possible sql injection?

Posted: Tue Mar 07, 2017 10:48 am
by tonytimms
When trying to access my site I get the following message from Google - 'The site ahead contains malware and is potentially unsafe'. I have been hacked once before on another site and was able to view the infected files on that one (of which there were hundreds), however this time I have trawled through all the folders and cannot find any suspicious looking files. I have accessed the database and it looks normal. I am able to enter the administrator section of the site and make changes as normal but this warning still comes up. If it is a sql injection what should I be looking for? I haven't done this kind of thing before.
Regards

Re: possible sql injection?

Posted: Tue Mar 07, 2017 3:24 pm
by itoctopus
Your website is hacked - when Google displays this message then you can be assured that it is not a false positive (unlike these "security" companies that have more false positives than real positives). When Google displays this message, then this means that it is sure that the website is hacked.

It is rare for someone to manually locate all hacked files - you can locate some manually, but in most cases you won't be able to locate all. Additionally, just "deleting" or "cleaning up" hacked files is not the solution to this problem; you will need to clean up your website and secure it.

Follow robust guides for cleaning your Joomla website (there are some on the forum and elsewhere), and then secure your website.

Re: possible sql injection?

Posted: Wed Mar 08, 2017 2:00 pm
by tonytimms
I have run a scan on the system and this has identified 19 malicious files as inserted JavaScript - /media/system/js/statf82></script>]]. The file itself has a lot of obfuscated code and I have managed to isolate this file in various locations. Looking at the page source of each article I can see that it is embedded there also. My problem is knowing how to get rid of it from there, when I open the article I cannot find it.
Regards

Re: possible sql injection?

Posted: Wed Mar 08, 2017 5:36 pm
by toivo
The cleaning and securing instructions are in a sticky post at the top of the Security forum:

viewtopic.php?f=621&t=582854

Re: possible sql injection?

Posted: Thu Mar 09, 2017 7:06 am
by tonytimms
I have run the fpa script and everything looks normal with no errors or warnings. Which part of the database holds the content information?

Re: possible sql injection?

Posted: Thu Mar 09, 2017 8:48 am
by toivo
The idea behind the FPA is to post it so that others can check it and give advice about possible issues in the configuration.

Please note that Joomla 2.5 has been out of support for years and is therefore vulnerable. It is best to follow the cleaning instructions and also upgrade to the latest, supported version.

Re: possible sql injection?

Posted: Thu Mar 09, 2017 9:40 am
by tonytimms
I have tried to post the results of the fpa file here but get the message - 'Your message contains 25258 characters.
The maximum number of allowed characters is 20000.'

I know I have to upgrade to the latest version but for the moment I am trying to rescue my site.

Re: possible sql injection?

Posted: Thu Mar 09, 2017 11:08 am
by mandville
Spread it over 2 posts?

Re: possible sql injection?

Posted: Thu Mar 09, 2017 12:35 pm
by fcoulter
I think that actually the standard advice in the sticky topic doesn't include instructions for cleaning the database. So here is my 2 cents' worth:

Firstly, this is why you are strongly encouraged to make regular backups of your database; this basically is your site. Then if it is ever hacked you can simply restore from a backup.

I assume that you have not done this. In this particular case it should not be too difficult to clear it up though. In the database admin (e.g. using PHPMyAdmin), you can export a copy of it as a text file and use a text editor to do a search and replace on the malicious code. Make sure you save with utf-8 encoding.

Then import the cleaned version of the database.
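
Added example, not part of fcoulter's post or the original thread: a Python sketch of the search-and-replace step that reports which tables of a text export contain the injected script element and strips it. The marker path, the `jos_` table names and the sample rows are constructed placeholders. Exports write quotes inside row data as `\"`, so a literal search for the tag as copied from the page source can miss it; the pattern below accepts both forms.

```python
import re

# Assumption: placeholder path; use the exact path your scanner reported.
MARKER = "/media/system/js/EXAMPLE-injected.js"

QUOTE = r"""\\?["']"""  # a quote, plain or backslash-escaped as in SQL dumps
INSERT_RE = re.compile(r"INSERT INTO `([^`]+)`", re.IGNORECASE)

# Constructed sample export; table names, rows and paths are made up.
SAMPLE_DUMP = r"""
INSERT INTO `jos_content` (`id`, `title`, `introtext`) VALUES
(1, 'Welcome', '<p>Hello</p><script type=\"text/javascript\" src=\"/media/system/js/EXAMPLE-injected.js\"></script>'),
(2, 'About', '<p>About us</p>');
INSERT INTO `jos_modules` (`id`, `content`) VALUES
(7, '<div>Footer</div><script src=\'/media/system/js/EXAMPLE-injected.js?v=2\'></script>'),
(8, '<script src=\"/media/system/js/mootools-core.js\"></script>');
"""

def injected_tag_re(marker):
    """Match a whole <script src=MARKER...></script> element, escaped or not."""
    return re.compile(
        r"<script\b[^>]*?\bsrc\s*=\s*" + QUOTE + re.escape(marker)
        + r"""[^"'\\>]*""" + QUOTE + r"[^>]*>\s*</script\s*>",
        re.IGNORECASE,
    )

def scan_dump(dump_text, marker=MARKER):
    """Return {table name: number of injected tags} for a text SQL export."""
    tag_re, hits, table = injected_tag_re(marker), {}, None
    for line in dump_text.splitlines():
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)  # rows on following lines belong to this table
        n = len(tag_re.findall(line))
        if n:
            hits[table] = hits.get(table, 0) + n
    return hits

def clean_dump(dump_text, marker=MARKER):
    """Return (cleaned text, number of tags removed); other scripts are kept."""
    return injected_tag_re(marker).subn("", dump_text)

if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP))
    print(clean_dump(SAMPLE_DUMP)[1], "tag(s) removed")
```

For a real export, read and write the file with `encoding="utf-8"` and keep the original export untouched until the cleaned copy has been checked.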

Re: possible sql injection?

Posted: Sat Mar 11, 2017 8:41 am
by tonytimms
Hi fcoulter, followed your instruction and database found to be clean. Then found that the JavaScript file had been inserted into the template/index.php as well as in a number of other files; that's why it was showing up in the HTML source of every page. These were then removed. All usernames and passwords were changed and now everything is ok and Google have removed the warning! Thanks for your help.

Re: possible sql injection?

Posted: Sat Mar 11, 2017 9:00 am
by toivo
tonytimms wrote: now everything is ok and Google have removed the warning!
The vulnerability that allowed hacking may still be there, especially because your site still uses Joomla 2.5. The cleaning and securing instructions are in a sticky post at the top of the Security forum: viewtopic.php?f=621&t=582854