Pharma Hack - Can't find the malicious files - Joomla! Forum - community, help and support
I have a client site that continually gets pharma hacked. The site looks fine except to Google. When I fetch the site as Googlebot there are tons of pharma links inserted into the site.
I know, I'm supposed to delete the entire site and start over. I know. The site was developed by a numb-nut who didn't know Joomla and customized dozens of files all over the place. A re-install would break the site completely. If nothing else works, I'll redevelop the site in Joomla 3.0. I need to find the offending files and remove them - after going through all of the other security checklist items first (change passwords, check local computers for viruses, fix permissions, make sure extensions are up to date... blah, blah, blah...)
I've tried an MD5 checksum and it didn't find anything wrong with the site. All files have the correct checksum for J 1.5.26. Here's the FPA results:
problem description :: pharma hack, can't find offending files
actions taken to resolve :: ran md5 hash checker.
forum post assistant (v1.2.3) : 16th november 2012
basic environment :: joomla! instance :: joomla! 1.5.26-stable (senu takaa ama busani) 27-march-2012
joomla! configured :: yes | writable (644) | owner: ridgetrail.org (uid: 1/gid: 1) | group: ridgetrail.org (gid: 1) | valid for: 1.5
configuration options :: offline: 0 | sef: 0 | sef suffix: 0 | sef rewrite: 0 | .htaccess/web.config: no | gzip: 0 | cache: 0 | ftp layer: 1 | ssl: 0 | error reporting: -1 | site debug: 0 | language debug: 0 | database credentials present: yes
host configuration :: os: linux | os version: 3.2.6mtv12 | technology: x86_64 | web server: apache/2.2.22 | encoding: gzip,deflate,sdch | doc root: /home/156411/domains/ridgetrail.org/html | system tmp writable: yes
php configuration :: version: 5.3.15 | php api: cgi-fcgi | session path writable: unknown | display errors: 1 | error reporting: 22519 | log errors to: | last known error: | register globals: 0 | magic quotes: 1 | safe mode: 0 | open base: /nfs:/tmp:/usr/local:/etc/apache2/gs-bin | uploads: 1 | max. upload size: 2m | max. post size: 8m | max. input time: -1 | max. execution time: 120 | memory limit: 99m
mysql configuration :: version: 5.1.55-rel12.6 (client:5.1.63) | host: --protected-- (--protected--) | collation: latin1_swedish_ci (character set: latin1) | database size: 4.97 mib | #of tables: 93
detailed environment :: php extensions :: core (5.3.15) | date (5.3.15) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | spl (0.2) | iconv () | session () | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.15) | pdo (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | phar (2.0.1) | posix () | pspell () | reflection ($id: e98652ba2326bd9391b730afdaf96c017d9fab48 $) | imap () | simplexml (0.1) | soap () | sockets () | sqlite (2.0-dev) | exif (1.4 $id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | cgi-fcgi () | suhosin (0.9.33) | zip (1.9.1) | mhash () | zend engine (2.3.0) |
potential missing extensions ::
switch user environment (experimental) :: php cgi: yes | server su: yes | php su: yes | custom su (litespeed/cloud/grid): yes
potential ownership issues: no
folder permissions :: core folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
elevated permissions (first 10) ::
extensions discovered :: components :: site :: wrapper (1.5.0) | mailto (1.5.0) | user (1.5.0) | wf_browser_title (2.2.9.1) | wf_imgmanager_title (2.2.9.1) | wf_preview_title (2.2.9.1) | wf_spellchecker_title (2.2.9.1) | wf_link_title (2.2.9.1) | wf_anchor_title (2.2.9.1) | wf_searchreplace_title (2.2.9.1) | wf_nonbreaking_title (2.2.9.1) | wf_article_title (2.2.9.1) | wf_table_title (2.2.9.1) | wf_layer_title (2.2.9.1) | wf_visualchars_title (2.2.9.1) | [do not buy our kitchens!] (2.2.9.1) | wf_lists_title (2.2.9.1) | wf_visualblocks_title (2.2.9.1) | wf_print_title (2.2.9.1) | wf_style_title (2.2.9.1) | wf_autosave_title (2.2.9.1) | wf_contextmenu_title (2.2.9.1) | wf_source_title (2.2.9.1) | wf_textcase_title (2.2.9.1) | wf_cleanup_title (2.2.9.1) | wf_xhtmlxtras_title (2.2.9.1) | wf_fullscreen_title (2.2.9.1) | wf_inlinepopups_title (2.2.9.1) | wf_directionality_title (2.2.9.1) | wf_clipboard_title (2.2.9.1) | wf_media_title (2.2.9.1) | wf_link_search_title (2.2.9.1) | wf_aggregator_vimeo_title (2.2.9.1) | [youtube] (2.2.9.1) | wf_mediaplayer_jceplayer_title (2.2.9.1) | wf_filesystem_joomla_title (2.2.9.1) | wf_links_joomlalinks_title (2.2.9.1) | wf_popups_jcemediabox_title (2.2.9.1) | wf_popups_window_title (2.2.9.1) |
components :: admin :: media manager (1.5.0) | mass mail (1.5.0) | admintools (2.2.10) | newsfeeds (1.5.0) | glossary plugin (1.5.2) | content plugin (1.5.1) | web links plugin (1.5.1) | joomdoc extension (1.0.0) | jmovies plugin (1.5.0) | rsgallery2 extension (1.0.0) | rapid recipe plugin (1.0.0) | myblog plugin (1.5.1) | sobi2 plugin (1.5.1) | mosets tree plugin (1.0.1) | jdownloads plugin (1.5.1) | hot property plugin (1.0.1) | kunena plugin (1.0.2) | yoflash xmap plugin (0.0.1) | jcalpro plugin (1.0.0) | gallery2 bridge plugin (1.0.2) | cms shop builder plugin (1.5.0) | joomgallery plugin (1.5.1) | virtuemart plugin (1.1.4) | zoo plugin (1.0.4) | lknanswers plugin (1.5.0) | agora plugin (1.0.0) | sectionex plugin (1.0.2) | contacts plugin (1.0.1) | joomsuite resources plugin (1.0.0) | acymailing plugin (1.0.0) | remository plugin (1.0.3) | eventlist plugin (1.0.0) | rd-autos plugin (1.5.0) | rokdownloads plugin (1.0.4) | knowledgebase plugin (1.0.0) | docman plugin (1.5.0) | jevents plugin (1.0.3) | jomres plugin (1.0) | xmap (1.2.14) | search (1.5.0) | banners (1.5.0) | plugin manager (1.5.0) | template manager (1.5.0) | nonumber! extension manager (2.1.3) | unknown (-) | control panel (1.5.0) | illbethere (1.0.6) | menus manager (1.5.0) | configuration manager (1.5.0) | module manager (1.5.0) | user manager (1.5.0) | installation manager (1.5.0) | trash (1.0.0) | content page (1.5.0) | akeeba (3.4.3) | contact items (1.0.0) | polls (1.5.0) | language manager (1.5.0) | jevents (1.5.3 (b1629)) | comment (4.0 alpha3) | search advanced (2.0 - build42) | weblinks (1.5.0) | cache manager (1.5.0) | frontpage (1.5.0) | plg_quickicon_jcefilebrowser (2.5.0) | editor - jce (2.2.9.1) | editor - jce (2.2.9.1) | jce file browser (2.0.0) | unknown (-) | jce (2.2.9.1) | jce (2.2.9.1) | messaging (1.5.0) | jcal pro 2 mini-calendar j (2.2.22.1824) | jcal pro 2 events joomsoci (2.2.22.1824) | cb jcalpro minical (@ant_current_) | cb jcalpro events (@ant_current_) | jcalpro (2.2.22.1824) | aicontactsafe (2.0.19.stable) | aicontactsafe - link (1.0.10.stable) | aicontactsafe - form (1.0.15.stable) | aicontactsafe module (1.0.13.stable) | aicontactsafe (1.0.0) |
modules :: site :: advanced search selector (build42) | read content (1.5.0) | random image (1.5.0) | poll (1.5.0) | search (1.0.0) | advanced search (build42) | jevents calendar (1.5.3) | latest news (1.5.0) | custom html (1.5.0) | sections (1.5.0) | wrapper (1.0.0) | jcal pro latest events (2.2.22.1824) | jcal pro mini-calendar (2.2.22.1824) | newsflash (1.5.0) | breadcrumbs (1.5.0) | archived content (1.5.0) | jcal pro flex module (1.1.3.545) | who's online (1.0.0) | syndicate (1.5.0) | statistics (1.5.0) | login (1.5.0) | menu (1.5.0) | latest jevents (1.5.3) | feed display (1.5.0) | related items (1.0.0) | footer (1.5.0) | banner (1.5.0) | jevents legend (1.5.3) |
modules :: admin :: quick icons (1.0.0) | unread items (1.0.0) | login form (1.0.0) | title (1.0.0) | items stats (1.0.0) | online users (1.0.0) | custom html (1.5.0) | akeeba backup notification mod (3.4.3) | admin menu (1.0.0) | admin tools joomla! upgrade no (revae48dbe) | popular items (1.0.0) | jce file browser (2.0.0) | feed display (1.5.0) | admin submenu (1.0.0) | toolbar (1.0.0) | footer (1.0.0) | user status (1.5.0) | logged in users (1.0.0) | latest news (1.0.0) |
plugins :: site :: editor - tinymce 3 (3.2.6) | editor - xstandard lite jo (1.0) | editor - jce (2.2.9.1) | system - legacy (1.5) | akeeba backup lazy scheduling (3.3) | system - debug (1.5) | system - admin tools (2.2.9) | system - cache (1.5) | system - remember me (1.5) | jcal pro - common libraries (2.2.22.1824) | system - mootools upgrade (1.5) | system - log (1.5) | system - nonumber! elements (2.2.1) | system - backlinks (1.5) | joomlacomment cleancache (4.0.0) | system - sef (1.5) | user - joomla! (1.5) | user - example (1.0) | authentication - gmail (1.5) | authentication - ldap (1.5) | authentication - example (1.5) | authentication - openid (1.5) | authentication - joomla (1.5) | search - content (1.5) | search - weblinks (1.5) | search - weblinks advanced (2.0 - build42) | jcal pro search plugin (2.2.22.1824) | search - contacts (1.5) | search - sections (1.5) | search - newsfeeds (1.5) | search - menus (build42) | search - authors (build42) | search - categories (1.5) | search - jevents (1.5.3b) | xml-rpc - blogger api (1.0) | xml-rpc - joomla api (1.0) | xml-rpc - advancedsearch (2.0 - build42) | jcalpro latest events plugin (2.2.22.1824) | content - code highlighter (ge (1.5) | content - pagebreak (1.5) | content - vote (1.5) | content - email cloaking (1.5) | !joomlacomment (4.0.0) | aicontactsafe - link (1.0.10.stable) | content - load modules (1.5) | content - page navigation (1.5) | content - example (1.0) | aicontactsafe - form (1.0.15.stable) | jcal pro - recaptcha plugin (2.2.22.1824) | button - pagebreak (1.5) | jcal pro event insertion plugi (1.0.0.545) | button - image (1.0.0) | button - readmore (1.5) |
templates discovered :: templates :: site :: bartc_secondary (1.0.0) | bartc_minimal (1.0.0) | beez (1.0.0) | rhuk_milkyway (1.0.2) | bartc_home (1.0.0) | ja_purity (1.2.0) |
templates :: admin :: khepri (1.0) |
Anybody notice anything off? It appears fine to me.
I found the source of the pharma hack on the site. The hacker edited the index.php file of the template (templates/template_name/index.php) and added a slight modification to the first line of the file:
<?php @require(dirname(__FILE__).'/css/main.css');
defined( '_JEXEC' ) or die( 'Restricted access' );?>
That caused the site to load a CSS file called main.css. I popped the little bugger open, found the malicious code and promptly deleted the file. Now Googlebot sees the same site the rest of us see. Damn, took me 5 hours! Got all of the files and plugged all of the vulnerabilities.
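The reason the MD5 check came back clean is that core checksum tools only cover Joomla's own files: a customised template index.php and a .css file are outside that list, and the payload was parked in a file that nobody expects to contain PHP. The scanner below is an added example written for this thread, not code from the poster or the Joomla project. It walks a webroot and flags two things: PHP files whose include/require points at a non-PHP extension (the exact pattern quoted above), and static files (.css, .js, images) that contain a PHP open tag or an obfuscation primitive. The demo tree it builds under a temporary directory is constructed for illustration; the template name and file contents are placeholders.

```python
"""Find PHP includes of non-PHP files and PHP code hiding in static assets.
Added example for the thread; the demo tree and its file names are constructed."""
import os
import re
import tempfile

PHP_EXT = {".php", ".phtml", ".inc"}
STATIC_EXT = {".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".txt", ".xml", ".html", ".htm"}

# include/require (optionally @-silenced or _once) whose quoted target ends in a
# static-asset extension, e.g. @require(dirname(__FILE__).'/css/main.css');
INCLUDE_RE = re.compile(
    r"@?\b(include|require)(?:_once)?\b[^;]*?['\"]"
    r"([^'\"]*?\.(?:css|js|jpe?g|png|gif|ico|txt|xml|html?))['\"][^;]*;",
    re.IGNORECASE,
)

# Tokens that have no business in a stylesheet or image: PHP tags and the usual
# decode-then-execute helpers.
PHP_IN_STATIC_RE = re.compile(
    r"<\?php|<\?=|\beval\s*\(|\bbase64_decode\s*\(|\bgzinflate\s*\(", re.IGNORECASE
)


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def scan_php_file(rel_path, text):
    """Report include/require statements that pull in a non-PHP file."""
    return [(rel_path, _line_of(text, m.start()),
             f"{m.group(1).lower()} of non-PHP file {m.group(2)!r}")
            for m in INCLUDE_RE.finditer(text)]


def scan_static_file(rel_path, text):
    """Report PHP tags or obfuscation helpers inside a file that should be static."""
    return [(rel_path, _line_of(text, m.start()),
             f"PHP/obfuscation token {m.group(0)!r} in static file")
            for m in PHP_IN_STATIC_RE.finditer(text)]


def scan_tree(root):
    """Walk a webroot and return sorted (relative path, line, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in PHP_EXT and ext not in STATIC_EXT:
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if ext in PHP_EXT:
                findings.extend(scan_php_file(rel, text))
            else:
                findings.extend(scan_static_file(rel, text))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed fixture mirroring the thread: a template index.php whose first
    line requires css/main.css, and a main.css that carries a PHP block. The
    PHP block is a harmless placeholder standing in for the real payload."""
    tpl = os.path.join(root, "templates", "demo_template")
    os.makedirs(os.path.join(tpl, "css"))
    with open(os.path.join(tpl, "index.php"), "w") as fh:
        fh.write("<?php @require(dirname(__FILE__).'/css/main.css');\n"
                 "defined( '_JEXEC' ) or die( 'Restricted access' );\n"
                 "require_once(dirname(__FILE__).'/html/pagination.php');  // legit\n?>\n")
    with open(os.path.join(tpl, "css", "main.css"), "w") as fh:
        fh.write("body { margin: 0; }\n<?php /* placeholder for payload */ ?>\n")
    with open(os.path.join(tpl, "css", "clean.css"), "w") as fh:
        fh.write("h1 { color: #333; }\n")
    return root


def demo_scan():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_tree(tmp))


if __name__ == "__main__":
    for rel, line, reason in demo_scan():
        print(f"{rel}:{line}: {reason}")
```

Run it against a real webroot with `scan_tree("/path/to/html")` after restoring known-good core files. Expect some noise from minified JavaScript that legitimately calls `eval(`; the include-of-a-static-file check is the high-signal one and should return nothing on a clean Joomla install. Keep in mind this only finds this particular hiding spot; a file dropped under tmp/ or cache/ with a .php extension needs the usual recently-modified-file and checksum review.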