
SOLVED Site Compromised

  • SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Need some help. It seems my site was compromised and I'm not sure how or exactly where, but the showcase position of my site: www.h3paint.com uses a RokSprocket for the slider/changer of images, very similar to the template. You can see there is a link embedded into the images but is not the link of the image itself. The link takes you to a site in Germany.
      Any help would be tremendous.
      Thanks
    • DanG
    • Preeminent Rocketeer
    • Posts: 36750
    • Thanks: 3229
    • Custom work done

    Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Hi
      and welcome to the forums

      1. In your
        rt_templateName-custom.css <-{Click the LINK }
        file add this:
        	#rt-footer-overlay .rt-grid-4.rt-omega .module-content {
        	display: none;
        }
      2. Get protection -> REMOVED
      3. Backup your site often with a free copy of Akeeba backup
    • Last Edit: 8 years 11 months ago by Kat05.
    • The following users have thanked you: Tim Haverstick

    • Joe Halleck
    • Preeminent Rocketeer
    • Posts: 5480
    • Thanks: 67
    • Never give up!

    Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • I took a look at the resulting html files from your site.
      It looks like a common shared file in Joomla/Gantry/Template was edited, as these links are in each page of your site.
      I see this in a section of code that starts with this:
      <div class="component-content">

      You will need to do a text search to find ".de" in the source php files to locate the file with the edit.
      If you have a backup of the site from before this happened, a text compare of the two file sets would be helpful to pinpoint the file.
      Sometimes sorting by file change date can bring the compromised file to the top.

      I would reach out to your hosting provider once you determine the file that was edited.
      Then, when you have a date/time of the file edit, you or your hosting provider should be able to look in the access logs to determine the cause, unless the files were cleared by the person responsible for the edit.
    • Last Edit: 10 years 5 months ago by Joe Halleck.
    • The following users have thanked you: Tim Haverstick

    • Magento - phpBB3 - Kunena - RokBridge Specialist
      No Secure Tab posts unless requested.
      Use the Thank You and Life Preserver Buttons!
      Your signature is also a great place for setup details...help us help you!
  • Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Thanks for the help. I do now have Akeeba and am backed up. I did create the custom css file.
      I will get the protection also.
      Thank you.
  • Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • @Joe:
      Thanks for taking a deeper look at where this came from. I am trying to gain access to these files you are referring to, but am unaware of where these live in the server. Can you point me in a more direct location?
      Thanks
    • Joe Halleck

    Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Most hosting setups give you FTP or SCP to your site.
      That will be the fastest way to review the files in your setup.
      Ask your provider for the details of gaining access.

      Your hosting provider probably also gave you a web based admin console to your site.
      Many of the web based console tools usually have a way for you to access the files from your browser.
      You should be able to sort files by access date but having FTP or SCP would be the better way to review.
  • Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Thanks, yes, I have access to the files, I just need to know what the path I should look in is.
    • DanG

    Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Tim Haverstick wrote:
      @Joe:
      Thanks for taking a deeper look at where this came from. I am trying to gain access to these files you are referring to, but am unaware of where these live in the server. Can you point me in a more direct location?
      Thanks
      1. Download your site******************.jpa to your HDD
      2. Grab a copy of Akeeba eXtract Wizard
      3. Extract your site to a folder on your HDD
      4. Grab a free copy of Windows GREP
      5. Once installed use it to scan your HDD site folder to look for ".de"
      6. The results will help you to track down the injected files
      7. Once you've identified ALL the files involved in the hack, use your Cpanel file manager or FTP client to remove them from your remote server.
    • The following users have thanked you: Tim Haverstick
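An added example, not code from any poster in this thread: a Python sketch of the triage described above, run against a locally extracted copy of the site. It goes beyond a plain ".de" text search by matching only absolute links whose host ends in the TLD, comparing each file's hash with a known-good backup tree, and sorting by modification time. The function names, the extension list and the sample trees are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

EXTS = {".php", ".html", ".htm", ".js", ".css"}  # assumed set of file types worth scanning

def link_pattern(tld):
    # Absolute links whose host ends in the TLD; a bare ".de" search also hits ".default", ".dev", ...
    return re.compile(r"https?://[\w.-]+" + re.escape(tld) + r"(?=[/\"'\s?#:]|$)", re.I)

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(site_root, backup_root=None, tld=".de"):
    """List suspicious files under site_root, most recently modified first."""
    site_root, pat, findings = Path(site_root), link_pattern(tld), []
    for path in site_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTS:
            continue
        lines = path.read_text(errors="replace").splitlines()
        hits = [(n, m.group(0)) for n, line in enumerate(lines, 1) for m in pat.finditer(line)]
        rel, status = path.relative_to(site_root), "no-backup"
        if backup_root is not None:
            ref = Path(backup_root) / rel
            if not ref.is_file():
                status = "new"  # file does not exist in the known-good copy
            else:
                status = "changed" if digest(ref) != digest(path) else "same"
        if hits or status in ("new", "changed"):
            findings.append({"file": rel.as_posix(), "status": status,
                             "mtime": path.stat().st_mtime, "hits": hits})
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)

def demo():
    """Constructed sample: a clean backup tree and a live tree with one injected link."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "live"
    clean = '<div class="component-content">\n<a href="/about"><img src="a.jpg"></a>\n'
    for root in (backup, live):
        (root / "templates").mkdir(parents=True)
        (root / "templates" / "index.php").write_text(clean)
        (root / "helper.php").write_text("<?php $view = 'item.default'; ?>\n")
    tampered = clean.replace("/about", "http://injected-example.de/x")  # constructed URL
    (live / "templates" / "index.php").write_text(tampered)
    return scan(live, backup)

if __name__ == "__main__":
    for f in demo():
        print(f["status"], f["file"], f["hits"])
```

A file reported as "same" but with hits means the link is also present in the backup, so either the link is legitimate or the backup was taken after the edit.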

    • Joe Halleck

    Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • I would start at the root of your site "/httpdocs" and check each subdirectory.
      Most apache site setups live in this dir for a given hosting account but it depends on your provider.
    • The following users have thanked you: Tim Haverstick

    • Joe Halleck

    Re: SOLVED Site Compromised

    Posted 10 years 5 months ago
    • Notepad++ can also do searches remote and local but local will be much faster. :)
      notepad-plus-plus.org/
    • The following users have thanked you: Tim Haverstick
