Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Virus, Script injection to website. Please help

  • 22-06-2011 2:54pm
    #1
    Registered Users, Registered Users 2 Posts: 40


    Hello friends,
    one of our recently created website seems to have some script/code injection or virus affected. We have noticed 4-5 lines of texts with links at the very top of home page. It appeared there for 5-10 minuets.

    Its a joomla 1.5 site
    used many third party extensions with many javascripts
    appears only on home page
    hosted on blacknight server

    Can any one please help. Never seen this before. Posted this on design forum as well


Comments

  • Registered Users, Registered Users 2 Posts: 11,989 ✭✭✭✭Giblet


    Can you check where the data is being pulled from? Usually someone has either inserted or injected script via a form, or some other means, and for it to display on the homepage consistently, means it is stored in a database somewhere, or some local storage. If you can find where it is stored, you might be able to find the module or page that was compromised, and from that, establish the attack vector. I've also seen Ad Servers that have been affected, if you are using any on your site.


  • Registered Users, Registered Users 2 Posts: 40 team eGlobe


    Thanks Giblet for the reply. How do I find out where this is coming from? Its not appearing all the time. but only on home page. is that mean some script that's called only on home page is causing this? not using add servers. using twitter feed and fb like box but I have that in footer ie. on all pages. any other thoughts? please help. Now I have replicated everything on home page to a test page and just waiting this to happen.


  • Registered Users, Registered Users 2 Posts: 11,989 ✭✭✭✭Giblet


    I would remove the scripts, one by one, to ascertain where the problem lies, there could be a dodgy script that someone has found an exploit in. As for finding where the script is pulled from (if it is stored by yourself), I would first check the script itself, is there javascript appending html to the document? You can check this in something like firebug for Firefox. The HTML could also be coming from a news item on your homepage or something. You need to query your database to find out if any SQL injection attacks made it through or if any unsanitised data is present. If you are displaying news items or some feeds from the DB, the problem could be present in one of those.


  • Registered Users, Registered Users 2 Posts: 40 team eGlobe


    Thanks Giblet. Trying by removing scripts. if its on our server or from our DB then why its not coming all the time? :(


  • Registered Users, Registered Users 2 Posts: 527 ✭✭✭Sean^DCT4


    After removing the injected script lines from your pages..

    1. With Joomla, you probably need to upgrade your version.
    and/or
    2. If you have the latest version of Joomla you should look at changing your instance of Joomla to originate from a behind a CGI-app. This solves 99.9% of Joomla injected scripts problems for me (especially on shared hosting).


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 40 team eGlobe


    Hi Sean, thanks for the reply. teh problem is the injected script is not in the code. from some where (I I think js) it got added to body tag while browsing home page. and tis is not happening all the time. noticed only couple of time for few minutes. couldn't figure out where this is coming from. any idea from this description?


  • Registered Users, Registered Users 2 Posts: 2,781 ✭✭✭amen


    you should also check the file permissions on your joomla server, change all your passwords(once the scripts have been removed).

    Look for the Joomla security doc on their website. A handy reference guides.
    Also go through all installed plugins removing any that are not required.

    You should also update any plugins that you use.

    Do you have clean backup?


  • Registered Users, Registered Users 2 Posts: 1,987 ✭✭✭Ziycon


    I would wipe the site and restore from a previous healthy backup to be on the safe side. These type of attacks can be very messy to clean up.


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    re: permissions
    Last year my joomla site on blacknight was hacked. The code was hidden in many places and I used the access logs & also looked at file date changes to clear it out. While investigating HOW it occurred I discovered that the standard update functionality left the joomla install with the permissions 777 (i.e. full access to everyone) on all files and directories. So yes, keep your joomla installation up to date but also be sure when ever you upgrade to reset the permissions on all the files! Without a shell, I did this with filezilla.


  • Registered Users, Registered Users 2 Posts: 40 team eGlobe


    Thanks guys. I compared the latest one with the clean backup and found the injected script.blacknight guys helped too. its php file with large base64 encoded string in includes folder and include that in index.php. removed that,changed file permissions suggested by croo and changed all passwords. do I need to anything else to prevent this happening again. Thanks again guys for ur help.


  • Advertisement
  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    re:prevention
    I just make sure I reset the permissions whenever I upgrade joomla and have had no issues since.


  • Registered Users, Registered Users 2 Posts: 3,141 ✭✭✭ocallagh


    Changing your passwords won't help against future cross site scripting/XSS. Setting restrictive permissions on your dirs/files might help.

    It's quite probable it's one of your many Joomla extensions. Many extensions have known security holes and can be exploited quite easily.

    Do some research on each of your extensions for XSS. Check here for starters and see if one of your extensions is listed. http://docs.joomla.org/Vulnerable_Extensions_List and also do some research on google etc

    If you can't find what script/extension was accessed, then have a look through your server access logs and look our for any weird entries around the same time as you noticed the problem.


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    yes! as ocallagh says... watch the logs very carefully over the coming weeks. You might have missed some backdoors they left for themselves ... mine did!
    Watching the logs helped me find those hidden amongst the standard joomla files. Also note I say "weeks" ... those who hacked mine came back 2 or 3 weeks after I removed the obvious code to try and re-instate it.

    I say "hacked" but it was hardly a hack in truth, the real problem was that stupid "application vault" upgrade process from BK that sets permissions to 777. I was keeping my joomla version updated to the latest version in the expectation that I was improving my security, while in fact I was completely opening the site to anybody and every body.


  • Registered Users, Registered Users 2 Posts: 297 ✭✭stesh


    You really should keep regular backups so that you can roll back this kind of stuff more easily :-/


Advertisement