Finding a hidden link

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
rustyrainbow
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Tue Apr 28, 2015 6:30 pm

Finding a hidden link

Post by rustyrainbow » Tue Apr 28, 2015 7:25 pm

I've recently taken over the website for my work, and discovered that the main page is blocked on a couple different antivirus programs because of a hidden link.

This ONLY shows on the main page. I have scoured the active template code and been unable to find it in the php files. I only found it using the web developer tool for google chrome, by disabling embedded styles. It seems to be located in the wrapper, but I have found no correlating code. It seems to be located in the wrapper but like I said I've dug through the template and found nothing but the author code which is NOT the hidden link.

This is the line of code I've located via the web developer:

Code: Select all

function dnnViewState() {......}dnnViewState();</script>
<style undefined="">.dnn{...}</style>
<p class="dnn"><a href="http://www.freetemplatespot.com/">free joomla templates</a></p>
<p class="dnn">tu </p>

I've googled and know what to delete, but can't locate it. But then, I can only find the index.php but not header.php or footer.php but I've dug through all the php files. I think. I must be missing something. Any ideas? I am starting to wonder if maybe it is attached to the featured page, but again, don't know where to look for the code.
Last edited by mandville on Tue Apr 28, 2015 9:25 pm, edited 1 time in total.
Reason: wrapped in code tags

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37565
Joined: Sat Apr 05, 2008 9:58 pm

Re: Finding a hidden link

Post by Webdongle » Tue Apr 28, 2015 7:33 pm

Your other post http://forum.joomla.org/viewtopic.php?f=615&p=3297084 says you have more problems. It may be a case of installing a fresh J3.4.1 without sample data and rebuilding the site from scratch. Suggest you use xampp(or mamp on mac) to provide a localhost on your computer.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14850
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Finding a hidden link

Post by mandville » Tue Apr 28, 2015 9:27 pm

let me guess you have one of these ...
- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).

- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.

- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.

- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.

- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).



http://forum.joomla.org/viewtopic.php?t=795946
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

rustyrainbow
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Tue Apr 28, 2015 6:30 pm

Re: Finding a hidden link

Post by rustyrainbow » Mon May 04, 2015 3:13 pm

There is an addthis in the template, but all I can find is a socialbuttons.php which doesn't seem to have anything malicious.

I think I've made progress though. I found something in the function.php which held a link to what I thought was the site generating the link, and deleted it, but it is still there.

This is the line I deleted:

Code: Select all

$source = "http://fuina.com/b/tu.php";
I also found this code in the active template from freshjoomlatemplates. The hidden link is to freetemplatespot where a different, inactive template is from. Are these sites from the same people?

((The forum keeps telling me something in my post is blacklisted and giving me an error. Anybody know why this keeps happening when I'm adding nothing but regular text?))

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Finding a hidden link

Post by Bernard T » Mon May 04, 2015 5:12 pm

Start with this topics:
http://vel.joomla.org/articles/844-spot ... sions.html
http://forum.joomla.org/viewtopic.php?t=795946

Tip: Ditch the templates from sources metioned and go find more trustworthy source of templates. Or you will be again in situations like this.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak


Locked

Return to “Security in Joomla! 2.5”