unwanted adverts

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

mschwab
Joomla! Apprentice
Posts: 5
Joined: Wed May 06, 2015 10:41 am

unwanted adverts

Post by mschwab » Wed May 06, 2015 10:47 am

Hello,

I have the same problem, it seems. My website was hacked, it seems, and redirects to onclickads.net on every first click when someone visits.

I have tried to fix this, but I can't...

Does anyone have an idea how to fix this? What's the problem with my site?

The website:

www.schloss-cafe.at

Thank you for helping!

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Pop up ads on our site?

Post by Bernard T » Wed May 06, 2015 11:34 am

Hi,

You didn't read the stickies: http://forum.joomla.org/viewtopic.php?f=714&t=757645

Come back after that.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mschwab
Joomla! Apprentice
Posts: 5
Joined: Wed May 06, 2015 10:41 am

Re: Pop up ads on our site?

Post by mschwab » Wed May 06, 2015 12:11 pm

Hello again,

here is the report:
Problem Description :: Forum Post Assistant (v1.2.4) : 6th May 2015 wrote:Site redirects to onclickads.net when first clicked
Log/Error Message :: Forum Post Assistant (v1.2.4) : 6th May 2015 wrote:-
Log/Error Message :: Forum Post Assistant (v1.2.4) : 6th May 2015 wrote:-
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 6th May 2015 wrote:checked ftp directories for unusual files, coding, etc. Found a suspicious javascript and php file which were removed.
Forum Post Assistant (v1.2.4) : 6th May 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: (uid: /gid: ) | Group: (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 2 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: FreeBSD | OS Version: 8.2-RELEASE | Technology: i386 | Web Server: Apache/1.3.41 MicroRack (Unix) PHP/4.4.4 mod_ssl/2.8.31 OpenSSL/1.0.0a | Encoding: gzip, deflate | Doc Root: /htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.18 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.0.45-log (Client:5.0.45) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 14.72 MiB | #of Tables:  87
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.18) | date (5.3.18) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.18) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: images/bildergalerie/ (775) | images/bildergalerie/cafe_sommer/ (775) | images/bildergalerie/cafe_sommer/thumbs/ (775) | images/bildergalerie/cafe_winter/ (775) | images/bildergalerie/schloss/ (775) | images/bildergalerie/schloss/thumbs/ (775) | images/jch-optimize/ (775) | images/veranstaltungen/ (775) | libraries/simplepie/ (775) | libraries/simplepie/idn/ (775) |
Database Information :: wrote:Database _FPA_STATS :: Uptime: 1738798 | Threads: 2 | Questions: 4038601 | Slow queries: 0 | Opens: 101604 | Flush tables: 1 | Open tables: 64 | Queries per second avg: 2.323 |
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (2.5.0) | WF_PREVIEW_TITLE (2.4.6) | WF_SEARCHREPLACE_TITLE (2.4.6) | WF_AUTOSAVE_TITLE (2.4.6) | WF_DIRECTIONALITY_TITLE (2.4.6) | WF_XHTMLXTRAS_TITLE (2.4.6) | WF_LINK_TITLE (2.4.6) | WF_VISUALCHARS_TITLE (2.4.6) | WF_KITCHENSINK_TITLE (2.4.6) | WF_FULLSCREEN_TITLE (2.4.6) | WF_BROWSER_TITLE (2.4.6) | WF_PRINT_TITLE (2.4.6) | WF_SPELLCHECKER_TITLE (2.4.6) | WF_STYLESELECT_TITLE (2.4.6) | WF_STYLE_TITLE (2.4.6) | WF_FONTCOLOR_TITLE (2.4.6) | WF_FONTSELECT_TITLE (2.4.6) | WF_TEXTCASE_TITLE (2.4.6) | WF_FORMATSELECT_TITLE (2.4.6) | WF_MEDIA_TITLE (2.4.6) | WF_ARTICLE_TITLE (2.4.6) | WF_SOURCE_TITLE (2.4.6) | WF_VISUALBLOCKS_TITLE (2.4.6) | WF_NONBREAKING_TITLE (2.4.6) | WF_CLIPBOARD_TITLE (2.4.6) | WF_IMGMANAGER_TITLE (2.4.6) | WF_CHARMAP_TITLE (2.4.6) | WF_LISTS_TITLE (2.4.6) | WF_FONTSIZESELECT_TITLE (2.4.6) | WF_CONTEXTMENU_TITLE (2.4.6) | WF_LAYER_TITLE (2.4.6) | WF_TABLE_TITLE (2.4.6) | WF_CLEANUP_TITLE (2.4.6) | WF_INLINEPOPUPS_TITLE (2.4.6) | WF_ANCHOR_TITLE (2.4.6) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.6) | WF_POPUPS_WINDOW_TITLE (2.4.6) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.6) | WF_AGGREGATOR_VIMEO_TITLE (2.4.6) | WF_AGGREGATOR_VINE_TITLE (2.4.6) | WF_AGGREGATOR_[youtube]_TITLE (2.4.6) | WF_LINK_SEARCH_TITLE (2.4.6) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.4.6) | com_mailto (2.5.0) |
Components :: ADMIN :: com_languages (2.5.0) | com_checkin (2.5.0) | com_plugins (2.5.0) | com_users (2.5.0) | com_banners (2.5.0) | com_cache (2.5.0) | COM_JANTIVIRUS (4.0) | com_installer (2.5.0) | com_joomlaupdate (2.5.0) | Unknown (-) | JCE (2.4.6) | Akeeba (4.1.2) | com_finder (2.5.0) | com_categories (2.5.0) | com_modules (2.5.0) | com_admin (2.5.0) | com_content (2.5.0) | com_media (2.5.0) | com_login (2.5.0) | com_config (2.5.0) | com_redirect (2.5.0) | Securitycheck (2.7.8) | com_weblinks (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_search (2.5.0) | com_newsfeeds (2.5.0) | BreezingForms (1.7.3 Stable ) | com_templates (2.5.0) | com_cpanel (2.5.0) |

Modules :: SITE :: mod_users_latest (2.5.0) | mod_articles_categories (2.5.0) | mod_breadcrumbs (2.5.0) | mod_feed (2.5.0) | mod_footer (2.5.0) | mod_articles_category (2.5.0) | mod_banners (2.5.0) | mod_whosonline (2.5.0) | mod_articles_popular (2.5.0) | supersized3 (3.2) | mod_wrapper (2.5.0) | BreezingForms (1.7.3) | mod_custom (2.5.0) | mod_related_items (2.5.0) | mod_search (2.5.0) | mod_articles_archive (2.5.0) | mod_weblinks (2.5.0) | mod_random_image (2.5.0) | mod_stats (2.5.0) | mod_login (2.5.0) | mod_articles_news (2.5.0) | mod_menu (2.5.0) | mod_finder (2.5.0) | mod_syndicate (2.5.0) | mod_articles_latest (2.5.0) | mod_languages (2.5.0) |
Modules :: ADMIN :: mod_title (2.5.0) | mod_login (2.5.0) | mod_menu (2.5.0) | mod_jantivirus (2.5.0) | mod_version (2.5.0) | mod_custom (2.5.0) | mod_multilangstatus (2.5.0) | mod_submenu (2.5.0) | mod_toolbar (2.5.0) | mod_quickicon (2.5.0) | mod_status (2.5.0) | mod_popular (2.5.0) | mod_logged (2.5.0) | mod_latest (2.5.0) | mod_feed (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_geshi (2.5.0) | BreezingForms (1.7.3) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | Content - Simple Pop-Up (2.0) | plg_content_pagebreak (2.5.0) | plg_content_finder (2.5.0) | plg_content_vote (2.5.0) | PLG_CONTENT_SIGE (2.5-6) | plg_content_pagenavigation (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.4.6) | plg_quickicon_extensionupdate (2.5.0) | PLG_EOSNOTIFY (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | PLG_EDITORS-XTD_MODULESANYWHER (1.11.8) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_extension_joomla (2.5.0) | plg_editors_codemirror (1.0) | plg_editors_jce (2.4.6) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | manage.myJoomla.com Secure Plu (n/a) | plg_system_logout (2.5.0) | plg_system_debug (2.5.0) | plg_system_cache (2.5.0) | System - jQuery Easy (1.5.4) | System - Title Manager (2.0) | plg_system_languagefilter (2.5.0) | plg_system_highlight (2.5.0) | PLG_SYSTEM_MODULESANYWHERE (1.11.8) | plg_system_languagecode (2.5.0) | plg_system_p3p (2.5.0) | plg_system_jch_optimize (2.0.0) | plg_system_redirect (2.5.0) | PLG_SYSTEM_NONUMBERELEMENTS (2.8.4) | plg_system_sef (2.5.0) | plg_system_log (2.5.0) | System - Securitycheck (2.7.8) | plg_system_remember (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | full_screen_2 (3.2) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Last edited by mandville on Wed May 06, 2015 6:31 pm, edited 1 time in total.
Reason: removed code tags for readability. disabled smilies

mschwab
Joomla! Apprentice
Posts: 5
Joined: Wed May 06, 2015 10:41 am

Re: Pop up ads on our site?

Post by mschwab » Wed May 06, 2015 4:10 pm

Does anyone have an idea?

Thank you very much!

mschwab

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Pop up ads on our site?

Post by Bernard T » Wed May 06, 2015 4:28 pm

Please edit your post with FPA report and remove the Code BB tags you wrapped it in, so it displays correctly.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mschwab
Joomla! Apprentice
Posts: 5
Joined: Wed May 06, 2015 10:41 am

Re: Pop up ads on our site?

Post by mschwab » Wed May 06, 2015 7:27 pm

Oh, thanks to mandville for editing! :-[

:)

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: unwanted adverts

Post by Bernard T » Thu May 07, 2015 12:07 am

  • you have "Elevated Permissions" on your folders - instead of 775 it should read 755
  • I see several suspicious or known vulnerable extensions (Unknown (-), BreezingForms, NoNumber extensions etc.) ... compare all your extensions and their versions to the VEL lists (Live and Resolved), uninstall everything you don't use, upgrade everything you use
  • not a critical problem, but note you are hosted on a server with an old, unsupported operating system, an old Apache version 1.3 with known vulnerabilities, and an old, vulnerable OpenSSL version
  • check your .htaccess file (download it to your local PC, watch for text tabbed right)
  • then check the contents of index.php
  • if you use freeware or warezware templates and/or extensions - those are the usual suspects
  • proceed with a cleanup following the sticky posts in this forum
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
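
The permission and .htaccess checks from the list above, as an added example that is not part of the original post or of any Joomla! tool: `padded_lines` reports .htaccess text pushed out of view by long runs of spaces or tabs, and `elevated_dirs` reports directories whose mode has bits set beyond 755. Assumptions: the function names, the 40-column threshold and the sample .htaccess are constructed for illustration, and the permission walk is run where the real modes are visible (a copy fetched over FTP does not keep them).

```python
import os
import re
import stat

# Assumed threshold: 40 or more blanks (tabs expanded) in front of visible text.
PADDING = re.compile(r"[ \t]{40,}(?=\S)")

# Constructed sample, not taken from the site discussed in this thread.
SAMPLE_HTACCESS = "\n".join([
    "RewriteEngine On",
    "# Joomla core SEF section" + " " * 120
    + "RewriteRule ^(.*)$ http://ads.example.invalid/ [R,L]",
    "\t" * 30 + "ErrorDocument 404 http://ads.example.invalid/",
    "RewriteRule .* index.php [L]",
])

def padded_lines(text):
    """Return (line number, hidden text) for lines whose content is pushed right."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        expanded = line.expandtabs(8)
        match = PADDING.search(expanded)
        if match:
            hits.append((number, expanded[match.end():].strip()))
    return hits

def elevated_dirs(root, expected=0o755):
    """Return (relative path, mode) for directories with bits set beyond `expected`."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode says nothing about its target
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~expected:
                found.append((os.path.relpath(full, root), format(mode, "o")))
    return sorted(found)

if __name__ == "__main__":
    for number, hidden in padded_lines(SAMPLE_HTACCESS):
        print(f".htaccess line {number}: {hidden}")
    for path, mode in elevated_dirs("."):
        print(f"{path}: {mode} (expected 755)")
```
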

mschwab
Joomla! Apprentice
Posts: 5
Joined: Wed May 06, 2015 10:41 am

Re: unwanted adverts

Post by mschwab » Thu May 07, 2015 9:25 am

Thank you very much for the information Bernard. I will check this and get back here if I have a further question, or to reply a spam-free website...

