Malware or Security Breach on Hosted Website

Posted on 2015-02-19
Last Modified: 2015-03-11
I am using to host a joomla website and then a simple HTML website. This site has said that one of my sites with a  script may be compromised (only site that has any scripts is the joomla site). This site is version 2.5.28 -- I can't update it because when I do it screws up my site. So the question is how can I check these sites and/or the files and folders to see if indeed they are infected, or have been breached? I have downloaded all the files with filezilla to my local drive and scanned them with AVG and found nothing. So what is the best way to make sure there are no malicious scripts on my websites or that any of the scripts have been hijacked? They said that someone is using a valid username and password to send junk email but can't tell me how to remedy the situation and that it is my responsibility to get it fixed and so I need some help please--thank you.
Question by:Lionel MM
LVL 63

Assisted Solution

btan earned 333 total points
ID: 40620512
Do note the Joomla core product team released Joomla 2.5.28, the last planned release in the v2.5 series. It is officially declared End Of Life (EOL) as of 1st January 2015.

The scanning is not necessarily just file-based, as in a normal malicious exe or payload; for web vulnerabilities, common ones like RFI and LFI (remote and local file inclusion) require dynamic (real-time) testing, meaning HTTP request and response, to even try out the cross-site scripting and SQL injection attacks... OWASP has listed the top 10 vulnerabilities. Weak CMS is included -

You may want to try the Joomla scanner, or simply its online equivalent, using the service to scan your online (staging preferred) site (noting it can trigger alerts as well, so do give the necessary party advance notice).
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
ID: 40620959
To scan, go to, select the URL tab, and have it scan your website.
For the email, go change everybody's password!
LVL 63

Assisted Solution

btan earned 333 total points
ID: 40621050
I also suggest the Sucuri SiteCheck scanner, which checks the website for known malware, blacklisting status, website errors, and out-of-date software, with feature support (including CMS scanning for Joomla -

Indeed, do ask end users to change their logins, and especially the administrators, immediately, and beware of phishing emails, as supposedly some may already have fallen into the "trap" where your website may already have become a "waterholed" site. For example, some symptoms to be aware of...

- a few dozen admin tools uploaded to the website, esp. the website admin console;
- an applet or "additional" pages or links uploaded, or a "new" URL injected pointing to a graphic that ends up pointing to a JavaScript redirection link (outside of your site) that can prompt visiting users to install malware.

As a whole, the changes have the URL to the actual payload, which is not in your web folders, and (serving like a waterhole) get many thousands of users inadvertently infected on their visit to your site...

But I reiterate that a clean scan does not necessarily mean you're security-bug free. It is still recommended to have a manual security review by engaging the web app security professional in your organisation or someone who knows of such folks...
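The asker has already pulled the whole web root down with FileZilla, and the answers above note that a desktop antivirus pass will miss injected PHP and JavaScript. The script below is an added example written for this thread (not code from any of the posters, and not a Joomla project tool): it walks a downloaded copy of the site, flags files carrying the kinds of indicators described above (eval of decoded blobs, hidden iframes, document.write/unescape, off-site redirects), and compares a SHA-256 manifest taken from a known-good download against the current one so that files that appeared or changed since the baseline stand out. The regex list and the sample tree built in `demo_scan()` are constructed for the example; the patterns are heuristics for manual review, not a verdict.

```python
import hashlib
import os
import re
import tempfile

# Heuristic indicators of injected code on a compromised CMS install.
# Constructed for this example; extend with what your own site legitimately never uses.
INDICATORS = {
    "php_eval_decode": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # preg_replace with the deprecated /e modifier evaluates the replacement as PHP
    "php_preg_replace_e": re.compile(
        r"""preg_replace\s*\(\s*['"][^'"]*/[imsxuADSUXJ]*e[imsxuADSUXJ]*['"]""", re.I),
    # very long base64 literals are rare in hand-written templates (minified JS can trip this)
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(display\s*:\s*none|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I),
    "js_write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "js_offsite_redirect": re.compile(r"(window\.)?location(\.href)?\s*=\s*[\"']https?://", re.I),
}

SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm", ".htaccess")


def suspicious_indicators(text):
    """Return the names of all indicators that match the given file contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root, extensions=SCAN_EXTENSIONS):
    """Map relative path -> indicator names for every flagged file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue
            hits = suspicious_indicators(text)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_manifest(root):
    """Map relative path -> SHA-256 of every file under root (a file-integrity baseline)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Report files added, removed, or changed relative to the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo_scan():
    """Build a constructed Joomla-like tree in a temp dir, inject two findings, run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates", "beez"))
        index = os.path.join(root, "index.php")
        with open(index, "w") as f:
            f.write("<?php\ndefine('_JEXEC', 1);\nrequire_once 'includes/app.php';\n")
        baseline = build_manifest(root)          # taken while the tree is clean
        # Constructed injection: a dropped file with an eval'd base64 blob ...
        with open(os.path.join(root, "templates", "beez", "x.php"), "w") as f:
            f.write('<?php eval(base64_decode("' + "QUFB" * 80 + '")); ?>')
        # ... and a zero-size iframe appended to an existing file.
        with open(index, "a") as f:
            f.write('<iframe src="http://bad.example/loader" width="0" height="0"></iframe>\n')
        return scan_tree(root), diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    findings, delta = demo_scan()
    for path, hits in findings.items():
        print(f"{path}: {', '.join(hits)}")
    print("changed since baseline:", delta)
```

In practice you would run `build_manifest()` against a fresh, clean download (or an unpacked Joomla 2.5.28 release archive for the core files) and `scan_tree()` plus `diff_manifest()` against the current FTP download; anything in `added` or `changed` that is also in `findings` goes to the top of the manual review list.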

LVL 25

Accepted Solution

Lionel MM earned 0 total points
ID: 40649772
Thanks for all the help and some of the above suggestions were helpful in pointing me in the right direction, by showing which sites were questionable. The actual solution was to do a full hosting account backup, download the backup to my local system and use my anti virus and malware software to clean it up and then restore the cleaned up files to the hosting company. That did not help me find any "bad" scripts on the websites but the provided suggestions prompted me to get rid of a questionable site. Thanks for all the help.
LVL 63

Expert Comment

ID: 40650401
Sure, that is always the case regardless of whether the malware is found or not; as long as the website is suspected of compromise, it needs to be cleaned up and refurbished. Below is a list of resources for info.
A short overview:
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case, check whether or not you have any outdated plugin or CMS running - as well as a list of links.
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).
A useful additional tool to Redleg's file viewer. Allows you to only fetch the headers of a website, or fetch both header and content.
An excellent tool in case any malicious JavaScript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.
An excellent tool and more graphical as opposed to JSunpack - especially useful to see if any IDS was triggered, as well as JavaScript and HTTP transactions.
As usual, VirusTotal is a great resource as well - it can pinpoint which antivirus (if any) is triggering an alert related to your website.
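The point about Redleg's file viewer letting you pick the Referrer and User Agent is worth automating: injected code that only appears for visitors arriving from a search engine, or that hides from crawlers, will never show up in the webmaster's own browser. The following is an added example for this thread, not code from any poster or from the tools named above. It requests the same page under several constructed header profiles and reports any iframe, script, embed or object source that is present in some responses but not all. The URL and the profiles are placeholders to adjust; `conditional_refs()` works on already-fetched HTML, so the comparison itself runs offline.

```python
import urllib.request
from html.parser import HTMLParser


class ExternalRefCollector(HTMLParser):
    """Collect (tag, source) pairs for elements that pull in outside content."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "script", "embed") and a.get("src"):
            self.refs.add((tag, a["src"]))
        elif tag == "object" and a.get("data"):
            self.refs.add((tag, a["data"]))


def external_refs(html):
    """Return the set of (tag, src) pairs found in one HTML document."""
    parser = ExternalRefCollector()
    parser.feed(html)
    return parser.refs


# Constructed header profiles: the same page requested as a direct visitor,
# as a visitor arriving from a search engine, and as a crawler.
PROFILES = {
    "direct_browser": ("Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0", None),
    "from_search": ("Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
                    "https://www.google.com/"),
    "crawler": ("Googlebot/2.1 (+http://www.google.com/bot.html)", None),
}


def fetch_as(url, user_agent, referer=None, timeout=15):
    """Fetch url with a specific User-Agent and optional Referer header (network call)."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def conditional_refs(variants):
    """Given label -> HTML, return refs that are missing from at least one variant,
    mapped to the sorted list of variants that do carry them.  A ref that only
    shows up for certain Referrers or User-Agents is the cloaking pattern to review."""
    refs_by_variant = {label: external_refs(html) for label, html in variants.items()}
    union = set().union(*refs_by_variant.values())
    result = {}
    for ref in union:
        carriers = sorted(label for label, refs in refs_by_variant.items() if ref in refs)
        if len(carriers) != len(variants):
            result[ref] = carriers
    return result


def check_site(url, profiles=PROFILES):
    """Fetch url under every profile and report conditionally served references."""
    variants = {label: fetch_as(url, ua, ref) for label, (ua, ref) in profiles.items()}
    return conditional_refs(variants)


if __name__ == "__main__":
    # Placeholder: replace with the address of your own site.
    for ref, seen_in in check_site("http://www.example.com/").items():
        print(f"{ref[0]} {ref[1]} served only to: {', '.join(seen_in)}")
```

An empty result means every profile got the same set of external references, which rules out header-conditional cloaking but not an injection served to everyone; combine it with a file-level review of the download. Run it against a staging copy where possible, since repeated unusual User-Agent requests can show up in the host's own monitoring.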
LVL 25

Author Closing Comment

by:Lionel MM
ID: 40658210
Already explained in my last comment
