URGENT: Google Analytics show strange activities

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

URGENT: Google Analytics show strange activities

Postby dejansoftware » Fri Jun 16, 2017 12:23 pm

On my Joomla! 3.7.2 Google Analytics show pages that I don't have.

Is my site hacked or?

Please see attachement
google-analitycs.png


Any idea???

Thanks
You do not have the required permissions to view the files attached to this post.

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Sat Jun 17, 2017 9:30 am

Anyone???

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1316
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: URGENT: Google Analytics show strange activities

Postby fcoulter » Sat Jun 17, 2017 9:56 am

It is possible that your site is hacked, it is hard to tell based on the limited information that you have supplied, I think that is why you have not had any response.

If you think that you have been hacked, this is the standard advice: https://forum.joomla.org/viewtopic.php?f=714&t=946026

Also if someone is creating pages that should not be there, you should look for any suspicious accounts on your site which have the ability to create content (ie with permissions beyond that of a registered user.) If you find any, look for any content that they may have created, delete it, and delete the account.

If you require further assistance you can try the forum post assistant: https://forum.joomla.org/viewtopic.php?f=714&t=793531, post the results here.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Sat Jun 17, 2017 4:55 pm

I have found something in my rook directory.

Folder named .well-known
a
It contains 1 folder "acme-challenge" with 2 files.

Please see attachment

Capture.PNG

Capture1.PNG

Capture2.PNG


What is this?
You do not have the required permissions to view the files attached to this post.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1316
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: URGENT: Google Analytics show strange activities

Postby fcoulter » Sat Jun 17, 2017 5:16 pm

It seems certain that your site has been hacked.

The link that I posted above explains how to clean up your site: https://forum.joomla.org/viewtopic.php?f=714&t=946026.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 33135
Joined: Sat Apr 05, 2008 9:58 pm

Re: URGENT: Google Analytics show strange activities

Postby Webdongle » Sat Jun 17, 2017 5:24 pm

fcoulter wrote:It is possible that your site is hacked, it is hard to tell based on the limited information that you have supplied, I think that is why you have not had any response.....
I haven't responded until now because I had EXTREMELY URGENT, VERY VERY URGENT and VERY URGENT things to do before I could respond to just plain URGENT.

Yes it looks like it's been hacked viewtopic.php?f=714&t=946026 is a summary and has links to further information.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1316
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: URGENT: Google Analytics show strange activities

Postby fcoulter » Sat Jun 17, 2017 5:31 pm

We really could do with a sarcasm emoticon in these forums. :laugh:
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

Concave
Joomla! Apprentice
Joomla! Apprentice
Posts: 20
Joined: Tue Feb 14, 2017 8:07 am

Re: URGENT: Google Analytics show strange activities

Postby Concave » Sat Jun 17, 2017 8:47 pm

dejansoftware wrote:I have found something in my rook directory.

Folder named .well-known
a
It contains 1 folder "acme-challenge" with 2 files.

Please see attachment

Capture.PNG
Capture1.PNG
Capture2.PNG

What is this?


That looks like the directory structure created when using Let's Encrypt SSL Certificate.

Are you using a Let's Encrypt SSL Certificate?

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Sat Jun 17, 2017 9:28 pm

Yes, that is correct. Sorry about that.

So this is not the problem.

Any other ideas.

I try to search for the article from print screen but there is nothing like that.

Also, i removed all users from site but me.

What else???

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14286
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: URGENT: Google Analytics show strange activities

Postby mandville » Sat Jun 17, 2017 9:31 pm

https://community.letsencrypt.org/t/can ... lenge/5822
Can I remove the folders .well-known/acme-challenge?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
sozzled
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: URGENT: Google Analytics show strange activities

Postby sozzled » Sat Jun 17, 2017 10:03 pm

dejansoftware wrote:On my Joomla! 3.7.2 Google Analytics show pages that I don't have.
I don't know why this is happening in your case and I don't know how GA has detected the information. As you described in your topic subject, you consider the matter to be urgent. If the matter is urgent and important to you then there are some fairly established procedures you can use within this forum. The forum may be one way to help you resolve your problems—as long as you're prepared to work with us in helping you—and sometimes you may have to find alternative means to resolve your problems, particularly if GA is important to your business and finding the source of these problems means that you prevent your website assets from being compromised.

