Phishing Website

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
Brian55
Joomla! Apprentice
Joomla! Apprentice
Posts: 26
Joined: Sat Feb 25, 2012 12:21 am

Phishing Website

Post by Brian55 » Wed May 06, 2015 4:31 pm

Hi,
The company I have my domain name with sent me the following email:

"Your domain name has been reported as redirecting to a phishing website:

Code: Select all

http://www.dancefactorstudios. com/administrator/help/../documents/index.htm

Code: Select all

http://www.dancefactorstudios. com/administrator/help/../documents/index.htm
We realize that you may not be aware of this activity, but we do request that you take the necessary steps in order have any abusive content disbanded.

Thank you for your cooperation in this matter."

What can I do to solve this? I am using Joomla 2.5.28.
Thanks,
Brian.
Last edited by mandville on Wed May 06, 2015 6:13 pm, edited 2 times in total.
Reason: broke link. posting a complete link to a hack site can be irresponsible and dangerous.

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Phishing Website

Post by Bernard T » Wed May 06, 2015 4:42 pm

  • Read the sticky post: http://forum.joomla.org/viewtopic.php?f=621&t=582854
  • Post the FPA result
  • Start the check with your .htaccess file (download to your local pc, watch for text tabbed right)
  • then check the contents of index.php
  • if you use freeware or warezware templates and/or extensions - those are the usual suspects
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

Brian55
Joomla! Apprentice
Joomla! Apprentice
Posts: 26
Joined: Sat Feb 25, 2012 12:21 am

Re: Phishing Website

Post by Brian55 » Wed May 06, 2015 8:52 pm

Problem Description :: Forum Post Assistant (v1.2.4) : 6th May 2015 wrote:Your domain name has been reported as redirecting to a phishing website
Forum Post Assistant (v1.2.4) : 6th May 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: brian55 (uid: 1/gid: 1) | Group: vusers (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 2 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.10.66-xeon-hst-xeon-hst | Technology: x86_64 | Web Server: Apache mod_fcgid/2.3.7 mod_auth_pgsql/2.0.3 | Encoding: gzip, deflate | Doc Root: /home/www/joomla2.5.28.us.tempcloudsite.com | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.39 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.38 (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: utf8_unicode_ci (Character Set: utf8) | Database Size: 82.95 MiB | #of Tables: 522
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.39) | date (5.4.39) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | standard (5.4.39) | PDO (1.0.4dev) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | imap () | SimpleXML (0.1) | soap () | sockets () | pdo_mysql (1.0.2) | exif (1.4 $Id: 7f95ff43ea7cc9a2c41a912863ed70069c0e34c5 $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | mysqli (0.1) | cgi-fcgi () | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: WF_LINK_SEARCH_TITLE (2.4.6) | WF_LINKS_JOOMLALINKS_TITLE (2.4.6) | WF_AGGREGATOR_[youtube]_TITLE (2.4.6) | WF_AGGREGATOR_VINE_TITLE (2.4.6) | WF_AGGREGATOR_VIMEO_TITLE (2.4.6) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.6) | WF_POPUPS_WINDOW_TITLE (2.4.6) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.6) | WF_DIRECTIONALITY_TITLE (2.4.6) | WF_IMGMANAGER_TITLE (2.4.6) | WF_NONBREAKING_TITLE (2.4.6) | WF_CLIPBOARD_TITLE (2.4.6) | WF_CHARMAP_TITLE (2.4.6) | WF_LISTS_TITLE (2.4.6) | WF_SOURCE_TITLE (2.4.6) | WF_STYLESELECT_TITLE (2.4.6) | WF_SEARCHREPLACE_TITLE (2.4.6) | WF_VISUALCHARS_TITLE (2.4.6) | WF_CLEANUP_TITLE (2.4.6) | WF_TABLE_TITLE (2.4.6) | WF_LAYER_TITLE (2.4.6) | WF_KITCHENSINK_TITLE (2.4.6) | WF_INLINEPOPUPS_TITLE (2.4.6) | WF_CONTEXTMENU_TITLE (2.4.6) | WF_LINK_TITLE (2.4.6) | WF_FONTSELECT_TITLE (2.4.6) | WF_PREVIEW_TITLE (2.4.6) | WF_STYLE_TITLE (2.4.6) | WF_TEXTCASE_TITLE (2.4.6) | WF_PRINT_TITLE (2.4.6) | WF_SPELLCHECKER_TITLE (2.4.6) | WF_BROWSER_TITLE (2.4.6) | WF_FULLSCREEN_TITLE (2.4.6) | WF_FORMATSELECT_TITLE (2.4.6) | WF_FONTSIZESELECT_TITLE (2.4.6) | WF_MEDIA_TITLE (2.4.6) | WF_XHTMLXTRAS_TITLE (2.4.6) | WF_ANCHOR_TITLE (2.4.6) | WF_VISUALBLOCKS_TITLE (2.4.6) | WF_AUTOSAVE_TITLE (2.4.6) | WF_FONTCOLOR_TITLE (2.4.6) | WF_ARTICLE_TITLE (2.4.6) | com_wrapper (2.5.0) | com_mailto (2.5.0) |
Components :: ADMIN :: com_modules (2.5.0) | com_config (2.5.0) | com_finder (2.5.0) | com_menus (2.5.0) | com_content (2.5.0) | com_search (2.5.0) | com_newsfeeds (2.5.0) | com_cpanel (2.5.0) | com_templates (2.5.0) | JEvents (2.1.20) | com_media (2.5.0) | com_login (2.5.0) | mod_k2_comments (-) | mod_k2_comments (-) | COM_K2 (2.6.9) | K2 (2.5.7) | com_admin (2.5.0) | com_redirect (2.5.0) | JCE (2.4.6) | Unknown (-) | com_checkin (2.5.0) | com_languages (2.5.0) | com_categories (2.5.0) | com_banners (2.5.0) | com_cache (2.5.0) | com_plugins (2.5.0) | Admintools (3.4.4) | Akeeba (4.1.2) | com_users (2.5.0) | jDownloads (1.9.0 Stable ) | com_joomlaupdate (2.5.0) | com_messages (2.5.0) | Fox Contact Joomla 1.5 (-) | COM_FOXCONTACT (2.0.14) | com_weblinks (2.5.0) | com_installer (2.5.0) |

