Malware or Security Breach on Hosted Website

I am using to host a Joomla website and then a simple HTML website. This site has said that one of my sites with a script may be compromised (the only site that has any scripts is the Joomla site). This site is version 2.5.28 -- I can't update it because when I do it screws up my site. So the question is how can I check these sites and/or the files and folders to see if indeed they are infected, or have been breached? I have downloaded all the files with FileZilla to my local drive and scanned them with AVG and found nothing. So what is the best way to make sure there are no malicious scripts on my websites or that any of the scripts have been hijacked? They said that someone is using a valid username and password to send junk email but can't tell me how to remedy the situation and that it is my responsibility to get it fixed, and so I need some help please -- thank you.
Lionel MM (Small Business IT Consultant) asked:
Lionel MM (Small Business IT Consultant, Author) commented:
Thanks for all the help. Some of the above suggestions were helpful in pointing me in the right direction, by showing which sites were questionable. The actual solution was to do a full hosting account backup, download the backup to my local system, use my antivirus and malware software to clean it up, and then restore the cleaned-up files to the hosting company. That did not help me find any "bad" scripts on the websites, but the provided suggestions prompted me to get rid of a questionable site. Thanks for all the help.
btan (Exec Consultant) commented:
Do note that the Joomla core product team released Joomla 2.5.28, the last planned release in the v2.5 series. It is officially declared End of Life (EOL) as of 1st January 2015.

The scanning is not necessarily just file-based, as for a normal malicious exe or payload. For web vulnerabilities, common ones like RFI and LFI (remote and local file inclusion) require dynamic (real-time) testing, meaning HTTP requests and responses, to even try out the cross-site scripting and SQL injection attacks... OWASP has listed the top 10 vulnerabilities. Weak CMS is included.

You may want to try the Joomla scanner, or simply its online equivalent, using the service to scan your online (staging preferred) site (noting it can trigger alerts as well, so do give the necessary parties advance notice).
Davis McCarn (Owner) commented:
To scan, go to, select the URL tab, and have it scan your website.
For the email, go change everybody's password!
btan (Exec Consultant) commented:
I also suggest the Sucuri SiteCheck scanner, which checks the website for known malware, blacklisting status, website errors, and out-of-date software, with feature support including CMS scanning for Joomla.

Indeed, do ask end users to change their logins, especially the administrators, immediately, and beware of phishing email, as supposedly some may have already fallen into the "trap", where your website may already have become a "waterholed" site. For example, some symptoms to be aware of...

- a few dozen admin tools uploaded to the website, esp. the website admin console;
- an uploaded applet, "additional" pages or links, or an injected "new" URL pointing to a graphic that ends up pointing to a JavaScript redirection link (outside of your site) that can prompt visiting users to install malware.

As a whole, the changes carry the URL to the actual payload, which is not in your web folders, and (serving like a waterhole) many thousands of users get inadvertently infected on their visit to your site...

But I reiterate that a clean scan does not necessarily mean you're free of security bugs. A manual security review is still recommended, by engaging the web app security professional in your organisation or someone who knows such folks...
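Added example, not part of the original thread: a local check for the symptom described in the comment above, where a page gains a script, iframe or applet reference that points outside the site. It walks a downloaded copy of the site and lists such references for manual review; the host names and sample HTML are constructed placeholders, and parsing of `.php` files is best-effort.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class _RefCollector(HTMLParser):
    """Collects URLs from tags that can load or redirect to remote content."""
    WATCHED = {"script": "src", "iframe": "src", "embed": "src",
               "object": "data", "applet": "codebase"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.refs.append((tag, value.strip()))

def external_refs(html, own_hosts):
    """Return (tag, url) pairs whose host is not one of the site's own hosts."""
    collector = _RefCollector()
    collector.feed(html)
    own = {h.lower() for h in own_hosts}
    hits = []
    for tag, url in collector.refs:
        host = (urlparse(url).hostname or "").lower()  # also handles //host/path
        if host and host not in own:  # relative URLs have no host and are skipped
            hits.append((tag, url))
    return hits

def scan_tree(root, own_hosts, exts=(".html", ".htm", ".php")):
    """Walk a local copy of the site; map file path -> off-site references."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = external_refs(fh.read(), own_hosts)
                if hits:
                    findings[path] = hits
    return findings

# Constructed sample page: one local script, one CDN script, one hidden iframe.
SAMPLE = """<html><body>
<script src="/media/system/js/core.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<iframe src="http://redirect.example.org/go.php?id=1" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in external_refs(SAMPLE, {"www.example.com"}):
        print(f"review: <{tag}> loads {url}")
```

Hosts you knowingly use (a CDN, an analytics provider) go into `own_hosts`; whatever remains is a list to compare against a known-good copy of the site, not a verdict.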
btan (Exec Consultant) commented:
Sure, that is always the case regardless of whether the malware is found or not; as long as the website is suspected of compromise, it needs to be cleaned up and refurbished. Below is a list of resources for info.
A short overview:
- You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case, check whether or not you have any outdated plugin or CMS running - as well as a list of links.
- Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).
- Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.
- Excellent tool in case any malicious JavaScript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.
- Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.
- As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.
Lionel MM (Small Business IT Consultant, Author) commented:
Already explained in my last comment
Question has a verified solution.