Joomla 3.8.5 site injected with malware / Please help
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
-
- Joomla! Enthusiast
- Posts: 164
- Joined: Thu Feb 10, 2011 12:53 pm
Joomla 3.8.5 site injected with malware / Please help
Hi guys, I have an urgent problem: my Joomla site has been repeatedly reinjected with malware each time I restore it.
I have finally found the source of the problem appears to be an outdated plugin. I have of course now removed this plugin. My webhost also did a scan of my files and found several files they believe suspicious (to be honest, I don't agree with the file list they gave me, but I removed all of those too).
Please see below a copy of the scan result from Sucuri.net
[ redacted ]
Are there any known methods of cleaning up the database from this sort of malware attack now that I believe I have gotten rid of the source?
Any urgent help appreciated before this completely wipes out the google ranks I spent 7 years getting.
PS: Want to know what the malware was actually doing? Redirecting people to a "Firefox update" and downloading a firefox.js file (Can't remember if it was named that or firefox-patch.js)
PPS I have been trying to search for the code string you see mentioned on the bottom of the image to get it out of the database, but I am unable to find it. My web hosts will not assist, as they are not security specialists any more than I am. I'm just hoping I'm not entirely off course in thinking that now the source files are gone, if I can clean the crap out of the DB I might be ok.
Last edited by toivo on Fri Feb 09, 2018 7:56 am, edited 2 times in total.
Reason: mod note: moved to 3.x Security, image with URL of infected site removed
-
- Joomla! Champion
- Posts: 5929
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: Joomla 3.8.5 site injected with malware / Please help
There is a guide here viewtopic.php?f=714&t=946026
also check out myjoomla.com where the first scan is free
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services
-
- Joomla! Enthusiast
- Posts: 164
- Joined: Thu Feb 10, 2011 12:53 pm
Re: Joomla 3.8.5 site injected with malware / Please help
Thanks for your reply, already used both Sucuri and siteguard scans to get the image I posted (that got removed..)
I have found and removed source files and other suspicious files. My web hosts have just finished their latest scan and it appears now to be clean, they find no suspicious files where previously they did.
I now just need to sort my database out, but I'm not very good at finding and deleting things in databases. I guess I am trying to find the string that Sucuri refers to as the malware's "payload" in the DB and get rid of it so it doesn't re-assert itself? Or were the codes never in the DB? Only in certain files? How do these things normally work?
-
- Joomla! Enthusiast
- Posts: 164
- Joined: Thu Feb 10, 2011 12:53 pm
Re: Joomla 3.8.5 site injected with malware / Please help
This is what the Sucuri scan said were the known details of the malware.
My assumption is I need to find this code and get it out of the database, right? Although some of it doesn't seem to be found. Some was found in the comprofiler part of the table. I'm thinking of just backing up the DB as per the guide, then chopping that part of the code out of comprofiler and hoping the site still works. Any confirmation as to whether I'm barking up the right or wrong tree?
Last edited by mandville on Fri Feb 09, 2018 1:03 pm, edited 1 time in total.
Reason: Removed hack code again.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Joomla 3.8.5 site injected with malware / Please help
It is more common for malicious scripts to be embedded in files; if you really have cleaned out all malicious files from your site then it should be gone.
If you want to check the database you can download it and open the sql file in a text editor, eg Notepad, and search for the code, eg you could just do a search for the string "eval(function" - there is no good reason for that to be in the database. Then if you find it you will know which table and row it is in.
I would worry more about whether you really have cleaned out all the malicious files, I suggest reviewing Webdongle's advice here: viewtopic.php?f=714&t=946026
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Enthusiast
- Posts: 164
- Joined: Thu Feb 10, 2011 12:53 pm
Re: Joomla 3.8.5 site injected with malware / Please help
Thanks for your reply. Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, removed the vulnerable plugin which I believe caused all this in the first place, deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. Sucuri now comes back clean, as does siteguard. I will keep an eye on it.
The sad thing is I thought I'd scan my other three joomla sites and my little wordpress site just to make sure, 3 were clean but one joomla site is infected, with something ENTIRELY different - hidden links to pharmaceutical sites?! Absolutely out of this world.... I deleted all the malicious payloads but this time it broke that site entirely. Just getting it restored then will post the info here.
-
- Joomla! Enthusiast
- Posts: 164
- Joined: Thu Feb 10, 2011 12:53 pm
Re: Joomla 3.8.5 site injected with malware / Please help
Here is my other site's problem according to Sucuri. Any idea how I can remove all this from the DB without destroying the whole site as I did previously? What could have been compromised in order for this to be hidden on all my articles, categories?
spam-seo.hidden_content?71.4
It's basically a div class with size 0 font and hidden links to pharmaceutical sites etc.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Joomla 3.8.5 site injected with malware / Please help
As before, download the sql, open in a text editor, do a search and replace.
Also follow Webdongle's advice as before for the cleanup. Make sure that your extensions are up to date, and remove any that you are not using.
I suggest posting the results of the forum post assistant if you want further advice (the link is at the top of this forum).
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- abernyte
- Joomla! Virtuoso
- Posts: 4189
- Joined: Fri May 15, 2009 2:01 pm
- Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Re: Joomla 3.8.5 site injected with malware / Please help
"Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones"
That was not the advice in the referenced post. It was
"c. Delete all the files on the server"
The only sure way to be rid of your infection is to replace the files not edit or overwrite them.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine
- prem726
- Joomla! Intern
- Posts: 89
- Joined: Sat May 15, 2010 10:27 am
- Location: Korat, THAILAND
Re: Joomla 3.8.5 site injected with malware / Please help
I currently have a problem like this too.
index.php in my website has had a base64 virus code inserted.
How can I prevent this?
this is my website
[code]lamphuonline.com[/code]
Last edited by fcoulter on Sat Mar 31, 2018 8:58 am, edited 1 time in total.
Reason: broke link to possibly hacked file, please do not create live links to hacked site
-
- Joomla! Champion
- Posts: 5929
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: Joomla 3.8.5 site injected with malware / Please help
Follow the advice in viewtopic.php?f=714&t=946026
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services
- Webdongle
- Joomla! Master
- Posts: 44070
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla 3.8.5 site injected with malware / Please help
ywncyber wrote: ...Based on the advice of webdongle's post I have already overwritten all the joomla files with fresh ones, .., deleted LOADS of dodgy files detected by my hosts, and removed a huge amount of database entries with horrible codes in. ...
Where in viewtopic.php?f=714&t=946026 does it advise overwriting Joomla files and cherry picking suspect files for deletion ? You need to delete everything.
"Delete all the files on the server" means everything on the server !!!
ywncyber wrote: The sad thing is I thought I'd scan my other three joomla sites and my little wordpress site just to make sure, 3 were clean but one joomla site is infected, ....
You need to follow the steps on viewtopic.php?f=714&t=946026 again.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".