CODEWITHSUNDEEP
joomlajoomla1.5spam-prevention
camperdave
camperdave

Reputation: 1421

Locating source of spam in Joomla

So, I've just started working with a new Joomla site, and something we've added has started hijacking various parts of the site and added links to various places we don't want. Unfortunately, I can't give out a link to the live site right now, but I can describe the problems:

Now, I'd like to get rid of these advertisements, but I've got no idea where they are coming from. If you guys know some commonly-hijacked files I can search in, or good debugging tricks to find them (I've tried FirePHP, but haven't had much success with it) I'd be much obliged. Unfortuantely, since a few people have been working on the site simultaneously, we're not really sure what extensions could have caused it (if that is in fact, the problem) - but all of them seemed ok, and came from the main Joomla extension site.

EDIT:

Here's a list of the modules I know were installed before we noticed the spam problems start happening:

Other than that, everything else was installed after the problems started, or was a theme that has since been uninstalled (and hence, I don't know what it is anymore). The theme that's on it now, I've looked at thoroughly, but is version of this Martial Arts Theme with a lot of modified images (and one change in the php from a .gif to a .png)

EDIT EDIT: So, still looking, but seems an older version of picasa2gallery (we had a new version at one point, but uninstalled it) had an LFI vulnerability. Perhaps that was the source. In any case, I think I'll be doing a full wipe, and just start over, really.

Upvotes: 0

Views: 2097

Answers (4)

Tobias P.
Tobias P.

Reputation: 4664

Your complete Joomla installation seems to be hacked, follow the guidelines what you should do now (re-installing and securing)

Upvotes: 1

camperdave
camperdave

Reputation: 1421

So, turns out the correct answer was "none of the above", not that I noticed that until after I erased everything to remove the hack.

Once I restored the theme, and nothing else, I noticed that the "hack" spam links were back, way too fast to even be an automated script.

That's when I discovered that there was a .gif file in the images directory that contained the "bad" PHP code to include the spam links. Ironically, the code they were using to make it was particularly bad, so at least I got a good laugh out of this long ordeal.

Moral of the story: Don't get themes from ThemZa, and if you do, be prepared to dig through them for cruft, if you like the way they look.

Upvotes: 1

Pekka
Pekka

Reputation: 449613

If you can't positively identify and fix the hole they broke in through, it's likely the reinstall Tobias P. recommends is the only safe way. If somebody has access to files on that level, you have a big problem. You will need to identify which way they come in. This could have a multitude of reasons:

  • Somebody exploiting a Joomla security hole (or one in a plug-in)

  • Somebody having gained access to the FTP account through spying on a client computer

  • Somebody exploiting a weakness in the server software

this is most likely somebody exploiting a Joomla hole, and there's probably no reason to panic. But you definitely should find out, or do a reinstall. Maybe you'll find more specific help on the Joomla forums or with your ISP.

While you're at it, best change all FTP passwords too, just to make sure.

Good reading at Google: My site's been hacked - now what?

Upvotes: 0

TomWilsonFL
TomWilsonFL

Reputation: 523

Check the server access logs. You'll most likely see accesses to a particular component (look for the com_* in the URI) that are excessive, or just out of place.

When this has happened to my sites it has been a particular component that hijackers are searching Google for (i.e. com_virtuemart was the last culprit) and then they attempt their exploit on the component hoping it is a flawed version.

Upvotes: 0

Related Questions