Solved

Joomla hack redirects article saves to malware

Posted on 2011-03-01
Last Modified: 2012-05-11
I have a 2 y/o Joomla site. Using Joomla 1.5.2. Has worked fine until today. Attempted to edit the article home page. Made the change and clicked on Save. Was immediately redirected to a site declaring I was infected ... great fireworks showing phony scans indicating many infections. X'd out of all and end-processed the offending tab .. went to site to see if my change had taken. It hadn't. Went back to admin and it appears that once in an article, if I attempt to save or close or apply, I am immediately redirected to an unbranded Search site with Facebook-themed hits. This happens on any computer. Verio is my host and it happened to my tech support rep.
There has been no impact on the site itself ... it's just admin so far that is affected/infected. There is only an htaccess.txt file in the site root. The files licenses.php, license.php, install.php, index.php, credits.php, configuration.php and changelog.php all have dates of 2/23/2011 .. I made no changes on that day.
Welcome suggestions ..
Question by:bborner
6 Comments
 
LVL 3

Expert Comment

by:thomasd04
ID: 35012987
Hi bborner. Are you asking for how this may have happened or how to fix the problem?
Are you using any forms on the website? If so perhaps a possible SQL Injection.
Or do you use unsecured FTP to transfer files or install extensions?

 

Author Comment

by:bborner
ID: 35013032
attached are the last 200 lines of my logfile ... says morpheus strikes again
 logfiles.txt
 
LVL 28

Expert Comment

by:chilternPC
ID: 35013117
Have you ever backed up the system? If so, I would restore the source files (not the database - leave that).
If no backup, then I would back up the site first (use http://www.akeebabackup.com/download.html),
then I would re-upload your original Joomla source files (except for the installation directory).
If that doesn't fix it, re-install any extensions you have installed.
 
LVL 8

Expert Comment

by:austega
ID: 35014036
Mmmm... Take a deep breath and don't rush into anything, in order to avoid making things worse.

Then follow the path that others have found safest and most useful - see the one on the Joomla doc site at http://docs.joomla.org/Security_and_Performance_FAQs#Help.21_My_site.27s_been_compromised._Now_what.3F .

From what you have said I would think that a complete new install - either via Akeeba's Kickstart script if you have an Akeeba backup from before the hack or using a Joomla 1.5.22 install will be required. Probably your database is okay.

Remember to review your backup and security arrangements while you are motivated to put them in place!
 

Accepted Solution

by:
bborner earned 0 total points
ID: 35071708
Thank you all for your comments ...  
I found the obscure code in each of the files: licenses.php, changelog.php, configuration.php, copyright.php, credits.php, index.php, immediately after the first <?php...

All is well .. thanks again
 

Author Closing Comment

by:bborner
ID: 35120648
Found the incriminating code causing the problem
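
The thread's two findings were that the affected files shared a 2/23/2011 modification date and that the injected code sat immediately after the first `<?php`. As an added example (not code from the thread), this Python script groups a site's PHP files by modification date and flags files whose first statement looks obfuscated. The indicator patterns and the 500-byte threshold are assumptions, since the post does not show the injected code.

```python
import os, re, sys, tempfile, time
from collections import defaultdict

# Assumed indicators: the thread never shows the injected code, so these are
# generic PHP obfuscation markers, not signatures from this incident.
SUSPICIOUS = re.compile(rb"(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
LONG_LINE = 500  # bytes; assumed threshold for a "too long" first line

def inspect_php(path, window=4096):
    """Reasons the code right after the first <?php looks injected (may be empty)."""
    with open(path, "rb") as fh:
        head = fh.read(window)
    start = head.find(b"<?php")
    if start < 0:
        return []
    first_line = head[start + 5:].lstrip(b"\r\n").split(b"\n", 1)[0]
    reasons = []
    if SUSPICIOUS.search(first_line):
        reasons.append("obfuscation call directly after <?php")
    if len(first_line) > LONG_LINE:
        reasons.append("very long first line")
    return reasons

def scan(root):
    """Map modification date -> [(relative path, reasons)] for each .php file."""
    by_day = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                day = time.strftime("%Y-%m-%d", time.localtime(os.path.getmtime(full)))
                by_day[day].append((os.path.relpath(full, root), inspect_php(full)))
    return dict(by_day)

def flagged(report):
    """Sorted paths of files with at least one reason."""
    return sorted(p for entries in report.values() for p, why in entries if why)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: build a constructed two-file sample
        open(os.path.join(root, "clean.php"), "w").write("<?php\n/** stock header */\n")
        open(os.path.join(root, "index.php"), "w").write("<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?><?php\n")
    for day, entries in sorted(scan(root).items()):
        print(day, len(entries), "file(s)")
        for path, why in entries:
            print("   ", path, "SUSPICIOUS: " + "; ".join(why) if why else "ok")
```

A date on which many core files changed without an upgrade is worth reviewing even when no file is flagged, because modification times can be reset and the patterns above will not match every obfuscation style.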