How do I find a hack?

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
marvaysCZ
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Thu Jan 13, 2011 7:06 pm

How do I find a hack?

Post by marvaysCZ » Wed Mar 13, 2019 3:20 pm

On my site you see a wonder with links to the Russian website. I found DIV by accident. It has an absolute and left position: -4800px.

I tested the site with all available scanners, including myjoomla.com. I have Admintools. I tried to search for text via TC at a given url address. I can't find anything anywhere. What else can I do?

It's an eshop. Joomla 3.9.4.

Code: Select all

<span style="position:absolute;left:-4800px;">Подробнее на сайте: <span><strong></strong></span><a href="https://yetimedicine.ru" title="https://yetimedicine.ru">https://yetimedicine.ru</a><em></em><em></em><ul><li></li></ul><a href="https://medicineway.ru" title="https://medicineway.ru">https://medicineway.ru</a> <!-- #menu-main --> <span></span><span></span><span></span><a href="https://rankmedicine.ru" title="https://rankmedicine.ru">https://rankmedicine.ru</a><span><strong></strong></span><em></em><a href="https://safemedicine.ru" title="https://safemedicine.ru">https://safemedicine.ru</a><ul><li></li></ul><ul><li></li></ul><!-- List Begin Here --><a href="https://whitemedicine.ru" title="https://whitemedicine.ru">https://whitemedicine.ru</a><!-- Here starts the main contents pane --> <span></span><span></span><span></span><span></span><span></span><a href="https://keepmedicine.ru" title="https://keepmedicine.ru">https://keepmedicine.ru</a><!-- Begin Comment List --><!-- Comments Are Editable --><a href="https://chinese-medicine.ru" title="https://chinese-medicine.ru">https://chinese-medicine.ru</a><!-- #end-section --> <span></span><span></span> <a href="https://bravemedicine.ru" title="https://bravemedicine.ru">https://bravemedicine.ru</a><!-- .post-single --><!-- Begin Comment List --><a href="https://focmedicine.ru" title="https://focmedicine.ru">https://focmedicine.ru</a><!-- Simple Comment --><!-- Comments Are Editable --><a href="https://medicinego.ru" title="https://medicinego.ru">https://medicinego.ru</a> <!-- #menu-main --> <!-- Head Support --><a href="https://enjoymedicine.ru" title="https://enjoymedicine.ru">https://enjoymedicine.ru</a><!-- Simple Comment --> <!-- This is a comment. Comments are not displayed in the browser --> <a href="https://natural-cure.ru" title="https://natural-cure.ru">https://natural-cure.ru</a><b></b><b></b> <!--site-inner--> <a href="https://washealth.ru" title="https://washealth.ru">https://washealth.ru</a><!-- Comments are in the browser --><!-- Comments Are Editable --><a href="https://dearmedicine.ru" title="https://dearmedicine.ru">https://dearmedicine.ru</a> <span></span> <!-- Head Support --><a href="https://indianmedicine.ru" title="https://indianmedicine.ru">https://indianmedicine.ru</a><ul><li></li></ul></span>[size=150][/size]
I try Asistent Joomla Forum Post Asistent, but i have two errors.

Code: Select all

Warning: file_exists(): open_basedir restriction in effect. File(/data/logfiles/php.log) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 556

Warning: is_writable(): open_basedir restriction in effect. File(/data/www/22549/tmp) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1561

Fatal error: Maximum execution time of 30 seconds exceeded in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1803

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1188
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: How do I find a hack?

Post by PhilTaylor-Prazgod » Wed Mar 13, 2019 3:33 pm

If you were concerned that myJoomla.com (which is an audit tool, an not a scanner) did not find what you were looking for, then you should have sought support from me using the contact links in the service. This support forum is not for discussing the pitfalls of myJoomla.com or seeking support for its service.

You are correct that ordinarily myJoomla.com would not look for, and therefore not find, a list of links in HTML because although this is unwanted spammy links, they are perfectly valid HTML and not at all "hack" like in content.

However, I have added specific rules to the myJoomla.com detection engine, which is crowd sourced and pattern matching, and started a new audit in your myJoomla.com account for free for you. Hopefully this will then highlight files of interest in the suspect content tool for you to review. If it still finds nothing then these links will be in your database hiding somewhere.

As for you open_basedir issue, thats just plain incorrect server configuration or you are overwriting the defaults with insane values in a custom php.ini or .user.ini file.
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame Digital Solutions Limited.
-- https://myJoomla.com/ Multi Award Winning Joomla Security & Auditing Service
-- https://www.phil-taylor.com/

marvaysCZ
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Thu Jan 13, 2011 7:06 pm

Re: How do I find a hack?

Post by marvaysCZ » Wed Mar 13, 2019 3:39 pm

Thanks for your reaction. I'm sorry, but my English isn't good. I tried a free scan on myjoomla. I'm already desperate, so I try everything I can think of:

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19441
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: How do I find a hack?

Post by leolam » Fri Mar 15, 2019 4:15 pm

PhilTaylor-Prazgod wrote:
Wed Mar 13, 2019 3:33 pm
If it still finds nothing then these links will be in your database hiding somewhere.
which is correct but it won't help the user find the reason why he is having all these links and where the dirt is coming from.

@marvaysCZ did you read what Phil mentioned? He mentioned he has started an additional free of any charges (which is goodwill) a new audit for you. You should login in myJoomla and look at the reports. If that does not help you connect with Phil in the ctrl-panel of myjoomla and ask his help. Your problem should be easy discovered and resolved

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

marvaysCZ
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Thu Jan 13, 2011 7:06 pm

Re: How do I find a hack?

Post by marvaysCZ » Fri Mar 15, 2019 7:16 pm

leolam wrote:
Fri Mar 15, 2019 4:15 pm
He mentioned he has started an additional free of any charges (which is goodwill) a new audit for you. You should login in myJoomla and look at the reports.
Hi. I used a free tariff that has already ended. Any page after signing in: Subscription Cancelled!

User avatar
sozzled
Joomla! Champion
Joomla! Champion
Posts: 6761
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: How do I find a hack?

Post by sozzled » Fri Mar 15, 2019 7:38 pm

marvaysCZ wrote:
Wed Mar 13, 2019 3:20 pm
What else can I do?
There is a lot more that you can do:

Image
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

marvaysCZ
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Thu Jan 13, 2011 7:06 pm

Re: How do I find a hack?

Post by marvaysCZ » Fri Mar 15, 2019 9:05 pm

sozzled wrote:
Fri Mar 15, 2019 7:38 pm
Image
marvaysCZ wrote:
Wed Mar 13, 2019 3:20 pm
I try Forum Post Asistent, but i have two errors.

Code: Select all

Warning: file_exists(): open_basedir restriction in effect. File(/data/logfiles/php.log) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 556

Warning: is_writable(): open_basedir restriction in effect. File(/data/www/22549/tmp) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1561

Fatal error: Maximum execution time of 30 seconds exceeded in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1803

User avatar
sozzled
Joomla! Champion
Joomla! Champion
Posts: 6761
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: How do I find a hack?

Post by sozzled » Fri Mar 15, 2019 11:38 pm

As Phil also observed,
PhilTaylor-Prazgod wrote:
Wed Mar 13, 2019 3:33 pm
... you [have an] open_basedir issue, thats just plain incorrect server configuration or you are overwriting the defaults with insane values in a custom php.ini or .user.ini file.
You should remove the open_basedir setting or discuss this with your webhosting provider. This "feature" is not needed.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?


Post Reply

Return to “Security in Joomla! 3.x”