  • Status: Solved
Google Chrome flags Joomla website as Malware

An NGO website I am helping has recently been flagged as Malware by the Chrome browser.

After some investigation I found the website was causing requests to the following website:

google-annalytics dot com

(It is also denoted as Malware so I advise you don't go there)

Note that it's a misspelling of analytics.

The thing is I can't find where this request is coming from. Firebug does not even register its happening and it does not obviously show in any code.

I'm guessing it's in some obfuscated JavaScript code, maybe in one of the JavaScript includes. It has quite a few modules included.

Does anyone know about this one or have any advice on how to find what's causing it?
Tony McCreath
Asked:
j-b-t Commented:
Hmm I think yes some java / malicious code - have you been hacked maybe?
Otherwise it could be related to an addon (added on extension)
 
Luis Clara Fernandes (IAM Coordinator) Commented:
Hello,

If your server makes requests to this website and yours is not hacked, you could search for the URL in the code of your addons. Did you install some nulled scripts?

To search for the URL, copy all your code locally and search for the URL in the content. For example, use simple search-and-replace software.

http://www.rjlsoftware.com/software/utility/search/
 
Tony McCreath (Technical SEO Consultant, Author) Commented:
What's a nulled script?

I've already searched all the files involved in a page that gets flagged with no match. That's why I think it's obfuscated.

I'm currently downloading the website and will focus on files that have their modified date different to their peers.

I do think it's a hack or maybe they included a dodgy or compromised module/extension.

 
j-b-t Commented:
Yes I normally look through the dates to search for hacked files - hmm also consider - do you or the server have a backup of the site? and go back in time, maybe...
 
Tony McCreath (Technical SEO Consultant, Author) Commented:
The owner is currently going back in time, first backup was still hacked :-(
 
Luis Clara Fernandes (IAM Coordinator) Commented:
A nulled script is an illegal copy of a script that you find on fileshare or megaupload. If you installed this kind of script, for sure your server will request strange stuff.

What extensions are you using?
 
Tony McCreath (Technical SEO Consultant, Author) Commented:
We found the problem.

It was a plugin called highslide.

A file had been modified which pointed us to it. Changing it back to the original fixed the issue.

The mod also changed its owner/group setting to 1317 1317

Could this indicate how they hacked it?

I've told him to change his FTP password.
 
j-b-t Commented:
When you install an addon - it can make core changes - doesn't usually need a change in permissions to do this - I guess when it installs itself it can access its own permissions.

It's interesting though - because I have highslide on one of my sites and no problem that I am aware of.

Hmm I'll take another peek at it though!

It would be useful if you let the developers know - it may not be malicious by intent and may be a bug they are willing to fix.
 
Luis Clara Fernandes (IAM Coordinator) Commented:
Hello,

By default, the owner of the file is your FTP user and the group could be your FTP user or some group like site8712 for example.

If your owner has changed, it means you have been hacked or somebody has changed it. Changing your FTP account is not enough depending on the malicious code.

Contact your hosting provider to clean the server.

I hope it helps.
Luis C. Fernandes
 
Tony McCreath (Technical SEO Consultant, Author) Commented:
Thanks for helping me through it. I will inform the host.
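
An added example, not code from anyone in this thread: a Python version of the check that located the modified file here, comparing each file's modification time with the other files in its directory and its owner/group with the most common one in the tree. The function names, the 30-day threshold and the sample records (apart from the 1317:1317 owner reported above) are assumptions constructed for illustration.

```python
import os
import statistics
import sys
from collections import Counter, defaultdict

def collect(root):
    """Return (path, mtime, uid, gid) for every file under root."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append((path, st.st_mtime, st.st_uid, st.st_gid))
    return records

def flag_outliers(records, max_days=30):
    """Return {path: [reasons]} for files that differ from their peers."""
    if not records:
        return {}
    # Assumption: the most common owner:group in the tree is the legitimate one.
    owner = Counter((u, g) for _p, _m, u, g in records).most_common(1)[0][0]
    by_dir = defaultdict(list)
    for rec in records:
        by_dir[os.path.dirname(rec[0])].append(rec)
    flagged = defaultdict(list)
    for peers in by_dir.values():
        median = statistics.median(m for _p, m, _u, _g in peers)
        for path, mtime, uid, gid in peers:
            if (uid, gid) != owner:
                flagged[path].append(f"owner {uid}:{gid}, expected {owner[0]}:{owner[1]}")
            # Need a few peers before "different from the rest" means anything.
            if len(peers) >= 3 and abs(mtime - median) > max_days * 86400:
                flagged[path].append("mtime differs from peers")
    return dict(flagged)

# Constructed sample: one plugin directory, one file changed later by another owner.
T = 1_300_000_000
SAMPLE = [
    ("site/plugins/example/a.js", T, 1001, 1001),
    ("site/plugins/example/b.js", T + 60, 1001, 1001),
    ("site/plugins/example/c.js", T + 200 * 86400, 1317, 1317),
    ("site/plugins/example/d.css", T + 120, 1001, 1001),
]

if __name__ == "__main__":
    records = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, reasons in sorted(flag_outliers(records).items()):
        print(path, "->", "; ".join(reasons))
```

The owner comparison is only meaningful when run on the server itself, because a downloaded copy is owned by the local user. Modification times can be reset by whoever changed the file, so a clean result does not rule out tampering.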