IFrame - Google Analytics Hack

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
DeadPoetic
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Mar 12, 2009 12:49 am

IFrame - Google Analytics Hack

Postby DeadPoetic » Fri Jun 12, 2009 12:40 pm

Hi, so i got problem with some iframe hack, dont know really how it comes, only thing i know is that every morning when i wake up, my website show a unexpect error in the index.php and my administrator panel show,

Warning: Unterminated comment starting line 84 in /home/fran8600/public_html/siteweb/administrator/index.php on line 84

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/f............

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/joom............

Warning: Cannot modify header information - headers already sent by (output started at /home/joom/public_html/siteweb/admini............

The thing is that i only need to change my files from a back up i did, and things come back to normal, but now every mornings its coming back and its annoying, on each index.php, there is an iframe at the bottom, iframe linking to some pepsixx web site, that finally aint a pepsi's site. Anyone know how i can stop this?

Thx
Last edited by DeadPoetic on Mon Jun 15, 2009 5:35 pm, edited 2 times in total.

DeadPoetic
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Mar 12, 2009 12:49 am

Re: IFrame

Postby DeadPoetic » Fri Jun 12, 2009 12:46 pm

ho and now on my admin panel, there is an iframe linking to lotwager . cn (ps do not go on this website) and now, even if I put back my old files, it still stay there. help?

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: IFrame

Postby fw116 » Fri Jun 12, 2009 1:07 pm

start here:

http://docs.joomla.org/Category:Security_Checklist

then search for:

iframe injection

DeadPoetic
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Mar 12, 2009 12:49 am

Re: IFrame

Postby DeadPoetic » Sun Jun 14, 2009 4:23 am

I've delete and replace all the files, upload jsecure, joomsuite defender, but still each day im getting a php injection or iframe, and i didnt find anything about php injection, or iframe injection in the doc. My joomla platform is 1.5.11, well im getting tired to replace all file each time. Anyone got a solution.

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: IFrame

Postby fw116 » Sun Jun 14, 2009 1:11 pm

well, you should check for modifiyed cron jobs ..

maybe (if your are on shared hosting) another site has been hacked any everybody now get's in touch with the result...

DeadPoetic
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Mar 12, 2009 12:49 am

Re: IFrame

Postby DeadPoetic » Mon Jun 15, 2009 2:32 pm

so there's my problem, i've search on the internet and it looks like i'm not the only one getting problem with the index.php in the past few days, every night this code is getting back in my index.php at line 89

<?php echo '<script type="text/javascript">

var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");

document.write(unescape("%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " + ') + "' type='text/javascript'%3E%3C/script%3E"));

</script>

<script type="text/javascript">

try {

var pageTracker = _gat._getTracker("UA-xxxxxxx-xx");

pageTracker._trackPageview();

} catch(err) {}</script>'; ?>
Last edited by ianmac on Tue Jul 21, 2009 2:58 pm, edited 1 time in total.
Reason: removing hacker credits

DeadPoetic
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Mar 12, 2009 12:49 am

Re: IFrame

Postby DeadPoetic » Mon Jun 15, 2009 5:35 pm

I've search on the internet, and it seem that thousand of people are having the same problem it the past few days, some are with joomla, other with wordpress, it is related to Google Analytics, it might be a hack, since i don't think no one knows what to do, I'll keep up with news if it ever happen to some of you.

Rochen-Adam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 135
Joined: Thu May 28, 2009 6:05 pm
Location: California, USA
Contact:

Re: IFrame - Google Analytics Hack

Postby Rochen-Adam » Mon Jun 15, 2009 6:52 pm

Hi DeadPoetic,

Have you verified that your host is secure as fw116 mentioned above? He's already covered most of the other possibilities as well. At least 25% of the posts in this Security forum relate directly to your problem.

This isn't related to Google Analytics or Joomla, it's a security problem with your site, host, or passwords. Malware distributors have been doing this for years, not just the past few days. The only difference in the past few days is that they have been modifying/replacing google analytics javascript instead of inserting their own iframe in order to obfuscate what they are doing.

As long as you follow the recommendations on the official security checklist and these basic Joomla! security recommendations your site will be secure without the need for things like jsecure or joomsuite defender.
http://www.rochen.com - Performance Joomla Hosting Solutions - Make your Joomla! install fly.
http://blog.rochen.com - Great security tips and more for Joomla!
Follow us on Twitter @rochenhost

pfl0r1n
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Jul 21, 2009 2:44 pm

Re: IFrame - Google Analytics Hack

Postby pfl0r1n » Tue Jul 21, 2009 2:53 pm

i have the same problem with my wordpress and my smf forum .. both got infected ... please if you kow a way to get rid of this hijacking let me know.

thank you


Return to “Security in Joomla! 1.5”

Who is online

Users browsing this forum: No registered users and 4 guests