Google tagged website as hacked

lillianfidler
Joomla! Explorer
Posts: 411
Joined: Mon Mar 31, 2008 8:28 pm
Location: St. John's, Newfoundland, Canada

Google tagged website as hacked

Post by lillianfidler » Wed Mar 21, 2018 11:59 am

Hi:

I've looked through everything and had the hosting company do a scan without turning up anything... I'd like to submit for reconsideration but would like for the Joomla experts to please have a look to see what might be causing the tagging by google. This is the page they singled out but said that it is not exclusively this page:

http://www.spiritualgenome.com/docs/vy2a9.php?knyd=dc-generator-problems-and-solutions-pdf

Here are the results from the FPA (split into two posts as the maximum number of characters was exceeded)
Problem Description :: Forum Post Assistant (v1.3.9) : 21st March 2018 wrote:
Google has targeted the website as hacked

Log/Error Message :: Forum Post Assistant (v1.3.9) : 21st March 2018 wrote:
They listed this page specifically, but not exclusively: hxxp://www.spiritualgenome.com/docs/vy2a9.php? ... utions-pdf

Log/Error Message :: Forum Post Assistant (v1.3.9) : 21st March 2018 wrote:
no errors, also scanned by the hosting company with no indication of hacking

Actions Taken To Resolve by Forum Post Assistant (v1.3.9) 21st March 2018 wrote:
Before submitting for reconsideration I'd like to get the experts to have a look!

Forum Post Assistant (v1.3.9) : 21st March 2018 wrote:

Basic Environment :: wrote:
Joomla! Instance :: Joomla! 3.8.6-Stable (Amani) 13-March-2018
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: hxxp://www.spiritualgenome.com | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: 2 | FrontEdit: 1 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.14.52-vs2.3.6.15-1 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 1663.16 GiB |

PHP Configuration :: Version: 5.6.34 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 500M | Max. POST Size: 505M | Max. Input Time: 1000 | Max. Execution Time: 1000 | Memory Limit: 512M

MySQL Configuration :: Version: 5.6.34-log (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 17.11 MiB | #of Tables:  102

Detailed Environment :: wrote:
PHP Extensions :: Core (5.6.34) | date (5.6.34) | ereg () | libxml () | pcre () | sqlite3 (0.7-dev) | filter (0.11.0) | mbstring () | SPL (0.2) | PDO (1.0.4dev) | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | pdo_sqlite (1.0.1) | hash (1.0) | session () | cgi-fcgi () | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | standard (5.6.34) | ftp () | gd () | gettext () | exif (1.4 $Id: 1c8772f76be691b7b3f77ca31eb788a2abbcefe5 $) | iconv () | imap () | json (1.2.1) | mcrypt () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | mysqli (0.1) | openssl () | pcntl () | pdo_mysql (1.0.2) | posix () | pspell () | mysql (1.0) | SimpleXML (0.1) | soap () | sockets () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | zlib (2.0) | imagick (3.4.3) | memcached (2.2.0) | mhash () | Zend OPcache (7.0.6-devFE) | Zend Engine (2.6.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::

Database Information :: wrote:
Database statistics :: Uptime: 11814057 | Threads: 12 | Questions: 3392664749 | Slow queries: 336089614 | Opens: 102268621 | Flush tables: 33 | Open tables: 2048 | Queries per second avg: 287.171 |

Extensions Discovered :: wrote:
Components :: SITE :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 | WF_XHTMLXTRAS_TITLE (2.6.12) 1 | WF_VISUALCHARS_TITLE (2.6.12) 1 | WF_VISUALBLOCKS_TITLE (2.6.12) 1 | WF_TEXTCASE_TITLE (2.6.12) 1 | WF_TABLE_TITLE (2.6.12) 1 | WF_STYLESELECT_TITLE (2.6.12) 1 | WF_STYLE_TITLE (2.6.12) 1 | WF_SPELLCHECKER_TITLE (2.6.12) 1 | WF_SOURCE_TITLE (2.6.12) 1 | WF_SEARCHREPLACE_TITLE (2.6.12) 1 | WF_PRINT_TITLE (2.6.12) 1 | WF_PREVIEW_TITLE (2.6.12) 1 | WF_NONBREAKING_TITLE (2.6.12) 1 | WF_MEDIA_TITLE (2.6.12) 1 | WF_LISTS_TITLE (2.6.12) 1 | WF_LINK_TITLE (2.6.12) 1 | WF_LAYER_TITLE (2.6.12) 1 | WF_KITCHENSINK_TITLE (2.6.12) 1 | WF_INLINEPOPUPS_TITLE (2.6.12) 1 | WF_IMGMANAGER_TITLE (2.6.12) 1 | WF_HR_TITLE (2.6.12) 1 | WF_FULLSCREEN_TITLE (2.6.12) 1 | WF_FORMATSELECT_TITLE (2.6.12) 1 | WF_FONTSIZESELECT_TITLE (2.6.12) 1 | WF_FONTSELECT_TITLE (2.6.12) 1 | WF_FONTCOLOR_TITLE (2.6.12) 1 | WF_EMOTIONS_TITLE (2.6.12) 1 | WF_DIRECTIONALITY_TITLE (2.6.12) 1 | WF_CONTEXTMENU_TITLE (2.6.12) 1 | WF_CLIPBOARD_TITLE (2.6.12) 1 | WF_CLEANUP_TITLE (2.6.12) 1 | WF_CHARMAP_TITLE (2.6.12) 1 | WF_BROWSER_TITLE (2.6.12) 1 | WF_AUTOSAVE_TITLE (2.6.12) 1 | WF_ARTICLE_TITLE (2.6.12) 1 | WF_ANCHOR_TITLE (2.6.12) 1 | WF_LINK_SEARCH_TITLE (2.6.12) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.12) 1 | WF_POPUPS_WINDOW_TITLE (2.6.12) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.12) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.12) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.12) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.12) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.12) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.12) 1 |
Components :: ADMIN :: com_weblinks (3.5.0) 1 | com_users (3.0.0) 1 | com_templates (3.0.0) 1 | com_tags (3.1.0) 1 | com_search (3.0.0) 1 | RokSprocket (2.1.21) 1 | RokCandy (2.0.2) 1 | com_redirect (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_plugins (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_modules (3.0.0) 1 | com_messages (3.0.0) 1 | com_menus (3.0.0) 1 | com_media (3.0.0) 1 | com_login (3.0.0) 1 | com_languages (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | JComments (3.0.0) 1 | COM_JCE (2.6.12) 1 | com_installer (3.0.0) 1 | COM_GANTRY (4.1.34) 1 | com_finder (3.0.0) 1 | com_fields (3.7.0) 1 | COM_CREATIVECONTACTFORM (4.5.0) 1 | com_cpanel (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_content (3.0.0) 1 | com_config (3.0.0) 1 | COM_CMC (4.1.0) 1 | com_checkin (3.0.0) 1 | com_categories (3.0.0) 1 | com_cache (3.0.0) 1 | com_banners (3.0.0) 1 | com_associations (3.7.0) 1 | Akeeba (6.0.1) 1 | com_ajax (3.2.0) 1 | com_admin (3.0.0) 1 |

Modules :: SITE :: mod_wrapper (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_weblinks (3.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_tags_popular (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_search (3.0.0) 1 | RokSprocket Module (2.1.21) 1 | RokNavMenu (2.0.9) 1 | RokAjaxSearch (2.0.4) 1 | mod_related_items (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_footer (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_custom (3.0.0) 1 | MOD_CREATIVECONTACTFORM_NAME (4.5.0) 1 | mod_cmc (4.1.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | ARI Image Slider (1.7.0) 1 | System (1.0.0) 1 |
Modules :: ADMIN :: mod_sampledata (3.8.0) 0 | mod_version (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_title (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_status (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_custom (3.0.0) 1 | CMC - Update (1.4) 1 | CMC - Newsfeed (1.4) 1 | CMC - Mailchimp (1.4) 1 | CMC - Icons (1.4) 1 |
Last edited by fcoulter on Mon Mar 26, 2018 4:38 pm, edited 3 times in total.
Reason: broke link in fpa


Google tagged website as hacked (FPA part 2)

Post by lillianfidler » Wed Mar 21, 2018 12:00 pm

This is the second part of the FPA:

Plugins :: SITE :: plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_jcomments (1.0) 0 | plg_user_contactcreator (3.0.0) 0 | User - CMC Registration plugin (-) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_sef (3.0.0) 1 | System - RokUpdater (1.0.8) 1 | System - RokSprocket (2.1.21) 1 | System - RokExtender (2.0.0) 1 | System - RokCommon (3.2.5) 1 | System - RokCandy (2.0.2) 1 | System - RokBox (2.0.13) 1 | System - RokBooster (1.1.17) 0 | plg_system_remember (3.0.0) 1 | plg_system_redirect (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_jcomments (1.0) 0 | plg_system_jce (2.6.12) 1 | plg_system_highlight (3.0.0) 1 | System - Gantry 4 (4.1.34) 1 | plg_system_fields (3.7.0) 1 | System - CMC Ecom360 Virtuemar (4.1.0) 1 | System - CMC Ecom360 Redshop (4.1.0) 0 | System - CMC Ecom360 Payplans (4.1.0) 0 | System - CMC ecom360 Matukio (4.1.0) 0 | CMC - Ecom360 Hika (4.1.0) 0 | System - CMC Ecom360 Akeebasub (4.1.0) 1 | System - CMC Mailchimp ecommer (4.1.0) 1 | plg_system_debug (3.0.0) 1 | Creative Contact Form (4.5.0) 1 | plg_system_cache (3.0.0) 0 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) 1 | System - Google Analytics (4.6.1) 1 | plg_system_sessiongc (3.8.6) 1 | plg_search_weblinks (3.5.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_newsfeeds (3.0.0) 1 | plg_search_jcomments (1.0) 0 | plg_search_content (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_jcomments (1.0) 0 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_akeebabackup (1.0) 1 | plg_installer_webinstaller (1.1.1) 1 | PLG_INSTALLER_URLINSTALLER 
(3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_jce (2.6.12) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_finder_weblinks (3.5.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_extension_jce (2.6.12) 1 | plg_editors_tinymce (4.5.8) 1 | Editor - RokPad (2.1.9) 1 | plg_editors_jce (2.6.12) 1 | plg_editors_codemirror (5.34.0) 1 | Button - RokCandy (2.0.2) 1 | Button - RokBox (2.0.13) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_jcommentson (1.0) 0 | plg_editors-xtd_jcommentsoff (1.0) 0 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_content_vote (3.0.0) 1 | Content - RokInjectModule (1.7) 1 | Content - RokBox (2.0.13) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | AllVideos (by JoomlaWorks) (4.8.0) 1 | AllVideos (by JoomlaWorks) (4.8.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_jcomments (1.0) 0 | plg_content_jce (2.6.12) 1 | Content - InstantPaypal (1.1) 1 | plg_content_finder (3.0.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_emailcloak (3.0.0) 1 | Community - CMC Registration p (4.1.0) 1 | plg_captcha_recaptcha (3.4.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | 
plg_authentication_gmail (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 |

Templates Discovered :: wrote:
Templates :: SITE :: rt_hadron (1.0) 1 | protostar (1.0) 1 | beez3 (3.1.0) 1 |
Templates :: ADMIN :: isis (1.0) 1 | hathor (3.0.0) 1 |
Last edited by toivo on Wed Mar 21, 2018 12:07 pm, edited 1 time in total.
Reason: mod note: disabled smilies in Options for readability

fcoulter
Joomla! Ace
Posts: 1684
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Google tagged website as hacked

Post by fcoulter » Wed Mar 21, 2018 12:50 pm

Looking at the page url you say that Google singled out:

http://www.spiritualgenome.com/docs/vy2a9.php?knyd=dc-generator-problems-and-solutions-pdf
This is not a Joomla URL.

Joomla doesn't have a docs folder, and it does not have a script called vy2a9.php. Joomla is always accessed through the index.php file.

If it was not put there by you or your developer then it might have been put there by a hacker as a backdoor. Alternatively, it is possibly a standalone script that has been hacked. I think you need to check out what it is.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"


Re: Google tagged website as hacked

Post by lillianfidler » Wed Mar 21, 2018 12:54 pm

When I go to the url there is nothing there - it's an error

I can't find a docs folder under the root....

kitepascal
Joomla! Intern
Posts: 53
Joined: Thu Aug 27, 2009 2:58 pm

Re: Google tagged website as hacked

Post by kitepascal » Wed Mar 21, 2018 1:00 pm

Hi,

Your error.php is faulty (perhaps only compatible with older Joomla versions).
Every non-existent URL shows these errors.

The mentioned link should give an Error 404 - not found.

Some hints on how to fix that (if you can not simply update your template (framework)):
viewtopic.php?t=956021

You could also delete the template's error.php - then the default error.php (in core look) will be active.

Just make sure that

http://www.spiritualgenome.com/docs/vy2a9.php?knyd=dc-generator-problems-and-solutions-pdf
throws a 404 - check it on https://httpstatus.io/
Google's reconsideration will be successful then.
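
The two checks described in the replies above (a PHP script that is not a Joomla entry point, and whether it now answers 404), applied to web-server access logs. This is an added example, not part of the original posts; the entry-point allowlist, the slug pattern and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: the only PHP entry points a stock Joomla 3 site serves directly.
JOOMLA_ENTRY_POINTS = {"/index.php", "/administrator/index.php"}

# "combined" access-log format: only the request target and status are needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Shape of the URLs in the thread: one parameter whose value is a hyphenated keyword slug.
SLUG_RE = re.compile(r"^[a-z0-9.'%]+(?:-[a-z0-9.'%]+)+$", re.I)

# Constructed sample lines (documentation IP ranges, made-up sizes and user agents).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Mar/2018:10:01:02 +0000] "GET /docs/vy2a9.php?knyd=download-patch-pes-2018 HTTP/1.1" 200 18234 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [17/Mar/2018:11:14:40 +0000] "GET /docs/vy2a9.php?knyd=isuzu-6hk1-workshop-manual-pdf HTTP/1.1" 200 17640 "-" "ExampleBot/1.0"',
    '192.0.2.44 - - [26/Mar/2018:14:49:09 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Mar/2018:14:50:00 +0000] "GET /docs/vy2a9.php?knyd=nvidia-shield-android-tv-xda-developers HTTP/1.1" 404 512 "-" "ExampleBot/1.0"',
    '192.0.2.44 - - [26/Mar/2018:14:52:30 +0000] "GET /blog/w9ou9z2.php?yuco=8v71-detroit-diesel-hp HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]


def triage(log_lines):
    """Group requests to non-Joomla PHP scripts and record how the server answered.

    Lines are assumed to be in chronological order, so last_status is the
    most recent answer for each script.
    """
    findings = defaultdict(
        lambda: {"hits": 0, "slug_hits": 0, "statuses": set(), "last_status": None}
    )
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line in the expected format
        url = urlsplit(match.group("target"))
        path = url.path
        if not path.lower().endswith(".php") or path in JOOMLA_ENTRY_POINTS:
            continue  # static file or a normal Joomla request
        status = int(match.group("status"))
        entry = findings[path]
        entry["hits"] += 1
        entry["statuses"].add(status)
        entry["last_status"] = status
        params = parse_qsl(url.query, keep_blank_values=True)
        if len(params) == 1 and SLUG_RE.match(params[0][1]):
            entry["slug_hits"] += 1
    return dict(findings)


def still_served(findings):
    """Scripts whose most recent answer was not 404/410, i.e. still reachable."""
    return sorted(
        path for path, f in findings.items() if f["last_status"] not in (404, 410)
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, info in sorted(result.items()):
        print(path, info)
    print("still served:", still_served(result))
```

A script that drops out of `still_served` only shows that the URL is gone; the file, and whatever wrote it, still has to be found on disk.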


Re: Google tagged website as hacked

Post by lillianfidler » Mon Mar 26, 2018 2:53 pm

Thanks for that. I've deleted the error.php file and will also upgrade the template.

I did get some further information in the google console that may be relevant:

URL injection
These pages appear to be created by a hacker with the intent of spamming search results.
Sample URLs Last detected

http://www.spiritualgenome.com/docs/vy2a9.php?knyd=david-garrett-viva-la-vida-mp3-free-download 3/16/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=isuzu-6hk1-workshop-manual-pdf 3/17/18
http://spiritualgenome.com/docs/vy2a9.php?knyd=nvidia-shield-android-tv-xda-developers 3/26/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=android-reduce-file-size-programmatically 3/19/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=wow-cataclysm-4.3-4-download-mac 3/15/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=microsoft-store-won%27t-open-windows-10 3/17/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=romantic-sms-for-wife-in-hindi 3/15/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=9th-english-first-paper-2017 3/15/18
http://www.spiritualgenome.com/docs/vy2a9.php?knyd=download-patch-pes-2018 3/15/18

I'm unsure how to deal with this...
Last edited by mandville on Mon Mar 26, 2018 3:30 pm, edited 1 time in total.
Reason: Code wrapped


Re: Google tagged website as hacked

Post by kitepascal » Mon Mar 26, 2018 3:08 pm

Hi,

the status code for these URLs is correct now - 404.

Did you delete the error.php today?

Because of..

http://spiritualgenome.com/docs/vy2a9.php?knyd=nvidia-shield-android-tv-xda-developers 3/26/18
..crawled today.
I hope you could remove all the malicious files and mods causing these pages.. Checked your .htaccess, compared with a backup or fresh install etc.
A myjoomla.com Audit is always useful too - don't rely on your webhoster's scan.
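
The comparison against a backup or fresh install suggested above, as an added example that is not part of the original post. The function names, the `EXPECTED_TO_DIFFER` set and the file contents are assumptions constructed for illustration; the reference tree is assumed to be the same Joomla version with the same extensions, otherwise legitimate third-party files are reported as unknown.

```python
import hashlib
import os
import tempfile

# File types the web server may execute or interpret.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".htaccess")
# Assumption: per-site files that are expected to differ from the reference copy.
EXPECTED_TO_DIFFER = {"configuration.php"}


def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_with_reference(live_root, reference_root):
    """Report executable files missing from the reference and files whose content changed."""
    live, ref = hash_tree(live_root), hash_tree(reference_root)
    # Joomla ships its rewrite rules as htaccess.txt; the live copy is the renamed file.
    if ".htaccess" in live and "htaccess.txt" in ref and ".htaccess" not in ref:
        ref[".htaccess"] = ref["htaccess.txt"]
    report = {"unknown": [], "modified": []}
    for rel, digest in sorted(live.items()):
        if rel in EXPECTED_TO_DIFFER:
            continue
        if rel not in ref:
            if rel.lower().endswith(EXECUTABLE_SUFFIXES):
                report["unknown"].append(rel)   # e.g. a script nobody installed
        elif ref[rel] != digest:
            report["modified"].append(rel)      # needs a manual diff
    return report


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed reference tree and a tampered live tree, then compare them."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        clean = {
            "index.php": b"<?php /* core entry point */",
            "htaccess.txt": b"RewriteEngine On\n",
            "templates/rt_hadron/error.php": b"<?php /* template error page */",
        }
        for rel, data in clean.items():
            _write(ref, rel, data)
        _write(live, "index.php", clean["index.php"])
        _write(live, "templates/rt_hadron/error.php", clean["templates/rt_hadron/error.php"])
        _write(live, "configuration.php", b"<?php /* site settings */")
        _write(live, ".htaccess", b"RewriteEngine On\n# line not in the shipped file\n")
        _write(live, "docs/vy2a9.php", b"<?php /* placeholder for an unknown script */")
        _write(live, "images/logo.png", b"\x89PNG")
        return compare_with_reference(live, ref)


if __name__ == "__main__":
    print(demo())
```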

ribo
Joomla! Virtuoso
Posts: 3295
Joined: Sun Jan 03, 2010 8:47 pm

Re: Google tagged website as hacked

Post by ribo » Mon Mar 26, 2018 4:19 pm

Your website is hacked for sure as Google shows your website as hacked.
Here is a sure way to clean your Joomla website for sure.
viewtopic.php?f=714&t=946026#p3457071
Any other way if you are not experienced in cleaning Joomla hacked sites you will think that you will clean it but you will be infected again.
chat room spontes : http://www.spontes.com


Re: Google tagged website as hacked

Post by ribo » Mon Mar 26, 2018 5:00 pm

You have out-of-date third party extensions, like JCE editor, ARI Image Slider, etc. Also your template is out of date. Please check all your third party extensions. When you will clean your Joomla website with the way that I posted then be sure that every time you must update your Joomla, your third party extensions and your template, to not be vulnerable.

JAVesey
Joomla! Ace
Posts: 1779
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Google tagged website as hacked

Post by JAVesey » Tue Mar 27, 2018 4:31 pm

To add to what ribo has posted, please cross-reference all of your extensions with the Vulnerable Extensions List (https://vel.joomla.org/) to make sure there are no "current but vulnerable" extensions on your site.
John V
Cardiff, Wales, UK
Website: https://www.llanmon.org.uk (Joomla 3.8.13)

echopulse
Joomla! Apprentice
Posts: 22
Joined: Fri Mar 13, 2009 7:51 pm

Re: Google tagged website as hacked

Post by echopulse » Wed Mar 28, 2018 8:32 pm

The same thing happened to me. The following URLs were tagged as spammy.

mysite.org/blog/w9ou9z2.php?yuco=save-video-telegram-bot
mysite.org/blog/w9ou9z2.php?yuco=how-to-get-gcp-certificate
mysite.org/blog/w9ou9z2.php?yuco=8v71-detroit-diesel-hp
mysite.org/blog/w9ou9z2.php?yuco=rashi-and-nakshatra-by-birth

When I went to the page, it was a page that looked like a blog comments section with spammy keywords. I do not use a blog on my site, and never installed a blog extension, so I don't know how it got there. I since deleted the blog folder, but I would like to know how it got there. It's not a normal part of Joomla, is it?

mandville
Joomla! Master
Posts: 14694
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Google tagged website as hacked

Post by mandville » Wed Mar 28, 2018 9:03 pm

echopulse wrote: mysite.org/blog/w9ou9z2.php?yuco=save-video-telegram-bot

When I went to the page, it was a page that looked like a blog comments section with spammy keywords. I do not use a blog on my site, and never installed a blog extension, so I don't know how it got there. I since deleted the blog folder, but I would like to know how it got there. It's not a normal part of Joomla, is it?

No, the entire post smells of word pr ess. Did you EVER have that blogging script on your site? Did you have a previous site admin who might have installed that blogging script?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Google tagged website as hacked

Post by echopulse » Wed Mar 28, 2018 9:23 pm

No, not on that site. But I do have it installed on another site on the same server. It's exhibiting the same behavior, so I'm looking into it. But I don't know how it would jump from one site to the next.


Re: Google tagged website as hacked

Post by kitepascal » Wed Mar 28, 2018 9:34 pm

But I don't know how it would jump from one site to the next.
If the (FTP) user is the same and one site has been hacked, all sites are vulnerable.
You can convince yourself by installing a file manager component like ProFiles and change the Base directory one level higher in the settings.

sozzled
Joomla! Champion
Posts: 5619
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Google tagged website as hacked

Post by sozzled » Wed Mar 28, 2018 9:36 pm

@echopulse: "it" ... being what's known in the game as referrer spam, yes?

The subject of this topic is "Google [has] tagged [my] website as [being] hacked". At least, I think that's what the subject of this discussion is.
echopulse wrote:The same thing happened to me ... when I went to the page, it was a page that looked like a blog comments section with spammy keywords.
And just exactly where was this "page" that you went to? Was this a "page" in your website and, if it was a "page" in your website, what does this have to do with Google?

As for referrer spam "jumping from one site to the next", that's exactly what happens with rogue 'bots trying to sniff for exploits in websites owned by the same hosting account. It works like this: something exists on one website (and there may or may not be a vulnerability there) so the spamdexing 'bot tries another website with a similar request (where this "something" doesn't exist) that usually results in a 404 Not Found error until, perhaps, further reconnaissance work by the 'bot reveals something worth further exploration. And so it goes, and so it goes.

And finally: the website referred to by the OP (where this discussion began) is not "tagged" by Google as hacked! Check it out for yourselves if you doubt it.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?


Re: Google tagged website as hacked

Post by echopulse » Wed Mar 28, 2018 11:36 pm

Google did tag my website as hacked, just like the OP. The page was in my website, I even posted the URLs, with the words mysite.org in them. Is that not clear?


Re: Google tagged website as hacked

Post by sozzled » Thu Mar 29, 2018 2:06 am

If Google tagged "mysite.org" (literally) then I'm not surprised (because I cannot find "mysite.org" in Google).

We don't know if there was any successful hack of any website. We only know that, at one time, Google had some doubts. My guess is that there was no successful hack. My guess is that this is a case of referrer spam. There are other topics on this forum that relate to referrer spam. I suggest you look for those other topics. This may help explain the situation in cases mentioned in this topic. :)


Re: Google tagged website as hacked

Post by echopulse » Thu Mar 29, 2018 3:34 am

mysite.org is just an example URL, not the real one. I assume something was most likely hacked, because there was a file in the blog folder that wasn't put there by me, unless it's part of the Joomla install. The comments on the blog were referrer spam, but that wasn't really the issue. The issue is the w9ou9z2.php file that allowed the comments to be posted.


Re: Google tagged website as hacked

Post by sozzled » Thu Mar 29, 2018 9:04 am


Webdongle
Joomla! Master
Posts: 35509
Joined: Sat Apr 05, 2008 9:58 pm

Re: Google tagged website as hacked

Post by Webdongle » Mon Apr 02, 2018 9:13 am

kitepascal wrote:
But I don't know how it would jump from one site to the next.
If the (FTP) user is the same and one site has been hacked, all sites are vulnerable.
You can convince yourself by installing a file manager component like ProFiles and change the Base directory one level higher in the settings.
Even if the ftp user is different ... once they hack one site they have access to your whole server. You have two choices
  1. Hire a professional
    or
  2. Delete all the files from the server
If you choose #2 please see viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

