  1. #1
    New to the CF scene

    HELP! Site hacked and hidden link inserted?

    Yesterday our site's security was breached and some hacker came in, inserting his link into our site's code. We cannot find it anywhere and have even replaced the core file of our CMS site. Whatever we do, his link shows up on our site and we cannot find out how to remove it. Here is the code:


    <table class="blog" cellpadding="0" cellspacing="0"><tr><td valign="top"><div><div id="only-bots" style="display: none;">
    <a href="http://hackersurllink.com">un wanted link</a>


    If anyone has any idea where this code could be hiding, please help; we want to remove it ASAP.

    thanks so much for your help..

    Here is an example of the code he inserted in another site:
    icon.org.uk/index.php?option=com_content&task=view&id=562&Itemid=15

    Just look at the source and check out all the spammy stuff he inserted.
    Last edited by maximus4; 04-20-2009 at 06:05 PM.

  • #2
    New Coder
    delete that code?

  • #3
    New to the CF scene
    I would, but I cannot find where he hid it. It is not in my template file, not in my CSS; I am looking all over for it.

  • #4
    The fat guy next door VIPStephan's Avatar
    Look into your database. The spammer probably used some form on the site or other vulnerability to insert the code into the database. Physical static files can’t be changed like that.

  • #5
    Master Coder
    View all of the .htaccess files you have (there may be some stuck in several directories).
    They may have done something with .htaccess

  • #6
    New to the CF scene
    Checked that a few hours ago and nothing. Cannot find anything in the .htaccess, checked out the vBulletin forum, blog, everything, and am running out of places to look. Where else can div tags like this be hiding? Or is there a PHP function somewhere that is calling this code to be inserted in every page of my Joomla template?



    Thanks for all your help
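
A sketch of the search being asked about here, added as an example and not part of the original thread: it walks a copy of the site looking for the `only-bots` id from post #1, both as plain text and inside base64-encoded strings. The base64 check is an assumption about how such markup might be hidden, and the file extensions (including `.sql`, so a database dump can be dropped into the tree) and sample paths are hypothetical.

```python
import base64
import re
import tempfile
from pathlib import Path

MARKER = b"only-bots"  # id of the hidden div quoted in post #1
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-looking runs
SCAN_EXT = (".php", ".html", ".htm", ".js", ".htaccess", ".sql")  # assumed set


def find_marker(data):
    """Return 'plain', 'base64' or None for one file's bytes."""
    if MARKER in data:
        return "plain"
    for run in B64_RUN.findall(data):
        try:
            # Trim to a multiple of 4 so a partial trailing group still decodes.
            if MARKER in base64.b64decode(run[: len(run) - len(run) % 4]):
                return "base64"
        except ValueError:  # not valid base64 after all
            continue
    return None


def scan_tree(root):
    """Walk root and return sorted (relative_path, kind) hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(SCAN_EXT):
            kind = find_marker(path.read_bytes())
            if kind:
                hits.append((path.relative_to(root).as_posix(), kind))
    return sorted(hits)


def demo():
    """Scan a small constructed tree; paths and contents are made up."""
    div = b'<div id="only-bots" style="display: none;">'
    encoded = base64.b64encode(div)
    samples = {
        "mambots/clean_bot.php": b"<?php echo 'hello'; ?>",
        "mambots/odd_bot.php": b'<?php echo base64_decode("%s"); ?>' % encoded,
        "cache/page.html": b"<td>" + div + b"</td>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return scan_tree(root)
```

Run `scan_tree()` against a downloaded copy of the web root rather than the live server, so that the files being inspected cannot change during the scan.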

  • #7
    Senior Coder gnomeontherun's Avatar
    My first thought would be to contact hosting support, they generally have the ability to do more, and if you can pinpoint a timeframe perhaps you can roll back your site to that time?

    Otherwise, is Joomla up to date? You might consider reuploading Joomla files to make sure that one wasn't altered. It sounds bad, but you probably have an outdated version of Joomla out there, which is a security risk of any platform. Otherwise, it's not Joomla but something like .htaccess as mentioned.

    I'm pretty involved with Joomla, so if you want me to take a closer look at it send me some details or post them here, such as the site url?
    jeremy - gnomeontherun
    Educated questions often get educated answers, and simple questions often get simple answers.

  • #8
    New to the CF scene
    Thanks for all the help and responses. We finally figured out the problem. We replaced all the files in the mambots folder and deleted 2 components we were not using: Joomfish for translation and another simple Slide show module. We tried to go through as many modules as possible to find where this code is hidden but could not find it. Finally, as a last resort, we just replaced the folders and deleted old components as mentioned above.

    We noticed over the past weeks hundreds and sometimes thousands of 404 logs jam-packed with requests for dodgy-looking files: Ukrainians, Russians, Indians (IPs from all those countries). Obviously they are looking for known exploitable scripts, which they might have found in our case.

    What is the best thing to do to prevent this in Joomla, jeremy?

    Thanks

  • #9
    Senior Coder gnomeontherun's Avatar
    Well, first, don't use out-of-date files. This is less to do with Joomla and more to do with any script; make sure everything is up to date. You mentioned mambots, which means you are using 1.0. Not that you have to upgrade to 1.5, but it might be something to consider.

    Second if you have IPs hitting your site, block them. If you don't plan on targeting certain countries, perhaps block them entirely.

    Third always remove things you aren't using. Obviously it was an issue with a mambot, as they are the only thing that can control the output of each page besides the core itself.

    Fourth always be selective when choosing an extension or third party plugins for any software. Look at things like is it being developed, does the developer respond to issues with patches or updates, and so on.

    Fifth make sure your server environment is secure. Change passwords regularly. Perhaps your host is lax on security and has some vulnerabilities, I always recommend paying a little more for a solid host than to skim by on a budget host which fails to watch its security.

    If you have so many 404 entries, then they have your site and will keep hitting it in all likelihood. Contact your host about getting those IP addresses blocked.

    Again, these aren't just Joomla things, they relate to any website attack or any script.
    jeremy - gnomeontherun
    Educated questions often get educated answers, and simple questions often get simple answers.
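
To turn the 404 entries mentioned in posts #8 and #9 into a list of addresses to hand to the host, the following added example (not part of the original thread) groups 404 responses by client. It assumes Apache common/combined log format and, as a heuristic of its own, flags only clients that asked for several different missing URLs, so one visitor repeatedly hitting a single broken link is not listed. The log lines are constructed samples using documentation IP ranges and made-up paths.

```python
import re
from collections import defaultdict

# Common log format prefix: client, identity, user, [time], "request", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Apr/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [20/Apr/2009:10:00:02 +0000] "GET /old/a.php?id=1 HTTP/1.1" 404 210
198.51.100.7 - - [20/Apr/2009:10:00:03 +0000] "GET /old/a.php?id=2 HTTP/1.1" 404 210
198.51.100.7 - - [20/Apr/2009:10:00:04 +0000] "GET /old/b.php HTTP/1.1" 404 210
198.51.100.7 - - [20/Apr/2009:10:00:05 +0000] "GET /tmp/c.php HTTP/1.1" 404 210
203.0.113.5 - - [20/Apr/2009:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 210
203.0.113.5 - - [20/Apr/2009:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 210
203.0.113.5 - - [20/Apr/2009:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 210
"""


def probing_clients(log_text, min_paths=3):
    """Return {ip: sorted distinct 404 paths} for clients that requested
    at least min_paths different missing URLs."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "404":
            # Ignore the query string so /a.php?id=1 and ?id=2 count once.
            missing[m.group(1)].add(m.group(2).split("?", 1)[0])
    return {
        ip: sorted(paths)
        for ip, paths in missing.items()
        if len(paths) >= min_paths
    }


if __name__ == "__main__":
    for ip, paths in probing_clients(SAMPLE_LOG).items():
        print(ip, len(paths), "distinct missing paths")
```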