Having said that, @fcoulter suggested a couple of ideas earlier (in msg #3 of this topic). You chose to not take her advice: that's OK, you can ignore her advice or the advice of anyone who's trying to assist you. Unfortunately, the longer you do nothing the longer you'll continue to experience this urgent matter. The question really is not whether the problem is urgent but, rather, whether the matter is important. That's something you'll have to determine for yourself.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Mon Jun 19, 2017 7:26 am

mandville wrote:https://community.letsencrypt.org/t/can-i-remove-the-folders-well-known-acme-challenge/5822
Can I remove the folders .well-known/acme-challenge?


Thanks.

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Mon Jun 19, 2017 7:32 am

fcoulter wrote:It is possible that your site is hacked, it is hard to tell based on the limited information that you have supplied, I think that is why you have not had any response.

If you think that you have been hacked, this is the standard advice: https://forum.joomla.org/viewtopic.php?f=714&t=946026

Also if someone is creating pages that should not be there, you should look for any suspicious accounts on your site which have the ability to create content (ie with permissions beyond that of a registered user.) If you find any, look for any content that they may have created, delete it, and delete the account.

If you require further assistance you can try the forum post assistant: https://forum.joomla.org/viewtopic.php?f=714&t=793531, post the results here.


Just to confirm what I did so far:

1. I have removed all accounts but mine on my web site
2. Look for content from other users before I delete them. There were not such kind of content.
3. I downloaded and scanned localy all joomla files with antivirus Kaspersky. It is clean.
4. Google analytics shows again similar activities. I don't know if my Joomla is hacked, because it is not 1000 users or 1M users form pages that doesn't exist. It is just one or 2.

Any other ideas?

Thanks

User avatar
sozzled
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: URGENT: Google Analytics show strange activities

Postby sozzled » Mon Jun 19, 2017 7:35 am

dejansoftware wrote:Any other ideas?
Just to confirm: you're not interested in using the Forum Post Assistant, correct?
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Mon Jun 19, 2017 10:18 am

Please see attachment.
ga4.png


I will look for Forum Post Assistant purpose.

Also> /anfrage/index.html ???

In this specific picture, the problem is in 2 users (50%) of desktop users from Germany.

or this one
ga4.png
You do not have the required permissions to view the files attached to this post.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 33135
Joined: Sat Apr 05, 2008 9:58 pm

Re: URGENT: Google Analytics show strange activities

Postby Webdongle » Mon Jun 19, 2017 12:17 pm

url ?

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1316
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: URGENT: Google Analytics show strange activities

Postby fcoulter » Mon Jun 19, 2017 12:43 pm

Does anything actually load when you try these URLs, or do they result in a 404 error?

If it just leads to an error it seems to me if this is just a few pages then this could be caused by a mistyped link somewhere, eg if there is a site with a similar domain name to yours, someone posted a link where they used your site name instead of the site that they meant.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Mon Jun 19, 2017 4:39 pm

Webdongle wrote:url ?


Code: Select all

Url of my web site is http://www.majkic.net
Last edited by fcoulter on Mon Jun 19, 2017 5:20 pm, edited 1 time in total.
Reason: broke link

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Mon Jun 19, 2017 4:42 pm

fcoulter wrote:Does anything actually load when you try these URLs, or do they result in a 404 error?

If it just leads to an error it seems to me if this is just a few pages then this could be caused by a mistyped link somewhere, eg if there is a site with a similar domain name to yours, someone posted a link where they used your site name instead of the site that they meant.


No, they don't lead nowhere. I try to follow link provided above, but nothing opened.

Hmmm...

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 33135
Joined: Sat Apr 05, 2008 9:58 pm

Re: URGENT: Google Analytics show strange activities

Postby Webdongle » Mon Jun 19, 2017 4:59 pm

Please check this list for unknown links on your website:

Code: Select all

https://bitcoin.org/en/  -->  'bitcoin'
http://www.businessinsider.com/  -->  'biznis insajder'
https://www.slideshare.net/dejansoftware  -->  'majkic.net

http://www.web-malware-removal.com/website-malware-virus-scanner/
Last edited by fcoulter on Mon Jun 19, 2017 5:28 pm, edited 1 time in total.

