Solved

Malware or Security Breach on Hosted Website

Posted on 2015-02-19
90 Views
Last Modified: 2015-03-11
I am using site5.com to host a Joomla website and then a simple HTML website. This site has said that one of my sites with a script may be compromised (the only site that has any scripts is the Joomla site). This site is version 2.5.28 -- I can't update it because when I do it screws up my site. So the question is how can I check these sites and/or the files and folders to see if indeed they are infected, or have been breached? I have downloaded all the files with FileZilla to my local drive and scanned them with AVG and found nothing. So what is the best way to make sure there are no malicious scripts on my websites or that any of the scripts have been hijacked? They said that someone is using a valid username and password to send junk email but can't tell me how to remedy the situation and that it is my responsibility to get it fixed, and so I need some help please--thank you.
0
Question by: lionelmm
6 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 333 total points
Do note the Joomla core product team released Joomla 2.5.28, the last planned release in the v2.5 series. It is officially declared End Of Life (EOL) as of 1st January 2015. https://docs.joomla.org/What_version_of_Joomla!_should_you_use%3F

The scanning is not necessarily just file based, as in a normal malicious exe or payload; for web vulnerabilities, common ones like RFI and LFI (remote and local file inclusion) require dynamic (real-time) testing, meaning HTTP request and response, to even try out the cross-site scripting and SQL injection attacks... OWASP has listed the top 10 vulnerabilities. Weak CMS is included - https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

You may want to try the Joomla scanner https://www.owasp.org/index.php/OWASP_Joomla_Vulnerability_Scanner_Usage or simply its equivalent online, using the service to scan your online (staging preferred) site: http://hackertarget.com/joomla-security-scan/ (noting it can trigger alerts as well, so do give the necessary party advance notice).
0
 
LVL 42

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
To scan, go to http://virustotal.com, select the URL tab, and have it scan your website.
For the email, go change everybody's password!
0
 
LVL 61

Assisted Solution

by:btan
btan earned 333 total points
I also suggest the Sucuri SiteCheck scanner, which checks the website for known malware, blacklisting status, website errors, and out-of-date software: http://sitecheck.sucuri.net/, with feature support (including CMS scanning for Joomla - http://sucuri.net/website-antivirus/signup).

Indeed, do ask end users to change their logins, and especially the administrators, immediately, and beware of phishing emails, as supposedly some may have already fallen into the "trap" where your website may already have become a "waterholed" site. For example, some symptoms to be aware of...

- uploaded a few dozen admin tools to the website, esp. the website admin console;
- uploaded applets or "additional" pages or links, or injected a "new" URL pointing to a graphic that ends up pointing to a JavaScript redirection link (outside of your site) that can prompt visiting users to install malware.

As a whole, the changes carry the URL to the actual payload, which is not in your web folders, and (serving like a waterhole) many thousands of users get inadvertently infected on their visit to your site...

But I reiterate that a clean scan does not necessarily mean you're free of security bugs. It is still recommended to have a manual security review by engaging a web app security professional in the organisation or someone who knows such folks...
0
 
LVL 24

Accepted Solution

by: lionelmm
lionelmm earned 0 total points
Thanks for all the help, and some of the above suggestions were helpful in pointing me in the right direction by showing which sites were questionable. The actual solution was to do a full hosting account backup, download the backup to my local system, use my anti-virus and malware software to clean it up, and then restore the cleaned-up files to the hosting company. That did not help me find any "bad" scripts on the websites, but the provided suggestions prompted me to get rid of a questionable site. Thanks for all the help.
0
 
LVL 61

Expert Comment

by:btan
Sure, that is always the case regardless of whether the malware is found or not; as long as the website is suspected of compromise, it needs to be cleaned up and refurbished. Below is a list of resources for info.
A short overview:

http://sitecheck.sucuri.net/
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case, check whether or not you have any outdated plugin or CMS running - as well as a list of links.

http://aw-snap.info/file-viewer/
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).

http://www.rexswain.com/httpview.html
Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.

http://jsunpack.jeek.org/
Excellent tool in case any malicious JavaScript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.

http://urlquery.net/
Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.

https://www.virustotal.com/
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.

http://bartblaze.blogspot.sg/2015/03/c99shell-not-dead.html
0
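As an added example (not code from this thread, from Joomla, or from any of the tools btan lists), a small Python sweep over the files lionelmm already downloaded with FileZilla. It looks for the three things the two btan posts above describe and that a signature-based AV scan will not flag: iframes or scripts pulling from a host other than the site's own, PHP that wraps code execution around a decoder, and PHP dropped into Joomla directories that should only hold media. The site hostname, the directory list and the file-age cutoff are assumptions; the output is a list of items for a human to inspect, not a verdict.

```python
import os
import re

# Heuristics, not signatures: every hit still needs a human look.
# Tags that pull content from a host other than the site's own.
INJECT_RE = re.compile(
    r'<(iframe|script)[^>]+src=["\']?(https?:)?//([^/"\'\s>]+)', re.I)
# Code execution wrapped around a decoder, the classic injected-PHP shape.
OBFUSC_RE = re.compile(
    r'\b(eval|assert|system|passthru|shell_exec)\s*\(\s*'
    r'(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(', re.I)
# Joomla 2.5 directories that should never contain PHP (assumption: stock layout).
MEDIA_ONLY_DIRS = ("images", "tmp", "cache", "logs")

def scan_text(relpath, text, own_host):
    """Return finding strings for one file's content; empty list means nothing seen."""
    findings = []
    for tag, _scheme, host in INJECT_RE.findall(text):
        if host.lower() != own_host.lower():
            findings.append(f"{relpath}: external <{tag.lower()}> loads from {host}")
    if OBFUSC_RE.search(text):
        findings.append(f"{relpath}: obfuscated code execution (eval/decode pattern)")
    top = relpath.replace("\\", "/").split("/")[0]
    if top in MEDIA_ONLY_DIRS and relpath.lower().endswith((".php", ".phtml")):
        findings.append(f"{relpath}: PHP file inside a media-only directory")
    return findings

def scan_tree(root, own_host, modified_since=0.0):
    """Walk the downloaded site; also flag files newer than an epoch cutoff if given."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if modified_since and os.path.getmtime(full) > modified_since:
                findings.append(f"{rel}: modified after cutoff")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings += scan_text(rel, fh.read(), own_host)
            except OSError:
                pass  # unreadable file: skip rather than abort the sweep
    return findings

if __name__ == "__main__":
    import sys  # usage: python scan_site.py /path/to/downloaded/site www.example.com
    for line in scan_tree(sys.argv[1], sys.argv[2]):
        print(line)
```

Pair the hit list with a diff against a fresh Joomla 2.5.28 package for the core files; anything flagged in a template, module or upload directory that is not in the stock package deserves the manual review btan recommends.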
 
LVL 24

Author Closing Comment

by:lionelmm
Already explained in my last comment
0
