possible sql injection?

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

possible sql injection?

Post by tonytimms » Tue Mar 07, 2017 10:48 am

When trying to access my site I get the following message from Google - 'The site ahead contains malware and is potentially unsafe'. I have been hacked once before on another site and was able to view the infected files on that one (of which there were hundreds), however this time I have trawled through all the folders and cannot find any suspicious looking files. I have accessed the database and it looks normal. I am able to enter the administrator section of the site and make changes as normal but this warning still comes up. If it is a sql injection what should I be looking for? I haven't done this kind of thing before.
Regards
Last edited by toivo on Tue Mar 07, 2017 2:00 pm, edited 1 time in total.
Reason: mod note: moved to 2.5 Security

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: possible sql injection?

Post by itoctopus » Tue Mar 07, 2017 3:24 pm

Your website is hacked - when Google displays this message then you can be assured that it is not a false positive (unlike these "security" companies that have more false positives than real positives). When Google displays this message, then this means that it is sure that the website is hacked.

It is rare for someone to manually locate all hacked files - you can locate some manually, but, in most cases you won't be able to locate all. Additionally, just "deleting" or "cleaning up" hacked files is not the solution to this problem, you will need to clean up your website and secure it.

Follow robust guides for cleaning your Joomla website (there are some on the forum and elsewhere), and then secure your website.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: possible sql injection?

Post by tonytimms » Wed Mar 08, 2017 2:00 pm

I have run a scan on the system and this has identified 19 malicious files as inserted JavaScript - /media/system/js/statf82></script>]]. The file itself has a lot of obfuscated code and I have managed to isolate this file in various locations. Looking at the page source of each article I can see that it is embedded there also. My problem is knowing how to get rid of it from there, when I open the article I cannot find it.
Regards

toivo
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: possible sql injection?

Post by toivo » Wed Mar 08, 2017 5:36 pm

The cleaning and securing instructions are in a sticky post at the top of the Security forum:

viewtopic.php?f=621&t=582854
Toivo Talikka, Global Moderator

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: possible sql injection?

Post by tonytimms » Thu Mar 09, 2017 7:06 am

I have run the fpa script and everything looks normal with no errors or warnings. Which part of the database holds the content information?

toivo
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: possible sql injection?

Post by toivo » Thu Mar 09, 2017 8:48 am

The idea behind the FPA is to post it so that others can check it and give advice about possible issues in the configuration.

Please note that Joomla 2.5 has been out of support for years and it is therefore vulnerable. It is best to follow the cleaning instructions and also upgrade to the latest, supported version.
Toivo Talikka, Global Moderator

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: possible sql injection?

Post by tonytimms » Thu Mar 09, 2017 9:40 am

I have tried to post the results of the fpa file here but get the message - 'Your message contains 25258 characters.
The maximum number of allowed characters is 20000.'

I know I have to upgrade to the latest version but for the moment I am trying to rescue my site.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: possible sql injection?

Post by mandville » Thu Mar 09, 2017 11:08 am

Spread it over 2 posts?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: possible sql injection?

Post by fcoulter » Thu Mar 09, 2017 12:35 pm

I think that actually the standard advice in the sticky topic doesn't include instructions for cleaning the database. So here is my 2 cents worth:

Firstly, this is why you are strongly encouraged to make regular backups of your database, this basically is your site. Then if it is ever hacked you can simply restore from a backup.

I assume that you have not done this. In this particular case it should not be too difficult to clear it up though. In the database admin (e.g. using phpMyAdmin), you can export a copy of it as a text file and use a text editor to do a search and replace on the malicious code. Make sure you save with utf-8 encoding.

Then import the cleaned version of the database.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: possible sql injection?

Post by tonytimms » Sat Mar 11, 2017 8:41 am

Hi fcoulter, followed your instruction and database found to be clean. Then found that the JavaScript file had been inserted into the template/index.php as well as in a number of other files, that's why it was showing up in the HTML source of every page, these were then removed. All usernames and passwords were changed and now everything is ok and Google have removed the warning! Thanks for your help.
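
The export-and-search step fcoulter describes above, as an added example that is not part of the original thread: a Python script that lists every `<script>` element in an exported dump with the table it sits in, then writes a cleaned UTF-8 copy with only the elements containing a known marker removed. The marker path, table names and sample rows are constructed placeholders, and it assumes each row sits on one line, as in a typical SQL export.

```python
import re

# A complete <script ...>...</script> element on a single line.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I)
# Table name at the start of an INSERT statement in the export.
INSERT_RE = re.compile(r"INSERT INTO `([^`]+)`", re.I)

MARKER = "/media/system/js/EXAMPLE-injected.js"  # constructed placeholder

# Constructed sample export, not data from the thread; quotes are escaped as in a dump.
SAMPLE_DUMP = r"""INSERT INTO `jos_content` (`id`, `title`, `introtext`) VALUES
(1, 'Home', '<p>Welcome</p><script src=\"/media/system/js/EXAMPLE-injected.js\"></script>'),
(2, 'Map', '<p>Find us</p><script src=\"/media/system/js/core.js\"></script>');
INSERT INTO `jos_modules` (`id`, `content`) VALUES
(7, '<script type=\"text/javascript\" src=\"/media/system/js/EXAMPLE-injected.js\"></script>');
"""

def find_script_tags(text):
    """Return (line_no, table, tag) for each <script> element, for review."""
    hits, table = [], None
    for line_no, line in enumerate(text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)  # rows on the following lines belong to it
        hits += [(line_no, table, tag) for tag in SCRIPT_RE.findall(line)]
    return hits

def remove_injected(text, marker):
    """Drop only <script> elements containing marker; return (text, count)."""
    count = sum(marker in tag for tag in SCRIPT_RE.findall(text))
    cleaned = SCRIPT_RE.sub(
        lambda m: "" if marker in m.group(0) else m.group(0), text)
    return cleaned, count

def clean_file(src, dst, marker):
    """Write a cleaned copy, UTF-8 in and out, line endings untouched."""
    with open(src, encoding="utf-8", newline="") as fh:
        cleaned, count = remove_injected(fh.read(), marker)
    with open(dst, "w", encoding="utf-8", newline="") as fh:
        fh.write(cleaned)
    return count

if __name__ == "__main__":
    for line_no, table, tag in find_script_tags(SAMPLE_DUMP):
        print(f"line {line_no}, table {table}: {tag}")
    print("removed:", remove_injected(SAMPLE_DUMP, MARKER)[1])
```

The same two functions work on the text of a template file such as index.php; review the listing from `find_script_tags` before choosing the marker, since legitimate scripts appear in it too.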

toivo
Joomla! Master
Posts: 17350
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: possible sql injection?

Post by toivo » Sat Mar 11, 2017 9:00 am

tonytimms wrote: now everything is ok and Google have removed the warning!
The vulnerability that allowed hacking may still be there, especially because your site still uses Joomla 2.5. The cleaning and securing instructions are in a sticky post at the top of the Security forum: viewtopic.php?f=621&t=582854
Toivo Talikka, Global Moderator

