Solved

joomla 1.5 site hacked with Viagra hack but only on the google page read

Posted on 2013-05-26
10
1,408 Views
Last Modified: 2013-06-23
Were does google get this information from, from the site,  i have looked in the DB and it not there that is the viagra stuff text
so it must be on one of the site php pages.
I am not upgrading to a later version so i am only interested in finding this rubbish and were it is any ideas were they put it
thanks in advance


Cheap Viagra 100mg In The Uk (Sildenafil ...
www.xxxx.com/¿
Erectile Dysfunction :: buy very cheap viagra, Viagra.
Live - Work - Agent - About Us
0
Comment
Question by:sydneyguy
10 Comments
 
LVL 9

Assisted Solution

by:Rowby Goren
Rowby Goren earned 250 total points
ID: 39197791
When I am trying to find a mysterious spam type link and am not sure what page it would be one, one thing I do is download the entire site (via ftp) and use the windows based free search utility Grep, which will quickly search every word in a folder.

http://www.wingrep.com/

That would find it on any php pages.  If you think it is in your mysql database, you'd log into your site's cpanel and use phpmyadmin to search for the offending link.

OF course I suggest you backup your site, using akeeba backup or similar before doing any of this.

Rowby
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 83 total points
ID: 39197894
First thing is to make sure to disavow bad links in google webmaster tools.  I had something similar happen to one of my client's wordpress site.  It's just one of the plug in's leaves a security hole open and I couldn't actually see it in wordpress.  Since I don't host the site and can't get to the server, I am just creating a new site without wordpress on my own cms that I host.  

I would look on the server for any files you did not create or an updated htaccess file with items you did not add on your own.
0
 

Author Comment

by:sydneyguy
ID: 39198405
thats what i was going to do, do you know of some text file searcher that i could use on the server at the moment i use agent ransak and that works fine on the local comp but not up on the server, do you know of any open source cause it takes so much to down load all the file to look on the local drive
thanks for the help so far
0
 
LVL 9

Assisted Solution

by:Rowby Goren
Rowby Goren earned 250 total points
ID: 39199025
Hi I don't know of an online text searcher that will check your online folder.

Maybe there is a tool in your site's control panel that would search your files.  If you have a friendly hosting company you could ask them.

But keep in mind Akeeba backup compresses your files and you could use that for a faster download than ftp.   Akeeba also lets you exclude folders, such as large image folders, for example.

Akeeba is free so you might want to check it out -- it's also good for overall backup of your site -- one of the first components I install when I create a joomla site.

Rowby
0
 
LVL 11

Assisted Solution

by:RedLondon
RedLondon earned 83 total points
ID: 39210082
Using Google Chrome, start a new Incognito tab (CTRL+SHIFT+N) and search for your site.  

Press F12 to open the Developer Tools pane (you might find it easier to toggle it to a new window).  Click onto the Network tab.

Click the result from Google's search results to visit your site.  As you're in Incognito mode, your previous visits' cookies are ignored so you often see things that such hacks hide to repeat visitors.

Every image, iframe, javascript and CSS file that your browser downloads will appear in the Network view.  That often helps you find where stuff is coming from when it doesn't appear on your own site.  

Knowing what has served the odd content helps you go locate where in your code it appears.  It's probably a javascript file being called from an iframe.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:sydneyguy
ID: 39254678
have been getting the site checked by  the ip providers they still have not got back to me yet
0
 
LVL 9

Assisted Solution

by:Rowby Goren
Rowby Goren earned 250 total points
ID: 39254801
Hopefully it's just a few files which were hacked.

One file to look at is your htacess file.   Compare it to a "virgin" version of the joomla htaccess file.   You can easily see the malware in that file, if it was infected.

Another file to look at is the index.php file in your default template folder.  Again, look for multi-lines of code that is not in a clean version of the same file.

And once you get your site cleaned, then look into upgrading the site to at least Joomla 2.5 and install Akeebabackup.com's admin tools.  It will lock down your site with many easy to use built in tools, as well as some advanced tools if you care to use them.

Rowby
0
 
LVL 28

Accepted Solution

by:
chilternPC earned 84 total points
ID: 39265856
you may find it. but it will happen again on old Joomla systems.
if you can delete the website files and restore them from a backup before the problem then install extra security such as admin tools by akeeba.
if you can't delete the website folders then you will have to search every folder and sub folder and compare every file with the original joomla file and or extension you have installed.
several of my joomla sites got hack in the same way and nealry every system file had extra code inserted. - I found by copyingthe files down onto my PC my antivirus system deleted them so telling my what was infected.
0
 

Author Closing Comment

by:sydneyguy
ID: 39269894
thanks have located it through my ip thnaks for the help
0
 
LVL 9

Expert Comment

by:Rowby Goren
ID: 39269967
Good.  Now go to akeebabackup.com  and download the akeeba backup system as well as admintools.

They will help you keep your site clean.  Back up with akeeba regularly.  Admin tools minimum joomla requirement is Joomla 1.5.25, as I recall.  So do a backup and then try upgrading to joomla 1.5.  It's important you do a backup first in case Joomla 1 5.25 breaks your site or your template.

Rowby
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

This tutorial will discuss the log-in process using WhizBase. In this article I assume you already know HTML. I will write the code using WhizBase Server Pages, so you need to know some basics in WBSP (you might look at some of my other articles abo…
In this tutorial I will show you how to make a simple HTML bar chart with the usage of WhizBase, If you want more information about WhizBase please read my previous articles at http://www.experts-exchange.com/ARTH_5123186.html (http://www.experts-ex…
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now