Oh no!

Status
Not open for further replies.

crusad77

New Member
Morning all, I have awoken this morning to find the website I run for my local Scout Group suspended. I have followed the appeals process and it says it's because the website is running malicious code.

Now I have some experience of using Joomla (which the site is built in), but I can't for the life of me think why it would suddenly have malicious code on it.

It's a website for a charity organisation which we use to keep our young people and parents informed.
Whilst I'm waiting to see what happens to my appeal has anyone had this issue before or know what causes it?
 

Skizzerz

Contributors
Staff member
Usually the cause is not keeping your software up-to-date or not using strong passwords for your administrator accounts. More information should be given in the response to your appeal.
 

crusad77

New Member
Thanks for the reply, Skizzerz. It may be because the software is not up to date. I'm still using Joomla 1.5. Well, at least I hope it's that reason :(
 

Livewire

Abuse Compliance Officer
Staff member
It was; I've responded to the dispute and restored the account. As an FYI to anyone stumbling on this, keep your software up-to-date - old versions likely have unpatched software exploits, which can result in the account being disabled for security, and even after unsuspension the content will likely get moved to a non-public folder to keep the server secure.
 

crusad77

New Member
OK, this may seem like a silly question, but I can't get access to my Joomla admin side to perform the update whilst it's in the _compromised folder. Am I allowed to move it back to the public_html folder to get access and perform the update? Or will it suspend it immediately?

Thanks to anyone in advance
 

Livewire

Abuse Compliance Officer
Staff member
It won't suspend immediately, but I do not recommend moving any of those files live - the compromise was quite extensive. If any of the files in the old install are compromised, the update won't fix them enough to un-compromise them, leaving the entire account open once again. The exploits essentially open a back-door into the account; once the exploit's there, the account becomes an open book since even if the rest of the install is secure, that back-door is not.
 

crusad77

New Member
Thanks Livewire, could you give me a more detailed output on the compromise please? What would you recommend as a course of action?

Thanks in advance

James
 

Livewire

Abuse Compliance Officer
Staff member
If at all possible, I would say ignore everything in the old files that ends in .htm, .html, or .php - any of those are at risk of compromise. If you need to grab images, those should be fine, but I would go to Joomla's main site and download a fresh install file from them and install it from scratch, as that's the only real way to ensure the files themselves aren't already compromised.

The issue with Joomla and other CMSes is that it isn't easy to identify what's been compromised by looking at the files. Some of them are blatantly obvious, where it inserts something like "eval(base64_decode(" right at the top of the file, followed by what looks like random characters. The problem is that lately they've been embedding more subtle lines throughout the code, such as eval(base64_decode($_REQUEST['cid'])) two-thirds of the way through a 4kb core file. It's not easy to check for them, sadly, which is why we recommend starting over as fresh as possible just to ensure the old compromises don't carry over.
 
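As an added example (not code from the thread, from the host or from Joomla), the script below does the crude check Livewire describes: it walks a site tree, looks only at the .php/.htm/.html files he flags as at risk, and reports lines that match common backdoor indicators such as eval(base64_decode( at the top of a file or an eval(base64_decode($_REQUEST['cid'])) buried deep inside an otherwise legitimate core file. The extension list, the indicator patterns and the tiny fake Joomla tree it scans are all constructed for the example; a real scan would use a fuller signature set and still needs a human to confirm each hit.

```python
import os
import re
import tempfile

# Extensions singled out in the thread as at risk; .phtml/.inc added as common PHP aliases (assumption)
SCAN_EXTENSIONS = {".php", ".phtml", ".inc", ".htm", ".html"}

# Generic backdoor indicators (constructed for this example; not an exhaustive signature set)
SUSPICIOUS_PATTERNS = [
    # eval(base64_decode(...)) and eval(gzinflate(base64_decode(...))) style loaders
    ("eval_base64", re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I)),
    # eval() fed straight from a request parameter
    ("eval_request", re.compile(r"eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)),
    # base64_decode() fed from a request parameter, e.g. base64_decode($_REQUEST['cid'])
    ("base64_of_request", re.compile(r"base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)),
    # preg_replace() with the /e modifier, which evaluates the replacement as PHP
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    # a very long unbroken base64 blob, typical of an encoded payload
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def scan_file(path, root):
    """Return (relative path, line number, indicator name) for every suspicious line in one file."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    findings = []
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((rel, lineno, name))
    return findings


def scan_tree(root):
    """Walk the site tree and scan only the extensions that can carry server-side code."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, fn), root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a tiny fake Joomla tree with one clean file and two injected ones."""
    root = tempfile.mkdtemp(prefix="joomla_scan_")
    files = {
        # clean bootstrap file: no findings expected
        "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire_once 'libraries/joomla/import.php';\n",
        # obvious dropped shell, loader on line 1
        "tmp/tmp.php": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n",
        # subtle injection: one line buried two-thirds of the way through a core file (line 42)
        "libraries/joomla/import.php": (
            "<?php\n" + "// core code\n" * 40
            + "eval(base64_decode($_REQUEST['cid']));\n" + "// more core code\n" * 20),
        # same pattern in a non-code file: skipped because .txt cannot execute on the server
        "README.txt": "eval(base64_decode('...'))\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, lineno, name in scan_tree(build_sample_tree()):
        print(f"{rel}:{lineno}: {name}")
```

The scan deliberately reports line numbers rather than just filenames, because the whole point of the subtle variant is that the surrounding file looks legitimate and only one line needs replacing or, as the thread recommends, the whole install replacing from a fresh download.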

crusad77

New Member
Thanks Livewire, you've been really helpful, one last question however.
Can you tell if the files were compromised when I uploaded them or only in the last few days? How often do your servers run checks? I have a backup that is 4 weeks old (on my local drive), you see, and I was wondering if it's worth installing the new version of Joomla, changing all passwords, and then slowly restoring from this backup.

Once again thanks in advance

James
 

Livewire

Abuse Compliance Officer
Staff member
This one actually didn't get picked up by our scanners; it was reported when one of the phishing pages went live. That said, look for these files in your backup; if they exist, the backup was done when the account was already compromised:

public_html/tmp/tmp.php
public_html/cru.php

There were a bunch of others in the main folder that I had already erased (sadly I don't remember their names) but if either of those two files exist, it was already compromised.

The other way to check is to pick up a fresh install of Joomla, and compare file names/locations - if there's a large number with unusual filenames in the backup that don't exist in a new install, it's been compromised.

To be honest, out of the two options, if the backup is intact/uncompromised that is the faster option to use, and would work for getting the site live in a heck of a lot less time. If you're at all unsure though, install the new Joomla, and slowly restore from the backup.
 

crusad77

New Member
Morning Livewire! Thank you so much for the help you provided last night. I have both a fresh copy of Joomla and my original backup.
My backup is clean! I've run different scans on it and there are no infected files! So thanks very much for your help! I'm going to upload the backup file and update to Joomla 2.5, and then find any additional security features I can add and change my passwords!

You're great Livewire! thanks so much
 

Livewire

Abuse Compliance Officer
Staff member
No problem; if you need anything else, let us know!
 