possible sql injection?
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Enthusiast
- Posts: 210
- Joined: Wed Jan 06, 2010 2:19 pm
possible sql injection?
When trying to access my site I get the following message from Google - 'The site ahead contains malware and is potentially unsafe'. I have been hacked once before on another site and was able to view the infected files on that one (of which there were hundreds), however this time I have trawled through all the folders and cannot find any suspicious looking files. I have accessed the database and it looks normal. I am able to enter the administrator section of the site and make changes as normal but this warning still comes up. If it is a sql injection what should I be looking for? I haven't done this kind of thing before.
Regards
Last edited by toivo on Tue Mar 07, 2017 2:00 pm, edited 1 time in total.
Reason: mod note: moved to 2.5 Security
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: possible sql injection?
Your website is hacked - when Google displays this message then you can be assured that it is not a false positive (unlike these "security" companies that have more false positives than real positives). When Google displays this message, then this means that it is sure that the website is hacked.
It is rare for someone to manually locate all hacked files - you can locate some manually, but, in most cases you won't be able to locate all. Additionally, just "deleting" or "cleaning up" hacked files is not the solution to this problem, you will need to clean up your website and secure it.
Follow robust guides for cleaning your Joomla website (there are some on the forum and elsewhere), and then secure your website.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
-
- Joomla! Enthusiast
- Posts: 210
- Joined: Wed Jan 06, 2010 2:19 pm
Re: possible sql injection?
I have run a scan on the system and this has identified 19 malicious files as inserted JavaScript - /media/system/js/statf82></script>]]. The file itself has a lot of obfuscated code and I have managed to isolate this file in various locations. Looking at the page source of each article I can see that it is embedded there also. My problem is knowing how to get rid of it from there, when I open the article I cannot find it.
Regards
- toivo
- Joomla! Master
- Posts: 17467
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: possible sql injection?
The cleaning and securing instructions are in a sticky post at the top of the Security forum:
viewtopic.php?f=621&t=582854
Toivo Talikka, Global Moderator
-
- Joomla! Enthusiast
- Posts: 210
- Joined: Wed Jan 06, 2010 2:19 pm
Re: possible sql injection?
I have run the fpa script and everything looks normal with no errors or warnings. Which part of the database holds the content information?
- toivo
- Joomla! Master
- Posts: 17467
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: possible sql injection?
The idea behind the FPA is to post it so that others can check it and give advice about possible issues in the configuration.
Please note that Joomla 2.5 has been out of support for years and it is therefore vulnerable. It is best to follow the cleaning instructions and also upgrade to the latest, supported version.
Toivo Talikka, Global Moderator
-
- Joomla! Enthusiast
- Posts: 210
- Joined: Wed Jan 06, 2010 2:19 pm
Re: possible sql injection?
I have tried to post the results of the fpa file here but get the message - 'Your message contains 25258 characters.
The maximum number of allowed characters is 20000.'
I know I have to upgrade to the latest version but for the moment I am trying to rescue my site.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: possible sql injection?
Spread it over 2 posts?
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: possible sql injection?
I think that actually the standard advice in the sticky topic doesn't include instructions for cleaning the database. So here is my 2 cents worth:
Firstly, this is why you are strongly encouraged to make regular backups of your database, this basically is your site. Then if it is ever hacked you can simply restore from a backup.
I assume that you have not done this. In this particular case it should not be too difficult to clear it up though. In the database admin (e.g. using phpMyAdmin), you can export a copy of it as a text file and use a text editor to do a search and replace on the malicious code. Make sure you save with UTF-8 encoding.
Then import the cleaned version of the database.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Enthusiast
- Posts: 210
- Joined: Wed Jan 06, 2010 2:19 pm
Re: possible sql injection?
Hi fcoulter, followed your instruction and database found to be clean. Then found that the JavaScript file had been inserted into the template/index.php as well as in a number of other files, that's why it was showing up in the HTML source of every page, these were then removed. All usernames and passwords were changed and now everything is ok and Google have removed the warning! Thanks for your help.
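A read-only check covering the two places this thread ended up looking, the text export of the database and the site's PHP files, as an added example that is not part of any post above. The sample rows, the `EXAMPLE-injected.js` name and the allow-list prefix are constructed for illustration; the function names are hypothetical.

```python
import os
import re

# Matches <script ... src=...> in raw HTML/PHP and in SQL text exports,
# where quotes inside row values are backslash-escaped (src=\"...\").
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*\\?["']?([^"'\\\s>]+)""", re.I)

# Constructed sample: two rows as they might appear in an exported dump.
SAMPLE_DUMP = r"""INSERT INTO `jos_content` VALUES (1,'<p>Intro</p><script src=\"/media/system/js/EXAMPLE-injected.js\"></script>');
INSERT INTO `jos_content` VALUES (2,'<script src=\"/media/system/js/mootools-core.js\"></script>');"""

def find_script_refs(text, allowed=()):
    """Return (line_number, src) for each script src not under an allowed prefix."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in SCRIPT_SRC.finditer(line):
            src = match.group(1)
            # An empty allow-list reports every script reference.
            if not src.startswith(tuple(allowed)):
                hits.append((lineno, src))
    return hits

def scan_tree(root, allowed=(), exts=(".php", ".html", ".htm", ".sql")):
    """Walk a copy of the site (plus any dump saved in it); map path -> hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                # errors="replace" keeps the scan going on badly encoded files.
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_script_refs(fh.read(), allowed)
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    # Assumed allow-list: script prefixes you know belong to your own site.
    for lineno, src in find_script_refs(SAMPLE_DUMP, ("/media/system/js/mootools",)):
        print(f"dump line {lineno}: unexpected script {src}")
```

Run it against a downloaded copy of the site rather than the live server, and review each hit by hand before changing anything, since the script only reports and does not modify files.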
- toivo
- Joomla! Master
- Posts: 17467
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: possible sql injection?
tonytimms wrote: now everything is ok and Google have removed the warning!
The vulnerability that allowed hacking may still be there, especially because your site still uses Joomla 2.5. The cleaning and securing instructions are in a sticky post at the top of the Security forum: viewtopic.php?f=621&t=582854
Toivo Talikka, Global Moderator