Google Chrome flags Joomla website as Malware

An NGO website I am helping has recently been flagged as Malware by the Chrome browser.

After some investigation I found the website was causing requests to the following website:

google-annalytics dot com

(It is also denoted as Malware so I advise you don't go there)

Note that its a miss spelling of analytics.

The thing is I can't find where this request is coming from. Firebug does not even register its happening and it does not obviously show in any code.

I'm guessing its in some obfuscated javascript code, maybe in one of the javascript includes. It has quite a few modules included.

Does anyone know about this one or have any advice on how to find what's causing it.
LVL 23
Tony McCreathTechnical SEO ConsultantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hmm I think yes some java / malicious code - have you been hacked maybe?
Otehrwise it could be related to an addon (added on extension)
Luis Clara FernandesIAM CoordinatorCommented:

If your server does requests to this website and your is not hacked, you could search the url in the code of your addons. Did you installed some nulled scripts?

To search the url, copy all your code localy and search the url in the content. For example use simple search-replace soft.

Tony McCreathTechnical SEO ConsultantAuthor Commented:
What's a nulled script?

I've already searched all the files involved in a page that gets flagged with no match. That's why I think its obfuscated.

I'm currently downloading the website and will focus on files that have their modified date different to their peers.

I do think its a hack or maybe they included a dodgy or compromised module/extension.

Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

Yes I normally look through the dates to search for hacked files - hmm also consider - do you or server have a back up of site? and go back in time, maybe...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tony McCreathTechnical SEO ConsultantAuthor Commented:
The owner is currently going back in time, first backup was still hacked :-(
Luis Clara FernandesIAM CoordinatorCommented:
A nulled script is a illegal copy of a script that you find in fileshare or megaupload. If you installed this kind of scripts, for sure your server will request strange stuff.

What extensions do you are using?
Tony McCreathTechnical SEO ConsultantAuthor Commented:
We found the problem.

It was a plugin called highslide

A file had been modified which pointed us to it. Changing it back to the original fixed the issue.

The mod also changed its owner/group setting to 1317 1317

Could this indicate how they hacked it?

I've told him to change his ftp password
Whne you install an addon - it can makes core changes - doesn't usually need a chaneg in permissions to do this - I guess when it installs itself it can access its own permissions.

It's interesting though - because I have highslide on one of my sites and no porbelm that I am aware of.

Hmm I'll take another peek at it though!

It would be useful if you let eth developers know - it may not be malicious by intent and may be a bug they are willing to fix.
Luis Clara FernandesIAM CoordinatorCommented:

By default, the owner of the file is your ftp user  and the group culd be your ftp user or some group like site8712 for example.

If your owner has changed, it means you have been hacked or somebody has change it. Changing your ftp account is not enough depending on the malicious code.

 Contact your hosting provider to clean the server.

I hope it helps.
Luis C. Fernandes

Tony McCreathTechnical SEO ConsultantAuthor Commented:
Thanks for helping me through it. I will inform the host
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.