Virus on my Joomla website? Please Help

I've had a few people say that when they visited my site they caught a virus off of it.. :thinking:
I run a Joomla based site and am wondering if their software just doesn't like the scripts on it.
It's a bit worrying though and not sure what to do, I don't even know how to check if there are any viruses or not.

The last person said he had 57 trojans???

My website addy is in my profile for those that dare to look and help :naughty:
 
I just had a look at your site and no warnings or anything were given by my Avira antivirus, I will run a scan though to be sure.
Well, just scanned with antivirus and Malwarebytes and it came back clear. I think they probably had them already or it's the competition trying to stop you selling photos :LOL: nice site BTW
 
Ask them to tell you how they know... I've just opened up the site and nothing to report here...

(I am an information security consultant BTW :D)
 
Well, they are slightly wrong actually - the problem (if there was one) would almost certainly be caused by modifications to your site to include embedded links to malware hosted elsewhere. It's unlikely that any dodgy stuff would actually ever be on your site itself.

Something you will want to do though is to make sure your admin passwords for your webhosting are secure. Don't make them a dictionary word or anything too obvious. Go for something really obscure - Hj4a@!mv45z$P for example. Write it down if you have to - the biggest threat is password guessing tools, Joomla is too widespread and obvious to be safe. If you use something stupid like "admin" or "password" or even your wife/child/football team name, you will get 0wn3d sooner or later...
 
After a super fast look - the site looks clean to me. Ask the people concerned how they knew it was your site. Perhaps you have an outbound link to a bad domain?
 
Chrome seems OK but using Firefox and AVG, I was taken to ptth://scanray4.com/22/?uid=13100 (misspelt on purpose). AVG kicked in and protected me and I have a screenshot that shows my computer files being deleted in the background although this appears to be fake.

I tried to resize the screenshot but it looks awful, if the OP wants a copy, I can email it if it'll help sort out any issues
 
Just been and opened it up ....... no problems at all, and we've got Avast which seems to pick everything up. Nice site by the way
 
Hmmmm something must be different on Gary's PC - he must have some sort of unpatched vulnerability I am guessing. That will be Windows, Firefox or Java...

Quite where the malware is coming from though I don't know. You often see problems with sites that serve up adverts from other places, but our friend here doesn't seem to have any of that. There's a lot of Java in that page, maybe it's embedded in there???
 
That would be the outbound link I was talking about. Time for some professional help, or a reinstall, followed by the correct security patches, mods and plugins
 
Just out of interest... how is your website set up? Is it all hosted in one place or have you bought a domain and are getting it to point web traffic at something like your ISP free webspace?

I've just done a site suck on your website and it looks like there is an invisible frame handling the redirect. Nothing iffy in it, but just wondering if you've got a domain redirect that it could actually be compromised from there....
 
It's weird because it doesn't redirect every time ... only about every 8th go.

I've checked my system and everything's fine, updated Java, Windows, Firefox, AVG, Spybot etc. and emptied all caches, temp internet files.
 
Sounds like a load balancer in there...
 
No redirect, both name and site parked with Servage :shrug:
 
You go on my site.. and every 8th attempt or so it redirects you somewhere else? Where? :shrug:
 
I can't get it to redirect me via Firefox, but I have had this myself on a few Joomla sites I run. Check your template permissions in the Joomla admin section (in fact check all your permissions, if it says they are writeable... that's not going to make your site hard to modify).
Check your template over for anything dodgy written at the top.
 
That's a very fair point.
Will change the permissions later tonight and also try different templates and see if that does the trick.
Although I never get redirected myself so I will have to rely on you guys :nuts:

One thing I've noticed from people though, is that it seems to happen mainly when you google "trev rich" and go on my site from there, never happens if you bookmark the site and go directly.
 
That's exactly what I did (y) may be a clue there to the more knowledgeable.

Post up when it's done and I'll give a good go :)
 
The only other difference I can see is from Google is http://www.website.com whereas the one on your addy doesn't have the www. - maybe that makes a difference :shrug:
 
Both www.trevrich.com and trevrich.com resolve to the same IP address. I did wonder if there was something iffy with one pointing to a rogue invisible frame type thing, but nope.

I tried Google too, same result.
 
Good find! Ahhh makes sorta sense, especially this:

“Due to the clustered structure of our systems there is no single log file for you to use as your site is served by many servers. ”

So there you go, my load balancing guess as to why it was only coming up some of the time is true... obviously one (or more) servers out of a group has been compromised.

Trev, get yourself some different hosting mate!
 
Haven't looked at your site, but based on the last post I'd suggest these guys: http://ukwebsolutionsdirect.co.uk/

I've got my personal gallery hosted with them, not a single bit of downtime to date, and decent service when you need something from em.

Not the cheapest mind. :|
 
Seems as though it's only the index files that get hacked.. and I can't find any script at all that looks sus in my site.

Can anyone tell me if I'm still getting a virus?
 
Trev, I dunno why it didn't cross my mind before, but just run an HTTP sniffer over your website....

Can't see anything too dodgy coming back, but for some bizarre reason I can see a link to digitalkia.be in there... which is weird, because it's a Belgian computer hardware website... which has to be iffy in some way shape or form.
 
I've just tried it as before ... Firefox searched trevrich from Google then to site and was taken here ... ptth://xmovies-host.com/promo1/?aid=1478&vname=FSCodecPack (misspelt)

Sorry mate :(

Tried it again about 20 times and went straight to your site, no problems ... can't get it to redirect now
 
Hmmmm that's really odd, I'm not seeing that at all!

The HTTP sniffer shows the URLs and IP addresses my computer connects to when I open a page. If anything is being hijacked it shows up...

Let me have another try...
 
OK someone please help.
I have just been told by a potential customer that they googled my name to find my site and ended up on a hard-core porn site.
As explained in previous posts.. it only ever happens when people google me.. not when you go to my site directly.
I'm really fed up with this now and don't know how to go about solving the problem :(

Heeeyyuuulp!!
 
I had a very similar problem with my site, some nice person had injected code into some of my pages, was a pain in the ****. I was on servage too...
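
The pattern reported in this thread (an off-site redirect or invisible frame that appears only for visitors arriving from Google, and only on some requests) can be confirmed by comparing captured responses for direct and search-referred visits. This Python sketch is an added example, not code from any poster; the site name, sample responses and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE = "photos.example"  # assumption: placeholder for the site being checked

def _host(url):
    return (urlparse(url or "").hostname or "").lower()

def _own(host, site):
    return host == site or host.endswith("." + site)

class _Refs(HTMLParser):
    """Collect off-site hosts a page references and flag invisible frames."""
    def __init__(self, site):
        super().__init__()
        self.site, self.hosts, self.hidden = site, set(), set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = _host(a.get("src") or a.get("href"))
        if host and not _own(host, self.site):
            self.hosts.add(host)
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tag in ("iframe", "frame") and (tiny or "display:none" in style):
                self.hidden.add(host)

def offsite(resp, site=SITE):
    """(off-site hosts, hidden-frame hosts) for one captured response."""
    p = _Refs(site)
    p.feed(resp["body"])
    loc = _host(resp["headers"].get("Location"))
    if 300 <= resp["status"] < 400 and loc and not _own(loc, site):
        p.hosts.add(loc)  # off-site HTTP redirect
    return p.hosts, p.hidden

def referer_only(direct, referred, site=SITE):
    """Hosts present in any search-referred sample but in no direct sample."""
    base = set().union(*(offsite(r, site)[0] for r in direct))
    seen, hidden = set(), set()
    for r in referred:  # many samples: the thread saw roughly 1 hit in 8
        hosts, frames = offsite(r, site)
        seen |= hosts - base
        hidden |= frames - base
    return sorted(seen), sorted(hidden)

# Constructed captures of the same URL (not data from the thread).
PAGE = '<a href="http://www.photos.example/g">g</a><img src="http://cdn.example.net/a.jpg">'
DIRECT = [{"status": 200, "headers": {}, "body": PAGE}] * 3
REFERRED = DIRECT * 2 + [
    {"status": 302, "headers": {"Location": "http://landing.invalid/x"}, "body": ""},
    {"status": 200, "headers": {}, "body": PAGE + '<iframe src="//frames.invalid/" width="0"></iframe>'}]
```

For a real check, capture each response without following redirects, once with no Referer header and once with a search-engine Referer, and repeat enough times to reach every server behind the host's load balancer.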
 