I developed and I am now supporting a Joomla 1.5 site. It appears that it was hacked recently with: MW:SPAM:SEO (http://labs.sucuri.net/db/malware/malware-entry-mwspamseo). I have looked at the directory structure (using FTP) and I have discovered a folder called: 'f42ad68b3fb9cdd940d9eacc861791aa' in libraries\joomla\session\storage. What is this folder used for? I never used it when I developed the website.
The default files within libraries\joomla\session\storage are:
apc.php
database.php
eaccelerator.php
index.html
memcache.php
none.php
xcache.php
Extensions installed should not manipulate any core Joomla files or store anything within the core folders. If there are any, delete them for security reasons.
The majority of the files noted above are for sessions and cache. For more information on sessions, please read: php.net/manual/en/intro.session.php
As for solving hacking in the future, I answered a question not long ago which explains some things you can do and recommended extensions.
Joomla! 2.5.4 Hacked: Having trouble with diagnosis
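One way to check core folders for additions like the one in the question, as an added example (not part of the original answers and not Joomla's own code): download the site over FTP, unpack a clean copy of the same Joomla release next to it, and compare the two trees. It goes beyond the single folder discussed and covers any core path; the `core_prefixes` default, the `com_example` name and the demo file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return ({relative file path: sha256}, {relative dir paths}) for a tree."""
    files, dirs = {}, set()
    for dirpath, dirnames, filenames in os.walk(root):
        base = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if base == "." else base + "/"
        dirs.update(prefix + d for d in dirnames)
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                files[prefix + name] = hashlib.sha256(fh.read()).hexdigest()
    return files, dirs

def compare_to_clean(site_root, clean_root, core_prefixes=("libraries/joomla/",)):
    """Diff a site copy against a clean copy of the same release: changed files
    anywhere, plus files/folders only in the site copy under core_prefixes."""
    site_files, site_dirs = snapshot(site_root)
    clean_files, clean_dirs = snapshot(clean_root)
    core = lambda p: p.startswith(core_prefixes)  # assumed list of core-only paths
    return {
        "modified": sorted(p for p in site_files
                           if p in clean_files and site_files[p] != clean_files[p]),
        "unexpected_files": sorted(p for p in site_files if p not in clean_files and core(p)),
        "unexpected_dirs": sorted(d for d in site_dirs if d not in clean_dirs and core(d)),
    }

def demo():
    """Compare two small constructed trees (placeholders, not real Joomla files)."""
    storage = os.path.join("libraries", "joomla", "session", "storage")
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for root in (clean, site):
            os.makedirs(os.path.join(root, storage))
            for name in ("database.php", "none.php"):
                with open(os.path.join(root, storage, name), "w") as fh:
                    fh.write("<?php // constructed placeholder\n")
        # Constructed differences, present in the site copy only.
        os.makedirs(os.path.join(site, storage, "f42ad68b3fb9cdd940d9eacc861791aa"))
        with open(os.path.join(site, storage, "none.php"), "a") as fh:
            fh.write("// constructed extra line\n")
        os.makedirs(os.path.join(site, "components", "com_example"))  # hypothetical extension
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Folders that extensions legitimately write to, such as the hypothetical `components/com_example` here, are left out of the "unexpected" lists, while any file that differs from the clean copy is always reported.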
I've had a couple of attacks from this malware. In my case it seems to have entered through an image slide plugin (for Joomla 2.5).
For want of a better approach I downloaded the whole site and searched for
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'} ');}dnnViewState();
This is the malware code string as per the Sucuri scan of the site. There was one instance of this in a JavaScript script, which when removed produced a clean bill of health for the site according to the Sucuri scanner.
I would not lightly delete a whole folder of files, particularly as this malware has a small footprint - only 1 line of javascript.
I know this thread is well out of date but perhaps others are still having problems. My infections occurred around Feb 2013.
Related
Good day/night great minds,
I have a perfectly functional website hosted online at the following url: www.gmaworld.com (malware infected). Unfortunately this site is infected with malware. I am looking to transfer the contents to another setup to get rid of the malware.
My concern however is how to back up/retain the current addons that I have in the current setup so I don't lose them during the new setup.
I have read through most of the migration/upgrade articles for Joomla and none seem to mention anything in this regard. If it does help, I am using the shaper_qubic theme.
I will appreciate every bit of advice to help me ensure a successful transfer of my addons.
Thank you.
If you are rebuilding your website to eradicate malware, the best course of action is to re-download Joomla and third party extensions from the official websites and start again.
It's possible (by examining the contents of the extension XML install file) to download all the relevant folders and files which you could then zip back into a Joomla install file but this would be a tedious process, likely prone to manual error and possibly still have vulnerabilities if these aren't the latest versions.
To keep a website secure, you should be installing Joomla and third party extension updates on a regular basis. If you have commercial extensions on your website, you'll need to renew your subscriptions in order to have access to updates.
If cost is an issue, then try to replace commercial extensions with free extensions or try to implement features using core Joomla instead. This is often possible when new features are implemented in the core.
An alternative way to retain your extensions is to clean up the malware without rebuilding your site.
The myjoomla.com audit / clean up tool does this quite well and is a much quicker way to recover your website compared to a complete rebuild.
You will probably still need to update Joomla and third party extensions to the latest versions to prevent a recurrence.
You have the best free options available, and not only that, it is super easy to take a backup and restore your site anywhere, either on localhost or on any other web host. I hope you have access to the backend Administrator side.
Steps
Download Akeeba Backup http://extensions.joomla.org/extension/akeeba-backup and install it.
Take a backup of your entire site by going to Components -> Akeeba Backup. The backup will have the JPA extension (backup.jpa format). It won't open in normal extractors. To open the zip file, follow the next step.
Download the extract wizard from https://www.akeebabackup.com/products/akeeba-extract-wizard.html. This will help you to extract the backup file on your desktop.
To clean the website files, use the Kaspersky Internet Security demo version. It cleaned many of my infected files. And do a vulnerability scan after installing it on localhost to know where the loopholes are.
A friend has asked me to do some work on his existing site which was built in Rapidweaver. I'm on Windows, so is there another way I can access and edit his site?
The Rapidweaver project file is meant to be edited only in Rapidweaver, really. As far as I know, the only way around would be to use an HTML editor to modify the pages that are already on the server. However, I would not recommend you to do it unless you are not going back to Rapidweaver anymore, because changing the files on the server does not update your local Rapidweaver files. So, you could end up editing something on the server, then getting back to Rapidweaver and uploading a "new" version that would not be completely up to date (the previous changes in the server version would be overridden by the older Rapidweaver project).
For that kind of work, a CMS (Content Management System) is a more flexible way to work. Nowadays, one of the most common is WordPress. It will require an initial setup but after it is working it can be updated from anywhere via web browser, or even from an app on your iPhone. But it is not a Rapidweaver based solution.
There are a couple of CMS related plugins or stacks (Dropkick CMS, Armadillo, Easy CMS, Total CMS...) for Rapidweaver that could also be useful in this context. Once again, first you would need to buy a licence and to set up the website using one of those plugins or stacks. Only then would you be able to edit on the go.
A relative asked me to fix a Joomla website (v2.5.16) which was hacked last year, probably due to a lack of updates (it is up to date now); unfortunately I have no information about this. The issue is that the front end takes ~2 min to load. The administration is loading normally, so whatever the issue is, it depends on the front end. I already disabled all modules one by one and switched the template with another one to make sure that the bug is not in the template or plugins folders, without success.
I must add that the problem is "probably" more recent than the hack, according to this person. So maybe there was a script somewhere reaching a random server which may not work anymore.
PS : the website is on a shared hosting. I have the FTP access but no ssh.
I know that I don't give any details which can lead to resolve this, but I need more a method to track what can go wrong and where than a solution.
Thanks in advance,
We have written a lengthy post explaining why a website might be slow: http://www.itoctopus.com/20-questions-you-should-be-asking-yourself-if-your-joomla-website-is-slow
From the looks of it, it might be that the website is still hacked. Try overwriting the Joomla files with a fresh Joomla install and see if that addresses the problem.
Solving this issue will probably involve some or all of the following:
updating Joomla and all third party extensions to the latest versions
checking for and fixing malicious files using http://myjoomla.com or https://sucuri.net or similar
analysing the performance of the website using http://gtmetrix.com (it's free) or similar to pinpoint and fix what is taking the most time to load
If the website has been hacked, you may need to reset passwords etc once the malicious files have been removed. See https://joomla.stackexchange.com/a/180/120 for more information about securing the website once it is fixed.
We use Joomla and K2 for our website. On this page of the website, the meta property="og:description" has been hacked and it shows this content="buy zolpidem us zolpidem online... And so when we post to Facebook we get this text in the description.
Any idea where to look for this text and delete it? I have searched and found the K2 file that pulls the text. I just don't know where the text lives.
Thanks,
John
I just had this happen with WordPress... in my case deleting and reinstalling the Facebook plugin fixed this particular issue. The strange thing was the FB plugin wasn't modified in any way.
The larger issue was the site had been hacked - which in your case is almost certainly true as well. I'm not familiar with Joomla, but scan the rest of your files/folders for malware or suspicious code (and your site structure for invisible files and folders (beginning with a '.')), possibly reinstall your files, check your htaccess file to make sure nothing has been added, check the registered users on the site -- any suspicious admins? -- and change your passwords.
In other words, this is a symptom of a greater problem, and not the problem itself.
Here is what I did. I had the hosting company run a grep to search on my web data for the string containing the malicious text.
Once we found the files I used clean PHP files from another Joomla install to overwrite the hacked files.
The hacked PHP file was pulling a string of malicious text from a text file named value(s).
I then backed up the website and installed another layer of security called Admin Tools. The Pro version costs money but could be used on as many websites as I needed.
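The two searches described on this page (for the script fragment in a downloaded copy of the site, and the grep for the spam text) can be run the same way on a copy fetched over FTP. This is an added example, not code from any of the posts; the signatures are the strings quoted on this page, and the demo files and their names are constructed.

```python
import os
import tempfile

# Signatures quoted on this page: the script fragment reported by the scanner
# and the spam text that showed up in og:description.
SIGNATURES = [
    b"document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'} ');}dnnViewState();",
    b"buy zolpidem",
]

def scan_tree(root, signatures=SIGNATURES, max_bytes=20 * 1024 * 1024):
    """Return sorted (relative path, line, column, signature index) hits.

    Every file is read as bytes whatever its extension, since the text may
    sit in a data file that a PHP file only reads. Matching ignores ASCII case.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue  # assumption: skip very large media or archives
            with open(full, "rb") as fh:
                data = fh.read().lower()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for idx, sig in enumerate(signatures):
                pos = data.find(sig.lower())
                while pos != -1:
                    line = data.count(b"\n", 0, pos) + 1
                    col = pos - data.rfind(b"\n", 0, pos)  # 1-based column
                    hits.append((rel, line, col, idx))
                    pos = data.find(sig.lower(), pos + 1)
    return sorted(hits)

def demo():
    """Scan a small constructed tree (sample files, not from a real site)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media"))
        with open(os.path.join(root, "media", "slider.js"), "wb") as fh:
            fh.write(b"var a=1;\nvar b=2;" + SIGNATURES[0] + b"\n")
        with open(os.path.join(root, "values"), "wb") as fh:
            fh.write(b"Buy Zolpidem us\n")
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php echo 'ok';\n")
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The column is reported along with the line because an injected fragment is often appended to a long or minified line, where the line number alone does not locate it.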
I develop a Joomla component. At the moment whenever I release a new version I ask the user to download a zip file and to manually upload the changed files via FTP. While this is ok for small releases, when a lot of files have been modified it is a slow, painful and error prone process. As alarming as it may be, many users installed Joomla via Fantastico one-click install and are not familiar with or comfortable using FTP.
I have recently added support for Joomla 1.6 which seems to provide a nice update facility for automated updates. Unfortunately the documentation seems to be lacking, e.g. what is the tags element, can the download type not be "full" and if so what would that look like?
Can anyone explain the update process better or provide any good examples?
Joomla 1.5 is going to be around for a long time, is there a similar update process for 1.5?
For Joomla 1.5 at least, there is no need to use FTP for updating. In your XML manifest you can set the component to update. Rather than download, unzip, and FTP up, all your users would need to do is download the entire package, then install via the Joomla admin.
I am not sure about 1.6, your best bet would be to take apart a 1.6 component. It is my understanding that it is a rather simple process.