Index.html and Index.php Code Additions (malware) - Joomla! Forum - community, help and support


I have had a site "infected", and have been doing my best to recover the situation and prevent similar events in the future. I will begin by stating that I am not experienced with Joomla and I'm trying to rapidly learn as I go while needing to try to restore a production site quickly. The site became infected while running version 1.5.9, not 1.5.10 (I have since upgraded; the site was public for a week before being attacked). I've been trying to soak in the information provided in the beginner's guides and such, but I know I would benefit from seasoned veterans potentially pointing out problems or providing guidance beyond what I have learned to this point. I am including a detailed diagnostic report below, and hope that any configuration flaws might be pointed out.



diagnostic information
joomla! version: joomla! 1.5.10 production/stable [ wohmamni ] 27-march-2009 23:00 gmt
configuration.php: not writable (mode: 555 ) | rg_emulation: n/a
architecture/platform: linux 2.4.21-53.elsmp ( i686) | web server: apache ( http://www.mywebsiteremovedforsecurityconcerns.com ) | php version: 5.2.5
php requirements: register_globals: disabled | magic_quotes_gpc: enabled | safe_mode: disabled | mysql support: yes | xml support: yes | zlib support: yes
mbstring support (1.5): yes | iconv support (1.5): yes | save.session_path: writable | max.execution time: 30 seconds | file uploads: enabled
mysql version: 5.0.67.d7-ourdelta-log ( *edited*.secureserver.net via tcp/ip )

extended information:
sef: disabled (without rewrite) | ftp layer: disabled | htaccess: implemented
php/suexec: user , web server accounts same. (php/suexec installed)
php environment: api: cgi-fcgi | mysqli: yes | max. memory: 64m | max. upload size: 8m | max. post size: 8m | max. input time: 60 | zend version: 2.2.0
disabled functions:
mysql client: 5.0.18 ( latin1 )


A detailed description of the problem I am encountering follows. I first became aware of a problem on the site when the homepage and other pages failed to load. The error stated there was an unexpected '<' on line 89. The second indication I had of a significant problem was that, once I got the site running again, it was infecting computers with a piece of malware that would install a fake virus scanner called "Spyware Protect 2009." It looked like the page would begin loading, and in the status bar of Internet Explorer you could see it contact "bitsinfoware.net" and appear to download a file called "pdf.php" to the visiting computer. Once that completed, it would launch the Spyware Protect 2009 malware.

Further investigation uncovered what looked like additional code in the index.php and index.html files. There may be others, but these are what I have uncovered so far. An example of some of the code I found suspicious is shown below:


[removed]


Other strange code had PHP echos that I tried to hunt down and delete. Unfortunately, I don't have a sample of them to post at the moment. They occur at the end of .php files.

At this point I'm trying to determine what vulnerability I have that left me open to attack so I can fix it. I was hoping to discover the best course of action to try and recover from what has happened. I've learned a great deal about what I was doing wrong, but I know I have more to learn. Was this an SQL injection attack? Something different? Is the database alright? Thanks in advance for any assistance provided.

Search the forum for more information on index file injection. A quick fix till things are in order (in fact a reliable one): remove the malicious code & make the index files read-only (chmod 444).
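The quick fix suggested in the reply above (clean the index files, then chmod 444), extended with a SHA-256 baseline so that a later re-injection is noticed. This is an added example, not part of the original thread; the function names, the web-root path and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example: lock Joomla index files read-only and detect later changes.
# The web root and baseline file passed in are assumptions, not from the post.

# SHA-256 of one file (sha256sum on Linux, shasum where that is missing).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Every index.php / index.html under the web root, sorted.
list_index_files() {
    find "$1" -type f \( -name 'index.php' -o -name 'index.html' \) | sort
}

# Run once, after the injected code has been removed by hand:
# chmod 444 each index file and record "<hash>  <path>" in the baseline.
lock_and_baseline() {
    root=$1; baseline=$2
    : > "$baseline"
    list_index_files "$root" | while IFS= read -r f; do
        chmod 444 "$f"
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# Run later (for example from cron): report files that are missing, whose
# content changed, or whose mode is no longer 444. Returns 1 on any finding.
verify_baseline() {
    baseline=$1; status=0
    while read -r want f; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; status=1
        elif [ "$(hash_file "$f")" != "$want" ]; then
            echo "MODIFIED $f"; status=1
        elif [ "$(ls -ld "$f" | cut -c1-10)" != "-r--r--r--" ]; then
            echo "WRITABLE $f"; status=1
        fi
    done < "$baseline"
    return $status
}
```

Keep the baseline file outside the web root. The diagnostic report above shows PHP running as the same account that owns the files, and that account can change the mode back, so the hash comparison is what reveals a repeat injection.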




