Solved

Malware or Security Breach on Hosted Website

Posted on 2015-02-19
106 Views
Last Modified: 2015-03-11
I am using site5.com to host a Joomla website and then a simple HTML website. This site has said that one of my sites with a script may be compromised (the only site that has any scripts is the Joomla site). This site is version 2.5.28 -- I can't update it because when I do it screws up my site. So the question is how can I check these sites and/or the files and folders to see if indeed they are infected, or have been breached? I have downloaded all the files with FileZilla to my local drive and scanned them with AVG and found nothing. So what is the best way to make sure there are no malicious scripts on my websites or that any of the scripts have been hijacked? They said that someone is using a valid username and password to send junk email but can't tell me how to remedy the situation and that it is my responsibility to get it fixed and so I need some help please--thank you.

Question by: Lionel MM
6 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 40620512
Do note that the Joomla core product team released Joomla 2.5.28, the last planned release in the v2.5 series. It is officially declared End Of Life (EOL) as of 1st January 2015. https://docs.joomla.org/What_version_of_Joomla!_should_you_use%3F

Scanning is not necessarily just file based, as with a normal malicious exe or payload; for web vulnerabilities, common ones like RFI and LFI (remote and local file inclusion) require dynamic (real-time) testing, meaning HTTP requests and responses, to even try out the cross-site scripting and SQL injection attacks... OWASP has listed the top 10 vulnerabilities. Weak CMS is included - https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

You may want to try the Joomla scanner https://www.owasp.org/index.php/OWASP_Joomla_Vulnerability_Scanner_Usage or simply its equivalent online, using the service to scan your online (staging preferred) site: http://hackertarget.com/joomla-security-scan/ (noting it can trigger alerts as well, so do pre-empt the necessary party with advance notice).
0
 
LVL 43

Assisted Solution

by:Davis McCarn
Davis McCarn earned 167 total points
ID: 40620959
To scan, go to http://virustotal.com, select the URL tab, and have it scan your website.
For the email, go change everybody's password!
0
 
LVL 63

Assisted Solution

by:btan
btan earned 333 total points
ID: 40621050
I also suggest the Sucuri SiteCheck scanner, which checks the website for known malware, blacklisting status, website errors, and out-of-date software: http://sitecheck.sucuri.net/ with feature support (including CMS scanning for Joomla - http://sucuri.net/website-antivirus/signup).

Indeed, do ask end users to change their logins, and especially the administrators, immediately, and beware of phishing email, as supposedly some may already have fallen into the "trap" where your website may already have become a "waterholed" site. For example, some symptoms to be aware of...

- a few dozen admin tools uploaded to the website, esp. the website admin console;
- uploaded applets or "additional" pages or links, or an injected "new" URL pointing to a graphic that ends up pointing to a JavaScript redirection link (outside of your site) that can prompt visiting users to install malware.

As a whole, the changes carry the URL to the actual payload, which is not in your web folders, and it gets served (like a waterhole) to many thousands of users, inadvertently infected on their visit to your site...

But I reiterate that a clean scan does not necessarily mean you're free of security bugs. It is still recommended to have a manual security review by engaging your web app security professional in the organisation or someone who knows such folks...
0

 
LVL 25

Accepted Solution

by:Lionel MM
Lionel MM earned 0 total points
ID: 40649772
Thanks for all the help; some of the above suggestions were helpful in pointing me in the right direction, by showing which sites were questionable. The actual solution was to do a full hosting account backup, download the backup to my local system, use my antivirus and malware software to clean it up, and then restore the cleaned-up files to the hosting company. That did not help me find any "bad" scripts on the websites, but the provided suggestions prompted me to get rid of a questionable site. Thanks for all the help.
0
 
LVL 63

Expert Comment

by:btan
ID: 40650401
Sure, that is always the case regardless of whether the malware is found or not; as long as the website is suspected compromised, it needs to be cleaned up and refurbished. Below is a list of resources for info.
A short overview:

http://sitecheck.sucuri.net/
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case is to check whether or not you have any outdated plugin or CMS running - as well as a list of links.

http://aw-snap.info/file-viewer/
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).

http://www.rexswain.com/httpview.html
Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.

http://jsunpack.jeek.org/
Excellent tool in case any malicious Javascript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.

http://urlquery.net/
Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.

https://www.virustotal.com/
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.
http://bartblaze.blogspot.sg/2015/03/c99shell-not-dead.html
0
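Since the asker already has the whole site downloaded locally, the injection symptoms btan lists above (hidden iframes, JavaScript redirects, dropped admin tools in writable folders) can be triaged offline before the online tools are run. The following is my own added example, not code from any poster, from Joomla or from the tools linked in this thread. It walks a directory tree and flags a few well-known indicators; the sample files it creates are constructed stand-ins for a FileZilla download, and the list of "upload-only" folders is my assumption about a default Joomla 2.5 layout. A clean result is a heuristic, not proof of a clean site, which is exactly the point btan makes about clean scans.

```python
"""Offline triage of a downloaded site tree for common injection symptoms:
hidden iframes, document.write(unescape(...)) redirects, obfuscated PHP
eval() calls, and script files sitting in folders that should only hold
uploads. Heuristic only; pair it with the online scanners in the thread."""
import re
import tempfile
from pathlib import Path

# Constructed sample files standing in for a downloaded Joomla site.
# Paths and contents are invented for this example.
SAMPLE_FILES = {
    "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire_once __DIR__ . '/includes/app.php';\n",
    "templates/site/index.php": (
        "<?php ?><html><body>\n"
        '<iframe src="http://example.invalid/x" style="display:none" width="0" height="0"></iframe>\n'
        "</body></html>\n"
    ),
    # A PHP file dropped into an images folder, hiding its code behind base64.
    "images/stories/help.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
    # A script that rebuilds an external <script> tag from escaped text.
    "media/js/menu.js": "document.write(unescape('%3Cscript src=%22http://example.invalid/r.js%22%3E%3C/script%3E'));\n",
    # A benign file, to show that ordinary code is not flagged.
    "media/js/jquery.min.js": "/* jQuery sample */ (function(){})();\n",
}

# Content signatures. Each is a classic, widely documented injection pattern.
RULES = [
    ("hidden-iframe", re.compile(
        r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden"
        r"|width=[\"']?0[\"']?|height=[\"']?0[\"']?)", re.I)),
    ("obfuscated-php-eval", re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("js-write-unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
]

# Assumption: in a default Joomla 2.5 install these top-level folders hold
# uploads, cache or logs, so a PHP file under them deserves a manual look.
UPLOAD_DIRS = ("images", "tmp", "cache", "logs")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")


def scan_text(relpath, text):
    """Return (rule, relative path, line number) findings for one file."""
    findings = []
    for name, rx in RULES:
        m = rx.search(text)
        if m:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, relpath, line))
    parts = Path(relpath).parts
    if parts and parts[0] in UPLOAD_DIRS and relpath.lower().endswith(SCRIPT_EXT):
        findings.append(("script-in-upload-dir", relpath, 0))
    return findings


def scan_tree(root):
    """Scan every regular file under root; paths are reported relative to root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


def write_samples(root):
    """Materialise the constructed sample site in a directory."""
    for rel, body in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")


def demo():
    """Build the sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Point scan_tree() at the real download folder instead of demo() to use it.
    for kind, rel, line in demo():
        print(f"{kind:22} {rel}" + (f":{line}" if line else ""))
```

Anything it flags is a file to open and read by hand, then compare against a fresh copy of the same Joomla release; anything it does not flag still needs the online scanners and the password resets the other answers recommend.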
 
LVL 25

Author Closing Comment

by:Lionel MM
ID: 40658210
Already explained in my last comment
0