) | mod_finder (2.5.0) | mod_random_image (2.5.0) | mod_wrapper (2.5.0) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_articles_popular (2.5.0) | mod_whosonline (2.5.0) | mod_feed (2.5.0) | mod_articles_categories (2.5.0) | mod_custom (2.5.0) | mod_users_latest (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) |
Modules :: ADMIN :: mod_latest (2.5.0) | mod_menu (2.5.0) | mod_status (2.5.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_login (2.5.0) | mod_toolbar (2.5.0) | mod_popular (2.5.0) | mod_logged (2.5.0) | mod_feed (2.5.0) | mod_submenu (2.5.0) | mod_version (2.5.0) | mod_quickicon (2.5.0) | mod_custom (2.5.0) |

Plugins :: SITE :: plg_editors_jce (2.4.6) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.11) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | PLG_EDITORS-XTD_MODULESANYWHER (1.13.3) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_phocadownload (2.0.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | System - Google Analytics 4 Jo (1.0) | System - Widgetkit ZOO (3.1.0) | plg_system_xcalendar (1.5.0) | plg_system_highlight (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | plg_system_debug (2.5.0) | plg_system_logout (2.5.0) | plg_system_log (2.5.0) | PLG_SYSTEM_MODULESANYWHERE (1.13.3) | System - Widgetkit (1.0.0) | plg_system_remember (2.5.0) | System - Widgetkit Joomla (1.0.0) | plg_system_languagecode (2.5.0) | PLG_SYSTEM_NNFRAMEWORK (11.11.3) | plg_system_sef (2.5.0) | plg_system_redirect (2.5.0) | System - Admin Tools (3.4.4) | plg_system_cache (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_EOSNOTIFY (2.5.0) | plg_quickicon_jcefilebrowser (2.4.6) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_emailcloak (2.5.0) | Content - JPlayer (1.6.2) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - Widgetkit (1.0.0) | plg_content_phocadownload (2.0.1) | plg_content_pagebreak (2.5.0) | plg_content_joomla (2.5.0) | plg_content_vote (2.5.0) | plg_content_loadmodule (2.5.0) | plg_extension_joomla (2.5.0) |

Templates Discovered ::
Templates :: SITE :: atomic (2.5.0) | beez_20 (2.5.0) | yoo_dance (1.0) | beez5 (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

itoctopus
Joomla! Virtuoso
Posts: 4026
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Script hack

Post by itoctopus » Wed Feb 18, 2015 6:23 am

Check your JavaScript files - particularly check any mootools*.js file (these tend to be hacked a lot). Most likely the problem is there.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
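
An added example (not part of the original posts, and not Joomla's own tooling): one way to carry out the JavaScript check suggested above is to hash every .js file on the site against a clean copy of the same Joomla release, then look for common obfuscation markers in whatever differs. The `audit_js` name, the directory layout and the file contents in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Markers often seen in injected or obfuscated JavaScript; a hit is a lead, not proof.
SUSPICIOUS = re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(")


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_js(site_root, clean_root):
    """Compare every .js file under site_root with the same path in clean_root."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    report = {"modified": [], "unexpected": [], "suspicious": []}
    for js in sorted(site_root.rglob("*.js")):
        rel = js.relative_to(site_root).as_posix()
        reference = clean_root / rel
        if not reference.is_file():
            report["unexpected"].append(rel)   # not shipped in the clean package
        elif sha256(js) != sha256(reference):
            report["modified"].append(rel)     # differs from the pristine copy
        else:
            continue                           # byte-identical: nothing to review
        if SUSPICIOUS.search(js.read_text(errors="replace")):
            report["suspicious"].append(rel)
    return report


def demo():
    """Build two small constructed trees (hypothetical contents) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        files = {"media/system/js/mootools-core.js": "var MooTools = {};\n",
                 "media/system/js/core.js": "var Joomla = {};\n"}
        for root in (site, clean):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed tampering: a line appended to a core file, plus a stray file.
        with open(site / "media/system/js/mootools-core.js", "a") as fh:
            fh.write("eval(unescape('%61'));\n")
        (site / "media/system/js/stats.js").write_text("var n = 1;\n")
        return audit_js(site, clean)


if __name__ == "__main__":
    print(demo())
```

Files listed as unexpected deserve the same review as modified ones, since extension and template scripts are not in the core package and have to be compared against their own clean installers.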

senojeel
Joomla! Enthusiast
Posts: 134
Joined: Fri Dec 15, 2006 6:52 pm
Location: Indianapolis, IN

Re: Script hack

Post by senojeel » Wed Feb 18, 2015 1:24 pm

Thanks. I will check those. Although I thought I replaced all of them with clean versions.

PS...Sorry for my horrible typos up in my first post.

senojeel
Joomla! Enthusiast
Posts: 134
Joined: Fri Dec 15, 2006 6:52 pm
Location: Indianapolis, IN

Re: Script hack

Post by senojeel » Wed Feb 18, 2015 1:47 pm

OK. I have replaced all of the JavaScript files for Joomla and my template. I went through and looked at JS files for components and didn't see anything out of the ordinary. I have also searched through my DB for eval code and some other strings.

Any more ideas? It is still there when I switch templates too.
