Discussion - Malicious Javascript in your site
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Malicious Javascript in your site
It's not an extension, it's a manual script that is very specific in it's usage and requirements.
[I've removed the rest of my post as it was offensive to others]
[I've removed the rest of my post as it was offensive to others]
Brad Baker
https://xyzuluhosting.com
https://xyzuluhosting.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
I already noticed you do not read. I asked you to add the Keepass to the initial post and you just bully yourself onto something different....brad wrote:It's not an extension, it's a manual script that is very specific in it's usage and requirements.
What is the difference with the Joomla Forum Asisstant Tools (excellent) which is a stand alone script as well? That is posted in JED and heavy promoted (look in the top of your screen) (http://extensions.joomla.org/extensions ... tools/1734) Argument is not valid.....Consistency and transparency in decision making are though....It's not an extension, it's a manual script that is very specific in it's usage and requirements.
Good call Brad...Glad to see you active again (http://www.alltogetherasawhole.org might do you some good! ....amongst other things....)
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
As was pointed out before, JTS does not alter files in the way that the suggested cleaning script does.
--
edit to add : i will add the password tool to the checklist 7 as a suggested ftp security tool
--
edit to add : i will add the password tool to the checklist 7 as a suggested ftp security tool
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
Broomla is a virtual broom for cleaning (scripted) iframe injections in Joomla. It is intended for those who do not have a good backup to restore and who do not know how to manually repair a Joomla 1.5 website compromised by a (scripted) iframe injection FTP Trojan.mandville wrote:I will add the password tool to the checklist 7 as a suggested ftp security tool
It is therefore not an ftp security tool at all. It belongs into recovery or whatever but definitely not in ftp security...Nothing to do with ftp-security I am afraid but appreciate the intension
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
it was keepass i was talking about - the password reminder tool that helps prevent ftp passwords being stored in the ftp prog.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
misunderstanding...tnx but it is already mentioned in that I think
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
yes - just added it today to Local Security
* Don't store user name/password in ftp program
o Use a password manager such as the free keepass
after your comments on it
* Don't store user name/password in ftp program
o Use a password manager such as the free keepass
after your comments on it
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Jan 19, 2010 2:09 pm
Re: Malicious Javascript in your site
anybody help me how to use this
Thanks
Thanks
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
Hello, You might want to explain where you point at? What s the issue, what are your problems , where you need help, what is the error you get, what is your platform......just to mention a few?fraz wrote:anybody help me how to use this
Please be good and use http://forum.joomla.org/viewtopic.php?f=428&t=272481 so we know what is your environment and psot detailed info so we can help you?
Cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Jan 26, 2010 4:26 am
Re: Malicious Javascript in your site
Hi just thought I would share. I have 24 sites. 16 have been hit with this. Cleaning joomla is bad enough but the whole server was hit so the server admin tools are all corrupt also. Of the 16 sites ALL had Joomla installed somewhere. 4 of the sites were not on my FTP client, no passwords stored on my computer anywhere. The remainder of my sites that were not hit, were listed on the ftp client. So for now I am ruling out the virus ftp thingy.http://www.iss.net/threats/gumblar.html or one of it's variants. Possibly when you used your FTP client, your ftp login details were logged and then used but the virus/trojan.
I changed computers Dec 09 and I have not added some of the affected sites passwords and user id's to my new computer. The old computer has not been in use (fried hard drive). The attacks all happened on the 23rd and 24th of Jan. 2010 on all of my sites.
None of my WP sites were affected. None of my hand coded sites either unless they also contained and instance of joomla 1.5 or 1.0. It did not matter what flavor or version. Three sites were recently upgraded to the latest release. I also have some social networking sites that use elgg. They were not affected unless joomla was there somewhere. So I am thinking it's something to do with Joomla. I am on a designated server not shared service so I am at a loss and just waiting on support to go through the logs. I have joomla installed with php and ftp. Made no difference.
I have been all over the net today and it seems like there is a real uptick in this thing. http://justcoded.com/article/gumblar-fa ... oval-tool/ this site has a removal tool I have used it, the script is called curevir.php but it is somewhat limited because of file permissions, it does work though, if you can work around that it may be good for you.
