
Joomla malicious code removal


Here is my website. http://ziggymonster.com/

At first it had 4 trojan-infected js files and some malicious code. I have cleaned those files. But now I am unable to find this JavaScript include.

<script src="http://boneraffyaho.cz.cc/jquery.minph.js"></script>

You can see it by viewing the source of the page.

It is included at the end of each page. It keeps the page loading and the scanner detects it as malicious code.

The things which I have tried so far:

1) Changed the template.
2) Tried to disable all components.
3) Tried to disable all components.
4) Tried to disable all plugins.
5) Downloaded the complete site and searched for this code in the complete site. But could not find it.

But it was still there. Can you give me some suggestions?


Solution

  • The malicious code is present within the page even when JavaScript is disabled - this tells us it isn't being written there by a document.write within other js files.

    When we visit the site with the tmpl=component&no_html=1 settings which suppress template output and send only the component's output the code is still present: http://ziggymonster.com/?tmpl=component&no_html=1

    This would point quite strongly to the code having been appended at the end of the main Joomla index.php file in the root of your website. Alternatively the component.php file in your template's own folder or in the /templates/system/ folder may be viable candidates.

    Cleansing a site in situ is risky - but can be done with the right knowledge, some experience and the right tools. I'd advise finding an experienced Joomla security expert to do so, or face re-building the site's files: install a fresh Joomla in a totally clean folder (localhost server would be best), install all of your extensions, then remove your live site, and upload the files to your web space tying the files to the original database.

    Of course reverting to a backup from a few days ago would be the best option - you do have backups, yes?

    You should examine log files for an idea of how the attack was perpetrated. You should also change all passwords, upgrade Joomla and all add-ons - and consider changing web hosts if it looks like another account on the server provided access to allow the hackers in.

    Good luck.
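
One way to check the downloaded copy of the site against a fresh install, as an added example that is not part of the original answer: it reports PHP/JS files that differ from the clean tree and, where a file is the clean file plus extra bytes at the end (the case the answer suspects for index.php and component.php), returns the appended bytes. It assumes a clean tree of the same Joomla version with the same extensions; the function names, the stub file contents and the injected.example URL are constructed for illustration.

```python
import tempfile
from pathlib import Path

def appended_tail(live: bytes, clean: bytes) -> bytes:
    """Return the bytes added after the clean file's content, or b'' if none."""
    base = clean.rstrip()
    return live[len(base):].strip() if live.startswith(base) else b""

def audit(live_root, clean_root, suffixes=(".php", ".js")):
    """Map relative path -> (status, appended bytes) for files that differ."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = {}
    for live in sorted(live_root.rglob("*")):
        if not live.is_file() or live.suffix.lower() not in suffixes:
            continue
        rel = live.relative_to(live_root).as_posix()
        ref = clean_root / rel
        if not ref.is_file():
            findings[rel] = ("extra", b"")  # not shipped with the clean install
            continue
        # Normalise line endings so an ASCII-mode FTP download is not flagged.
        a = live.read_bytes().replace(b"\r\n", b"\n")
        b = ref.read_bytes().replace(b"\r\n", b"\n")
        if a.rstrip() == b.rstrip():
            continue  # identical apart from trailing whitespace
        tail = appended_tail(a, b)
        findings[rel] = ("appended", tail) if tail else ("modified", b"")
    return findings

def demo():
    """Build two small constructed trees (not real Joomla files) and audit them."""
    stub = b"<?php\n// constructed stand-in\necho 'page';\n?>\n"
    injected = b'<script src="http://injected.example/x.js"></script>'
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "templates/system").mkdir(parents=True)
            (root / "index.php").write_bytes(stub)
            (root / "templates/system/component.php").write_bytes(stub)
        # Live index.php: CRLF line endings plus a tag appended after '?>'.
        (live / "index.php").write_bytes(stub.replace(b"\n", b"\r\n") + injected)
        (live / "images").mkdir()
        (live / "images/cache.php").write_bytes(b"<?php /* constructed */ ?>")
        return audit(live, clean)

if __name__ == "__main__":
    for rel, (status, tail) in demo().items():
        print(f"{status:9} {rel} {tail[:80]!r}")
```

A file reported as "modified" was changed somewhere other than its end and needs a manual diff against the clean copy; "extra" files under upload or image folders deserve the same attention.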