Joomla Download Hacked?
Moderators: mandville, General Support Moderators
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Joomla Download Hacked?
Hi everyone.
I'm working on a new web site build and discovered what appears to be malicious code.
I thought maybe this code was inserted by an Extension.
So I did a fresh install of Joomla on my computer using WAMP.
I created a new, empty database. Downloaded 3.8.1. Installed 3.8.1. Removed the install directory.
That's it.
When I Inspect the code in Chrome, this is what I find:
Clearly that's malicious as you can see the links in image 2 are for porn sites.
What's even more interesting is that I don't see that same code when I View Source.
Again, this is a fresh install of Joomla. No Extensions, plugins or templates have been installed.
Can anyone provide feedback?
I'm reluctant to use 3.8.1!
Last edited by toivo on Mon Oct 23, 2017 5:02 pm, edited 1 time in total.
Reason: mod note: moved to 3.x Security
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Re: Joomla Download Hacked?
Here's the source code from my browser:
- toivo
- Joomla! Master
- Posts: 17304
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Joomla Download Hacked?
Where did you download the install package from?
Do you run an anti virus application on your workstation and is it up to date?
Toivo Talikka, Global Moderator
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Re: Joomla Download Hacked?
I did the download from here:
https://downloads.joomla.org/
I haven't yet run a scan on my computer but I will do so.
My antivirus is up to date.
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Joomla Download Hacked?
You have a script and a stylesheet from Kaspersky labs in your source - could this be from a plugin? It is not part of Joomla.
A scan of your PC is definitely a good idea, also I suggest checking your browser for any malicious or hacked extensions.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- Webdongle
- Joomla! Master
- Posts: 43967
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla Download Hacked?
viewtopic.php?f=621&t=582860 please
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Re: Joomla Download Hacked?
The Kaspersky references are from my Anti virus. It tries to block things like banner ads. I'll shut off Kaspersky on my next test.
I ran a quick scan with Kaspersky. Nothing found. Running another scan now.
Working on FPA also.
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Re: Joomla Download Hacked?
Last PHP Error(s) Reported :: Forum Post Assistant (v1.3.4) : 23rd October 2017 wrote:
[20-Oct-2017 16:56:26 UTC] PHP 8. require() C:\Users\standard\Documents\www\pragma\live\libraries\joomla\document\html.php:578
Forum Post Assistant (v1.3.4) : 23rd October 2017 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 3.8.1-Stable (Amani) 4-October-2017
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (666) | Owner: 0 (uid: /gid: ) | Group: 0 (gid: ) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: 0 | SSL: N/A | FrontEdit: N/A | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Windows NT | OS Version: 10.0 | Technology: AMD64 | Web Server: Apache/2.4.23 (Win64) PHP/5.6.25 | Encoding: gzip, deflate | Doc Root: C:/Users/standard/Documents/www/joomla/three-eight-one | System TMP Writable: Yes
PHP Configuration :: Version: 5.6.25 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 32767 | Log Errors To: c:/wamp64/logs/php_error.log | Last Known Error: 20th October 2017 16:56:26. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 800M | Max. POST Size: 850M | Max. Input Time: 60 | Max. Execution Time: 5000 | Memory Limit: 828M
MySQL Configuration :: Version: 5.7.14 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 3.95 MiB | #of Tables: 72
Detailed Environment :: wrote:
PHP Extensions :: Core (5.6.25) | bcmath () | calendar () | ctype () | date (5.6.25) | ereg () | filter (0.11.0) | ftp () | hash (1.0) | iconv () | json (1.2.1) | mcrypt () | SPL (0.2) | odbc (1.0) | pcre () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | session () | standard (5.6.25) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | tokenizer (0.1) | zip (1.12.5) | zlib (2.0) | libxml () | dom (20031129) | PDO (1.0.4dev) | bz2 () | SimpleXML (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | apache2handler () | openssl () | curl () | com_dotnet (0.1) | fileinfo (1.0.5) | gd () | gettext () | gmp () | intl (1.1.0) | imap () | ldap () | mbstring () | exif (1.4 $Id: 657a2cc1f26ea75651108ab93b352771f6690ffe $) | mysql (1.0) | mysqli (0.1) | Phar (2.0.2) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | soap () | sockets () | sqlite3 (0.7-dev) | xmlrpc (0.51) | xsl (0.1) | mhash () | Zend OPcache (7.0.6-devFE) | xdebug (2.4.1) | Zend Engine (2.6.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Apache Modules :: core | mod_win32 | mpm_winnt | http_core | mod_so | mod_access_compat | mod_actions | mod_alias | mod_allowmethods | mod_asis | mod_auth_basic | mod_auth_digest | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_cgi | mod_dir | mod_env | mod_file_cache | mod_include | mod_isapi | mod_log_config | mod_mime | mod_negotiation | mod_rewrite | mod_setenvif | mod_userdir | mod_vhost_alias | mod_php5 | Apache/2.4.23 (Win64) PHP/5.6.25 |
Potential Missing Modules :: mod_expires | mod_deflate | mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |
Folder Permissions :: wrote:
Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (---) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |
Elevated Permissions (First 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/components/com_admin/ (777) | administrator/components/com_admin/controllers/ (777) | administrator/components/com_admin/helpers/ (777) | administrator/components/com_admin/helpers/html/ (777) | administrator/components/com_admin/models/ (777) | administrator/components/com_admin/models/forms/ (777) | administrator/components/com_admin/postinstall/ (777) |
Database Information :: wrote:
Database statistics :: Uptime: 959 | Threads: 1 | Questions: 689 | Slow queries: 0 | Opens: 493 | Flush tables: 1 | Open tables: 486 | Queries per second avg: 0.718 |
Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
Components :: ADMIN :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | com_associations (3.7.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_fields (3.7.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_users (3.0.0) 1 |
Modules :: SITE :: mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
Modules :: ADMIN :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 |
Plugins :: SITE :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_vote (3.0.0) 0 | plg_editors_codemirror (5.28) 1 | plg_editors_tinymce (4.5.7) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_debug (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | 
plg_system_languagefilter (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 |
Templates Discovered :: wrote:
Templates :: SITE :: beez3 (3.1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Joomla Download Hacked?
I cannot see anything wrong with your Joomla site, and I do not believe that this is a Joomla issue. Joomla 3.8.1 is not infected with porn links.
My hunch is that this is a browser infection. I suggest that you check your browser as I recommended above. Try disabling all browser extensions, and resetting it to the default settings. Or try uninstalling it and re-installing a clean version. Or doing this with a different browser from the one that you normally use, eg Firefox.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Re: Joomla Download Hacked?
Looks like this may be a false alarm.
I tried enabling and disabling my antivirus. When I disable antivirus, the malicious code goes away. When I enable antivirus the malicious code comes back.
I confirmed that this also happens on other web sites running locally.
So this doesn't appear to be a Joomla problem.
I apologize for the error. I appreciate the feedback and help offered so far.
If anyone has additional suggestions, I'd like to hear them.
Really strange that this appears to be an issue with my antivirus inserting code!!
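The check this thread converges on, that markup visible in Inspect but absent from View Source was added on the client, written out as an added example that is not part of any post. The page URL, hosts and markup are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example, not from the thread. Compares the HTML the server sent
// ("View Source") with the serialized DOM ("Inspect") and lists what was
// added on the client. All markup and hosts below are constructed samples.

// Pull script/link/iframe references out of markup, resolved against the page URL.
// Regex parsing is an approximation that is adequate for a quick triage diff.
function externalRefs(html, pageUrl) {
  const refs = new Map();
  const tagRe = /<(script|link|iframe)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attr = tag === 'link' ? 'href' : 'src';
    const attrRe = new RegExp(
      '(?:^|\\s)' + attr + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
    const a = attrRe.exec(m[2]);
    if (!a) continue; // inline script, or the attribute is missing
    const url = new URL(a[1] ?? a[2] ?? a[3], pageUrl);
    refs.set(tag + ' ' + url.href, { tag, url: url.href, host: url.host });
  }
  return refs;
}

// Inline <style> bodies, whitespace-normalized so reformatting does not matter.
function inlineStyles(html) {
  return [...html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)]
    .map(m => m[1].replace(/\s+/g, ' ').trim())
    .filter(Boolean);
}

// Everything present in the DOM but absent from the server response.
function clientSideAdditions(servedHtml, domHtml, pageUrl) {
  const served = externalRefs(servedHtml, pageUrl);
  const pageHost = new URL(pageUrl).host;
  const refs = [...externalRefs(domHtml, pageUrl)]
    .filter(([key]) => !served.has(key))
    .map(([, r]) => ({ ...r, thirdParty: r.host !== pageHost }));
  const servedStyles = new Set(inlineStyles(servedHtml));
  const styles = inlineStyles(domHtml).filter(s => !servedStyles.has(s));
  return { refs, styles };
}

// Constructed sample: a clean server response, and the DOM after a local
// security product has inserted its own script, stylesheet and hiding rule.
const PAGE = 'http://localhost/three-eight-one/';
const SERVED = `<html><head>
<link rel="stylesheet" href="/templates/protostar/css/template.css">
<script src="/media/jui/js/jquery.min.js"></script>
</head><body><h1>Home</h1></body></html>`;
const DOM = `<html><head>
<script src="https://inject.av-vendor.example/main.js"></script>
<link rel="stylesheet" href="https://inject.av-vendor.example/abn.css">
<link rel="stylesheet" href="/templates/protostar/css/template.css">
<script src="/media/jui/js/jquery.min.js"></script>
<style>a[href*="blocked-site.example"] { display: none !important; }</style>
</head><body><h1>Home</h1></body></html>`;

const report = clientSideAdditions(SERVED, DOM, PAGE);
console.log(JSON.stringify(report, null, 2));
```

On a real page, `servedHtml` is the text from View Source (or a request made outside the browser) and `domHtml` is `document.documentElement.outerHTML`; an empty report with the security product disabled and a non-empty one with it enabled reproduces the test described in the post above.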
-
- Joomla! Intern
- Posts: 92
- Joined: Sun Mar 29, 2015 5:23 pm
Re: Joomla Download Hacked?
I believe this is the answer:
https://forum.kaspersky.com/index.php?/ ... ed-by-kis/
Waiting for confirmation from Kaspersky Support.
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Joomla Download Hacked?
This is one twisted way of "protecting" the end user. There are literally millions of malicious sites on the Internet, will Kaspersky add them all to the CSS, and then add a "display: none" next to them? This is one weird product.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: Joomla Download Hacked?
I totally agree Mr Octopus, I did suspect that the Kaspersky script might be responsible, but didn't suggest it outright because it just seemed too daft.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- Webdongle
- Joomla! Master
- Posts: 43967
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla Download Hacked?
Avira used to (not sure if it still does) put a tracking cookie on the computer. My favourite is Avast
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- Jaydot
- Joomla! Guru
- Posts: 651
- Joined: Sun Jun 04, 2017 12:11 pm
- Location: The Netherlands
- Contact:
Re: Joomla Download Hacked?
Interesting, this.
I recently had a moment of total panic when I discovered unknown weird code in one of my sites (not porn, thankfully, but weird all the same). Only visible in Inspect, not in Page Source.
Turned out I had accidentally switched on a Symantec Norton Antivirus browser bar, and it was injecting code.
(I do things accidentally because my cursor tends to jump around the screen if I'm not very careful about keeping my hands clear of the mousepad).
The fact that an opinion is widely held is no evidence whatsoever that it is not utterly absurd.
Personal website: https://jaydot.nl