Note: There have been 109 entries on this subject at justcoded, a lot of them in January 2010 and 39 of them in the last few days. Just sayin...
- hcdmkr
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Nov 19, 2009 9:40 am
Re: Malicious Javascript in your site
These attacks are discussed here as an individual. However, these collective solutions must joomla. If we use this script.
- paimages
- Joomla! Intern
- Posts: 55
- Joined: Thu Aug 18, 2005 2:22 pm
- Location: Switzerland
- Contact:
Re: Malicious Javascript in your site
I read the full post and I would like to share with you our preventing security strategy .
Use the FTP File System Layer
With this mode you don't need directory with the 777 CHMOD
Use a strong .htaccess
Orginal .htacess : http://docs.joomla.org/Preconfigured_.htaccess
We add:
In some case we add a filter again bad-bot : http://www.bg-pro.com/?goto=badbot
Install http:BL Plugin
Install a monitoring system
We develop JMonitoring. It check the integrity of the main files of joomla like all the index.php (joomla and templates), configuration.php etc...
Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.
Actually we use it on more than 40 joomla website with good results.
PA
Use the FTP File System Layer
With this mode you don't need directory with the 777 CHMOD
Use a strong .htaccess
Orginal .htacess : http://docs.joomla.org/Preconfigured_.htaccess
We add:
Code: Select all
### Deny access to the .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
### only allow the browser to access index.php
DirectoryIndex index.php
Install http:BL Plugin
http://extensions.joomla.org/extensions ... ccess/2786http:BL System Plugin allows you to verify IP addresses of clients connecting to your website against the Project Honey Pot database. It check whether your visitor is an email harvester, a comment spammer or any other malicious client. Communication with verification server is done via DNS request mechanism. Now, thanks to http:BL System Plugin any potentially harmful clients are denied from accessing your website and therefore abusing it.
Install a monitoring system
We develop JMonitoring. It check the integrity of the main files of joomla like all the index.php (joomla and templates), configuration.php etc...
http://extensions.joomla.org/extensions ... urity/9787Checking a list of websites is a complicated task and that is why JMonitoring has been developped.
JMonitoring helps you to keep an eye on every Joomla websites you manage and let you know if they were errors on them or if they have been hacked.
Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.
Actually we use it on more than 40 joomla website with good results.
PA
www.inetis.ch - Joomla integrator and member of the Joomla.fr Team
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
#slight off topic but how are you finding the new format feed, is it working for you?paimages wrote:Finally subscribe the RSS Vulnerable Extensions List
http://feeds.joomla.org/JoomlaSecurityV ... Extensions and check with your monitoring tools if you have installed one of this extension.
Actually we use it on more than 40 joomla website with good results.
PA
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
removing the code does not get to the root of the problem - why/how did it get there in the first place.
warning before running any scripts posted by users, make sure you have a suitable back up of your site.
warning before running any scripts posted by users, make sure you have a suitable back up of your site.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
on deeper checking of that script you would also need to edit some of the code of the script to match your site.
without more instructions provided by the coder, i would not recommend people who are not familiar with php to use it.
fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.
my advice still is, cleaning the code does not cure the reason it arose
without more instructions provided by the coder, i would not recommend people who are not familiar with php to use it.
fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.
my advice still is, cleaning the code does not cure the reason it arose
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
Which i definitely support 100%. Prevention is better than seeing the doctor the morning after....mandville wrote: my advice still is, cleaning the code does not cure the reason it arose
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 3
- Joined: Tue Feb 23, 2010 3:59 am
Re: Malicious Javascript in your site
My intention was not to promote myself, only developed a solution to my problem and decided to share. Ok Sorry, I think I'm in the wrong community. Bye
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
Did you read any of the other comments and suggestion over your script?fabiomazzo wrote:.
fabiomazzo - thank you for the effort but can you please expand on the script-instructions etc.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 3
- Joined: Tue Feb 23, 2010 3:59 am
Re: Malicious Javascript in your site
I have not mentioned about your comment, but on the edition of my post.
