
Is my site still infected? How can I tell?

Posted: Sat Feb 23, 2019 7:08 am
by scifivision
I'm using Joomla 3.8.1 currently. I know the first suggestion is going to be to update it. As of the last time I checked, the template program that I spent a lot of money on has not been updated yet to work with the new updates, so I can't do that.

Earlier my front end started showing up blank, but the backend was fine. A friend tried to access it and she actually got a Norton virus popup.

My site tech support wasn't much help, but they did say that something was preventing it from displaying (at least what I got out of what he said) because it was acting like there was nothing in the folder (even though there was).

There were a bunch of php files added into my main folder. I deleted those. I also found code added to index.php and include/framework.php with the following:

/[ redacted ]/

The code has been deleted and suddenly the site is displayed. I've tried external scans from sites which before weren't working since they were just returning 500 errors, but now show clean. Do I truly have it clean? More importantly, I'm assuming it's vulnerable to another attack. What is the best thing to do?

Thanks

Re: Is my site still infected? How can I tell?

Posted: Sat Feb 23, 2019 7:40 am
by annahersh
It's possibly not clean, as hackers tend to place files deep within directories, and those deep files have the purpose of either recreating anything you delete, or giving the hacker perpetual access to your host root.

You will need to run an extension which knows Joomla's structure and properly scans all files. One such extension is RS Firewall; it's very good at finding malware and monitoring for future attacks.

Alternatively you could hire Sucuri, the experts who will track the source and thoroughly clean your system.

Once you do get it all cleaned, be sure to get the core and all third party extensions updated, and stay updated.
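
An added example, not part of the original thread and not code from any extension named here: one way to look for changed core files and for script files dropped deep in the tree is to hash every file and compare against a pristine copy of the same Joomla version. The directory names and file contents in `demo()` are constructed for illustration, and the extension list is an assumption.

```python
import hashlib
import os
import tempfile

SCRIPT_EXT = (".php", ".phtml", ".pht")  # assumed list of server-executed extensions

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def index_tree(root):
    """Map each file path (relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = sha256_of(full)
    return digests

def compare_site(site_root, clean_root):
    """Return (core files that differ, script files absent from the clean copy)."""
    site, clean = index_tree(site_root), index_tree(clean_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    extra = sorted(p for p in site
                   if p not in clean and p.lower().endswith(SCRIPT_EXT))
    return modified, extra

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo():
    # Constructed sample: a tiny "clean" tree and a tampered copy of it.
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for rel in ("index.php", "includes/framework.php", "libraries/loader.php"):
            _write(clean, rel, "<?php // core file " + rel)
            _write(site, rel, "<?php // core file " + rel)
        _write(site, "index.php", "<?php // core file\n// constructed injected line")
        _write(site, "includes/framework.php", "<?php // constructed injected line")
        _write(site, "images/cache/a/b/x.php", "<?php // constructed dropped file")
        return compare_site(site, clean)

if __name__ == "__main__":
    print(demo())
```

On a real install, `configuration.php` and every third-party extension or template file will appear in the second list and has to be reviewed by hand or compared against that extension's own clean package. A clean result from this comparison covers files only, not the database or accounts.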

Re: Is my site still infected? How can I tell?

Posted: Sat Feb 23, 2019 8:34 am
by scifivision
Thanks. 2 things. First, is there a good one that's free or cheap at least?

I don't think I will likely have the money to buy this, but in case I decide to later, under highlights for that extension it says this:
"Automatically drop dangerous files when they're uploaded - such as .php, .js, .exe, .com, .bat, .cmd"
Is that an option to turn off? I update files manually on occasion and I know when I do that at some point I'll probably forget why it isn't updating if that's the case.

Re: Is my site still infected? How can I tell?

Posted: Sat Feb 23, 2019 10:02 am
by toivo
You can also use the myJoomla.com service, where the first audit is free.

Re: Is my site still infected? How can I tell?

Posted: Sun Mar 31, 2019 8:04 pm
by Slackervaara
I think Joomla now has protection against visitors uploading files. Only logged-in users can do this. Earlier, JHackguard, a security extension, also had this feature and still has it.

Re: Is my site still infected? How can I tell?

Posted: Sun Mar 31, 2019 10:02 pm
by Webdongle