Joomla Download Hacked?

Discussion regarding Joomla! 3.x security issues.

Moderators: mandville, General Support Moderators

sd_joomla
Joomla! Intern
Posts: 92
Joined: Sun Mar 29, 2015 5:23 pm

Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 4:25 pm

Hi everyone.

I'm working on a new web site build and discovered what appears to be malicious code.

I thought maybe this code was inserted by an Extension.

So I did a fresh install of Joomla on my computer using WAMP.

I created a new, empty database. Downloaded 3.8.1. Installed 3.8.1. Removed the install directory.

That's it.

When I Inspect the code in Chrome, this is what I find:
Capture.PNG
Capture2.PNG
Clearly that's malicious as you can see the links in image 2 are for porn sites.

What's even more interesting is that I don't see that same code when I View Source.

Again, this is a fresh install of Joomla. No Extensions, plugins or templates have been installed.

Can anyone provide feedback?

I'm reluctant to use 3.8.1!
Last edited by toivo on Mon Oct 23, 2017 5:02 pm, edited 1 time in total.
Reason: mod note: moved to 3.x Security


Re: Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 4:29 pm

Here's the source code from my browser:
view-source.PNG

toivo
Joomla! Master
Posts: 17304
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Joomla Download Hacked?

Post by toivo » Mon Oct 23, 2017 5:06 pm

Where did you download the install package from?

Do you run an antivirus application on your workstation and is it up to date?
Toivo Talikka, Global Moderator


Re: Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 5:16 pm

I did the download from here:

https://downloads.joomla.org/

I haven't yet run a scan on my computer but I will do so.

My antivirus is up to date.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Joomla Download Hacked?

Post by fcoulter » Mon Oct 23, 2017 5:54 pm

You have a script and a stylesheet from Kaspersky labs in your source - could this be from a plugin? It is not part of Joomla.

A scan of your PC is definitely a good idea, also I suggest checking your browser for any malicious or hacked extensions.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

Webdongle
Joomla! Master
Posts: 43967
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla Download Hacked?

Post by Webdongle » Mon Oct 23, 2017 5:56 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Re: Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 6:22 pm

The Kaspersky references are from my antivirus. It tries to block things like banner ads. I'll shut off Kaspersky on my next test.

I ran a quick scan with Kaspersky. Nothing found. Running another scan now.

Working on FPA also.


Re: Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 6:46 pm

Last PHP Error(s) Reported :: Forum Post Assistant (v1.3.4) : 23rd October 2017 wrote:
[20-Oct-2017 16:56:26 UTC] PHP 8. require() C:\Users\standard\Documents\www\pragma\live\libraries\joomla\document\html.php:578

Forum Post Assistant (v1.3.4) : 23rd October 2017 wrote:

Basic Environment ::
Joomla! Instance :: Joomla! 3.8.1-Stable (Amani) 4-October-2017
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (666) | Owner: 0 (uid: /gid: ) | Group: 0 (gid: ) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: N/A | FrontEdit: N/A | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Windows NT | OS Version: 10.0 | Technology: AMD64 | Web Server: Apache/2.4.23 (Win64) PHP/5.6.25 | Encoding: gzip, deflate | Doc Root: C:/Users/standard/Documents/www/joomla/three-eight-one | System TMP Writable: Yes

PHP Configuration :: Version: 5.6.25 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 32767 | Log Errors To: c:/wamp64/logs/php_error.log | Last Known Error: 20th October 2017 16:56:26. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 800M | Max. POST Size: 850M | Max. Input Time: 60 | Max. Execution Time: 5000 | Memory Limit: 828M

MySQL Configuration :: Version: 5.7.14 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 3.95 MiB | #of Tables:  72

Detailed Environment ::
PHP Extensions :: Core (5.6.25) | bcmath () | calendar () | ctype () | date (5.6.25) | ereg () | filter (0.11.0) | ftp () | hash (1.0) | iconv () | json (1.2.1) | mcrypt () | SPL (0.2) | odbc (1.0) | pcre () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | session () | standard (5.6.25) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | tokenizer (0.1) | zip (1.12.5) | zlib (2.0) | libxml () | dom (20031129) | PDO (1.0.4dev) | bz2 () | SimpleXML (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | apache2handler () | openssl () | curl () | com_dotnet (0.1) | fileinfo (1.0.5) | gd () | gettext () | gmp () | intl (1.1.0) | imap () | ldap () | mbstring () | exif (1.4 $Id: 657a2cc1f26ea75651108ab93b352771f6690ffe $) | mysql (1.0) | mysqli (0.1) | Phar (2.0.2) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | soap () | sockets () | sqlite3 (0.7-dev) | xmlrpc (0.51) | xsl (0.1) | mhash () | Zend OPcache (7.0.6-devFE) | xdebug (2.4.1) | Zend Engine (2.6.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_win32 | mpm_winnt | http_core | mod_so | mod_access_compat | mod_actions | mod_alias | mod_allowmethods | mod_asis | mod_auth_basic | mod_auth_digest | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_cgi | mod_dir | mod_env | mod_file_cache | mod_include | mod_isapi | mod_log_config | mod_mime | mod_negotiation | mod_rewrite | mod_setenvif | mod_userdir | mod_vhost_alias | mod_php5 | Apache/2.4.23 (Win64) PHP/5.6.25 |
Potential Missing Modules :: mod_expires | mod_deflate | mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |

Folder Permissions ::
Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (---) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |

Elevated Permissions (First 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/components/com_admin/ (777) | administrator/components/com_admin/controllers/ (777) | administrator/components/com_admin/helpers/ (777) | administrator/components/com_admin/helpers/html/ (777) | administrator/components/com_admin/models/ (777) | administrator/components/com_admin/models/forms/ (777) | administrator/components/com_admin/postinstall/ (777) |

Database Information ::
Database statistics :: Uptime: 959 | Threads: 1 | Questions: 689 | Slow queries: 0 | Opens: 493 | Flush tables: 1 | Open tables: 486 | Queries per second avg: 0.718 |

Extensions Discovered ::
Components :: SITE :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
Components :: ADMIN :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_associations (3.7.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 |

Modules :: SITE :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
Modules :: ADMIN :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |

Plugins :: SITE :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 0 | plg_editors_codemirror (5.28) 1 | plg_editors_tinymce (4.5.7) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | 
plg_system_languagefilter (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 |

Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |


Re: Joomla Download Hacked?

Post by fcoulter » Mon Oct 23, 2017 7:14 pm

I cannot see anything wrong with your Joomla site, and I do not believe that this is a Joomla issue. Joomla 3.8.1 is not infected with porn links.

My hunch is that this is a browser infection. I suggest that you check your browser as I recommended above. Try disabling all browser extensions, and resetting it to the default settings. Or try uninstalling it and re-installing a clean version. Or doing this with a different browser from the one that you normally use, e.g. Firefox.


Re: Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 7:16 pm

Looks like this may be a false alarm.

I tried enabling and disabling my antivirus. When I disable antivirus, the malicious code goes away. When I enable antivirus the malicious code comes back.

I confirmed that this also happens on other web sites running locally.

So this doesn't appear to be a Joomla problem.

I apologize for the error. I appreciate the feedback and help offered so far.

If anyone has additional suggestions, I'd like to hear them.

Really strange that this appears to be an issue with my antivirus inserting code!!
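
A way to run the comparison the thread arrives at (markup visible in Inspect that Joomla itself did not produce), as an added example that is not part of any forum post: it diffs the HTML the server sent against a snapshot of the rendered DOM and lists the scripts, stylesheets and inline blocks present only in the DOM. It assumes `servedHtml` was captured outside the affected browser and `domHtml` is `document.documentElement.outerHTML`; the function names, sample markup and `.example` hosts are hypothetical.

```javascript
// Added example. SERVED_SAMPLE / DOM_SAMPLE are constructed; av-vendor.example and
// blocked-site.example are placeholder hosts, not values from the thread.
const PAGE_URL = 'http://localhost/joomla/';
const SERVED_SAMPLE = `<html><head>
<link rel="stylesheet" href="/templates/protostar/css/template.css">
<script src="/media/jui/js/jquery.min.js"></script>
<script>jQuery(function () {});</script>
</head><body><h1>Home</h1></body></html>`;
const DOM_SAMPLE = `<html><head>
<script src="http://av-vendor.example/inject/main.js"></script>
<link rel="stylesheet" href="http://av-vendor.example/inject/abn.css">
<link rel="stylesheet" href="/templates/protostar/css/template.css">
<script src="/media/jui/js/jquery.min.js"></script>
<script>jQuery(function () {});</script>
<style>a[href*="blocked-site.example"] { display: none }</style>
</head><body><h1>Home</h1></body></html>`;

// Absolute URLs of every <script src> and <link href> in an HTML string.
function externalResources(html, baseUrl) {
  const urls = new Set();
  const re = /<(?:script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    try { urls.add(new URL(m[1], baseUrl).href); } catch (e) { /* skip unparsable */ }
  }
  return urls;
}

// Inline <style>/<script> bodies, whitespace-normalised so reformatting does not count.
function inlineBlocks(html) {
  const blocks = new Set();
  const re = /<(style|script)\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/\1\s*>/gi;
  for (const m of html.matchAll(re)) {
    const body = m[2].replace(/\s+/g, ' ').trim();
    if (body) blocks.add(m[1].toLowerCase() + ':' + body);
  }
  return blocks;
}

// Everything the rendered DOM contains that the server never sent.
function addedAfterServer(servedHtml, domHtml, pageUrl) {
  const siteHost = new URL(pageUrl).host;
  const served = externalResources(servedHtml, pageUrl);
  const external = [...externalResources(domHtml, pageUrl)]
    .filter((u) => !served.has(u))
    .map((u) => ({ url: u, host: new URL(u).host, thirdParty: new URL(u).host !== siteHost }));
  const servedInline = inlineBlocks(servedHtml);
  const inline = [...inlineBlocks(domHtml)].filter((b) => !servedInline.has(b));
  return { external, inline };
}

console.log(JSON.stringify(addedAfterServer(SERVED_SAMPLE, DOM_SAMPLE, PAGE_URL), null, 2));
```

The site's own JavaScript can also add elements after load, so a DOM-only entry is a lead to check against installed browser extensions and security software, not proof of injection.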


Re: Joomla Download Hacked?

Post by sd_joomla » Mon Oct 23, 2017 7:25 pm

I believe this is the answer:

https://forum.kaspersky.com/index.php?/ ... ed-by-kis/

Waiting for confirmation from Kaspersky Support.

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Joomla Download Hacked?

Post by itoctopus » Tue Oct 24, 2017 8:27 am

This is one twisted way of "protecting" the end user. There are literally millions of malicious sites on the Internet; will Kaspersky add them all to the CSS, and then add a "display: none" next to them? This is one weird product.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter


Re: Joomla Download Hacked?

Post by fcoulter » Tue Oct 24, 2017 10:24 am

I totally agree, Mr Octopus. I did suspect that the Kaspersky script might be responsible, but didn't suggest it outright because it just seemed too daft.


Re: Joomla Download Hacked?

Post by Webdongle » Tue Oct 24, 2017 12:17 pm

Avira used to (not sure if it still does) put a tracking cookie on the computer. My favourite is Avast.

Jaydot
Joomla! Guru
Posts: 651
Joined: Sun Jun 04, 2017 12:11 pm
Location: The Netherlands

Re: Joomla Download Hacked?

Post by Jaydot » Wed Oct 25, 2017 11:42 am

Interesting, this.

I recently had a moment of total panic when I discovered unknown weird code in one of my sites (not porn, thankfully, but weird all the same). Only visible in Inspect, not in Page Source.

Turned out I had accidentally switched on a Symantec Norton Antivirus browser bar, and it was injecting code.

(I do things accidentally because my cursor tends to jump around the screen if I'm not very careful about keeping my hands clear of the mousepad).
The fact that an opinion is widely held is no evidence whatsoever that it is not utterly absurd.
Personal website: https://jaydot.nl
