RocketTheme - TOPIC: Weird redirect to IP 78.157.142.58 (1/2)

Welcome Guest! Login

0 items Join Now

- Dusan Vukasinovic
- Rocketeer
- Posts: 61
- Thanks: 0
Weird redirect to IP 78.157.142.58

Posted 16 years 4 days ago
- Hi,
  
  I am experiencing a big problem. All of my Joomla! sites are taking forever to load, and there is a weird IP showing in the address bar - 78.157.142.58.
  I googled this IP, and I found people with this issues, but no one with the solution. This IP is registered to somebody in Amsterdam.
  
  If somebody has an idea where the redirect is generated or which file may be attacked.
  
  Please advise
  
  These are some of the links that describe this problem:
  
  www.phorum.org/phorum5/read.php?61,134670,134670
  
  www.bleepingcomputer.com/forums/lofivers...dex.php/t175838.html
  
  -Thanks
#243675
- prim
- Preeminent Rocketeer
- Posts: 17290
- Thanks: 217
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 4 days ago
- Sounds like you got hacked. Get the latest Joomla and restore your data from a backup
- Please reply with a direct link to the issue & create a new thread for each new issue.
  
  A template is only as good as the content that goes into it - DanG
#243722
- Dusan Vukasinovic
- Rocketeer
- Posts: 61
- Thanks: 0
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 4 days ago
- That was the first thing that I did, but for some reason I am still having this IP being loaded. On some of the sites I did not modified any of the Joomla! core file, and on those sites, I reinstalled new Joomla!, but still no success.
  
  One thing that all this sites have in common is that they all use Rockettheme templates and RokSlideshow, which I do not think is the problem, but I am looking into that right now.
  
  I will reply as soon as I find something, but if someone have an idea in the meantime please advise.
  
  Thanks
#243730
- Ben Lee
- Elite Rocketeer
- Posts: 4193
- Thanks: 42
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 4 days ago
- If you can, you may want to start from scratch with a fresh install and a fresh database. If the site is smaller and you can cut and paste stuff over to a new install, that would be a good bet for getting rid of any issues. You may also be able to retrieve your images directory, just make sure there's not weird files there either (images and index.html with the minimum html to show a blank white page should be it).
  
  If you do this and cut and paste over from you old site, assuming you can get to any of the admin side of things, paste everything into a text editor first and keep an eye out for any "iframe" tags or others that would not be a part of your page. Then copy and past from the text editor into the new site.
#243755
- Dusan Vukasinovic
- Rocketeer
- Posts: 61
- Thanks: 0
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 4 days ago
- Thanks Ben,
  
  That is what I did with one of my accounts, but unfortunately that is not a solution for long term. Couple of the sites are really big, and this will not work for them.
  
  But I will continue digging, hopefully I will be able to find corrupted file(s) soon.
  
  I will keep you posted.
  
  Thanks
#243807
- Dusan Vukasinovic
- Rocketeer
- Posts: 61
- Thanks: 0
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 3 days ago
- It is definitely been hacked. So far I found this code in both RokSlideshow and in RokkBox (I believe that attacked only 3rd party extensions) , but only Javascript files. I uninstalled both but it did not helped. On another site that is also been hacked I found this code in different 3rd party extensions - even though that site also have RokSlideshow and RokBox running and they are not affected.
  
  It is still connecting to this weird IP 78.157.142.58
  
  This is the code that I found (see attached image) - I did not wanted to post the actual code, but as I said still can not locate there is the code that is connecting to this IP address.
  
  This is the link to the site that I am having problems with:
  
  www.boulevardcaffe.com/index.php
  
  There are no third party modules installed. Just Joomla! and Elemental template. Maybe somebody can see something I can't.
  
  Thanks
- Last Edit: 16 years 3 days ago by Dusan Vukasinovic.
#244250
- Yves
- Preeminent Rocketeer
- Posts: 9214
- Thanks: 5
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 3 days ago
- Can you attach your template index.php ?
- Yves
#244253
- Dusan Vukasinovic
- Rocketeer
- Posts: 61
- Thanks: 0
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 3 days ago
- Definitely. It loads this code right after the footer, but there is nothing in index.php file.
#244256
- prim
- Preeminent Rocketeer
- Posts: 17290
- Thanks: 217
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 3 days ago
- Can you give me an admin login so i can take a look?
- Please reply with a direct link to the issue & create a new thread for each new issue.
  
  A template is only as good as the content that goes into it - DanG
#244261
- Dusan Vukasinovic
- Rocketeer
- Posts: 61
- Thanks: 0
Re: Weird redirect to IP 78.157.142.58

Posted 16 years 3 days ago
- I just sent you PM.
  
  Thanks
#244264