Site hacked, malicious code on website..

Discussion regarding Joomla! 3.x security issues.


brecha
Joomla! Apprentice
Posts: 17
Joined: Thu Jan 15, 2009 8:40 pm

Site hacked, malicious code on website..

Post by brecha » Thu Jan 04, 2018 8:25 pm

After trying several times to clean the site, deleting infected files, trying to locate the issue in the database and extensions, I can't seem to find the source. All passwords changed, database recreated and verified. More information below to see if anyone can help.

This malicious virus is calling a Favicon_XXXX.ICO file and generating index.html.bak.bak on my website.

Thank you for the help in advance.

Forum Post Assistant (v1.3.7) : 4th January 2018
Problem Description :: Malicious virus on website
Log/Error Message :: blocked by hosting provider
Actions Taken To Resolve :: cleaned files but they get infected again and blocked by the hosting provider
Basic Environment ::
Joomla! Instance :: Joomla! 3.8.3-Stable (Amani) 12-December-2017
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 1 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 1500 | Session handler: database | Shared sessions: N/A | SSL: 0 | FrontEdit: 1 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | Database Credentials Present: Yes

Host Configuration :: OS: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux | OS Version: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux | Technology: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 696.53 GiB |

PHP Configuration :: Version: 5.6.32 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22517 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: -1 | Max. Execution Time: 50000 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.58-0+deb7u1-log (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Collation: latin1_general_ci (Character Set: latin1) | Database Size: 15.33 MiB | #of Tables:  187
Detailed Environment ::
PHP Extensions :: Core (5.6.32) | date (5.6.32) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.6.32) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.2) | posix () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | imap () | shmop () | SimpleXML (0.1) | soap () | mysqli (0.1) | exif (1.4 $Id: 1c8772f76be691b7b3f77ca31eb788a2abbcefe5 $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | mysql (1.0) | cgi-fcgi () | Zend Engine (2.6.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (705) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 3675068 | Threads: 10 | Questions: 1842278529 | Slow queries: 1676 | Opens: 21100787 | Flush tables: 1 | Open tables: 600 | Queries per second avg: 501.291 |
Extensions Discovered ::
Components :: SITE :: WF_AGGREGATOR_[youtube]_TITLE (2.4.2) 1 | WF_AGGREGATOR_VINE_TITLE (2.4.2) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.4.2) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.4.2) 1 | K2 Links for JCE Link (2.2) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.4.2) 1 | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.2) 1 | WF_POPUPS_WINDOW_TITLE (2.4.2) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.2) 1 | WF_LINK_SEARCH_TITLE (2.4.2) 1 | WF_ANCHOR_TITLE (2.4.2) 1 | WF_ARTICLE_TITLE (2.4.2) 1 | WF_AUTOSAVE_TITLE (2.4.2) 1 | WF_BROWSER_TITLE (2.4.2) 1 | WF_CHARMAP_TITLE (2.4.2) 1 | WF_CLEANUP_TITLE (2.4.2) 1 | WF_CLIPBOARD_TITLE (2.4.2) 1 | WF_CONTEXTMENU_TITLE (2.4.2) 1 | WF_DIRECTIONALITY_TITLE (2.4.2) 1 | WF_FONTCOLOR_TITLE (2.4.2) 1 | WF_FONTSELECT_TITLE (2.4.2) 1 | WF_FONTSIZESELECT_TITLE (2.4.2) 1 | WF_FORMATSELECT_TITLE (2.4.2) 1 | WF_FULLSCREEN_TITLE (2.4.2) 1 | WF_IMGMANAGER_TITLE (2.4.2) 1 | WF_INLINEPOPUPS_TITLE (2.4.2) 1 | WF_KITCHENSINK_TITLE (2.4.2) 1 | WF_LAYER_TITLE (2.4.2) 1 | WF_LINK_TITLE (2.4.2) 1 | WF_LISTS_TITLE (2.4.2) 1 | WF_MEDIA_TITLE (2.4.2) 1 | WF_NONBREAKING_TITLE (2.4.2) 1 | WF_PREVIEW_TITLE (2.4.2) 1 | WF_PRINT_TITLE (2.4.2) 1 | WF_SEARCHREPLACE_TITLE (2.4.2) 1 | WF_SOURCE_TITLE (2.4.2) 1 | WF_SPELLCHECKER_TITLE (2.4.2) 1 | WF_STYLE_TITLE (2.4.2) 1 | WF_STYLESELECT_TITLE (2.4.2) 1 | WF_TABLE_TITLE (2.4.2) 1 | WF_TEXTCASE_TITLE (2.4.2) 1 | WF_VISUALBLOCKS_TITLE (2.4.2) 1 | WF_VISUALCHARS_TITLE (2.4.2) 1 | WF_XHTMLXTRAS_TITLE (2.4.2) 1 | com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
Components :: ADMIN :: com_admin (3.0.0) 1 | com_ajax (3.2.0) 1 | Akeeba (3.10.2) 1 | COM_AZURAPAGEBUILDER (2.2.1) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_categories (3.0.0) 1 | com_checkin (3.0.0) 1 | com_config (3.0.0) 1 | com_content (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_cpanel (3.0.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | JCE (2.4.2) 1 | Unknown (-) 1 | com_joomlaupdate (3.6.2) 1 | COM_K2 (2.6.8) 1 | mod_k2_comments (-) 1 | mod_k2_comments (-) 1 | com_languages (3.0.0) 1 | com_login (3.0.0) 1 | com_media (3.0.0) 1 | com_menus (3.0.0) 1 | com_messages (3.0.0) 1 | com_modules (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_redirect (3.0.0) 1 | com_search (3.0.0) 1 | com_tags (3.1.0) 1 | com_templates (3.0.0) 1 | com_uniterevolution2 (4.6) 1 | com_users (3.0.0) 1 | com_weblinks (3.0.0) 1 | com_associations (3.7.0) 1 | com_fields (3.7.0) 1 |

Modules :: SITE :: CTHthemes Twitter (1.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | CTHContact (1.0.0) 1 | CTH Gmap (1.0.0) 1 | CTHthemes Flickr (1.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_footer (3.0.0) 1 | K2 Comments (2.6.8) 1 | K2 Content (2.6.8) 1 | K2 Tools (2.6.8) 1 | K2 User (2.6.8) 1 | K2 Users (2.6.8) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_search (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_tags_similar (3.1.0) 1 | Unite Revolution Slider 2 (4.6) 1 | mod_users_latest (3.0.0) 1 | mod_weblinks (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 |
Modules :: ADMIN :: mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | K2 Quick Icons (admin) (2.6.8) 1 | K2 Stats (admin) (2.6.8) 1 | mod_latest (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_login (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_status (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_version (3.0.0) 1 | mod_sampledata (3.8.0) 0 |

Plugins :: SITE :: plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_content_azuracontent (2.2.1) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_editors_codemirror (5.30.0) 1 | plg_editors_jce (2.4.2) 1 | plg_editors_tinymce (4.5.8) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_k2 (2.6.8) 0 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_weblinks (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_jcefilebrowser (2.4.2) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_search_azurasearch (2.2.1) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_content (3.0.0) 1 | Search - K2 (2.6.8) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_weblinks (3.0.0) 1 | plg_system_cache (3.0.0) 0 | CTHthemes Mega Menu (2.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | System - K2 (2.6.8) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_languagefilter (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_fields (3.7.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | User - K2 (2.6.8) 1 | plg_user_profile (3.0.0) 0 | plg_azura_azuraoption (2.2.1) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.1.1) 1 | Josetta - K2 Categories (2.6.8) 1 | Josetta - K2 Items (2.6.8) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 |
Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) 1 | Hoxa (2.0.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Fri Jan 05, 2018 8:10 pm, edited 1 time in total.
Reason: mod note: disabled smilies for readability

sozzled
Joomla! Master
Posts: 10178
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Site hacked, malicious code on website..

Post by sozzled » Thu Jan 04, 2018 8:36 pm

A couple of [immediately obvious] standout items:

1) The database collation method and character encoding (latin1_swedish_ci and latin1, respectively) are incorrect for J! 3.8. From J! 3.5 the update procedure changed the collation method and character encoding to utf8_general_ci and utf8, respectively. It appears that this site was created before J! 3.5 and the malicious code might have been injected before you updated to J! 3.8.3. You could install [the free version of] Akeeba Admin Tools which has a one-button fix to change the collation/character encoding.

2) Suggest that you rename the file htaccess.txt to .htaccess (note the "dot" in the filename) located in your Joomla site root folder. This will not provide much protection, but it's better than nothing.

3) There are a few general discussions about malware creating those index.html.bak.bak files (here's one: https://stackoverflow.com/questions/432 ... ow-do-i-ge); I don't know what help they may be.
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)
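An added triage script for the situation in brecha's first post (files such as Favicon_XXXX.ICO and index.html.bak.bak reappearing after cleanup) and for sozzled's point 2 above (htaccess.txt must be renamed to .htaccess before it does anything). This is example code written for this page, not code from the thread or from the Joomla project. It assumes a POSIX sh with find, grep and sort that accept -iname, -mmin and -E; the extension list, the 200-character base64 threshold and the 2-day window are illustrative choices, and the docroot path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Joomla.
# Triage helpers for a reinfected Joomla docroot: find PHP code hidden in
# non-PHP files, list recently changed files, flag obfuscated PHP, and
# check that htaccess.txt has actually been renamed to .htaccess.

# 1. Files that are not .php by name but contain a PHP open tag or a typical
#    eval/base64 loader. A webshell dropped as an .ico or .bak file still
#    runs if another PHP file include()s it, so the name alone proves nothing.
find_php_in_non_php() {
    dir="$1"
    find "$dir" -type f ! -iname '*.php' \
        \( -iname '*.ico' -o -iname '*.bak*' -o -iname '*.jpg' -o -iname '*.png' \
           -o -iname '*.gif' -o -iname '*.txt' -o -iname '*.html' \) \
        -exec grep -l -E '<\?php|<\?=|eval\(|base64_decode\(' {} + 2>/dev/null \
        | LC_ALL=C sort
}

# 2. Everything modified in the last N days (default 2). After a cleanup,
#    anything that shows up here which you did not change yourself is a lead.
recently_modified() {
    dir="$1"; days="${2:-2}"
    find "$dir" -type f -mmin "-$((days * 1440))" -print | LC_ALL=C sort
}

# 3. PHP files containing a long run of base64 characters, a rough heuristic
#    for obfuscated droppers. Expect false positives (embedded images, vendor
#    libraries); review each hit by hand.
long_base64_php() {
    dir="$1"
    find "$dir" -type f -iname '*.php' \
        -exec grep -l -E '[A-Za-z0-9+/=]{200,}' {} + 2>/dev/null | LC_ALL=C sort
}

# 4. Joomla ships its Apache rules as htaccess.txt; they are inert until the
#    file is renamed to .htaccess. Prints "ok" or "missing".
check_htaccess() {
    dir="$1"
    if [ -f "$dir/.htaccess" ]; then
        echo ok
    else
        echo missing
    fi
}

# Usage when run directly:  sh joomla-triage.sh /path/to/docroot
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    echo "== .htaccess: $(check_htaccess "$1")"
    echo "== PHP code in non-PHP files =="; find_php_in_non_php "$1"
    echo "== Modified in the last 2 days =="; recently_modified "$1" 2
    echo "== PHP with long base64 runs =="; long_base64_php "$1"
fi
```

Run it from a shell on the host (or over SSH) against the site root, and compare the "modified" list with what you actually touched. These checks only surface the obvious droppers; they do not replace the rebuild-from-known-good-sources procedure that the later replies in this thread insist on, because a backdoor inside a legitimately named .php file, a rogue admin account, or a planted cron job will not show up here.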

ribo
Joomla! Virtuoso
Posts: 3490
Joined: Sun Jan 03, 2010 8:47 pm

Re: Site hacked, malicious code on website..

Post by ribo » Thu Jan 04, 2018 8:44 pm

Here is a way to clean your Joomla for sure: viewtopic.php?t=946026
About your host account, it's good to update your PHP version to the latest version of PHP 7.1.
About Joomla, check whether you have out-of-date third-party extensions and templates, so as not to be vulnerable.
Generally, follow all the steps of the topic that I posted.
chat room spontes : http://www.spontes.com

mandville
Joomla! Master
Posts: 15044
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Site hacked, malicious code on website..

Post by mandville » Thu Jan 04, 2018 8:56 pm

Also, when you post the FPA, ensure you follow the instructions properly. Disable smilies.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

brecha
Joomla! Apprentice
Posts: 17
Joined: Thu Jan 15, 2009 8:40 pm

Re: Site hacked, malicious code on website..

Post by brecha » Thu Jan 04, 2018 9:02 pm

Thanks for pointing out these details; I made all the changes, hoping to see some progress on not getting infected again.
sozzled wrote:A couple of [immediately obvious] standout items:

1) The database collation method and character encoding (latin1_swedish_ci and latin1, respectively) are incorrect for J! 3.8. From J! 3.5 the update procedure changed the collation method and character encoding to utf8_general_ci and utf8, respectively. It appears that this site was created before J! 3.5 and the malicious code might have been injected before you updated to J! 3.8.3. You could install [the free version of] Akeeba Admin Tools which has a one-button fix to change the collation/character encoding.

2) Suggest that you rename the file htaccess.txt to .htaccess (note the "dot" in the filename) located in your Joomla site root folder. This will not provide much protection, but it's better than nothing.

3) There are a few general discussions about malware creating those index.html.bak.bak files (here's one: https://stackoverflow.com/questions/432 ... ow-do-i-ge); I don't know what help they may be.

JAVesey
Joomla! Hero
Posts: 2312
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Site hacked, malicious code on website..

Post by JAVesey » Fri Jan 05, 2018 10:21 am

ribo wrote:Here is a way to clean your joomla for sure viewtopic.php?t=946026
Semantics here (sorry!) but it's not "a" way, it's "the only" way to be sure that you've cleaned your site properly.

Have you done this exactly as described? If not then you have probably left an exploit or backdoor on your site and the problem will recur.
John V
Cardiff, Wales, UK
Uses Joomla 3.9.26 and PHP7.4.16

brecha
Joomla! Apprentice
Posts: 17
Joined: Thu Jan 15, 2009 8:40 pm

Re: Site hacked, malicious code on website..

Post by brecha » Fri Jan 05, 2018 5:48 pm

mandville wrote:Also when you post the fpa. Ensure you follow the instructions properly. Disable smilies.

First time posting the FPA, but I will keep it in mind next time. Thanks

brecha
Joomla! Apprentice
Posts: 17
Joined: Thu Jan 15, 2009 8:40 pm

Re: Site hacked, malicious code on website..

Post by brecha » Wed Jan 10, 2018 5:21 pm

Thank you for the help, guys. The site was up and running for a couple of days; now the backend doesn't want to log in after the 3.8 update. I tried to find some information in the forum and changed the error_reporting variable to maximum, but no error information is displayed. It seems that there is not much info in the forum for this.

Should I provide the FPA again in order to find out the issue with the site?

I see a couple of errors in the browser using DEV mode.

Image


BTW, the index.php that is pointed to in the error is the same across the 3.6 and 3.8 versions, so no idea.

ribo
Joomla! Virtuoso
Posts: 3490
Joined: Sun Jan 03, 2010 8:47 pm

Re: Site hacked, malicious code on website..

Post by ribo » Wed Jan 10, 2018 6:25 pm

brecha wrote:
Should I provide the FPA again in order to find out the issue with the site?
No need to post the FPA again. I said what you can do on your server and in your third-party extensions and template. Please read and do the steps of the guide that I posted. Here it is again: viewtopic.php?t=946026
chat room spontes : http://www.spontes.com

