Tony McCreath
asked on
Google Chrome flags Joomla website as Malware
An NGO website I am helping has recently been flagged as Malware by the Chrome browser.
After some investigation I found the website was causing requests to the following website:
google-annalytics dot com
(It is also denoted as Malware so I advise you don't go there)
Note that it's a misspelling of analytics.
The thing is I can't find where this request is coming from. Firebug does not even register it's happening and it does not obviously show in any code.
I'm guessing it's in some obfuscated javascript code, maybe in one of the javascript includes. It has quite a few modules included.
Does anyone know about this one or have any advice on how to find what's causing it?
Hello,
If your server does requests to this website and your site is not hacked, you could search the url in the code of your addons. Did you install some nulled scripts?
To search the url, copy all your code locally and search the url in the content. For example use simple search-replace software.
http://www.rjlsoftware.com/software/utility/search/
ASKER
What's a nulled script?
I've already searched all the files involved in a page that gets flagged with no match. That's why I think it's obfuscated.
I'm currently downloading the website and will focus on files that have their modified date different to their peers.
I do think it's a hack or maybe they included a dodgy or compromised module/extension.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
The owner is currently going back in time, first backup was still hacked :-(
SOLUTION
This solution is only available to members.
ASKER
We found the problem.
It was a plugin called highslide
A file had been modified which pointed us to it. Changing it back to the original fixed the issue.
The mod also changed its owner/group setting to 1317 1317
Could this indicate how they hacked it?
I've told him to change his ftp password
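A script in the spirit of the triage described in this thread (copy the site locally, search every file for the misspelled domain, and single out files whose modified time or owner/group differs from their peers in the same directory), as an added example that is not from the thread, from Joomla or from the highslide plugin. The directory layout and file contents it builds are constructed sample data, and the obfuscation markers it looks for are an assumed heuristic that will produce false positives on legitimate minified scripts:

```python
import os
import statistics
import tempfile
import time
from collections import Counter
from pathlib import Path

# Indicator string taken from the thread (the misspelled analytics domain).
INDICATORS = [b"google-annalytics"]
# Assumed heuristic: constructs commonly seen in obfuscated injected scripts.
# These are hints for a human to review, not proof of compromise.
OBFUSCATION_MARKERS = [b"eval(unescape(", b"String.fromCharCode("]
# A file whose mtime is more than a week away from its siblings' median is flagged.
MTIME_OUTLIER_SECONDS = 7 * 24 * 3600


def grep_file(path, patterns):
    """Return the first pattern found in the file's bytes, or None."""
    data = path.read_bytes()
    for pat in patterns:
        if pat in data:
            return pat.decode("ascii", "replace")
    return None


def scan_tree(root, outlier_seconds=MTIME_OUTLIER_SECONDS):
    """Walk a local copy of a site and return (relative_path, kind, detail) findings.

    kind is one of "owner" (uid/gid differs from the directory majority),
    "mtime" (modification time far from siblings' median) or
    "indicator" (known bad string or obfuscation marker present).
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = []
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            entries.append((p, p.stat()))
        if not entries:
            continue
        # Ownership: a file owned by a different uid/gid than its siblings is
        # exactly the "1317 1317" oddity the asker noticed.
        owner_counts = Counter((st.st_uid, st.st_gid) for _, st in entries)
        majority_owner = owner_counts.most_common(1)[0][0]
        # Modification time: compare each file with the median of its siblings.
        median_mtime = statistics.median(st.st_mtime for _, st in entries)
        for p, st in entries:
            rel = p.relative_to(root).as_posix()
            owner = (st.st_uid, st.st_gid)
            if owner != majority_owner:
                findings.append((rel, "owner", f"{owner[0]}:{owner[1]} vs siblings {majority_owner[0]}:{majority_owner[1]}"))
            if len(entries) > 1 and abs(st.st_mtime - median_mtime) > outlier_seconds:
                findings.append((rel, "mtime", f"{abs(st.st_mtime - median_mtime) / 86400:.1f} days from sibling median"))
            hit = grep_file(p, INDICATORS + OBFUSCATION_MARKERS)
            if hit:
                findings.append((rel, "indicator", hit))
    return findings


def build_sample_site():
    """Create a constructed, throwaway site tree and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="site-copy-"))
    (root / "modules").mkdir()
    (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
    (root / "modules" / "mod_a.js").write_bytes(b"function a(){return 1;}\n")
    (root / "modules" / "mod_b.js").write_bytes(b"function b(){return 2;}\n")
    # mod_c carries the injected reference and an mtime 30 days older than its peers.
    tampered = root / "modules" / "mod_c.js"
    tampered.write_bytes(b"var u='http://google-annalytics' + '.com/ga.js';\n")
    old = time.time() - 30 * 24 * 3600
    os.utime(tampered, (old, old))
    return root


def demo():
    """Scan the constructed sample tree and return its findings."""
    return scan_tree(build_sample_site())


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:9} {rel}: {detail}")
```

Run it against the downloaded copy with `scan_tree("/path/to/site-copy")`; the owner check only helps when the copy preserves ownership (for example an rsync from the server rather than an FTP download), while the mtime and indicator checks work on any copy.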
When you install an addon - it can make core changes - doesn't usually need a change in permissions to do this - I guess when it installs itself it can access its own permissions.
It's interesting though - because I have highslide on one of my sites and no problem that I am aware of.
Hmm I'll take another peek at it though!
It would be useful if you let the developers know - it may not be malicious by intent and may be a bug they are willing to fix.
SOLUTION
This solution is only available to members.
ASKER
Thanks for helping me through it. I will inform the host
Otherwise it could be related to an addon (added on extension)