Solved

Joomla site hijacked?

Posted on 2014-03-25
Last Modified: 2014-03-31
I am logging into a Joomla administrator site.  As soon as I have successfully logged in, and the administration page starts to load, Malwarebytes pops up with a message that 174.137.132.45 is being blocked.  Certain functionality on the administrator home page does not have the functionality it should (i.e. some of the menu buttons do nothing).

Does this mean the Joomla site has been hijacked?  If so, what can I do about it?

I have searched the internet for 174.137.132.45, and found many people having similar problems with this I.P. address.
0
Question by:rrhandle8
4 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39954956
The IP resolves to a few 'Joomla' based sites that, from what I can gather, were hosting nulled themes/cracked plugins (they are all gone now).
Are you using any of these?
0
 

Author Comment

by:rrhandle8
ID: 39954959
I have no idea.  This is not my site.  I have been asked to make some changes on it.  How can I find out if I am using any of them?
0
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 250 total points
ID: 39955000
I've seen this before. Using an FTP program, download the entire site, run Malwarebytes, SUPERAntiSpyware and an antivirus scan against the folder you download to. Allow the infected pages to be quarantined, repair the site and reload it back to the website overlaying all files.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
ID: 39955718
I wonder if you simply have some infected data.  You can look through your db and look for all script tags <script> and see if something is there that you did not add yourself.  Once you find that, you can do a search and replace.  

Before doing this, make sure you are using a backup of your database.  When you are done, before restoring, make sure you turn off ALL plug-ins.  This will get your site back up and running.  Chances are if this is in the admin, it is also on your site.  If Google finds links to malware, your site can be blocked until you clean.  You could be dark for a couple of weeks...

Then one by one, Google your installed plug-ins and see if others are having the same issue.  Make sure plug-ins are up to date.  Anything that allows posting, sending notice, updates your db is going to be most suspect.
0
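
The database check described in the answer above, sketched as an added example that is not part of the original thread: it scans a mysqldump-style SQL backup for `<script>` and `<iframe>` tags and reports the ones that are inline or load from a host you did not list as your own. The `jos_` table names, the sample rows and every host name in them are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Opening <script ...> and <iframe ...> tags, in any letter case.
TAG_RE = re.compile(r"<\s*(script|iframe)\b([^>]*)>", re.IGNORECASE)
# src attribute; mysqldump writes quotes inside string values as \" or \'.
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?([^\s"'\\>]+)""", re.IGNORECASE)
# Table name at the start of a mysqldump INSERT statement.
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.IGNORECASE)

# Constructed sample dump lines; the jos_ table names are assumptions.
SAMPLE_DUMP = r'''INSERT INTO `jos_content` VALUES (1,'Home','<script src=\"/media/system/js/core.js\"></script>');
INSERT INTO `jos_content` VALUES (2,'News','<p>Hi</p><SCRIPT src=\"http://203.0.113.7/x.js\"></SCRIPT>');
INSERT INTO `jos_modules` VALUES (7,'Footer','<script>var t = 1;</script>');
INSERT INTO `jos_modules` VALUES (8,'Map','<iframe src=\"//maps.example.test/embed\"></iframe>');'''


def _host(url):
    """Hostname of an absolute or protocol-relative URL; '' for a relative path."""
    try:
        p = urlparse("http:" + url if url.startswith("//") else url)
    except ValueError:  # malformed URL: report it rather than skip it
        return "?"
    # A scheme without a host (data:, javascript:) is reported as "?".
    return (p.hostname or ("?" if p.scheme else "")).lower()


def scan_dump(dump_text, trusted_hosts=()):
    """Return one finding per script/iframe tag that needs manual review."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.match(line)
        table = m.group(1) if m else "?"
        for tag in TAG_RE.finditer(line):
            src = SRC_RE.search(tag.group(2))
            host = _host(src.group(1)) if src else ""
            if src and (not host or host in trusted):
                continue  # same-site relative path, or a host you listed
            findings.append({"line": lineno, "table": table, "tag": tag.group(1).lower(),
                             "kind": "external" if src else "inline", "host": host})
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP, trusted_hosts=["maps.example.test"]):
        print(f)
```

Run it against a copy of the backup, not the live database; every inline finding still needs a human to decide whether the site owner put it there.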


Question has a verified solution.
