Solved

Joomla 1.5 site hacked with Viagra hack but only on the Google page read

Posted on 2013-05-26
Last Modified: 2013-06-23
Where does Google get this information from, from the site? I have looked in the DB and it is not there (that is, the Viagra stuff text),
so it must be on one of the site PHP pages.
I am not upgrading to a later version, so I am only interested in finding this rubbish and where it is. Any ideas where they put it?
Thanks in advance.


Cheap Viagra 100mg In The Uk (Sildenafil ...
www.xxxx.com/¿
Erectile Dysfunction :: buy very cheap viagra, Viagra.
Live - Work - Agent - About Us
Question by:sydneyguy
10 Comments
 
LVL 9

Assisted Solution

by:Rowby Goren
Rowby Goren earned 1000 total points
ID: 39197791
When I am trying to find a mysterious spam-type link and am not sure what page it would be on, one thing I do is download the entire site (via FTP) and use the free Windows-based search utility Grep, which will quickly search every word in a folder.

http://www.wingrep.com/

That would find it on any php pages.  If you think it is in your mysql database, you'd log into your site's cpanel and use phpmyadmin to search for the offending link.

Of course I suggest you back up your site, using Akeeba Backup or similar, before doing any of this.

Rowby
0
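The folder search described in the answer above, as an added example that is not part of the original post: it scans a downloaded copy of the site for the terms in the spam snippet and for PHP decoding calls. The decoding-call list, the extension list and the sample files are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Terms from the spam snippet quoted in the question.
SPAM_TERMS = re.compile(rb"viagra|sildenafil", re.I)
# Assumption of this example: PHP calls often used to keep such text out of
# plain sight. Joomla itself uses some of them, so these hits need a manual look.
DECODING_CALLS = re.compile(rb"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
EXTENSIONS = (".php", ".js", ".html", ".htm", ".htaccess")


def scan_tree(root):
    """Return sorted (relative_path, line_number, reason) hits under root."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as handle:  # bytes: file encoding is unknown
                for number, line in enumerate(handle, start=1):
                    if SPAM_TERMS.search(line):
                        hits.append((rel, number, "spam term"))
                    if DECODING_CALLS.search(line):
                        hits.append((rel, number, "decoding call"))
    return sorted(hits)


def demo():
    """Scan a constructed three-file site written to a temporary folder."""
    samples = {
        "index.php": b"<?php\necho 'Welcome';\n",
        "templates/site/index.php": b"<?php\necho '<a href=\"#\">Cheap Viagra</a>';\n",
        "includes/defines.php": b"<?php\n\neval(base64_decode('ZWNobyAxOw=='));\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, number, reason in demo():
        print(f"{rel}:{number}: {reason}")
```

A "spam term" hit points at plain-text spam; a "decoding call" hit only marks a line to review, since the spam text may be stored encoded and a plain keyword search would miss it.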
 
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 332 total points
ID: 39197894
The first thing is to make sure to disavow bad links in Google Webmaster Tools.  I had something similar happen to one of my client's WordPress sites.  It's just that one of the plug-ins leaves a security hole open, and I couldn't actually see it in WordPress.  Since I don't host the site and can't get to the server, I am just creating a new site without WordPress on my own CMS that I host.

I would look on the server for any files you did not create or an updated htaccess file with items you did not add on your own.
0
 

Author Comment

by:sydneyguy
ID: 39198405
That's what I was going to do. Do you know of some text file searcher that I could use on the server? At the moment I use Agent Ransack, and that works fine on the local computer but not up on the server. Do you know of any open source one, because it takes so much to download all the files to look on the local drive?
Thanks for the help so far.
0

 
LVL 9

Assisted Solution

by:Rowby Goren
Rowby Goren earned 1000 total points
ID: 39199025
Hi, I don't know of an online text searcher that will check your online folder.

Maybe there is a tool in your site's control panel that would search your files.  If you have a friendly hosting company you could ask them.

But keep in mind Akeeba backup compresses your files and you could use that for a faster download than ftp.   Akeeba also lets you exclude folders, such as large image folders, for example.

Akeeba is free so you might want to check it out -- it's also good for overall backup of your site -- one of the first components I install when I create a joomla site.

Rowby
0
 
LVL 11

Assisted Solution

by:RedLondon
RedLondon earned 332 total points
ID: 39210082
Using Google Chrome, start a new Incognito tab (CTRL+SHIFT+N) and search for your site.  

Press F12 to open the Developer Tools pane (you might find it easier to toggle it to a new window).  Click onto the Network tab.

Click the result from Google's search results to visit your site.  As you're in Incognito mode, your previous visits' cookies are ignored so you often see things that such hacks hide to repeat visitors.

Every image, iframe, javascript and CSS file that your browser downloads will appear in the Network view.  That often helps you find where stuff is coming from when it doesn't appear on your own site.  

Knowing what has served the odd content helps you go locate where in your code it appears.  It's probably a javascript file being called from an iframe.
0
 

Author Comment

by:sydneyguy
ID: 39254678
Have been getting the site checked by the IP providers; they still have not got back to me yet.
0
 
LVL 9

Assisted Solution

by:Rowby Goren
Rowby Goren earned 1000 total points
ID: 39254801
Hopefully it's just a few files which were hacked.

One file to look at is your htaccess file.   Compare it to a "virgin" version of the Joomla htaccess file.   You can easily see the malware in that file, if it was infected.

Another file to look at is the index.php file in your default template folder.  Again, look for multiple lines of code that are not in a clean version of the same file.

And once you get your site cleaned, then look into upgrading the site to at least Joomla 2.5 and install Akeebabackup.com's admin tools.  It will lock down your site with many easy to use built in tools, as well as some advanced tools if you care to use them.

Rowby
0
 
LVL 29

Accepted Solution

by:chilternPC
chilternPC earned 336 total points
ID: 39265856
You may find it, but it will happen again on old Joomla systems.
If you can, delete the website files and restore them from a backup from before the problem, then install extra security such as Admin Tools by Akeeba.
If you can't delete the website folders, then you will have to search every folder and subfolder and compare every file with the original Joomla file and/or extension you have installed.
Several of my Joomla sites got hacked in the same way and nearly every system file had extra code inserted. I found that by copying the files down onto my PC, my antivirus system deleted them, so telling me what was infected.
0
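The file-by-file comparison described in the accepted answer, and the htaccess and template index.php checks suggested earlier in the thread, as an added example that is not part of the original posts: it hashes a clean copy of the Joomla package (plus the extensions you installed) and the live copy, then lists what differs. The folder layout and file contents are constructed for this example.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as handle:
                digests[rel] = hashlib.sha256(handle.read()).hexdigest()
    return digests


def compare_to_clean(clean_root, live_root):
    """Return (modified, added) relative paths of live_root versus clean_root."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    added = sorted(p for p in live if p not in clean)
    return modified, added


def write_tree(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(body)


def demo():
    """Constructed trees: a clean package and a live copy with extra lines."""
    clean = {".htaccess": b"RewriteEngine On\n",
             "index.php": b"<?php\nrequire 'includes/framework.php';\n",
             "templates/site/index.php": b"<?php\necho 'template';\n"}
    live = dict(clean)
    live[".htaccess"] += b"# line not present in the clean file\n"
    live["templates/site/index.php"] += b"include 'images/cache.php';\n"
    live["images/cache.php"] = b"<?php\n// file not shipped with the package\n"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        return compare_to_clean(a, b)


if __name__ == "__main__":
    print(demo())
```

Files you uploaded yourself (images, documents) will show up as added, so the added list is a review queue rather than a verdict; executable files such as .php in upload folders deserve the first look.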
 

Author Closing Comment

by:sydneyguy
ID: 39269894
Thanks, have located it through my IP. Thanks for the help.
0
 
LVL 9

Expert Comment

by:Rowby Goren
ID: 39269967
Good.  Now go to akeebabackup.com  and download the akeeba backup system as well as admintools.

They will help you keep your site clean.  Back up with Akeeba regularly.  Admin Tools' minimum Joomla requirement is Joomla 1.5.25, as I recall.  So do a backup and then try upgrading to Joomla 1.5.  It's important you do a backup first in case Joomla 1.5.25 breaks your site or your template.

Rowby
0

Question has a verified solution.