tags:

views:

41

answers:

4
Q: 

Locating source of spam in Joomla

So, I've just started working with a new Joomla site, and something we've added has started hijacking various parts of the site and added links to various places we don't want. Unfortunately, I can't give out a link to the live site right now, but I can describe the problems:

  • In the footer, where it should say "Designed By: " and the name of the place we got our template from, it leaves the "Designed By:" but removes the name of the template author, and instead puts in two links (not giving the hijacker any more hits but here's the text of them), "online album" and "check whois"

  • When we hover over the site name, the alt text is set to "Forex Trading Home" which is most certainly not what it should be.

  • Finally, when you hover over the "Home" item in the main menu, a dropdown appears after a short delay, with a link to "cpanel reseller hosting" inside it.

Now, I'd like to get rid of these advertisements, but I've got no idea where they are coming from. If you guys know some commonly-hijacked files I can search in, or good debugging tricks to find them (I've tried FirePHP, but haven't had much success with it) I'd be much obliged. Unfortuantely, since a few people have been working on the site simultaneously, we're not really sure what extensions could have caused it (if that is in fact, the problem) - but all of them seemed ok, and came from the main Joomla extension site.

EDIT:

Here's a list of the modules I know were installed before we noticed the spam problems start happening:

Other than that, everything else was installed after the problems started, or was a theme that has since been uninstalled (and hence, I don't know what it is anymore). The theme that's on it now, I've looked at thoroughly, but is version of this Martial Arts Theme with a lot of modified images (and one change in the php from a .gif to a .png)

EDIT EDIT: So, still looking, but seems an older version of picasa2gallery (we had a new version at one point, but uninstalled it) had an LFI vulnerability. Perhaps that was the source. In any case, I think I'll be doing a full wipe, and just start over, really.

A: 

Check the server access logs. You'll most likely see accesses to a particular component (look for the com_* in the URI) that are excessive, or just out of place.

When this has happened to my sites it has been a particular component that hijackers are searching Google for (i.e. com_virtuemart was the last culprit) and then they attempt their exploit on the component hoping it is a flawed version.

TomWilsonFL  2010-06-27 18:59:33
almost every one of the lines in my server access logs that contain "com_" reference "com_component", "com_sections", "com_noixacl" (which I know for a fact, some if not all of the spam was there before we installed that one, "com_content" or "com_modules". All of those seem to be ok, any ideas of what ones to look for?I'm going to edit the question with a list of components that I installed as well... hopefully one will jump out at you as "bad"?
camperdave  2010-06-27 19:19:44
First, take a backup of the site then lock down your installation. Assuming this is Linux, remove the write flag from everything. Second, uninstall any components you aren't using. Third, examine your PHP files. They may all have hijacked script injected into them, in which case if the script is only one huge line of code (it often is) you can use grep to fix it. Many times it is a base64 encoded string at the top of the files. Lastly, review the components you have left using the Installer/Uninstaller and do some Googling. You may find others having the same issues with a particular component
TomWilsonFL  2010-06-27 19:35:03
+1  A: 

Your complete Joolma installation seems to be hacked, follow the guideliness what you should do now (reinstalling and securing)

Tobias P.  2010-06-27 19:00:28
Hm, is a full re-install really the best first option? While we haven't gone too far, it is rather annoying to start over...
camperdave  2010-06-27 19:16:09
@camperdave: While you may find and fix a hacked part of the site, you can never be sure you've found all of them. Reinstalling from scratch is the safest option.
Piskvor  2010-06-27 19:29:23
Now that the attacker has (had) full access, how can you be sure that a new back-door has not been introduced? The safest option would be to roll-back to a backup where the site had not been hacked and *fix the original security hole*.
Nitrodist  2010-06-28 03:12:13
A: 

If you can't positively identify and fix the hole they broke in through, it's likely the reinstall Tobias P. recommends is the only safe way. If somebody has access to files on that level, you have a big problem. You will need to identify which way they come in. This could have a multitude of reasons:

  • Somebody exploiting a Joomla security hole (or one in a plug-in)

  • Somebody having gained access to the FTP account through spying on a client computer

  • Somebody exploiting a weakness in the server software

this is most likely somebody exploiting a Joomla hole, and there's probably no reason to panic. But you definitely should find out, or do a reinstall. Maybe you'll find more specific help on the Joomla forums or with your ISP.

While you're at it, best change all FTP passwords too, just to make sure.

Good reading at Google: My site's been hacked - now what?

Pekka  2010-06-27 19:29:59
Grr. Guess I'll start looking for the hole at least. Looks like the FTP account is clean, so time to track down which component caused the trouble. (The site is hosted at HostGator, so I'm really hoping they don't have a server vulnerability, because I can't fix it anyway if that's the case)
camperdave  2010-06-27 19:39:02
@camperdave yeah. In theory, it could also be that your Joomla source files are compromised so make sure you compare them with a local copy. Also, it's advisable to change the database user name and password, as they could have been accessed too.
Pekka  2010-06-27 19:40:49
A: 

So, turns out the correct answer was "none of the above", not that I noticed that until after I erased everything to remove the hack.

Once I restored the theme, and nothing else, I noticed that the "hack" spam links were back, way too fast to even be an automated script.

That's when I discovered that there was a .gif file in the images directory that contained the "bad" PHP code to include the spam links. Ironically, the code they were using to make it was particularly bad, so at least I got a good laugh out of this long ordeal.

Moral of the story: Don't get themes from ThemZa, and if you do, be prepared to dig through them for cruft, if you like the way they look.

camperdave  2010-06-28 03:06:51

related questions

Joomla Question: How to have different image in Intro Text and Main Text
Joomla Forms extension
Is there a good reference for Joomla 1.5 development?
Which software for intranet CMS - Django or Joomla?
what is the difference between Django and Joomla?
Automatically copying new articles from a website.
Joomla problem: where does "$mainframe->getCfg('lang')" come from?!
Joomla main menu html output
How to get the path to the current template in Joomla 1.5?
Passing credentials between sites
How to set an HTTP environment variable from PHP for Bugzilla?
How do i add additional text to a joomla contact page
Redirect joomla url's to wordpress
good component to password reminding in joomla
How do you get the current user object in Joomla 1.5?
PHP Replace Images with GD Library Resampled Images in Joomla
Getting the first item out of a For loop
How can I make part of a Joomla template editable via the CMS interface?
Joomla tutorial
Which PHP-based CMS or framework has the best documentation?
How do I set the Content-type in Joomla?
How do I make a component in Joomla display as an article?
Joomla Blog/Wordpress Integration
What makes Drupal better/different from Joomla
ASP.NET version of Joomla