Malware or Security Breach on Hosted Website

Posted on 2015-02-19
Medium Priority
Last Modified: 2015-03-11
I am using site5.com to host a Joomla website and a simple HTML website. This site has said that one of my sites with a script may be compromised (the only site that has any scripts is the Joomla site). This site is version 2.5.28 -- I can't update it because when I do it screws up my site. So the question is: how can I check these sites and/or the files and folders to see if they are indeed infected or have been breached? I have downloaded all the files with FileZilla to my local drive and scanned them with AVG and found nothing. So what is the best way to make sure there are no malicious scripts on my websites, or that none of the scripts have been hijacked? They said that someone is using a valid username and password to send junk email but can't tell me how to remedy the situation, and that it is my responsibility to get it fixed, so I need some help please -- thank you.
Question by:Lionel MM
LVL 66

Assisted Solution

btan earned 1332 total points
ID: 40620512
Do note that the Joomla core product team released Joomla 2.5.28, the last planned release in the v2.5 series. It is officially declared End Of Life (EOL) as of 1st January 2015. https://docs.joomla.org/What_version_of_Joomla!_should_you_use%3F

The scanning is not necessarily just file based, as for a normal malicious exe or payload; for web vulnerabilities, common ones like RFI and LFI (remote and local file inclusion) require dynamic (real-time) testing, meaning HTTP requests and responses, to even try out cross-site scripting and SQL injection attacks... OWASP has listed the top 10 vulnerabilities. Weak CMS is included - https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

You may want to try the Joomla scanner https://www.owasp.org/index.php/OWASP_Joomla_Vulnerability_Scanner_Usage or simply its online equivalent, using the service scan against your online (staging preferred) site: http://hackertarget.com/joomla-security-scan/ (noting it can trigger alerts as well, so do pre-empt that by giving the necessary party advance notice)
LVL 44

Assisted Solution

by:Davis McCarn
Davis McCarn earned 668 total points
ID: 40620959
To scan, go to http://virustotal.com, select the URL tab, and have it scan your website.
For the email, go change everybody's password!
LVL 66

Assisted Solution

btan earned 1332 total points
ID: 40621050
I also suggest the Sucuri SiteCheck scanner, which checks the website for known malware, blacklisting status, website errors, and out-of-date software: http://sitecheck.sucuri.net/ with feature support (including CMS scanning for Joomla - http://sucuri.net/website-antivirus/signup).

Indeed, do ask end users to change their logins, and especially the administrators, immediately, and beware of phishing email, as supposedly some may already have fallen into the "trap" where your website has already become a "waterholed" site. For example, some symptoms to be aware of...

- a few dozen admin tools uploaded to the website, esp. the website admin console;
- an uploaded applet or "additional" pages or links, or an injected "new" URL pointing to a graphic that ends up pointing to a JavaScript redirection link (outside of your site) that can prompt visiting users to install malware.

As a whole, the changes carry the URL to the actual payload, which is not in your web folders, and it gets served (like a waterhole) to many thousands of users who are inadvertently infected on their visit to your site...

But I reiterate that a clean scan does not necessarily mean you're free of security bugs. A manual security review is still recommended, by engaging the web app security professional in your organisation or someone who knows of such folks...
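The file-level check described in this thread (the site files are already downloaded, so diff them against a clean copy of the same Joomla release and read only what changed), as an added example that is not part of the original answers; the directory layout, indicator patterns and sample files are constructed for illustration:

```python
"""Triage a downloaded web root: diff it against a clean copy of the same release, then pattern-scan only added or changed files."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed indicator list: a hit is a lead for manual review, not proof of compromise.
INDICATORS = {
    "eval_of_decoded_blob": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "hidden_iframe": re.compile(rb"<iframe[^>]*(width|height)\s*=\s*[\"']?0[\"']?", re.I),
    "preg_replace_e_modifier": re.compile(rb"preg_replace\s*\([^,]*/e[\"']"),
}

def hash_tree(root):
    """Map each file under root (relative, '/'-separated path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(clean_root, live_root):
    """Return (added, modified) paths present in live_root compared with the clean tree."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified

def scan_file(path):
    """Names of the indicators whose pattern matches the file's bytes."""
    data = Path(path).read_bytes()
    return [name for name, rx in INDICATORS.items() if rx.search(data)]

def triage(clean_root, live_root):
    """Only new or changed files need a human read; scan just those and report hits."""
    added, modified = diff_trees(clean_root, live_root)
    return {p: scan_file(Path(live_root) / p) for p in added + modified}

def build_sample():
    """Constructed fixture: a clean tree, and a live copy with one injected core file
    and one dropped page carrying a zero-size iframe (the redirect hop described above)."""
    clean, live = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for root in (clean, live):
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php define('_JEXEC', 1); ?>\n")
    (live / "index.php").write_text("<?php define('_JEXEC', 1); eval(base64_decode('aGVsbG8=')); ?>\n")
    (live / "images" / "logo.html").write_text(
        '<iframe src="http://redirect.invalid/" width="0" height="0"></iframe>\n')
    return str(clean), str(live)
```

Point `clean_root` at an unpacked official Joomla 2.5.28 package and `live_root` at the FileZilla download; files listed as added or modified are the ones to read by hand, whatever the scanner says.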
LVL 26

Accepted Solution

Lionel MM earned 0 total points
ID: 40649772
Thanks for all the help; some of the above suggestions were helpful in pointing me in the right direction, by showing which sites were questionable. The actual solution was to do a full hosting account backup, download the backup to my local system, use my antivirus and malware software to clean it up, and then restore the cleaned-up files to the hosting company. That did not help me find any "bad" scripts on the websites, but the provided suggestions prompted me to get rid of a questionable site. Thanks for all the help.
LVL 66

Expert Comment

ID: 40650401
Sure, that is always the case regardless of whether the malware is found or not: as long as the website is suspected compromised, it needs to be cleaned up and refurnished. Below is a list of resources for info.
A short overview:

You can use Sucuri's SiteCheck to quickly spot whether they detect any malware, see if you're blacklisted and, the most useful part in this case, check whether or not you have any outdated plugin or CMS running - as well as a list of links.

Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).

A useful additional tool to Redleg's file viewer. It allows you to fetch only the headers of a website, or both headers and content.

An excellent tool in case any malicious JavaScript (iframe) is injected into any of your web server files. Less intuitive, but it provides a great overview.

An excellent tool and more graphical as opposed to JSunpack - especially useful to see whether any IDS was triggered, as well as the JavaScript and HTTP transactions.

As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.
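The Referrer/User-Agent point above (some injections are only served to visitors arriving from a search engine or using a consumer browser, so the owner never sees them), as an added example that is not from the thread or from Redleg's tool; the header profiles, the site host and the sample responses are constructed, and fetch_variants is the only function that touches the network:

```python
"""Compare what a page serves to different Referer/User-Agent profiles and report script or iframe sources that appear only for some of them."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed header profiles: a bare client versus a browser arriving from a search engine.
PROFILES = {
    "direct": {"User-Agent": "curl/7.0"},
    "search": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0", "Referer": "https://www.google.com/"},
}

class _SrcCollector(HTMLParser):
    """Collect the src= targets of every script and iframe tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = set()
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.sources.update(v for k, v in attrs if k == "src" and v)

def external_sources(html, site_host):
    """Script/iframe sources whose host is neither relative nor the site itself."""
    collector = _SrcCollector()
    collector.feed(html)
    return {s for s in collector.sources if urlparse(s).netloc not in ("", site_host)}

def cloaked_sources(variants, site_host):
    """Map each external source to the profiles that received it, keeping only sources absent from at least one profile."""
    seen = {}
    for profile, html in variants.items():
        for src in external_sources(html, site_host):
            seen.setdefault(src, set()).add(profile)
    return {src: sorted(p) for src, p in seen.items() if len(p) < len(variants)}

def fetch_variants(url, profiles=PROFILES, timeout=15):
    """Fetch url once per header profile (network access; stand-in SAMPLE below is used offline)."""
    out = {}
    for name, headers in profiles.items():
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out[name] = resp.read().decode("utf-8", "replace")
    return out

# Constructed responses standing in for fetch_variants() output from a site at example.invalid.
SAMPLE = {
    "direct": '<html><script src="/media/system/js/core.js"></script></html>',
    "search": '<html><script src="/media/system/js/core.js"></script>'
              '<iframe src="http://redirect.invalid/go" width="0"></iframe></html>',
}
```

Run `cloaked_sources(fetch_variants("https://<your-site>/"), "<your-site>")` against a staging copy where possible; a source that appears only under the search profile is the cloaked injection the comment above warns about.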
LVL 26

Author Closing Comment

by:Lionel MM
ID: 40658210
Already explained in my last comment
