Solved

Google Chrome flags Joomla website as Malware

Posted on 2010-01-12
Last Modified: 2013-11-22
An NGO website I am helping has recently been flagged as Malware by the Chrome browser.

After some investigation I found the website was causing requests to the following website:

google-annalytics dot com

(It is also denoted as Malware so I advise you don't go there)

Note that it's a misspelling of analytics.

The thing is I can't find where this request is coming from. Firebug does not even register it's happening and it does not obviously show in any code.

I'm guessing it's in some obfuscated javascript code, maybe in one of the javascript includes. It has quite a few modules included.

Does anyone know about this one or have any advice on how to find what's causing it?
Question by:Tony McCreath
10 Comments
 
LVL 11

Expert Comment

by:j-b-t
ID: 26300692
Hmm I think yes some java / malicious code - have you been hacked maybe?
Otherwise it could be related to an addon (added on extension)
 
LVL 5

Expert Comment

by:Luis Clara Fernandes
ID: 26301635
Hello,

If your server makes requests to this website and your site is not hacked, you could search for the URL in the code of your addons. Did you install some nulled scripts?

To search for the URL, copy all your code locally and search for the URL in the content. For example, use a simple search-and-replace tool.

http://www.rjlsoftware.com/software/utility/search/
 
LVL 23

Author Comment

by:Tony McCreath
ID: 26303315
What's a nulled script?

I've already searched all the files involved in a page that gets flagged, with no match. That's why I think it's obfuscated.

I'm currently downloading the website and will focus on files that have their modified date different to their peers.

I do think it's a hack, or maybe they included a dodgy or compromised module/extension.
 
LVL 11

Accepted Solution

by:
j-b-t earned 750 total points
ID: 26303748
Yes, I normally look through the dates to search for hacked files. Hmm, also consider: do you or the server have a backup of the site? Then go back in time, maybe...
 
LVL 23

Author Comment

by:Tony McCreath
ID: 26303891
The owner is currently going back in time; the first backup was still hacked :-(
 
LVL 5

Assisted Solution

by:Luis Clara Fernandes
Luis Clara Fernandes earned 750 total points
ID: 26303957
A nulled script is an illegal copy of a script that you find on file-sharing sites or Megaupload. If you installed this kind of script, for sure your server will request strange stuff.

What extensions are you using?
 
LVL 23

Author Comment

by:Tony McCreath
ID: 26307460
We found the problem.

It was a plugin called highslide.

A file had been modified which pointed us to it. Changing it back to the original fixed the issue.

The mod also changed its owner/group setting to 1317 1317

Could this indicate how they hacked it?

I've told him to change his ftp password.
 
LVL 11

Expert Comment

by:j-b-t
ID: 26309037
When you install an addon it can make core changes; it doesn't usually need a change in permissions to do this. I guess when it installs itself it can access its own permissions.

It's interesting though, because I have highslide on one of my sites and no problem that I am aware of.

Hmm I'll take another peek at it though!

It would be useful if you let the developers know; it may not be malicious by intent and may be a bug they are willing to fix.
 
LVL 5

Assisted Solution

by:Luis Clara Fernandes
Luis Clara Fernandes earned 750 total points
ID: 26321624
Hello,

By default, the owner of the file is your ftp user and the group could be your ftp user or some group like site8712, for example.

If your owner has changed, it means you have been hacked or somebody has changed it. Changing your ftp account is not enough, depending on the malicious code.

Contact your hosting provider to clean the server.

I hope it helps.
Luis C. Fernandes
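The two checks the thread converged on, files whose modified date differs from their peers and files whose owner/group no longer matches the ftp account, as an added triage script that is not part of the thread. It runs on a local copy of the web root; the plugin path, file names and 2009 release date are constructed for the demo, and the expected owner is taken from a known-good file rather than hard-coded.

```python
# Added triage helper (constructed sample, not code from the thread): flag files whose
# mtime is far from their directory siblings' median or whose uid/gid is unexpected.
import os
import statistics
import tempfile
from pathlib import Path
RELEASE_MTIME = 1243857600.0  # constructed: 2009-06-01 12:00 UTC

def owner_of(path):
    st = os.stat(path)  # take a known-good file as the expected owner
    return st.st_uid, st.st_gid

def ownership_issue(st, expected_uid, expected_gid):
    """Reason string if st's owner/group differ from the expected pair, else None."""
    if st.st_uid != expected_uid or st.st_gid != expected_gid:
        return f"owner {st.st_uid}:{st.st_gid}, expected {expected_uid}:{expected_gid}"
    return None

def scan_tree(root, expected_uid, expected_gid, mtime_window=24 * 3600):
    """Return (path, reason) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        stats = {f: os.stat(os.path.join(dirpath, f)) for f in files}
        if not stats:
            continue
        # Files shipped in one release share a date; a later edit stands out.
        median = statistics.median(st.st_mtime for st in stats.values())
        for name, st in stats.items():
            path = os.path.join(dirpath, name)
            if len(stats) > 1 and abs(st.st_mtime - median) > mtime_window:
                findings.append((path, "mtime differs from directory siblings"))
            reason = ownership_issue(st, expected_uid, expected_gid)
            if reason:
                findings.append((path, reason))
    return findings

def build_sample_tree():
    """Constructed sample: a plugin directory dated 2009 with one file touched now."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    plugin = root / "plugins" / "content" / "highslide"
    plugin.mkdir(parents=True)
    for name in ("highslide.php", "highslide.xml", "highslide.js"):
        (plugin / name).write_text("// constructed sample\n")
        os.utime(plugin / name, (RELEASE_MTIME, RELEASE_MTIME))
    (plugin / "highslide-full.js").write_text("// constructed, tampered\n")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree(), os.getuid(), os.getgid()))
```

On a real site, point scan_tree at the downloaded copy (or run it on the server) and pass the uid/gid of a file you know the ftp account wrote; anything reported with an unexpected owner was written by a different account and deserves a look regardless of its date.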
 
LVL 23

Author Closing Comment

by:Tony McCreath
ID: 31676477
Thanks for helping me through it. I will inform the host.