Offensive Links across bottom of all templates!

Discussion regarding Joomla! 3.x security issues.

medrevco
Joomla! Fledgling
Posts: 2
Joined: Mon Nov 13, 2017 4:23 pm

Post by medrevco » Mon Nov 13, 2017 4:56 pm

I am new to Joomla, but trying to help someone who has 11 offensive links populating on the very bottom of every webpage. When I view the preview on each of the templates loaded (version 1.0 Prostar & version 3.1.0 Beez3), they each show the links. We need to get these off the site asap. One of the links opens a .php file within the journal folder (which I renamed so at least it would not open)... :eek:

When I delete the 'debug' position, they just populate in the Footer position...

<a href="http://[offensive link]/6sxmk.php">[offensive act]</a>
Last edited by toivo on Mon Nov 13, 2017 5:23 pm, edited 1 time in total.
Reason: mod note: moved to 3.x Security

dhuelsmann
Joomla! Master
Posts: 19628
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Post by dhuelsmann » Mon Nov 13, 2017 6:01 pm

You have been hacked and there really is only one sure way to ensure you really have cleaned up your site.

Webdongle wrote: Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to an empty database and install 3rd party extensions then edit the configuration.php.

Before you ask what other users ask. No, there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do


  a. Run the fpa and post the results in this forum
  b. Uninstall any untrusted/unwanted 3rd party extensions and Templates https://vel.joomla.org/live-vel
  c. Delete all the files on the server
  d. Scan your computer and all computers that have server or Joomla admin access
  e. Change Passwords
  f. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have an old version
  g. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and have not been tampered with. Update your Joomla and run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

medrevco
Joomla! Fledgling
Posts: 2
Joined: Mon Nov 13, 2017 4:23 pm

Post by medrevco » Tue Nov 14, 2017 9:09 pm

Joomla Version 3.8

Problem Description :: Forum Post Assistant (v1.3.5) : 14th November 2017
offensive links on each page (found on multiple templates)

Forum Post Assistant (v1.3.5) : 14th November 2017

Basic Environment ::
Joomla! Instance :: Joomla! 3.6.5-Stable (Noether) 1-December-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | FrontEdit: 1 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-604.30.3.lve1.3.63.el6.nfsfixes.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.19 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.5.43-37.2-log (Client:5.5.19) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 10.02 MiB | #of Tables: 105

Detailed Environment ::
PHP Extensions :: Core (5.4.19) | date (5.4.19) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | apc (3.1.13) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | standard (5.4.19) | pspell () | Reflection ($Id: 6c4d8062369898a397e4b128348042f5c01b4427 $) | Phar (2.0.1) | SimpleXML (0.1) | soap () | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Folder Permissions ::
Core Folders :: --protected-- (705) | --protected-- (705) | --protected-- (705) | --protected-- (705) | --protected-- (705) | --protected-- (705) | --protected-- (705) | --protected-- (---) | --protected-- (755) | --protected-- (705) | --protected-- (705) | --protected-- (705) | --protected-- (705) |

Elevated Permissions (First 10) :: --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) | --protected-- (707) |

Database Information ::
Database statistics :: Uptime: 807509 | Threads: 20 | Questions: 614885624 | Slow queries: 6326 | Opens: 2466534 | Flush tables: 3 | Open tables: 10000 | Queries per second avg: 761.459 |

Extensions Discovered :: Strict Information Privacy was selected. Nothing to display.

Templates Discovered :: Strict Information Privacy Nothing to display.

sozzled
Joomla! Virtuoso
Posts: 3499
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Post by sozzled » Tue Nov 14, 2017 9:21 pm

The FPA report shows that the target website uses J! 3.6.5 (not J! 3.8.2 as claimed by the OP).

Further, the FPA report shows that the site owner is not using the recommended folder permissions—should be 755 not 707—and an outdated version of PHP.

The FPA report also does not provide any clues about other Joomla extensions (including third-party extensions) that may have permitted these "offensive links" to appear on the website.

Quite simply, however, if a website displays "offensive links" then the most likely conclusion is that someone (or something) other than the site owner created these things. It's indicative of site hacking (probably across multiple sites) and, if other sites present with these characteristics, then the site owner's assets across several sites have also been compromised. If other sites also present with non-recommended folder permissions then the site owner should take immediate steps to remediate several sites, not just the one mentioned in this topic.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?
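
The folder-permission check raised in the reply above (755 recommended, 707 reported by the FPA) can be repeated across several site roots with a short script. This is an added example, not part of the thread or of the FPA tool; the function names are hypothetical and the site paths are supplied as arguments.

```shell
#!/bin/sh
# Added example, not part of the thread or of the FPA tool.
# Function names are hypothetical; site roots are passed as arguments.

# Directories writable by "other" (mode 707, 777, ...): on a shared host,
# accounts other than the site owner may be able to write into them.
world_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# Directories whose mode is anything other than the recommended 755.
non_755_dirs() {
    find "$1" -type d ! -perm 755 | sort
}

# Regular files writable by "other"; these can be modified in place.
world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# Count input lines, stripping the padding some wc implementations add.
count_lines() { wc -l | tr -d ' '; }

# One summary line per site root, so several sites can be compared at once.
audit_sites() {
    for root in "$@"; do
        printf '%s: world_writable_dirs=%s non_755_dirs=%s world_writable_files=%s\n' \
            "$root" \
            "$(world_writable_dirs "$root" | count_lines)" \
            "$(non_755_dirs "$root" | count_lines)" \
            "$(world_writable_files "$root" | count_lines)"
    done
}

# Run as: sh audit.sh /path/to/site1 /path/to/site2
[ "$#" -eq 0 ] || audit_sites "$@"
```

Call the individual functions on one root to get the full path list behind each count.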

