Is my site still infected? How can I tell?

Discussion regarding Joomla! 3.x security issues.

scifivision
Joomla! Enthusiast
Posts: 149
Joined: Mon Jun 01, 2009 5:24 am

Is my site still infected? How can I tell?

Post by scifivision » Sat Feb 23, 2019 7:08 am

I'm using Joomla 3.8.1 currently. I know the first suggestion is going to be to update it. As of the last time I checked, the template program that I spent a lot of money on has not been updated yet to work with the new updates, so I can't do that.

Earlier my front end started showing up blank, but the backend was fine. A friend tried to access it and she actually got a Norton virus popup.

My site tech support wasn't much help, but they did say that something was preventing it from displaying (at least what I got out of what he said) because it was acting like there was nothing in the folder even though there was.

There were a bunch of php files added into my main folder. I deleted those. I also found code added to index.php and include/framework.php with the following:

/[ redacted ]/

The code has been deleted and suddenly the site is displayed. I've tried external scans from sites which before weren't working since they were just returning 500 errors, but now show clean. Do I truly have it clean? More importantly, I'm assuming it's vulnerable to another attack. What is the best thing to do?

Thanks
Last edited by toivo on Sat Feb 23, 2019 7:50 am, edited 1 time in total.
Reason: mod note: hack code removed

annahersh
Joomla! Guru
Posts: 557
Joined: Wed Aug 15, 2018 8:23 pm

Re: Is my site still infected? How can I tell?

Post by annahersh » Sat Feb 23, 2019 7:40 am

It's possibly not clean, as hackers tend to place files deep within directories, and those deep files have the purpose of either recreating anything you delete, or giving the hacker perpetual access to your host root.

You will need to run an extension which knows Joomla structure and properly scan all files. One such extension is RS Firewall, it's very good at finding malware, and monitoring for future attacks.

Alternatively you could hire Sucuri, the experts who will track the source and thoroughly clean your system.

Once you do get it all cleaned, be sure to get the core and all third party extensions updated, and stay updated.
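
An added example, not part of the thread or any poster's code: one way to look for leftover files like those described above is to diff the live site against a pristine unpacked copy of the same Joomla release. The helper names (`index_tree`, `audit`, `write`, `demo`) are hypothetical, and the directory trees and file contents in `demo()` are constructed.

```python
import hashlib, os, tempfile
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")

def index_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(site_root, clean_root):
    """Diff a live site against a pristine unpacked copy of the same release."""
    site, clean = index_tree(site_root), index_tree(clean_root)
    return {
        # Shipped files whose content no longer matches the release.
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # Scripts the release never shipped (configuration.php, extensions: review).
        "extra_php": sorted(p for p in site
                            if p not in clean and p.lower().endswith(PHP_EXT)),
    }

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Audit two small constructed trees (stand-ins for real directories)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        core = {"index.php": "<?php // entry\n", "libraries/loader.php": "<?php // loader\n",
                "includes/framework.php": "<?php // framework\n"}
        for rel, text in core.items():
            write(clean, rel, text)
            write(site, rel, text)
        # Constructed tampering: appended lines and a script buried under images/.
        for rel in ("index.php", "includes/framework.php"):
            write(site, rel, core[rel] + "// constructed injected line\n")
        write(site, "images/stories/2019/thumbs/cache.php", "<?php // constructed\n")
        write(site, "configuration.php", "<?php // site settings\n")
        return audit(site, clean)

if __name__ == "__main__":
    print(demo())
```

For a real check, call `audit()` with the web root and an unpacked download of the exact Joomla version in use; files belonging to templates and third-party extensions need their own vendor packages as the reference.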

scifivision
Joomla! Enthusiast
Posts: 149
Joined: Mon Jun 01, 2009 5:24 am

Re: Is my site still infected? How can I tell?

Post by scifivision » Sat Feb 23, 2019 8:34 am

Thanks. 2 things. First, is there a good one that's free or cheap at least?

I don't think I will likely have the money to buy this, but in case I decide to later, under highlights for that extension it says this:
"Automatically drop dangerous files when they're uploaded - such as .php, .js, .exe, .com, .bat, .cmd"
Is that an option to turn off? I update files manually on occasion and I know when I do that at some point I'll probably forget why it isn't updating if that's the case.

toivo
Joomla! Master
Posts: 11165
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK

Re: Is my site still infected? How can I tell?

Post by toivo » Sat Feb 23, 2019 10:02 am

You can also use the myJoomla.com service, where the first audit is free.
Toivo Talikka, Global Moderator

Slackervaara
Joomla! Ace
Posts: 1001
Joined: Sat Aug 13, 2011 6:27 am

Re: Is my site still infected? How can I tell?

Post by Slackervaara » Sun Mar 31, 2019 8:04 pm

I think Joomla now has a protection against loading up files by visitors. Only logged-in users can do this. Earlier, JHackguard, a security extension, had this feature also and still has.

Webdongle
Joomla! Master
Posts: 37264
Joined: Sat Apr 05, 2008 9:58 pm

Re: Is my site still infected? How can I tell?

Post by Webdongle » Sun Mar 31, 2019 10:02 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

