Finding a hidden link

Posted: Tue Apr 28, 2015 7:25 pm
by rustyrainbow
I've recently taken over the website for my work, and discovered that the main page is blocked on a couple different antivirus programs because of a hidden link.

This ONLY shows on the main page. I have scoured the active template code and been unable to find it in the PHP files. I only found it using the web developer tool for Google Chrome, by disabling embedded styles. It seems to be located in the wrapper, but I have found no correlating code. It seems to be located in the wrapper but like I said I've dug through the template and found nothing but the author code which is NOT the hidden link.

This is the line of code I've located via the web developer:

Code:

function dnnViewState() {......}dnnViewState();</script>
<style undefined="">.dnn{...}</style>
<p class="dnn"><a href="http://www.freetemplatespot.com/">free joomla templates</a></p>
<p class="dnn">tu </p>

I've googled and know what to delete, but can't locate it. But then, I can only find the index.php but not header.php or footer.php but I've dug through all the php files. I think. I must be missing something. Any ideas? I am starting to wonder if maybe it is attached to the featured page, but again, don't know where to look for the code.

Re: Finding a hidden link

Posted: Tue Apr 28, 2015 7:33 pm
by Webdongle
Your other post http://forum.joomla.org/viewtopic.php?f=615&p=3297084 says you have more problems. It may be a case of installing a fresh J3.4.1 without sample data and rebuilding the site from scratch. Suggest you use XAMPP (or MAMP on Mac) to provide a localhost on your computer.

Re: Finding a hidden link

Posted: Tue Apr 28, 2015 9:27 pm
by mandville
Let me guess, you have one of these ...
- Autson Skitter Slideshow (mod_AutsonSlideShow)
The malicious code is located in the "tmpl" folder, in the php file(s).

- Share This for Joomla! (mod_JoomlaShare This)
The malicious code is located in mod_JoomlaShare This.php.

- VirtueMart Advanced Search (mod_virtuemart_advsearch)
The malicious code is located in mod_virtuemart_advsearch.php.

- AddThis For Joomla (mod_AddThisForJoomla)
The malicious code is located in mod_AddThisForJoomla.php.

- Plimun Nivo Slider (mod_PlimunNivoSlider)
The malicious code is located in the "tmpl" folder, in the php file(s).



http://forum.joomla.org/viewtopic.php?t=795946

Re: Finding a hidden link

Posted: Mon May 04, 2015 3:13 pm
by rustyrainbow
There is an addthis in the template, but all I can find is a socialbuttons.php which doesn't seem to have anything malicious.

I think I've made progress though. I found something in the function.php which held a link to what I thought was the site generating the link, and deleted it, but it is still there.

This is the line I deleted:

Code:

$source = "http://fuina.com/b/tu.php";

I also found this code in the active template from freshjoomlatemplates. The hidden link is to freetemplatespot where a different, inactive template is from. Are these sites from the same people?

((The forum keeps telling me something in my post is blacklisted and giving me an error. Anybody know why this keeps happening when I'm adding nothing but regular text?))

Re: Finding a hidden link

Posted: Mon May 04, 2015 5:12 pm
by Bernard T
Start with these topics:
http://vel.joomla.org/articles/844-spot ... sions.html
http://forum.joomla.org/viewtopic.php?t=795946

Tip: Ditch the templates from the sources mentioned and go find a more trustworthy source of templates. Or you will again be in situations like this.
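
One way to run the search this thread describes, as an added example that is not part of any post: the markup seen in the browser may never exist on disk if it is fetched from a remote URL when the page is built (an assumption, consistent with the `$source` line quoted above), so the scan looks for the rendered markers and also for PHP that assigns or fetches a remote URL. The function names and the site-root argument are hypothetical; the indicator strings and module names are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not code from the thread. Run against a local copy of the
# site, e.g.:  scan_hidden_link /path/to/joomla

# Print file:line:text for every indicator hit under the given directory.
scan_hidden_link() {
    root=$1
    # Strings visible in the rendered page (browser developer tools).
    rendered='dnnViewState|class="dnn"|freetemplatespot\.com'
    # PHP that assigns a remote URL to a variable, as in the deleted
    # $source = "http://..." line, or passes one straight to a fetch call.
    q="[\"']"
    assign="\\\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*${q}https?://"
    fetch="(file_get_contents|fopen|curl_init)[[:space:]]*\\([[:space:]]*${q}https?://"
    find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -nHE "$rendered|$assign|$fetch" {} +
}

# List installed copies of the modules named in the reply above.
# "Share This for Joomla!" is left out because its folder name is printed
# with a space on the page and cannot be matched reliably.
list_flagged_modules() {
    root=$1
    find "$root" -type d \( -iname 'mod_AutsonSlideShow' \
        -o -iname 'mod_virtuemart_advsearch' \
        -o -iname 'mod_AddThisForJoomla' \
        -o -iname 'mod_PlimunNivoSlider' \)
}
```

Every hit needs a manual look: core and extension files legitimately contain remote URLs too, so a match is a place to read, not proof of injected code.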