Joomla 3.8.5 site injected with malware / Please help

ywncyber
Joomla! Enthusiast
Posts: 158
Joined: Thu Feb 10, 2011 12:53 pm

Joomla 3.8.5 site injected with malware / Please help

Postby ywncyber » Fri Feb 09, 2018 7:38 am

Hi guys, I have an urgent problem: my Joomla site has been repeatedly re-injected with malware each time I restore it.

I have finally found that the source of the problem appears to be an outdated plugin. I have of course now removed this plugin. My webhost also did a scan of my files and found several files they believe suspicious (to be honest, I don't agree with the file list they gave me, but I removed all of those too).

Please see below a copy of the scan result from Sucuri.net

[ redacted ]

Are there any known methods of cleaning up the database from this sort of malware attack now that I believe I have gotten rid of the source?

Any urgent help appreciated before this completely wipes out the google ranks I spent 7 years getting.

PS: Want to know what the malware was actually doing? Redirecting people to a "Firefox update" and downloading a firefox.js file (can't remember if it was named that or firefox-patch.js).

PPS: I have been trying to search for the code string you see mentioned at the bottom of the image to get it out of the database, but I am unable to find it. My web hosts will not assist, as they are not security specialists any more than I am. I'm just hoping I'm not entirely off course in thinking that now the source files are gone, if I can clean the crap out of the DB I might be OK.
Last edited by toivo on Fri Feb 09, 2018 7:56 am, edited 2 times in total.
Reason: mod note: moved to 3.x Security, image with URL of infected site removed

gws
Joomla! Virtuoso
Posts: 3346
Joined: Tue Aug 23, 2005 1:56 pm
Location: Kent / Sussex / Surrey border UK
Contact:

Re: Joomla 3.8.5 site injected with malware / Please help

Postby gws » Fri Feb 09, 2018 7:46 am

There is a guide here: viewtopic.php?f=714&t=946026
Also check out myjoomla.com, where the first scan is free.

ywncyber
Joomla! Enthusiast
Posts: 158
Joined: Thu Feb 10, 2011 12:53 pm

Re: Joomla 3.8.5 site injected with malware / Please help

Postby ywncyber » Fri Feb 09, 2018 8:33 am

Thanks for your reply, I already used both Sucuri and SiteGuard scans to get the image I posted (that got removed..)

I have found and removed source files and other suspicious files. My web hosts have just finished their latest scan and it appears now to be clean, they find no suspicious files where previously they did.

I now just need to sort my database out, but I'm not very good at finding and deleting things in databases. I guess I am trying to find the string that Sucuri refers to as the malware's "payload" in the DB and get rid of it so it doesn't re-assert itself? Or were the codes never in the DB, only in certain files? How do these things normally work?

ywncyber
Joomla! Enthusiast
Posts: 158
Joined: Thu Feb 10, 2011 12:53 pm

Re: Joomla 3.8.5 site injected with malware / Please help

Postby ywncyber » Fri Feb 09, 2018 8:42 am

This is what the Sucuri scan said were the known details of the malware:

[ redacted ]

My assumption is I need to find this code and get it out of the database, right? Although some of it doesn't seem to be found; some was found in the comprofiler part of the table. I'm thinking of just backing up the DB as per the guide, then chopping that part of the code out of comprofiler and hoping the site still works. Any confirmation as to whether I'm barking up the right or wrong tree? >:(
Last edited by mandville on Fri Feb 09, 2018 1:03 pm, edited 1 time in total.
Reason: Removed hack code again.

fcoulter
Joomla! Ace
Posts: 1582
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Joomla 3.8.5 site injected with malware / Please help

Postby fcoulter » Fri Feb 09, 2018 11:44 am

It is more common for malicious scripts to be embedded in files; if you really have cleaned out all malicious files from your site then it should be gone.

If you want to check the database you can download it and open the SQL file in a text editor, e.g. Notepad, and search for the code. For example, you could just do a search for the string "eval(function" - there is no good reason for that to be in the database. Then if you find it you will know which table and row it is in.

I would worry more about whether you really have cleaned out all the malicious files, I suggest reviewing Webdongle's advice here: https://forum.joomla.org/viewtopic.php?f=714&t=946026
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

ywncyber
Joomla! Enthusiast
Posts: 158
Joined: Thu Feb 10, 2011 12:53 pm

Re: Joomla 3.8.5 site injected with malware / Please help

Postby ywncyber » Fri Feb 09, 2018 11:51 am

Thanks for your reply. Based on the advice of Webdongle's post I have already overwritten all the Joomla files with fresh ones, removed the vulnerable plugin which I believe caused all this in the first place, deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible code in. Sucuri now comes back clean, as does SiteGuard. I will keep an eye on it.

The sad thing is I thought I'd scan my other three Joomla sites and my little WordPress site just to make sure. Three were clean, but one Joomla site is infected, with something ENTIRELY different - hidden links to pharmaceutical sites?! Absolutely out of this world.... I deleted all the malicious payloads, but this time it broke that site entirely. Just getting it restored, then I will post the info here.

ywncyber
Joomla! Enthusiast
Posts: 158
Joined: Thu Feb 10, 2011 12:53 pm

Re: Joomla 3.8.5 site injected with malware / Please help

Postby ywncyber » Fri Feb 09, 2018 12:04 pm

Here is my other site's problem according to Sucuri. Any idea how I can remove all this from the DB without destroying the whole site as I did previously? What could have been compromised in order for this to be hidden on all my articles and categories?

spam-seo.hidden_content?71.4
It's basically a div class with size 0 font and hidden links to pharmaceutical sites etc.

fcoulter
Joomla! Ace
Posts: 1582
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Joomla 3.8.5 site injected with malware / Please help

Postby fcoulter » Fri Feb 09, 2018 6:54 pm

As before, download the SQL, open it in a text editor, and do a search and replace.

Also follow Webdongle's advice as before for the cleanup. Make sure that your extensions are up to date, and remove any that you are not using.

I suggest posting the results of the forum post assistant if you want further advice (the link is at the top of this forum).
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
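The "search the SQL dump" approach fcoulter describes in both replies above, written out as a small checker. This is an added example, not code from the thread or from Joomla: it walks the INSERT statements of a mysqldump-style file, splits each extended INSERT into rows, and reports the table and row index of anything matching the two indicators the thread mentions (an "eval(function" blob and a zero-font-size hidden div). The dump fragment is constructed for the example, and the table names and the `example.invalid` host are placeholders.

```python
import re

# Constructed sample of a mysqldump file (not from the thread). Row 2 of the
# content table carries a hidden spam div; the comprofiler row carries packed JS.
SAMPLE_DUMP = """
INSERT INTO `jos_content` VALUES (1,'Welcome','<p>Hello world</p>'),(2,'Pricing','<p>Prices</p><div style=\\"font-size:0px\\"><a href=\\"http://example.invalid/pills\\">buy</a></div>');
INSERT INTO `jos_comprofiler` VALUES (5,'<script>eval(function(p,a,c,k,e,d){return 1})</script>');
INSERT INTO `jos_users` VALUES (42,'admin','admin@example.invalid');
"""

# Indicators from the thread: the "eval(function" string and a div whose
# font size is zero. Case-insensitive and tolerant of stray whitespace.
INDICATORS = {
    "packed_js": re.compile(r"eval\s*\(\s*function", re.I),
    "hidden_div": re.compile(r"<div[^>]*font-size\s*:\s*0(?:px)?", re.I),
}

# One extended INSERT per statement: capture the table name and its VALUES.
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES (.*?);\s*$", re.M | re.S)


def split_rows(values):
    """Split '(..),(..)' into row strings, honouring quoted text and \\ escapes."""
    rows, buf, in_str, depth, i = [], [], False, 0, 0
    while i < len(values):
        ch = values[i]
        if in_str:
            buf.append(ch)
            if ch == "\\":            # escaped char: copy it and skip it
                buf.append(values[i + 1]); i += 1
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str, _ = True, buf.append(ch)
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:            # end of one row tuple
                rows.append("".join(buf)); buf = []
        elif depth > 0:
            buf.append(ch)
        i += 1
    return rows


def scan_dump(dump):
    """Return (table, row_index, indicator, snippet) for every suspicious row."""
    findings = []
    for m in INSERT_RE.finditer(dump):
        table, values = m.group(1), m.group(2)
        for idx, row in enumerate(split_rows(values)):
            for name, pat in INDICATORS.items():
                hit = pat.search(row)
                if hit:
                    findings.append((table, idx, name, row[hit.start():hit.start() + 40]))
    return findings
```

Run it against the real dump with `scan_dump(open("backup.sql").read())` and the report tells you which table and row to inspect before editing anything; it only reports, it never modifies the dump.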

abernyte
Joomla! Virtuoso
Posts: 3544
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla 3.8.5 site injected with malware / Please help

Postby abernyte » Sun Feb 11, 2018 11:19 am

ywncyber wrote: Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones

That was not the advice in the referenced post. It was:

c. Delete all the files on the server

The only sure way to be rid of your infection is to replace the files, not edit or overwrite them.
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain

prem726
Joomla! Intern
Posts: 87
Joined: Sat May 15, 2010 10:27 am
Location: Korat, THAILAND
Contact:

Re: Joomla 3.8.5 site injected with malware / Please help

Postby prem726 » Sat Mar 31, 2018 4:59 am

I'm currently having a problem like this too.

index.php on my website has had a base64-encoded virus inserted into it.

How can I prevent them?

This is my website:

[code]lamphuonline.com[/code]
Last edited by fcoulter on Sat Mar 31, 2018 8:58 am, edited 1 time in total.
Reason: broke link to possibly hacked file, please do not create live links to hacked site

gws
Joomla! Virtuoso
Posts: 3346
Joined: Tue Aug 23, 2005 1:56 pm
Location: Kent / Sussex / Surrey border UK
Contact:

Re: Joomla 3.8.5 site injected with malware / Please help

Postby gws » Sat Mar 31, 2018 7:20 am

Follow the advice in viewtopic.php?f=714&t=946026.

Webdongle
Joomla! Master
Posts: 34445
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla 3.8.5 site injected with malware / Please help

Postby Webdongle » Mon Apr 02, 2018 9:21 am

ywncyber wrote:...Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, .., deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. ...
Where in viewtopic.php?f=714&t=946026 does it advise overwriting Joomla files and cherry-picking suspect files for deletion? You need to delete everything.

ywncyber wrote:...Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, .., deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. ...

The sad thing is I thought I'd scan my other three joomla sites and my little wordpress site just to make sure, 3 were clean but one joomla site is infected, ....
"Delete all the files on the server" means everything on the server !!!

You need to follow the steps on viewtopic.php?f=714&t=946026 again.
