Tony McCreath asked:

Google Chrome flags Joomla website as Malware

An NGO website I am helping has recently been flagged as Malware by the Chrome browser.

After some investigation I found the website was causing requests to the following website:

google-annalytics dot com

(It is also denoted as Malware so I advise you don't go there)

Note that it's a misspelling of analytics.

The thing is I can't find where this request is coming from. Firebug does not even register its happening and it does not obviously show in any code.

I'm guessing it's in some obfuscated JavaScript code, maybe in one of the JavaScript includes. It has quite a few modules included.

Does anyone know about this one or have any advice on how to find what's causing it?
j-b-t

Hmm I think yes some java / malicious code - have you been hacked maybe?
Otherwise it could be related to an addon (added on extension)

Hello,

If your server does requests to this website and yours is not hacked, you could search for the URL in the code of your addons. Did you install some nulled scripts?

To search for the URL, copy all your code locally and search for the URL in the content. For example, use simple search-and-replace software.

http://www.rjlsoftware.com/software/utility/search/





Tony McCreath

ASKER

What's a nulled script?

I've already searched all the files involved in a page that gets flagged with no match. That's why I think it's obfuscated.

I'm currently downloading the website and will focus on files that have their modified date different to their peers.

I do think it's a hack or maybe they included a dodgy or compromised module/extension.

ASKER CERTIFIED SOLUTION
j-b-t

This solution is only available to members.

The owner is currently going back in time, first backup was still hacked :-(
SOLUTION

We found the problem.

It was a plugin called highslide.

A file had been modified which pointed us to it. Changing it back to the original fixed the issue.

The mod also changed its owner/group setting to 1317 1317.

Could this indicate how they hacked it?

I've told him to change his FTP password.

When you install an addon - it can make core changes - doesn't usually need a change in permissions to do this - I guess when it installs itself it can access its own permissions.

It's interesting though - because I have highslide on one of my sites and no problem that I am aware of.

Hmm I'll take another peek at it though!

It would be useful if you let the developers know - it may not be malicious by intent and may be a bug they are willing to fix.
SOLUTION

Thanks for helping me through it. I will inform the host
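
The triage that located the modified file in this thread (a modification date that differs from its peers, plus a changed owner/group) can be scripted. The following is an added example, not code from any poster in the thread; the function name `find_outliers` and the 30-day threshold are assumptions, and it assumes it runs on the server or on a copy that preserves timestamps and ownership.

```python
import os
import statistics
import sys
from collections import Counter


def find_outliers(root, max_skew_days=30):
    """Flag files whose owner or mtime differs from the other files
    in the same directory. Returns a list of (path, [reasons])."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        stats = {}
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                stats[path] = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished file
        if len(stats) < 3:
            continue  # too few peers to say what is "normal" here
        # The owner/group pair most files in this directory share.
        owners = Counter((s.st_uid, s.st_gid) for s in stats.values())
        common_owner = owners.most_common(1)[0][0]
        # Extension files are normally written together at install time,
        # so the median mtime approximates the install date.
        median_mtime = statistics.median(s.st_mtime for s in stats.values())
        for path, s in sorted(stats.items()):
            reasons = []
            if (s.st_uid, s.st_gid) != common_owner:
                reasons.append(f"owner {s.st_uid}:{s.st_gid} differs from peers")
            skew_days = (s.st_mtime - median_mtime) / 86400
            if skew_days > max_skew_days:
                reasons.append(f"modified {skew_days:.0f} days after peers")
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python find_outliers.py /path/to/site/root
    for site_root in sys.argv[1:]:
        for path, reasons in find_outliers(site_root):
            print(path, "->", "; ".join(reasons))
```

A flagged file is only a candidate: compare it against the original from the extension's release package before restoring or deleting anything.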