Joomla 3.8.5 site injected with malware / Please help

[ywncyber]

Hi guys, I have an urgent problem my Joomla site has been repeatedly reinjected with malware each time I restore it.

I have finally found the source of the problem appears to be an outdated plugin. I have of course now removed this plugin. My webhost also did a scan of my files and found several files they believe suspicious (to be honest, I don't agree with the file list they gave me, but I removed all of those too).

Please see below a copy of the scan result from Sucuri.net

[ redacted ]

Is there any known methods of cleaning up the database from this sort of Malware attack now that I believe I have gotten rid of the source?

Any urgent help appreciated before this completely wipes out the google ranks I spent 7 years getting.

PS: Want to know what the malware was actually doing? Redirecting people to a "Firefox update" and downloading a firefox.js file (Can't remember if it was named that or firefox-patch.js)

PPS I have been trying to search for the code string you see mentioned on the bottom of the image to get it out of the database, but I am unable to find it. My web hosts will not assist, as they are not security specials anymore than I am. I'm just hoping I'm not entirely off course in thinking that now the source files are gone, if I can clean the crap out of the DB I might be ok.

[gws]

There is a guide here viewtopic.php?f=714&t=946026
also check out myjoomla.com where the first scan is free

[ywncyber]

Thanks for your reply, already used both securi and siteguard scans to get the image I posted (that got removed..)

I have found and removed source files and other suspicious files. My web hosts have just finished their latest scan and it appears now to be clean, they find no suspicious files where previously they did.

I now just need to sort my database out, but I'm not very good at finding and deleting things in databases. I guess I am trying to find the string that Securi refers to as the malwares "payload" in the DB and get rid of it so it doesn't re-assert itself? or were the codes never in the DB? only in certain files? how do these things normally work?

[ywncyber]

This is what Securi scan said was the known details of the Malware



my assumption is I need to find this code and get it out of the database right? Although some of it doesn't seem to be found. some was found in the comprofiler part of the table. I'm thinking of just backing up the DB as per the guide, then chopping that part of the code out of comprofiler and hoping the site still works. Any confirmation as to whether I'm barking up the right or wrong tree?

[fcoulter]

It is more common for malicious scripts to be embedded in files, if you really have cleaned out all malicious files from your site then it should be gone.

If you want to check the database you can download it and open the sql file in a text editor, eg Notepad, and search for the code, eg you could just do a search for the string "eval(function" - there is no good reason for that to be in the database. Then if you find it you will know which table and row it is in.

I would worry more about whether you really have cleaned out all the malicious files, I suggest reviewing Webdongle's advice here: viewtopic.php?f=714&t=946026

[ywncyber]

Thanks for your reply. Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, removed the vulnerable plugin which I believe caused all this ins the first place, deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. Sucuri now comes back clean, as does siteguard. I will keep an eye on it

The sad thing is I thought I'd scan my other three joomla sites and my little wordpress site just to make sure, 3 were clean but one joomla site is infected, with something ENTIReLY different - hidden links to pharmaceutical sites?! Absolutely out of this world.... I deleted all the malicious payloads but this time it broke that site entirely. Just getting it restored then will post the info here.

[ywncyber]

Here is my other sites problem according to sucuri. Any idea how I can remove all this from the DB without destroying the whole site as i did previously? What could have been compromised in order for this to be hidden on all my articles, categories?

spam-seo.hidden_content?71.4
It's basically a div class with size 0 font and hidden links to pharmaceutical sites etc.

[fcoulter]

As before, download the sql, open in a text editor, do a search and replace.

Also follow Webdongle's advice as before for the cleanup. Make sure that your extensions are up to date, and remove any that you are not using.

I suggest posting the results of the forum post assistant if you want further advice (the link is at the top of this forum).

[abernyte]

Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones

That was not the advice in the referenced post. It was

c. Delete all the files on the server

The only sure way to be rid of your infection is to replace the files not edit or overwrite them.

[prem726]

i m currently has a problem like this too.

index.php in my website has been insert a base64 code of virus.

how can i prevent from them

this is my website

[code]lamphuonline.com[/code]

[gws]

Follow the advice in viewtopic.php?f=714&t=946026

[Webdongle]

...Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, .., deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. ...

Where in viewtopic.php?f=714&t=946026 does it advise overwriting Joomla files and cherry picking suspect files for deletion ? You need to delete everything.

...Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, .., deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. ...

The sad thing is I thought I'd scan my other three joomla sites and my little wordpress site just to make sure, 3 were clean but one joomla site is infected, ....

"Delete all the files on the server" means everything on the server !!!

You need to follow the steps on viewtopic.php?f=714&t=946026 again.