Today I found foreign JavaScript on my homepage along with a backlink to a website I don't recognize (although the backlink is not visible when viewing my homepage, they have positioned it somehow so that it is hidden but search engines still find it).
I was wondering how my Joomla website managed to become compromised? Is there any possibility you can think of? How can I protect my website from this attack in the future?
First of all, which version of Joomla are you using?
There are some possibilities: Joomla version 1.5.23 or some similar version may have been hacked, with some bad script attached to all JS files, or maybe some rewrite URL condition added to your .htaccess file.
The best option to prevent the problem is to update your Joomla version and change your admin and FTP passwords.
There could be a number of reasons, a few things to check:
Are you on a shared server? Is it secure?
Has someone compromised your password?
Is your version of Joomla up to date?
Are you running any other PHP apps on your web server? Are they secure?
Just because Joomla appears to have been affected doesn't mean that it was necessarily the entry point for the compromise - check everything. Make sure you keep your software up to date. Disable anything you don't require to run your website. Use .htaccess to protect files and folders. Make sure your own computer is as secure as possible and patched and up to date. Make sure you are using the latest version of PHP.
Good luck.
I don't know HOW, but if you want to eliminate it, it is probably in the index.php file; check there.
website root/templates/yourtemplate/index.php
Installed Joomla extensions (plugins, modules, components and templates) may also contain files which are very unsafe and may perform dangerous file activity like updating, renaming, deleting and creating files on your site.
So my suggestion is to read the Joomla forum and manage the permissions of your files according to that.
We are using MySQL db and Apache as our server. All of our project folders are affected by a particular script called "y.js/a.js" which is blocking our whole .js files and sits before that triggers 404 error. The URL it all refers to is https://tom.verybeatifulantony.com/a.js (or) https://tom.verybeatifulantony.com/y.js. It calls this same js files in each and every project.
The following are the screenshots below:
We have noticed this script being inserted in HTML and PHP files in many of our hosted sites as well. This appears to be some sort of malicious code. You will need to remove this script from every file where the script has been inserted.
On Linux, go to the root directory of where all your sites are located, or to the root of each site, and execute the following to get a list of all infected files.
sudo grep --include=\*.{js,html,htm,php} -rnw '.' -e "tom.verybeatifulantony.com"
If you have not read the article on Wordfence security site, check it out. Google "wordfence multiple-attack-campaigns-targeting-recent-plugin-vulnerabilities"
It mentions some compromised WordPress plugins that have been used by attackers to compromise websites using vulnerable plugins. This includes adding back-doors and grabbing administrative rights to the websites. One of the many malicious domains mentioned in the article is tom.verybeatifulantony.com
The article, unfortunately, does not describe a full cleanup method if your site has been attacked (maybe because they offer a paid clean-up service?).
So my suggestion is to install the free version of the Wordfence plugin and use its scan function to check for security problems on your site. Other security plugins might also help but I have no experience of these other plugins. I would also change the admin username and password and check if other admin users have been added and delete them if you don't recognise them. Or change their passwords. Of course, update all your plugins to the latest versions too.
To those with many sites to administer, Wordfence offers Wordfence Central where many sites can be managed from one central dashboard.
PS: I am not in any way connected with Wordfence. I use their free plugin and they send me regular security updates related to WordPress vulnerabilities, which includes naming plugins that have been compromised.
Hello,
The source of this is a vulnerability in the Hello Doly plugin, or rather in a plugin that has not been updated and contains a vulnerability, used in the WordPress CMS, directory wp-hello-plugin. Look through its contents, delete the file (in my case "mn"), and clean the index.php and index.html files of the entry "https://tom.verybeatifulantony.com/y.js'>" and it will be OK.
Just remove the link and save it. I did the same and it works.
It seems that whatever vulnerability this is also changes write permissions on the infected files - remember to change that after editing the files.
Also, infected files seem to be index.php and index.html
Our files are affected, too. Where or how do I have to execute the following you wrote?
sudo grep --include=*.{js,html,htm,php} -rnw '.' -e "tom.verybeatifulantony.com"
Would you be so kind and give me a manual....
I have a web application which has login page.
In the source code (specifically in the <head>), I can see the third party javascript libraries used and the path to this library, sometimes the version of the library.
I can even access the code of these libraries without authentication.
Is that a security risk?
For example:
<script type="text/javascript" src="/****/js/ui/js/jquery-ui-1.2.2.custom.min.js"></script>
<script type="text/javascript" src="/*****/dwr/interface/AjaxService.js"></script>
If yes, how to mitigate it?
Yes, there are two threats you need to mitigate:
First, the authenticity of the library. This can be achieved with SRI, which is a way to check the library signature - see this great post by Scott Helme.
Second, you want to check the library itself for known vulnerabilities. I'm not sure how it can be done when you add the libraries in that way - but there are tools you can use like Snyk to test and see if the library has known security issues. For example, here are Snyk's results for the jQuery version you're using. See here to find out more on the issue.
Hope this helps you out :)
Yes, this approach has some issues.
An attacker can exploit the library server and give you modified library code.
First, I recommend that you download the library (or, even better, add it to your bundle via package.json) and include all libraries from your own server, not a third party.
Every time you download it, you can check the library's checksum to make sure it has not been modified.
This will save you from some issues, but your address can be changed by the attacker too.
(He can redirect the user to his host instead of yours when the user resolves your address.)
So it's safer to have HTML + JS in one file without cross links.
This can be achieved using webpack bundling.
Then an attacker can only compromise the whole app, not a single library, which can be harder.
EDIT
(However, the option of having only one file is good only for a small project. For a bigger project you should use links for performance and accept just a bit more risk.)
And you can check the code that you have (on the server or in package.json) using Snyk, which is an open-source database of vulnerabilities.
EDIT
One more way of protection is using CSP headers. They allow content of a given type (styles, scripts, images, etc.) to be downloaded only from a specific list of sources. This can prevent some kinds of XSS. It is highly recommended to always use all types of CSP headers. However, the risk always remains: a trusted source can be compromised, and even DNS can be compromised.
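The SRI check from the first answer and the checksum check from the second are the same mechanism: a hash of the file's bytes is pinned in advance and compared on every load or download. The following is an added example, not code from either answer, showing how the integrity value is built and how a browser-style check treats a modified file; the library body, the tampered copy and the path /js/vendor/demo-lib.min.js are constructed placeholders.

```javascript
// Added example: Subresource Integrity (SRI) hashes for a script file.
const crypto = require('node:crypto');

const RANK = { sha256: 1, sha384: 2, sha512: 3 }; // the hash algorithms SRI accepts

// Build one integrity token: "<algo>-<base64 digest of the file bytes>".
function sriToken(body, algo = 'sha384') {
  if (!Object.hasOwn(RANK, algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Tag to put in <head>. crossorigin is needed when the file is on another origin.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriToken(body)}" crossorigin="anonymous"></script>`;
}

// Check file bytes against an integrity attribute the way a browser does:
// skip tokens it cannot parse, keep only the strongest algorithm listed,
// and accept if any digest for that algorithm matches.
function verifyIntegrity(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})/.exec(t))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
  if (tokens.length === 0) return true; // nothing usable: browsers load the file unchecked
  const best = Math.max(...tokens.map((t) => RANK[t.algo]));
  return tokens
    .filter((t) => RANK[t.algo] === best)
    .some((t) => sriToken(body, t.algo) === `${t.algo}-${t.digest}`);
}

// Constructed sample data: a stand-in library and a modified copy of it.
const LIB = Buffer.from('window.demoLib = { version: "1.0" };\n');
const TAMPERED = Buffer.concat([LIB, Buffer.from('/* extra code added in transit */\n')]);

// Hypothetical path; pin the hash at build time, check it on every re-download.
console.log(scriptTag('/js/vendor/demo-lib.min.js', LIB));
console.log('original ok:', verifyIntegrity(LIB, sriToken(LIB)));
console.log('tampered ok:', verifyIntegrity(TAMPERED, sriToken(LIB)));
```

Because only the strongest listed algorithm counts, adding a weaker hash next to a stronger one does not widen what the browser will accept.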
A new client of mine has asked to write a script (javascript) to track specific events to be reported in google analytics. The client is using TYPO3 as CMS.
Now, I know that there are a lot of answers to this question. I just wanted to know if there is any way to add an external script without using TypoScript or entering the "typo admin panel" (is this even the name?), because I do not have access at the moment.
I have more experience in WordPress, so a solution like adding a hook or even a plain script tag in, let's say, the TYPO3 "template.php", "index.php", or whatever would be very nice. Does anybody know if that is possible?
No, this is not possible. TYPO3 has a clear separation of code, configuration (TypoScript) and templates - unlike WordPress, which is a big mess of everything.
As written by Fabian Thommen, you could try to change one of the templates, but this depends on how the site is set up.
You can always create an admin account in the Install Tool as long as you have file system access to the typo3conf/ folder.
I just upgraded to WP 4.3.1 on one of my websites. After upgrade (which seemed to go with no problems at all), I noticed that the layout of my pages has changed. There is a bar across the top of my page (not the admin bar) that wasn't there before. When I inspect the element there, I see a whole bunch of new code that is not being created by any of my plugins. And I cannot find the source of this injection in any of the provided php files. I have no idea where it is coming from, but I suspect that something in the WP 4.3.1 package has been compromised, or maybe there is a callout to a site somewhere that injects this code.
Anyway, this is a BIG problem and I don't know how to fix it.
I've copied the injected code below. It appears in all the pages on my site, right below the tag. Interestingly, it can only be seen by "inspecting element" in the browser; page source does not reveal it (I've added some line breaks to make it more readable, but this is exactly what shows up in my page).
This same problem occurs on every site where I upgrade to WP 4.3.1. I hope someone can fix this problem IMMEDIATELY!!
Clearing cache, history & cookies doesn't resolve the problem. I can't tell where this injected code is coming from. Also, Google doesn't seem to be much help in telling me anything useful about http://kfc.i.illuminationes.com/snitch, which is one of the links that is being created.
Our site was infected, this is what we did to get rid of it
Thanks to this discussion which led me to a more detailed one
Connect via ssh to the server
Check the directory structure and find out recently created / modified directories
Check recently modified files for <script>. I found many files having JavaScript inserted which would connect to external sites.
As these calls were made on each page, I checked header.php in wp-content/themes/your-theme directory. (check the ones you are not using as well as that might be infected but may not show in radar)
You might also want to check footer.php for infection.
Recheck file permissions on the server as per the WordPress Hardening guidelines on the Codex
Delete unrequired ftp accounts in FileZilla (or its equivalent)
If you use any caching, delete entire cache.
You can verify if this worked using devtools network tab.
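The manual step above of checking theme files for script tags that connect to external sites can be automated, shown here as an added example that is not part of the original answer. Instead of searching for one known bad domain, it reports every script whose host is not on an allowlist, so an unfamiliar domain is caught as well; the file content and the host cdn.example.org are constructed for the demonstration, and the injected line uses the domain named earlier on this page.

```javascript
// Added example: flag <script src> tags that load from hosts the site does not expect.
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Host of a script URL, or null for same-site relative paths.
function externalHost(src) {
  if (!/^(?:https?:)?\/\//i.test(src)) return null;
  try {
    // Protocol-relative URLs (//host/x.js) need a scheme before parsing.
    return new URL(src.replace(/^\/\//, 'https://')).hostname.toLowerCase();
  } catch {
    return '(unparseable)'; // still worth a human look
  }
}

// Scan one file's text and report every script whose host is not allowlisted.
function findForeignScripts(name, text, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(SCRIPT_SRC)) {
      const src = m[1] ?? m[2] ?? m[3];
      const host = externalHost(src);
      if (host && !allowed.has(host)) hits.push({ file: name, line: i + 1, host, src });
    }
  });
  return hits;
}

// Constructed sample of an infected theme header.php.
const SAMPLE = [
  '<?php /* constructed sample */ ?>',
  '<script src="/wp-includes/js/jquery/jquery.js"></script>',
  '<script src="https://cdn.example.org/lib.min.js"></script>',
  "<script type='text/javascript' src='https://tom.verybeatifulantony.com/y.js'></script>",
].join('\n');

// cdn.example.org is an assumed legitimate host for this site.
console.log(findForeignScripts('header.php', SAMPLE, ['cdn.example.org']));
```

To run it over a real site, read each .php, .html and .js file with fs.readFileSync and pass its text to findForeignScripts, including files of themes that are installed but not active.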
I'm working with a 3rd party vendor who has done the SP 2010 integration of a small site. I've noticed that our incredibly simple login page is nearly 3.2 megabytes. The users of this site are the general public and will include those in rural areas who are still on dial-up. That would obviously be a terrible user experience. It's not so great for those on high-speed connections, IMO (just wasted bandwidth).
Digging into the page, I see that 2.2 megs of the page weight comes from JavaScript files marked debug. I can't see any reason why we should be sending these debug files to end users.
Can these files not be served to users?
Here's a YSlow screenshot, http://i.stack.imgur.com/msGUm.jpg
Also, do we really need to be serving core.css (192k) to end users? Is core.css all the "admin" type of SP css?
Yes, you can serve the minimized version of the javascript files to your end users. There are a couple of ways you can do that. If you are using the ScriptManager tag in the master page there is a property that you can set to control this behavior:
http://msdn.microsoft.com/en-us/library/system.web.ui.scriptmanager.scriptmode.aspx
Or as referenced in that page, there is a way to use that setting plus a web.config file setting to control this behavior.
More info on SharePoint's JavaScript files here:
http://msdn.microsoft.com/en-us/library/ee539757.aspx
As for core.css, it is impossible to know if your 3rd party vendor has relied on anything in core.css so if you have concerns that's something you should bring up with them.