With a little more detailed documentation : http://innoit.com.br/phpantivir
With a little more detailed documentation : http://innoit.com.br/phpantivir
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
thank you , that will assist those who think they can just upload and run the script and it will solve all their issues.
see this full depth explanation from PhilD
http://forum.joomla.org/viewtopic.php?p ... 0#p2052210
see this full depth explanation from PhilD
http://forum.joomla.org/viewtopic.php?p ... 0#p2052210
Last edited by mandville on Wed Feb 24, 2010 2:42 pm, edited 1 time in total.
Reason: to clarify that the script is not a "magic fix all script"
Reason: to clarify that the script is not a "magic fix all script"
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 3
- Joined: Tue Feb 23, 2010 3:59 am
Re: Malicious Javascript in your site
It's not a solution, not solve a lot of issues, just helps in ONE specific issue. Perhaps, it can help somebody.
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Malicious Javascript in your site
Thank you for posting the solution. If it helps even only one single person it will put smiles on your face!!
Cheers!
Leo
Cheers!
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Mar 09, 2010 5:46 pm
Re: Malicious Javascript in your site
Thanks for the informative post.
I found this great tool to detect malware on your site {self promotion deleted}
I found this great tool to detect malware on your site {self promotion deleted}
Last edited by mandville on Tue Mar 09, 2010 6:58 pm, edited 1 time in total.
Reason: self promotion is against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
Reason: self promotion is against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Jan 19, 2010 2:09 pm
Re: Malicious Javascript in your site
I got problem during installation any body guide me
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
what exactly are you having an issue with.? and i deleted your double post
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu May 06, 2010 2:52 am
Re: Malicious Javascript in your site
This type of infection is much more common with the password however. For that reason, you should follow these steps:
1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!
2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1
3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster ... swer=45432
thaks
4. Read the information provided below about this type of viral infection and how to further prevent it.
1. Scan your local computer, the clients computer, and any computer from which you have accessed the account using an up to date virus scanner such as http://malwarebytes.org CRITICAL!
2. Update the cPanel/FTP password with a password that is not easily guessable. Use 12-digits and something like example (!) &G5s#!K-|%H1
3. Submit your site for a rescan using your Google Webmaster account. If you do not already have an account please follow the instructions on this page to obtain one: http://www.google.com/support/webmaster ... swer=45432
thaks
4. Read the information provided below about this type of viral infection and how to further prevent it.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu Jul 05, 2007 10:53 pm
Re: Malicious Javascript in your site
Only for your information: Last week 05-06-10 and last night 05-12-10, several websites were attacked for this script. All of them are hosted in GoDaddy; Fortunately, there is a function call "Restore" so we could restore files from some days ago and they replace the "hacked" files. I know this is not enough, but at least is a fast (and temporary) solution.
- mandville
- Joomla! Master
- Posts: 15153
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Malicious Javascript in your site
the godaddy conversation is here http://forum.joomla.org/viewtopic.php?f=432&t=515398lrsv5 wrote:Only for your information: Last week 05-06-10 and last night 05-12-10, several websites were attacked for this script. All of them are hosted in GoDaddy; .
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/
-
- Joomla! Fledgling
- Posts: 3
- Joined: Mon Mar 22, 2010 1:27 am
- Contact:
Re: Malicious Javascript in your site
I agree that SFTP won't protect against a keylogger, although there is not much information regarding this latest trojan/exploit (keylogging or password sniffing?), the pattern does seem to be with FTP. If one can use SFTP VS FTP, it is certainly more secure.
Not sure about you, but personally I would not use FTP over an open un-trusted network.
Not sure about you, but personally I would not use FTP over an open un-trusted network.
Last edited by mandville on Sat Jun 05, 2010 3:33 pm, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
-
- Joomla! Fledgling
- Posts: 2
- Joined: Sat Jun 05, 2010 3:18 pm
Re: Malicious Javascript in your site
Oh! I'm reading this article and I think It very good.
Last edited by mandville on Sat Jun 05, 2010 3:33 pm, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65