Modules :: SITE :: sigplus (1.4.2.10) | K2 Comments (2.6.9) | mod_footer (2.5.0) | mod_banners (2.5.0) | MOD_FUOFB_XML_TITLE (1.4.2) | mod_articles_popular (2.5.0) | mod_related_items (2.5.0) | Fox Contact (2.0.14) | mod_random_image (2.5.0) | mod_articles_category (2.5.0) | JoomlaXTC Countdown Module (1.0.1) | mod_articles_news (2.5.0) | mod_feed (2.5.0) | Simple Marquee (1.6) | VS Image Rotator (1.0.1) | K2 Users (2.6.9) | mod_weblinks (2.5.0) | mod_users_latest (2.5.0) | mod_stats (2.5.0) | JEvents Calendar (2.1.3) | mod_articles_archive (2.5.0) | mod_finder (2.5.0) | mod_login (2.5.0) | mod_syndicate (2.5.0) | K2 Tools (2.6.9) | mod_languages (2.5.0) | mod_menu (2.5.0) | K2 Content (2.6.9) | Facebook FanBox (2.0) | Facebook FanBox (2.0) | JEvents Legend (2.1.13) | mod_breadcrumbs (2.5.0) | mod_articles_categories (2.5.0) | K2 User (2.6.9) | MOD_SMARTCOUNTDOWN (2.3.2) | showplus (1.0.4.3) | mod_wrapper (2.5.0) | JEvents Filter (2.1.14) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | MOD_RANDOM_IMAGE_EXTENDED (2.5-4) | K2 Login (2.5.7) | JCountDown (1.5.1) | mod_articles_latest (2.5.0) | Latest JEvents (2.1.6b) | mod_search (2.5.0) |
Modules :: ADMIN :: mod_title (2.5.0) | mod_login (2.5.0) | mod_status (2.5.0) | mod_multilangstatus (2.5.0) | mod_feed (2.5.0) | Reset Hits module (2.0.2) | mod_version (2.5.0) | mod_latest (2.5.0) | mod_logged (2.5.0) | K2 Stats (admin) (2.6.9) | mod_quickicon (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) | K2 Quick Icons (admin) (2.6.9) | mod_submenu (2.5.0) | mod_custom (2.5.0) | mod_toolbar (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_content_pagebreak (2.5.0) | Simple Image Gallery (by Jooml (2.2) | plg_content_geshi (2.5.0) | Content - Facebook Like Button (1.7.14) | Content - Image gallery - sigp (1.4.2.10) | plg_content_emailcloak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | googleMaps (2.5.19) | googleDirections (2.5.12) | plg_content_joomla (2.5.0) | Simple Image Gallery (by Jooml (3.0.1) | Simple Image Gallery (by Jooml (3.0.1) | googleDirections - To Here (2.58) | plg_content_finder (2.5.0) | plg_content_loadmodule (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | User - K2 (2.6.9) | plg_user_contactcreator (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_weblinks (2.5.0) | Search - K2 (2.6.9) | Search - JEvents (2.1.3) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | Josetta - K2 Items (2.6.9) | Josetta - K2 Categories (2.6.9) | plg_editors_codemirror (1.0) | plg_editors_jce (2.4.6) | plg_editors_tinymce (3.5.11) | plg_quickicon_jcefilebrowser (2.4.6) | PLG_EOSNOTIFY (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_finder_content (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_k2 (2.6.9) | plg_system_languagecode (2.5.0) | plg_system_remember (2.5.0) | plg_system_smartcountdown (2.0) | plg_system_redirect (2.5.0) | plg_system_highlight (2.5.0) | plg_system_sef (2.5.0) | plg_system_jdownloads (2.0.1) | plg_system_log (2.5.0) | System - Admin Tools (3.4.4) | plg_system_cache (2.5.0) | System - K2 (2.6.9) | plg_system_debug (2.5.0) | plg_system_logout (2.5.0) | JA T3 Framework (2.7.1) | plg_system_p3p (2.5.0) | plg_system_languagefilter (2.5.0) |
Templates Discovered :: wrote:Templates :: SITE :: rhuk_milkyway (1.0.2) | comaxium (1.0) | beez5 (2.5.0) | JA_Purity (1.2.0) | themza_j15_41 (1.0.0) | business3 (1.7.0) | beez_20 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Phishing Website

Post by Bernard T » Thu May 07, 2015 12:14 am

  • I see several suspicious or known vulnerable extensions (K2 (2.5.7), JEvents (2.1.20), jDownloads (1.9.0 Stable ) etc) ... compare all your extensions and their versions to VEL lists (Live and Resolved), uninstall everything (extensions + templates) you don't use, upgrade everything you use
  • not a critical problem, but note you are hosted on a server with old unsupported operating system and old Apache version 1.3 with known vulnerabilities and old vulnerable OpenSSL version
  • check your .htaccess file (download to your local pc, watch for text tabbed right)
  • then check the contents of index.php
  • if you use freeware or warezware templates and/or extensions - those are the usual suspects
  • proceed with a cleanup following the sticky posts in this forum
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak


Locked

Return to “Security in Joomla! 2.5”