Outside advertisement is added to my site [virus?]

Post by JFA » Mon Mar 09, 2015 7:51 pm

My Joomla site http://www.masihiatchist.com is displaying an ad at the bottom of the page, and sometimes if I click on a tab it takes me to external advertising pages. What is this and how do I get rid of it?

Re: Outside advertisement is added to my site [virus?]

Post by numinousmedia » Tue Mar 10, 2015 1:31 am

There's definitely a lot of Google ad activity on your site. Did you intend to have Google Ads on your site?
Ryan
Frontend Developer and Joomla Professional
Ethode Website Development: http://www.ethode.com
Personal Site: http://www.numinousmedia.com

Re: Outside advertisement is added to my site [virus?]

Post by JFA » Wed Mar 18, 2015 10:16 pm

No, never.

Re: Outside advertisement is added to my site [virus?]

Post by numinousmedia » Thu Mar 19, 2015 12:44 am

There are a ton of scripts running on your site, many of them appear to be Google ad related. Most likely someone hacked your site and has added Google ads to your site. I would recommend working through the Joomla Security Checklist: https://docs.joomla.org/Security_Checkl ... or_defaced If you are uncomfortable working through the items on this list, you may need to hire a professional to take care of it for you.
Ryan
Frontend Developer and Joomla Professional
Ethode Website Development: http://www.ethode.com
Personal Site: http://www.numinousmedia.com

Joomla site hacked or it is defected

Post by JFA » Wed Apr 01, 2015 5:09 pm

I have run the FPA.

Problem Description :: Site defected/hacked

Forum Post Assistant (v1.2.4) : 1st April 2015

Basic Environment ::
Joomla! Instance :: Joomla! 2.5.27-Stable (Ember) 30-September-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 1448565 (uid: /gid: ) | Group: 1660267 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.39-grsec-3.mosso5.1.x86_64 | Technology: x86_64 | Web Server: Apache/2.2 | Encoding: gzip, deflate | Doc Root: /mnt/stor14-wc1-ord1/895923/www.masihiatchist.com/web/content | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.20 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 30711 | Log Errors To: /mnt/stor14-wc1-ord1/895923/www.masihiatchist.com/logs/php_errors.log | Last Known Error: | Register Globals: | Magic Quotes: 0 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 8M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.70-log (Client:5.0.77) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 8.12 MiB | #of Tables: 86

Detailed Environment ::
PHP Extensions :: Core (5.3.20) | date (5.3.20) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | Reflection ($Id: 8b8b8869e3631d1798f2b512137a0efb22e9b7b8 $) | session () | standard (5.3.20) | shmop () | SimpleXML (0.1) | sockets () | exif (1.4 $Id$) | tokenizer (0.1) | xml () | apache2handler () | bcmath () | curl () | dba () | dom (20031129) | fileinfo (1.0.5-dev) | gd () | imagick (3.0.1) | imap () | intl (1.1.0) | json (1.2.1) | ldap () | pdf (2.2.0) | mbstring () | mcrypt () | memcache (2.2.6) | mongo (1.3.3) | mssql () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | recode () | redis (2.0.11) | snmp () | soap () | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | uploadprogress (1.0.3.1) | wddx () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | yaz (1.1.3) | zip (1.11.0) | ionCube Loader () | Zend Guard Loader () | XCache (1.3.2) | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | itk | http_core | mod_so | mod_auth_basic | mod_authn_file | mod_authz_host | mod_authz_user | mod_authz_groupfile | mod_authz_default | mod_include | mod_log_config | mod_env | mod_expires | mod_headers | mod_setenvif | mod_mime | mod_status | mod_autoindex | mod_negotiation | mod_dir | mod_alias | mod_rewrite | mod_actions | mod_unique_id | mod_auth_mysql | mod_deflate | mod_nogzip | mod_rpaf-2 | mod_slotlimit | mod_php5 | Apache/2.2 |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |

Folder Permissions ::
Core Folders :: images/ (775) | components/ (775) | modules/ (775) | plugins/ (775) | language/ (775) | templates/ (775) | cache/ (775) | logs/ (775) | tmp/ (775) | administrator/components/ (775) | administrator/modules/ (775) | administrator/language/ (775) | administrator/templates/ (775) |

Elevated Permissions (First 10) :: administrator/ (775) | administrator/Masihiatchist/ (775) | administrator/Masihiatchist/install_53343d156b60f/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/install_53343d1588ef8/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/install_53343d1588ef8/admin/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/install_53343d1588ef8/admin/extensions/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/install_53343d1588ef8/admin/extensions/editors/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/install_53343d1588ef8/admin/extensions/editors/locales/ (775) | administrator/Masihiatchist/install_53343d156b60f/packages/install_53343d1588ef8/admin/extensions/editors/locales/en_gb/ (775) |

Extensions Discovered ::
Components :: SITE :: WF_AGGREGATOR_VIMEO_TITLE (2.4.6) | WF_AGGREGATOR_VINE_TITLE (2.4.6) | WF_AGGREGATOR_[youtube]_TITLE (2.4.6) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.6) | WF_LINKS_JOOMLALINKS_TITLE (2.4.6) | K2 Links for JCE Link (2.2) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.6) | WF_POPUPS_WINDOW_TITLE (2.4.6) | WF_LINK_SEARCH_TITLE (2.4.6) | WF_ANCHOR_TITLE (2.4.6) | WF_ARTICLE_TITLE (2.4.6) | WF_AUTOSAVE_TITLE (2.4.6) | WF_BROWSER_TITLE (2.4.6) | WF_CHARMAP_TITLE (2.4.6) | WF_CLEANUP_TITLE (2.4.6) | WF_CLIPBOARD_TITLE (2.4.6) | WF_CONTEXTMENU_TITLE (2.4.6) | WF_DIRECTIONALITY_TITLE (2.4.6) | WF_FULLSCREEN_TITLE (2.4.6) | WF_IMGMANAGER_TITLE (2.4.6) | WF_INLINEPOPUPS_TITLE (2.4.6) | WF_KITCHENSINK_TITLE (2.4.6) | WF_LAYER_TITLE (2.4.6) | WF_LINK_TITLE (2.4.6) | WF_LISTS_TITLE (2.4.6) | WF_MEDIA_TITLE (2.4.6) | WF_NONBREAKING_TITLE (2.4.6) | WF_PREVIEW_TITLE (2.4.6) | WF_PRINT_TITLE (2.4.6) | WF_SEARCHREPLACE_TITLE (2.4.6) | WF_SOURCE_TITLE (2.4.6) | WF_SPELLCHECKER_TITLE (2.4.6) | WF_STYLE_TITLE (2.4.6) | WF_TABLE_TITLE (2.4.6) | WF_TEXTCASE_TITLE (2.4.6) | WF_VISUALBLOCKS_TITLE (2.4.6) | WF_VISUALCHARS_TITLE (2.4.6) | WF_XHTMLXTRAS_TITLE (2.4.6) | WF_FONTCOLOR_TITLE (2.4.6) | WF_FONTSELECT_TITLE (2.4.6) | WF_FONTSIZESELECT_TITLE (2.4.6) | WF_FORMATSELECT_TITLE (2.4.6) | WF_STYLESELECT_TITLE (2.4.6) | com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_admin (2.5.0) | COM_ALFCONTACT (2.0.8) | com_banners (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_cpanel (2.5.0) | DM Helper (1.1.0) | COM_DMPINBOARDLITE (1.3.0) | com_finder (2.5.0) | com_installer (2.5.0) | Unknown (-) | JCE (2.4.6) | com_joomlaupdate (2.5.0) | com_languages (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_newsfeeds (2.5.0) | com_plugins (2.5.0) | com_redirect (2.5.0) | com_search (2.5.0) | com_templates (2.5.0) | com_users (2.5.0) | com_weblinks (2.5.0) | FlexiContact (8.03) | COM_JANTIVIRUS (3.5) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_category (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_footer (2.5.0) | mod_languages (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_random_image (2.5.0) | mod_related_items (2.5.0) | Responsive CSS3 Slider (3.1) | mod_search (2.5.0) | Simple Email Form (1.8.5) | mod_stats (2.5.0) | mod_syndicate (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_whosonline (2.5.0) | mod_wrapper (2.5.0) | JSE Facebook Like Box (1.0) | Awesome Facebook Feeds Slider (1.0.0) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_feed (2.5.0) | mod_latest (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_submenu (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_version (2.5.0) | mod_jantivirus (2.5.0) |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_cdlockarticle (2.5.x.2.0.5) | ContactUs Form (2.5.1) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_geshi (2.5.0) | plg_content_imgresizecache (1.1.4) | plg_content_joomla (2.5.0) | Simple Image Gallery (by Jooml (3.0.1) | Simple Image Gallery (by Jooml (3.0.1) | plg_content_loadmodule (2.5.0) | plg_content_mavikthumbnails (1.0) | plg_content_pagebreak (2.5.0) | plg_content_pagenavigation (2.5.0) | Simple Picture Slideshow (1.5.8) | plg_content_vote (2.5.0) | HM Tube (1.1) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | PLG_EDITORS-XTD_MODULESANYWHER (3.6.0FREE) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | PLG_EDITORS-XTD_SOURCERER (4.4.9FREE) | plg_editors_codemirror (1.0) | plg_editors_jce (2.4.6) | plg_editors_tinymce (3.5.4.1) | plg_extension_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.4.6) | plg_quickicon_joomlaupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | plg_system_cache (2.5.0) | Community Builder (1.8) | JA Comment (2.5.0) | K2 (2.5.5) | Widgetkit (1.0.5) | ZOO (2.5.17) | Google Libraries API (unknown) | YT Warp Theme Framework (6.1.6) | plg_system_cdscriptegrator (2.5.x.2.3.6) | plg_system_debug (2.5.0) | plg_system_highlight (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | PLG_SYSTEM_MODULESANYWHERE (3.6.0FREE) | PLG_SYSTEM_NNFRAMEWORK (15.2.11) | plg_system_p3p (2.5.0) | plg_system_redirect (2.5.0) | 
plg_system_remember (2.5.0) | plg_system_sef (2.5.0) | PLG_SYSTEM_SOURCERER (4.4.9FREE) | PLG_SYSTEM_VIDEOBOX (4.0.0 RC4) | aiRedirectWww (1.0.4) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) |

Templates Discovered ::
Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | Eclipse (3.1) | iFreedom-FJT (2.5.0) | JustBusiness-FJT (2.5.0) | Malita-FJT (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Last edited by mandville on Wed Apr 01, 2015 5:38 pm, edited 1 time in total.
Reason: disabled smilies for clarity.

Re: Joomla site hacked or it is defected

Post by sitesrus » Thu Apr 02, 2015 8:02 pm

I HATE when people just say "i've been hacked". Explain clearly exactly what happened, what you mean, and what's going on to give some perspective.

And I don't recall but shouldn't folder perms be 755 and files 644...unless I'm wrong?

But anyways, my mind reading powers have been temporarily suspended and my special vision goggles that allow me to see everything you see and saw are broken right now and my special reading/hearing skills that automatically translate your lack of information into crystal clear information don't seem to be working...So use your gift of writing to help us help you!

Here's some info to start giving:

- Hosting provider
- Hosting plan (shared, dedicated, etc.)
- Explanation of behaviours/clues to lead you to believe you've been hacked
- Malicious files, embedded html, denial of service, something happen?
- etc...

I like working with Joomla :)

Re: Joomla site hacked or it is defected

Post by JFA » Mon Apr 06, 2015 4:50 pm

Hello, here is a much more detailed explanation of my issue:

- My hosting provider is Rackspace Cloud Sites
- My site, http://www.masihiatchist.com, lately has started displaying ads at the bottom of the page, and the menu bar becomes disabled and I can't click on it.
- Sometimes when I go to the site, it doesn't load the site and it takes me to another advertising site.
- The site is using Joomla 2.5 and I would like to migrate it to 3.x, but it gives me errors about the template, which I think is because the template is not supported in 3.x
- I have changed the password on the account as well

Re: Outside advertisement is added to my site [virus?]

Post by JFA » Mon Apr 06, 2015 4:51 pm

I worked on the site security and generated the FPA. Below is the post that I did with the result I got from FPA:

http://forum.joomla.org/viewtopic.php?f=621&t=881622

Re: Joomla site hacked or it is defected

Post by sitesrus » Mon Apr 06, 2015 5:06 pm

Did you pirate any software? For example did you download the template or extensions from any torrent sites?

I also see a javascript error on "nivooslider", NivooSlider.js:296 Uncaught TypeError: undefined is not a function

Best thing to do is disable all third party extensions, get your version of joomla off joomla.org and overwrite all core files, then only use legitimate plugins and re-install all extensions to get clean source/files. Clear your cache and re-visit the site. Change your passwords and clean up old ftp accounts and remove any ftp/ssh access and whatever accounts you leave update the passwords.

Check out free service from cloudflare, reverse proxy to resolve your DNS and give added security.

Fix your folder/file permissions.
I like working with Joomla :)
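
The "overwrite all core files" step above can be preceded by a comparison that shows what actually changed. The following is an added example, not code from the thread or from the Joomla project: it hashes a live site tree against a freshly unpacked clean copy of the same release and reports altered files and code files that exist only on the live site. The function names, the extension list and the demo tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def _digests(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_to_clean(live_root, clean_root, code_ext=(".php", ".js", ".html")):
    """Return (modified, extra) for a live tree checked against a clean one.

    modified: files in both trees whose contents differ.
    extra:    code files that exist only in the live tree. Legitimate
              third-party extensions land here too, so treat this list as
              "review and re-install from the vendor", not "delete".
    """
    live, clean = _digests(live_root), _digests(clean_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live
                   if p not in clean and p.lower().endswith(code_ext))
    return modified, extra


def build_demo_trees(base):
    """Constructed sample data: a tiny 'clean' tree and a tampered 'live' copy."""
    trees = {
        "clean": {"index.php": b"<?php // core\n",
                  "includes/framework.php": b"<?php // framework\n"},
        "live": {"index.php": b"<?php // core\n",
                 "includes/framework.php": b"<?php // framework\n// appended\n",
                 "templates/demo/footer.php": b"<?php // not in core\n",
                 "images/logo.png": b"\x89PNG"},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return os.path.join(base, "live"), os.path.join(base, "clean")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        modified, extra = compare_to_clean(*build_demo_trees(tmp))
        print("modified:", modified)
        print("extra code files:", extra)
```

Run it against a copy of the site pulled from the server, with the clean tree unpacked from the matching Joomla release, so the check itself never executes anything on the affected host.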

Re: Joomla site hacked or it is defected

Post by JFA » Mon Apr 06, 2015 5:36 pm

No, I searched for Free Joomla templates and downloaded this template.
I will look into the extensions. Thank you for your help

Re: Joomla site hacked or it is defected

Post by Per Yngve Berg » Mon Apr 06, 2015 7:54 pm

PHP API: apache2handler (Should be 'fcgi' and the server should run SUPhp) This server is not suited for running Joomla.

Elevated permissions. Flag folders 755 and files 644.
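
The 755/644 recommendation repeated in this thread can be checked mechanically. The following is an added example, not code from the thread or from the FPA tool: it walks a site tree, lists every directory or file that grants more than 755 or 644 respectively, and can optionally clear the excess bits. It assumes the account running it owns the files; the function names and the demo tree are made up for illustration.

```python
import os
import stat
import tempfile

DIR_LIMIT, FILE_LIMIT = 0o755, 0o644  # the modes recommended in the thread


def audit_permissions(root, fix=False):
    """List entries under root that grant more than 755 (dirs) / 644 (files).

    Returns sorted (relative_path, current_mode, tightened_mode) tuples.
    Stricter modes, such as a 444 configuration.php, are left alone.
    With fix=True the excess bits are cleared as well.
    """
    entries = [root]
    for dirpath, dirs, files in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirs + files)
    findings = []
    for path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not meaningful
        limit = DIR_LIMIT if stat.S_ISDIR(st.st_mode) else FILE_LIMIT
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~limit:  # any bit set beyond the recommended mode
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, "%o" % mode, "%o" % (mode & limit)))
            if fix:
                os.chmod(path, mode & limit)
    return sorted(findings)


def build_demo_site(base):
    """Constructed sample tree; 775 and 444 mirror modes in the FPA report."""
    site = os.path.join(base, "site")
    os.makedirs(os.path.join(site, "tmp"))
    for rel, mode in (("tmp", 0o775), ("tmp/upload.php", 0o666),
                      ("index.php", 0o644), ("configuration.php", 0o444)):
        path = os.path.join(site, *rel.split("/"))
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(site, 0o755)
    return site


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, have, want in audit_permissions(build_demo_site(tmp)):
            print(f"{rel}: {have} -> {want}")
```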

Re: Joomla site hacked or it is defected

Post by mandville » Tue Apr 07, 2015 12:54 am

[note: merged topics for continuity]

OK. I am not sure how to say this so I will let leolam say it.
http://forum.joomla.org/viewtopic.php?t=709358
leolam wrote: "FreshJoomlaTemplates" is a known malicious template site
Leo 8)

and

http://vel.joomla.org/articles/1250-malicious-templates
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Re: Outside advertisement is added to my site [virus?]

Post by sitesrus » Tue Apr 07, 2015 7:03 pm

Doesn't have to be fcgi and doesn't need suphp, these are just more ideal settings for hardening and recommended. But I don't think it necessarily means you're compromised if you don't follow these.

But now we know you weren't hacked, you hacked yourself!!! Reputable software origins are very important, and shelling out a few bucks for a professional template isn't the end of the world.

PS. mandville is seeeeexy!
I like working with Joomla :)
