Site Hacked - Google results takes the user to some hacked page Topic is solved

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
ourequation
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Apr 17, 2009 7:26 am

Site Hacked - Google results takes the user to some hacked page

Post by ourequation » Sat Jan 12, 2019 6:45 am

My site is www.

Code: Select all

examsample.com
, currently on version 3.5 I got an alert from google about site hack. If i type directly my site name it downloads my site. However when it comes from search result it takes the user to a viagara site. Seeing various help i did ran FPA Tool and below are the results. Any help would really be appreciated
Forum Post Assistant (v1.4.7 (litoralis)) : 11th January 2019 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.5.0-Stable (Unicorn) 21-March-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 3.5
Configuration Options :: Offline: false | SEF: true | SEF Suffix: true | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: true | dbConnection Type: mysqli | PHP Supports J! 3.5.0: Yes | Database Supports J! 3.5.0: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 2.6.32-896.16.1.lve1.4.51.el6.nfsfixes.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 4881.41 GiB |

PHP Configuration :: Version: 5.4.19 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

Database Configuration :: Version: 5.5.43-37.2-log (Client:5.5.19) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 81.16 MiB | #of Tables:  76
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.19) | date (5.4.19) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | apc (3.1.13) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | standard (5.4.19) | pspell () | Reflection ($Id: 6c4d8062369898a397e4b128348042f5c01b4427 $) | Phar (2.0.1) | SimpleXML (0.1) | soap () | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 10437128 | Threads: 35 | Questions: 10217708775 | Slow queries: 22075 | Opens: 361289544 | Flush tables: 19 | Open tables: 10000 | Queries per second avg: 978.977 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.0.0) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 |
3rd Party:: JMap (3.8) 1 | COM_SPUPGRADE (4.1.1) ? |

Modules :: SITE ::
Core :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
3rd Party:: JSitemap module (3.8) 1 |

Modules :: ADMIN ::
Core :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |
3rd Party:: JSitemap Quickicons (3.8) 1 |

Libraries :: SITE ::
Core ::
3rd Party::

Plugins :: SITE ::
Core :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_finder_categories (3.0.0) 0 | plg_finder_contacts (3.0.0) 0 | plg_finder_content (3.0.0) 0 | plg_finder_newsfeeds (3.0.0) 0 | plg_finder_tags (3.0.0) 0 | plg_installer_webinstaller (1.1.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_search_categories (3.0.0) 0 | plg_search_contacts (3.0.0) 0 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 0 | plg_search_tags (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_redirect (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 |
3rd Party:: Content - JSitemap Pingomatic (3.8) 1 | plg_editors_codemirror (5.12) 1 | plg_editors_tinymce (4.3.3) 1 | System - JSitemap utilities (3.8) 1 |
Templates Discovered :: wrote:Templates :: SITE :: beez3 (3.1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

gws
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3609
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: Site Hacked - Google results takes the user to some hacked page

Post by gws » Sat Jan 12, 2019 10:24 am

You have probably been hacked, joomla 3.5.0 is old and vulnerable you must update to the latest version 3.9.1. Try myjoomla.com the first scan is free, to determine what is the problem with your site.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19434
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Site Hacked - Google results takes the user to some hacked page

Post by leolam » Sun Jan 13, 2019 10:10 am

He has been hacked https://sitecheck.sucuri.net/results/www.examsample.com

I would hire Phil Taylor from myjoomla.com to restore your site. All the methods mentioned on these forums take ages of time. Since this is again of a GoDaddy server (every GoDaddy server get's hacked) I strongly advise you to move away from Nodaddy once your site is repaired and you have learned a lesson. Always keep Joomla and your extensions Up-To-Date

Also and mea culpa.... What a crap! Version: 5.4.19 | PHP API: cgi-fcgi | Session Path Writable: No PHP5.4? Excuse me? What on earth you drive a Joomla 3.x site on PHP5.4? You should run on PHP7.1 the least. Get away from NoDaddy!

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 36595
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by Webdongle » Sun Jan 13, 2019 12:23 pm

If you can afford professional help then myjoomla.com and pay a professional to monitor the site. But if you can't afford it then spend the time fixing it viewtopic.php?f=714&t=946026

But definitely move from gddy
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19434
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Site Hacked - Google results takes the user to some hacked page

Post by leolam » Sun Jan 13, 2019 3:15 pm

Webdongle wrote:
Sun Jan 13, 2019 12:23 pm
But definitely move from gddy
Kevin, wrong spelling 'nddy'

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 36595
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by Webdongle » Sun Jan 13, 2019 4:55 pm

Yep because I don't want to give them a proper mention.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

ourequation
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Apr 17, 2009 7:26 am

Re: Site Hacked - Google results takes the user to some hacked page

Post by ourequation » Wed Jan 16, 2019 10:05 pm

Thanks everyone.I have removed the hack (Hopefully) Everything looks good now. Can you advice me on affordable hosting services where I can host joomla.I know this is a different topic but since it originated from hack info i am posting it over here.

annahersh
Joomla! Guru
Joomla! Guru
Posts: 555
Joined: Wed Aug 15, 2018 8:23 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by annahersh » Wed Jan 16, 2019 11:38 pm

ourequation wrote:
Wed Jan 16, 2019 10:05 pm
Thanks everyone.I have removed the hack (Hopefully) Everything looks good now. Can you advice me on affordable hosting services where I can host joomla.I know this is a different topic but since it originated from hack info i am posting it over here.
If your website is with Godaddy, all is well, you don't need to change. I have 8 Joomla sites at that host for 11 years and none have ever been hacked.

