Iframe JS GJ Trojan continuous... - Joomla! Forum - community, help and support

problem description :: forum post assistant (v1.2.3) : 8th january 2013 wrote:iframe js gj trojan continuous infection

log/error message :: forum post assistant (v1.2.3) : 8th january 2013 wrote:trojan found on website

actions taken resolve forum post assistant (v1.2.3) 8th january 2013 wrote:downloaded whole system, searched , deleted iframe trojan infection of index.php, uploaded back. solved problem present again after few days.

forum post assistant (v1.2.3) : 8th january 2013 wrote:

basic environment :: wrote:joomla! instance :: joomla! 1.5.26-stable (senu takaa ama busani) 27-march-2012
joomla! configured :: yes | read-only (444) | owner: (uid: /gid: ) | group: (gid: ) | valid for: 1.5
configuration options :: offline: 0 | sef: 0 | sef suffix: 0 | sef rewrite: 0 | .htaccess/web.config: no | gzip: 0 | cache: 0 | ftp layer: 0 | ssl: 0 | error reporting: -1 | site debug: 0 | language debug: 0 | database credentials present: yes

host configuration :: os: linux | os version: 2.6.18-308.24.1.el5pae | technology: i686 | web server: apache/2.2 | encoding: gzip, deflate | doc root: /web/htdocs/www.lasertagitalia.com/home/ | system tmp writable: yes

php configuration :: version: 5.2.17 | php api: cgi-fcgi | session path writable: yes | display errors: | error reporting: 6135 | log errors to: | last known error: | register globals: | magic quotes: | safe mode: | open base: | uploads: 1 | max. upload size: 25m | max. post size: 30m | max. input time: -1 | max. execution time: 120 | memory limit: 64m

mysql configuration :: version: 5.0.92-enterprise-gpl-log (client:5.1.56) | host: --protected-- (--protected--) | collation: utf8_general_ci (character set: utf8) | database size: 5.28 mib | #of tables: 213

detailed environment :: wrote:php extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | simplexml (0.1) | spl (0.2) | pdo (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | posix () | reflection (0.1) | imap () | mysqli (0.1) | soap () | sqlite (2.0-dev) | exif (1.4 $id: exif.c 293036 2010-01-03 09:23:27z sebastian $) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi-fcgi () | pdf (2.1. | sourceguardian (9.0) | ffmpeg (0.6.0-svn) | imagick (3.0.1) | amf (0.9.2-dev) | ioncube loader () | zend engine (2.2.0) |
potential missing extensions :: zip | suhosin |

switch user environment (experimental) :: php cgi: yes | server su: yes | php su: yes | custom su (litespeed/cloud/grid): yes
potential ownership issues: no

folder permissions :: wrote:core folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

elevated permissions (first 10) ::

extensions discovered :: wrote:components :: site :: mailto (1.5.0) | user (1.5.0) | wrapper (1.5.0) |
components :: admin :: banners (1.5.0) | cache manager (1.5.0) | configuration manager (1.5.0) | contact items (1.0.0) | content page (1.5.0) | control panel (1.5.0) | frontpage (1.5.0) | installation manager (1.5.0) | joom!fish (2.1.6) | jshopping (2.9.7) | language manager (1.5.0) | mass mail (1.5.0) | media manager (1.5.0) | menus manager (1.5.0) | messaging (1.5.0) | module manager (1.5.0) | newsfeeds (1.5.0) | phocadownload (1.3.9) | plugin manager (1.5.0) | polls (1.5.0) | rsseo (1.0.0) | search (1.5.0) | template manager (1.5.0) | trash (1.0.0) | user manager (1.5.0) | weblinks (1.5.0) |

modules :: site :: archived content (1.5.0) | banner (1.5.0) | breadcrumbs (1.5.0) | custom html (1.5.0) | feed display (1.5.0) | filtered news (2.1.7) | footer (1.5.0) | global news (2.1.6) | google currency converter (1.5.7) | gtranslate (1.5.x.28) | joomfish-language selection (2.1.5) | ultimate content display (1.1) | latest news (1.5.0) | login (1.5.0) | menu (1.5.0) | menu noix (1.5.0) | read content (1.5.0) | newsflash (1.5.0) | phoca download category menu m (0.9.0) | phoca download latest module (1.0.2) | phoca download section menu mo (1.3.5) | poll (1.5.0) | virtuemart product scroller (1.1.0) | virtuemart product categories (1.1.0) | random image (1.5.0) | related items (1.0.0) | search (1.0.0) | sections (1.5.0) | statistics (1.5.0) | syndicate (1.5.0) | joomshopping tags (2.7.0) | who\'s online (1.0.0) | wrapper (1.0.0) |
modules :: admin :: custom html (1.5.0) | feed display (1.5.0) | footer (1.0.0) | latest news (1.0.0) | logged in users (1.0.0) | login form (1.0.0) | admin menu (1.0.0) | online users (1.0.0) | popular items (1.0.0) | quick icons (1.0.0) | items stats (1.0.0) | user status (1.5.0) | admin submenu (1.0.0) | title (1.0.0) | toolbar (1.0.0) | direct translation (2.1.6) | unread items (1.0.0) |

plugins :: site :: authentication - example (1.5) | authentication - gmail (1.5) | authentication - joomla (1.5) | authentication - ldap (1.5) | authentication - openid (1.5) | content - email cloaking (1.5) | content - example (1.0) | content - code highlighter (ge (1.5) | joomfish alternative language (2.1.6) | content - load modules (1.5) | content - pagebreak (1.5) | content - page navigation (1.5) | phoca download plugin (1.3.6) | content - vote (1.5) | editor - tinymce 3 (3.2.6) | editor - xstandard lite jo (1.0) | button - image (1.0.0) | button - pagebreak (1.5) | button - phoca download (1.3.5) | button - readmore (1.5) | joomfish - missing translation (2.1.6) | search - categories (1.5) | search - contacts (1.5) | search - content (1.5) | search - joomfish categories (2.1.6) | search - joomfish contacts (2.1.6) | search - joomfish content (2.1.6) | search - joomfish newsfeeds (2.1.6) | search - joomfish sections (2.1.6) | search - joomfish weblinks (2.1.6) | search - newsfeeds (1.5) | search - sections (1.5) | search - weblinks (1.5) | system - backlinks (1.5) | system - cache (1.5) | system - debug (1.5) | joomfish - abstraction layer (2.1.6) | joomfish - basic router (2.1.6) | system - legacy (1.5) | system - log (1.5) | system - mootools upgrade (1.5) | system - remember me (1.5) | system - rsseo (1.2.0) | system - sef (1.5) | user - example (1.0) | user - joomla! (1.5) | xml-rpc - blogger api (1.0) | xml-rpc - joomla api (1.0) |

templates discovered :: wrote:templates :: site :: beez (1.0.0) | ja_purity (1.2.0) | rhuk_milkyway (1.0.2) | theme652 (1.0.0) |
templates :: admin :: khepri (1.0) |

downloaded whole system, searched , deleted iframe trojan infection of index.php, uploaded back. solved problem present again after few days.

that incorrect way of solving issue , found resulted in being hacked again. continue until follow proper procedures. proper way follow information provided here viewtopic.php?f=432&t=475313

couple other things
.htaccess/web.config: no should enable , using supplied htaccess.txt file renaming .htaccess

the max. execution time: 120 (seconds) might little high, standard 60 (seconds)

verify using latest versions of extensions have on site.