Virus, Script injection to website. Please help

team eGlobe

Hello friends,
one of our recently created website seems to have some script/code injection or virus affected. We have noticed 4-5 lines of texts with links at the very top of home page. It appeared there for 5-10 minuets.

Its a joomla 1.5 site
used many third party extensions with many javascripts
appears only on home page
hosted on blacknight server

Can any one please help. Never seen this before. Posted this on design forum as well

Giblet

Can you check where the data is being pulled from? Usually someone has either inserted or injected script via a form, or some other means, and for it to display on the homepage consistently, means it is stored in a database somewhere, or some local storage. If you can find where it is stored, you might be able to find the module or page that was compromised, and from that, establish the attack vector. I've also seen Ad Servers that have been affected, if you are using any on your site.

team eGlobe

Thanks Giblet for the reply. How do I find out where this is coming from? Its not appearing all the time. but only on home page. is that mean some script that's called only on home page is causing this? not using add servers. using twitter feed and fb like box but I have that in footer ie. on all pages. any other thoughts? please help. Now I have replicated everything on home page to a test page and just waiting this to happen.

Giblet

I would remove the scripts, one by one, to ascertain where the problem lies, there could be a dodgy script that someone has found an exploit in. As for finding where the script is pulled from (if it is stored by yourself), I would first check the script itself, is there javascript appending html to the document? You can check this in something like firebug for Firefox. The HTML could also be coming from a news item on your homepage or something. You need to query your database to find out if any SQL injection attacks made it through or if any unsanitised data is present. If you are displaying news items or some feeds from the DB, the problem could be present in one of those.

team eGlobe

Thanks Giblet. Trying by removing scripts. if its on our server or from our DB then why its not coming all the time?

Sean^DCT4

After removing the injected script lines from your pages..

1. With Joomla, you probably need to upgrade your version.
and/or
2. If you have the latest version of Joomla you should look at changing your instance of Joomla to originate from a behind a CGI-app. This solves 99.9% of Joomla injected scripts problems for me (especially on shared hosting).

team eGlobe

Hi Sean, thanks for the reply. teh problem is the injected script is not in the code. from some where (I I think js) it got added to body tag while browsing home page. and tis is not happening all the time. noticed only couple of time for few minutes. couldn't figure out where this is coming from. any idea from this description?

amen

you should also check the file permissions on your joomla server, change all your passwords(once the scripts have been removed).

Look for the Joomla security doc on their website. A handy reference guides.
Also go through all installed plugins removing any that are not required.

You should also update any plugins that you use.

Do you have clean backup?

Ziycon

I would wipe the site and restore from a previous healthy backup to be on the safe side. These type of attacks can be very messy to clean up.

croo

re: permissions
Last year my joomla site on blacknight was hacked. The code was hidden in many places and I used the access logs & also looked at file date changes to clear it out. While investigating HOW it occurred I discovered that the standard update functionality left the joomla install with the permissions 777 (i.e. full access to everyone) on all files and directories. So yes, keep your joomla installation up to date but also be sure when ever you upgrade to reset the permissions on all the files! Without a shell, I did this with filezilla.

team eGlobe

Thanks guys. I compared the latest one with the clean backup and found the injected script.blacknight guys helped too. its php file with large base64 encoded string in includes folder and include that in index.php. removed that,changed file permissions suggested by croo and changed all passwords. do I need to anything else to prevent this happening again. Thanks again guys for ur help.

croo

re:prevention
I just make sure I reset the permissions whenever I upgrade joomla and have had no issues since.

ocallagh

Changing your passwords won't help against future cross site scripting/XSS. Setting restrictive permissions on your dirs/files might help.

It's quite probable it's one of your many Joomla extensions. Many extensions have known security holes and can be exploited quite easily.

Do some research on each of your extensions for XSS. Check here for starters and see if one of your extensions is listed. http://docs.joomla.org/Vulnerable_Extensions_List and also do some research on google etc

If you can't find what script/extension was accessed, then have a look through your server access logs and look our for any weird entries around the same time as you noticed the problem.

croo

yes! as ocallagh says... watch the logs very carefully over the coming weeks. You might have missed some backdoors they left for themselves ... mine did!
Watching the logs helped me find those hidden amongst the standard joomla files. Also note I say "weeks" ... those who hacked mine came back 2 or 3 weeks after I removed the obvious code to try and re-instate it.

I say "hacked" but it was hardly a hack in truth, the real problem was that stupid "application vault" upgrade process from BK that sets permissions to 777. I was keeping my joomla version updated to the latest version in the expectation that I was improving my security, while in fact I was completely opening the site to anybody and every body.

stesh

You really should keep regular backups so that you can roll back this kind of stuff more easily :-/