How do I find a hack?

marvaysCZ · Post by **marvaysCZ** » Wed Mar 13, 2019 3:20 pm

On my site you see a wonder with links to the Russian website. I found DIV by accident. It has an absolute and left position: -4800px.

I tested the site with all available scanners, including myjoomla.com. I have Admintools. I tried to search for text via TC at a given url address. I can't find anything anywhere. What else can I do?

It's an eshop. Joomla 3.9.4.

Code: Select all

<span style="position:absolute;left:-4800px;">Подробнее на сайте: <span><strong></strong></span><a href="https://yetimedicine.ru" title="https://yetimedicine.ru">https://yetimedicine.ru</a><em></em><em></em><ul><li></li></ul><a href="https://medicineway.ru" title="https://medicineway.ru">https://medicineway.ru</a> <!-- #menu-main --> <span></span><span></span><span></span><a href="https://rankmedicine.ru" title="https://rankmedicine.ru">https://rankmedicine.ru</a><span><strong></strong></span><em></em><a href="https://safemedicine.ru" title="https://safemedicine.ru">https://safemedicine.ru</a><ul><li></li></ul><ul><li></li></ul><!-- List Begin Here --><a href="https://whitemedicine.ru" title="https://whitemedicine.ru">https://whitemedicine.ru</a><!-- Here starts the main contents pane --> <span></span><span></span><span></span><span></span><span></span><a href="https://keepmedicine.ru" title="https://keepmedicine.ru">https://keepmedicine.ru</a><!-- Begin Comment List --><!-- Comments Are Editable --><a href="https://chinese-medicine.ru" title="https://chinese-medicine.ru">https://chinese-medicine.ru</a><!-- #end-section --> <span></span><span></span> <a href="https://bravemedicine.ru" title="https://bravemedicine.ru">https://bravemedicine.ru</a><!-- .post-single --><!-- Begin Comment List --><a href="https://focmedicine.ru" title="https://focmedicine.ru">https://focmedicine.ru</a><!-- Simple Comment --><!-- Comments Are Editable --><a href="https://medicinego.ru" title="https://medicinego.ru">https://medicinego.ru</a> <!-- #menu-main --> <!-- Head Support --><a href="https://enjoymedicine.ru" title="https://enjoymedicine.ru">https://enjoymedicine.ru</a><!-- Simple Comment --> <!-- This is a comment. Comments are not displayed in the browser --> <a href="https://natural-cure.ru" title="https://natural-cure.ru">https://natural-cure.ru</a><b></b><b></b> <!--site-inner--> <a href="https://washealth.ru" title="https://washealth.ru">https://washealth.ru</a><!-- Comments are in the browser --><!-- Comments Are Editable --><a href="https://dearmedicine.ru" title="https://dearmedicine.ru">https://dearmedicine.ru</a> <span></span> <!-- Head Support --><a href="https://indianmedicine.ru" title="https://indianmedicine.ru">https://indianmedicine.ru</a><ul><li></li></ul></span>[size=150][/size]

I try Asistent Joomla Forum Post Asistent, but i have two errors.

Code: Select all

Warning: file_exists(): open_basedir restriction in effect. File(/data/logfiles/php.log) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 556

Warning: is_writable(): open_basedir restriction in effect. File(/data/www/22549/tmp) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1561

Fatal error: Maximum execution time of 30 seconds exceeded in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1803

PhilTaylor-Prazgod · Post by **PhilTaylor-Prazgod** » Wed Mar 13, 2019 3:33 pm

If you were concerned that myJoomla.com (which is an audit tool, an not a scanner) did not find what you were looking for, then you should have sought support from me using the contact links in the service. This support forum is not for discussing the pitfalls of myJoomla.com or seeking support for its service.

You are correct that ordinarily myJoomla.com would not look for, and therefore not find, a list of links in HTML because although this is unwanted spammy links, they are perfectly valid HTML and not at all "hack" like in content.

However, I have added specific rules to the myJoomla.com detection engine, which is crowd sourced and pattern matching, and started a new audit in your myJoomla.com account for free for you. Hopefully this will then highlight files of interest in the suspect content tool for you to review. If it still finds nothing then these links will be in your database hiding somewhere.

As for you open_basedir issue, thats just plain incorrect server configuration or you are overwriting the defaults with insane values in a custom php.ini or .user.ini file.

marvaysCZ · Post by **marvaysCZ** » Wed Mar 13, 2019 3:39 pm

Thanks for your reaction. I'm sorry, but my English isn't good. I tried a free scan on myjoomla. I'm already desperate, so I try everything I can think of:

leolam · Post by **leolam** » Fri Mar 15, 2019 4:15 pm

PhilTaylor-Prazgod wrote: ↑
Wed Mar 13, 2019 3:33 pm
If it still finds nothing then these links will be in your database hiding somewhere.

which is correct but it won't help the user find the reason why he is having all these links and where the dirt is coming from.

@marvaysCZ did you read what Phil mentioned? He mentioned he has started an additional free of any charges (which is goodwill) a new audit for you. You should login in myJoomla and look at the reports. If that does not help you connect with Phil in the ctrl-panel of myjoomla and ask his help. Your problem should be easy discovered and resolved

Leo

marvaysCZ · Post by **marvaysCZ** » Fri Mar 15, 2019 7:16 pm

leolam wrote: ↑
Fri Mar 15, 2019 4:15 pm
He mentioned he has started an additional free of any charges (which is goodwill) a new audit for you. You should login in myJoomla and look at the reports.

Hi. I used a free tariff that has already ended. Any page after signing in: Subscription Cancelled!

sozzled · Post by **sozzled** » Fri Mar 15, 2019 7:38 pm

marvaysCZ wrote: ↑
Wed Mar 13, 2019 3:20 pm
What else can I do?

There is a lot more that you can do:

marvaysCZ · Post by **marvaysCZ** » Fri Mar 15, 2019 9:05 pm

sozzled wrote: ↑
Fri Mar 15, 2019 7:38 pm

marvaysCZ wrote: ↑

Wed Mar 13, 2019 3:20 pm

I try Forum Post Asistent, but i have two errors.

Code: Select all

Warning: file_exists(): open_basedir restriction in effect. File(/data/logfiles/php.log) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 556

Warning: is_writable(): open_basedir restriction in effect. File(/data/www/22549/tmp) is not within the allowed path(s): (/data/www/22549/vybaveniprovozu_cz) in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1561

Fatal error: Maximum execution time of 30 seconds exceeded in /data/www/22549/vybaveniprovozu_cz/www/fpa-en.php on line 1803

sozzled · Post by **sozzled** » Fri Mar 15, 2019 11:38 pm

As Phil also observed,

PhilTaylor-Prazgod wrote: ↑
Wed Mar 13, 2019 3:33 pm
... you [have an] open_basedir issue, thats just plain incorrect server configuration or you are overwriting the defaults with insane values in a custom php.ini or .user.ini file.

You should remove the open_basedir setting or discuss this with your webhosting provider. This "feature" is not needed.

The Joomla! Forum™

How do I find a hack?

How do I find a hack?

Re: How do I find a hack?

Re: How do I find a hack?

Re: How do I find a hack?

Re: How do I find a hack?

Re: How do I find a hack?

Re: How do I find a hack?

Re: How do I find a hack?