Shared hosting will always have loopholes, regardless of the host. Just follow the rules of website maintenance "backup, backup , backup" periodically and keep all software up to date.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 36595
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by Webdongle » Thu Jan 17, 2019 1:06 am

ourequation wrote:
Wed Jan 16, 2019 10:05 pm
Thanks everyone.I have removed the hack (Hopefully) Everything looks good now. ...
How did you remove it ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 36595
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by Webdongle » Thu Jan 17, 2019 1:09 am

annahersh wrote:
Wed Jan 16, 2019 11:38 pm
... Just follow the rules of website maintenance "backup, backup , backup" periodically and keep all software up to date.
Hacks are placed on a server long before they are noticed. Backups can contain the original hack so are often useless when a server has been compromised.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

ourequation
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Apr 17, 2009 7:26 am

Re: Site Hacked - Google results takes the user to some hacked page

Post by ourequation » Thu Jan 17, 2019 1:17 am

updated htaccess , config.php, component.php and also deleted some malacious code on the webserver

ourequation
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Apr 17, 2009 7:26 am

Re: Site Hacked - Google results takes the user to some hacked page

Post by ourequation » Thu Jan 17, 2019 1:19 am

But i must tell you, webdongle, leo you guys are great asset for joomla commmunity. Your mere presence gives a lot of confidence to debug the code. Hope some day i can give the community back what I learn.

annahersh
Joomla! Guru
Joomla! Guru
Posts: 555
Joined: Wed Aug 15, 2018 8:23 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by annahersh » Thu Jan 17, 2019 2:17 am

Webdongle wrote:
Thu Jan 17, 2019 1:09 am
Hacks are placed on a server long before they are noticed. Backups can contain the original hack so are often useless when a server has been compromised.
You further confirm my logic that the host is not at all relevant. All shared hosting environments are vulnerable and having a periodic backup is always sensible.

Hackers tend to seek dormant sites, especially those with outdated frameworks and server side applications. Godaddy provides excellent tools to change PHP version and configure accordingly, and they also give tips on what is suitable for the user. I haven't yet found a reason to quit them.
gd-config.jpg
gd-php-selector.jpg
You do not have the required permissions to view the files attached to this post.

ourequation
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Apr 17, 2009 7:26 am

Re: Site Hacked - Google results takes the user to some hacked page

Post by ourequation » Thu Jan 17, 2019 2:27 am

annahersh

I have been godaddy for last 10 years hosting various sites on them. Since my site was hacked i have been on a negative experience.

Here are few reasons I am now moving away from Godaddy.

1. You are correct that they provide various php options. However no matter how many hosting months you have you still have to buy new hosting if you want to upgrade it 7.0 else you remain on old server which has php 5.8 or 5.9. And more over in new server you have to manually configure everything. If i have to do it then why not try another host which at same rate provides SSL certificate as well and backups.

I had asked do you take regular backups.
The answer was no. I was surprised.

Anyways there are two sides of the coin. Currently your pleased customer of godaddy and I am not... Lets leave it here and enjoy.. But thanks for being so supportive in this forum.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19434
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Site Hacked - Google results takes the user to some hacked page

Post by leolam » Thu Jan 17, 2019 5:54 am

annahersh wrote:
Thu Jan 17, 2019 2:17 am
Godaddy provides excellent tools to change PHP version and configure accordingly, and they also give tips on what is suitable for the user.
Godaddy does not give tips....Since when do they provide excellent tools in their crooked control panel? For every fart you let go they ask money. It is not for nothing that nodaddy.com (you might remember that site which was bought by GD to get rid of it) was so huge and popular. I have only 100% bad experiences for our users and thankfully we have managed to move all away from this crooked comany (using a certain person's favorite way of expression since they fit well together)

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 36595
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked - Google results takes the user to some hacked page

Post by Webdongle » Thu Jan 17, 2019 9:46 am

ourequation wrote:
Thu Jan 17, 2019 1:19 am
... Your mere presence gives a lot of confidence to debug the code. ...
Then your site is still hacked.

http://lmgtfy.com/?q=godaddy+hacked
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post Reply

Return to “Security in Joomla! 3.x”