User avatar
JAVesey
Joomla! Ace
Joomla! Ace
Posts: 1381
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: URGENT: Google Analytics show strange activities

Postby JAVesey » Mon Jun 19, 2017 7:05 pm

fcoulter wrote:We really could do with a sarcasm emoticon in these forums. :laugh:
Some would use it more than others :laugh:

@OP
Go on.... post the output of the FPA.
John V
Cardiff, Wales, UK
Website: http://www.llanmon.org.uk (Joomla 3.8.1)

User avatar
sozzled
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: URGENT: Google Analytics show strange activities

Postby sozzled » Mon Jun 19, 2017 8:19 pm

After 3½ days of a so-called "urgent" problem, I don't think there's anything to see here.

When people ask questions on this forum we should treat those questions seriously because that's how we learn; when people ask questions they deserve to be given serious, thoughtful answers. That's what a forum is all about. @dejansoftware believes their questions are important—to help identify the source and cause of certain issues they're having—and has asked for our ideas. We've offered our ideas (several times, in fact). Our questions, in reply, are equally important to us (as well as to help @dejansoftware). I don't know what more can be said; the evidence is compelling.

I asked if @dejansoftware was interested in using the Forum Post Assistant. @dejansoftware chose to not answer that question ... just as we can likewise choose to consider this matter is not an urgent, serious problem, too.
Last edited by sozzled on Mon Jun 19, 2017 8:32 pm, edited 1 time in total.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14286
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: URGENT: Google Analytics show strange activities

Postby mandville » Mon Jun 19, 2017 8:27 pm

perhaps its just referrer spam, but while here i suppose we should add the word "urgent" to the forum rule.
Choose an appropriate subject line. Try to summarise the problem briefly in the subject, and elaborate in the message itself. Repeat the subject in the body if it will make things clearer. Do not use all caps and do not add false information just to get attention (e.g. ;read this or you will be arrested;). An example of a bad subject would be "HELP ME". A good subject might be, "Foo crashes when I do bar". Do not use a URL as a thread title.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
dejansoftware
Joomla! Explorer
Joomla! Explorer
Posts: 388
Joined: Tue Jul 10, 2007 1:24 pm
Location: Banja Luka, Republic of Srpska
Contact:

Re: URGENT: Google Analytics show strange activities

Postby dejansoftware » Mon Jun 19, 2017 9:48 pm

Hey gays, I am just a four star explorer, I am not Ace, Hero or Maser, so take it easy.

About FPA that sozzled and others suggested, well, I don really not what is it, I thought you were spamming.

But if you all think that FPA is the right choice that might solve my "Urgent" problem, then ok, first thing morning, I will explore a little bit and then go on.

Thanks.

I will inform you when I solve the problem.

User avatar
sozzled
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3420
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: URGENT: Google Analytics show strange activities

Postby sozzled » Mon Jun 19, 2017 9:52 pm

As I wrote earlier, your questions are important to you and we have treated the matter seriously; therefore there should be no suggestion that we were "spamming" (as you have tried to characterise it). Our questions to you were also important (in our opinion, of course).

Fair enough. We've offered you our suggestions; you're not interested in our suggestions. You asked if we had "other ideas"; we have no other ideas for you at this time, sorry.

End of discussion, right?
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

User avatar
AMurray
Joomla! Hero
Joomla! Hero
Posts: 2843
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: URGENT: Google Analytics show strange activities

Postby AMurray » Wed Jun 28, 2017 10:21 am

Being a "Four Star explorer" and 380-odd posts later, I think you ought to know by now what the FPA is! ;) :) 8).

In any case......FPA = Forum Post Assistant. Look for the link at the top of the forum page....in the pink/red box. the link says "Forum Post Assistant/FPA" .......

The FPA won't necessarily **solve** anything on the spot but it will help with progress towards suggestions for a solution.
Regards,
--------------------------------------------------------------
A Murray


Return to “Security in Joomla! 3.x”

Who is online

Users browsing this forum: No registered users and 6 guests