See the free Joomla code. Flight magazine Stars and viruses


If you have SSH access to the site, you can find files with injected code using the following commands:

#grep -lr --include=*.php "eval(base64_decode" /pathWebroot
#grep -lr --include=*.php "strrev(" /pathWebroot

If you don’t have SSH access, you can ask the hosting support service to run the search for you and send you the report.


Example listing:

./components/com_wrapper/wrapper.php
./components/com_wrapper/controller.php
./components/com_wrapper/router.php. com_banners/models/banner.php
./components/com_banners/models/banners.php
./components/com_banners/controller.php
./components/com_banners/router.php
./components/com_finder/views/search/view.html.php
./components/com_finder/helpers/route.php
./components/com_finder/helpers/html/filter.php
./components/com_finder/helpers/html/query.php
./components/com_finder/controllers/suggestions.json.php
./components/com_jshopping/tables/productfiles.php
./components/com_jshopping/tables/statictext.php
./components/com_jshopping/tables/country.php
./components/com_jshopping/tables/productlabel.php
./components /tables /shippingext.php
....
./administrator/components/com_jshopping/controllers/orderstatus.php
./administrator/components/com_jshopping/controllers/shippingsprices.php
./administrator/components/com_jshopping/controllers/vendors.php
./administrator/components/com_jshopping/controllers/productlabels.php
./administrator/components/com_jshopping/controllers/categories.php
./administrator/components/com_cache/cache.php
./administrator/components/com_cache/models/cache.php
./administrator/components/com_cache/controller.php
./administrator/components/com_cache/views/purge/view.html.php
./administrator/components/com_cache/views/cache/view.html.php
./administrator/components/com_cache/helpers/cache.php
./administrator/components/com_content/tables/featured.php

1606 entries in total. That is practically all of the PHP files. You can delete the injected code manually, but that takes a very long time. A new file, images/post.php, was also discovered; it is used for executing code.

Removing malicious code from infected files

First, create a full backup copy of the site in case something goes wrong.

If the integrity of your site is important to you, you can remove the injection code by entering simple commands.

#grep -lr --include=*.php "eval(base64_decode" /pathWebroot | xargs sed -i.bak "s/eval(base64_decode[^;]*;//"
#grep -lr --include=*.php "strrev(" /pathWebroot | xargs sed -i._bak 's/$_ = strrev([^;]*; @$_([^;]*;//'

These commands remove all occurrences of such malicious code from the files and create backup copies of them with .bak extensions. This only buys you time for a complete restoration of the site; it does not save you from further attacks. Keep in mind that there is a high probability that files like the images/post.php described above, which allow any code to be executed, are present, along with old holes in the installed extensions.
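
The cleanup above, reworked as an added example that is not part of the original article: it previews every change before touching a file, backs up only files that really change, and leaves files that still contain a marker (for instance a legitimate strrev( call) for manual review. The sample tree, its file names and the placeholder payload strings are constructed.

```sh
#!/bin/sh
# Added example (not from the original article). All paths and sample file
# contents are constructed; file names are assumed to contain no newlines.

# The two substitutions from the article, with the literal "$" escaped.
SED_EVAL='s/eval(base64_decode[^;]*;//'
SED_STRREV='s/\$_ = strrev([^;]*; @\$_([^;]*;//'

# scan_injected DIR: list PHP files containing either marker string.
scan_injected() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval\(base64_decode|strrev\(' {} + | sort
}

# strip_markers FILE: print FILE with both injected statements removed.
strip_markers() {
    sed -e "$SED_EVAL" -e "$SED_STRREV" "$1"
}

# preview_clean DIR: show what would change, without modifying anything.
preview_clean() {
    scan_injected "$1" | while IFS= read -r f; do
        strip_markers "$f" | diff -u "$f" - || true
    done
}

# clean_injected DIR: rewrite only files that change, keeping FILE.bak.
clean_injected() {
    scan_injected "$1" | while IFS= read -r f; do
        tmp="$f.clean.$$"
        strip_markers "$f" > "$tmp"
        if cmp -s "$f" "$tmp"; then
            rm -f "$tmp"    # marker present, injected statement not matched
        else
            # cat keeps the owner and mode of the original file
            cp -p "$f" "$f.bak" && cat "$tmp" > "$f" && rm -f "$tmp"
        fi
    done
}

# make_sample DIR: constructed tree with two injected files, one legitimate
# use of strrev() and one clean file. The payload strings are inert.
make_sample() {
    mkdir -p "$1/components/com_demo"
    printf '%s\n' '<?php eval(base64_decode("UExBQ0VIT0xERVI=")); echo "index"; ?>' \
        > "$1/index.php"
    printf '%s\n' '<?php $_ = strrev("REDLOHECALP"); @$_("PLACEHOLDER"); echo "router"; ?>' \
        > "$1/components/com_demo/router.php"
    printf '%s\n' '<?php echo strrev("abc"); ?>' > "$1/components/com_demo/legit.php"
    printf '%s\n' '<?php echo "clean"; ?>' > "$1/components/com_demo/clean.php"
}

demo() {
    d=$(mktemp -d) && make_sample "$d"
    preview_clean "$d"
    clean_injected "$d"
    echo "Still matching after cleanup (review by hand):"
    scan_injected "$d"
    rm -rf "$d"
}
demo
```

Run preview_clean on a copy of the web root first; anything scan_injected still lists after clean_injected did not match the known injection pattern and has to be read by hand.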

Third party extensions

If you have not been locked out of the site's admin panel, you can view the installed components, modules, plugins and templates there. If there is no access, you need to inspect the site by connecting via FTP or SSH.

mod_banners mod_login mod_users_latest mod_articles_archive mod_breadcrumbs mod_menu mod_weblinks mod_articles_categories mod_custom mod_random_image mod_whosonline mod mod_articles_latest mod_finder mod_search mod_articles_news mod_footer mod_stats mod_articles_popular mod_languages mod_syndicate

#ls ./administrator/modules
index.html mod_latest mod_menu mod_quickicon mod_title mod_cus mod_logged mod_multilangstatus mod_status mod_toolbar mod_feed mod_login mod_popular mod_submenu mod_version

Only the standard Joomla modules are used.

List the components:

#ls ./components
com_banners com_finder com_media com_search com_wrapper com_contact com_jshopping com_newsfeeds com_users index.html com_content com_mailto com_phocapdf com_weblinks

#ls . te com_menus com_plugins com_weblinks com_cache com_content com_jshopping com_messages com_redirect index.html com_categories com_cpanel com_languages com_modules com_search com_checkin com_finder com_login com_newsfeeds com_templates

Besides the standard components, com_jshopping and com_phocapdf are used.

List the plugins:

#ls ./plugins
authentication content editors-xtd finder phocapdf search user captcha editors

You also need to look through each of these folders. They are plugin groups.

#ls ./plugins/authentication
gmail index.html joomla ldap
#ls ./plugins/captcha
index.html recaptcha
#ls ./plugins/content
emailcloak geshi joomla codemirror index.html none tinymce
#ls ./plugins/editors-xtd
article image index.html pagebreak readmore
#ls ./plugins/extension
index.html joomla
#ls ./plugins/quickicon
extensionupdate index.html joomlaupdate
#ls ./plugins/search
categories contents index.html newsfeeds weblinks
#ls ./plugins/system cache /plugins/user contactcreator index.html joomla profile

In addition to standard plugins, the phocapdf plugin is used.

List the templates:

#ls ./templates
atomic beez_20 beez5 index.html system templ1

In addition to standard templates, templ1 is used.

Restoring the infected site
  • We download the distribution kit of the latest release, unpack the archive into the directory of the new website and remove the installation directory from it.
  • The file htaccess.txt is renamed to .htaccess. If the old one contained directives written by you, transfer them from the infected copy.
  • We copy the configuration.php file from the infected copy, first checking it for injected code.

Third party extensions

  • Well-known third-party components Phoca PDF, JoomShopping, Phoca PDF Content Plugin are popular.
  • We unpack and copy the files, first creating the directory structure of the infected copy. Don't forget about localization files.

Things are somewhat more complicated with the template. The template was generated by special software and cannot be found anywhere. You will have to “strip everything unnecessary out of it.”

Luckily, the template has 21 PHP files and all the injected code can be removed with the command:

#grep -lr --include=*.php "strrev(" /pathWebroot | xargs sed -i._bak 's/$_ = strrev([^;]*; @$_([^;]*;//'

Own files

  • Create directories containing images, documents and other files and copy them.

The site should start working as soon as you replace the old one with the new one.

Go to the administrative panel of the site, change the username and password for access to the CMS, and check whether the Super Users e-mail has been changed (the attacker can use the forgotten-password recovery function). Never use the standard username admin. Carefully review the rights of all users. The possibility that the attacker created another administrator cannot be ruled out.

Replace the username and password for the MySQL database. If the standard database table prefix jos_ is used, replace it with something else, to avoid the danger of SQL injection attacks.

After completing the restoration work, install the BotsGo404 plugin.



I was prompted to write this post by questions from several site owners about how to remove malicious code from their resource. Below I will try to describe a sequence of simple steps that requires no special knowledge and will be useful to beginners in the administration of Internet resources.

How can you tell that a site has become the victim of an attack that planted malicious code on it? The first and simplest sign: the site has stopped working or does not look the way a “healthy” resource should. This may show up as unwanted content appearing or your own content disappearing, or pages failing to load or loading with errors. In addition, if your site is added to Yandex or Google webmaster tools, you will most likely receive a notification from these systems about malicious code. In some cases, you can learn about the vulnerability from your browser (screenshot from Google Chrome).

In such situations it is strongly discouraged to try to open the page anyway.

Searching for malicious code on the site

We won’t try to figure out the motives of the person who installed the malicious code on your site. Our main goal is to find the “bad” code and remove it. To begin with, you need to scan the resource to find all the “infected” pages. This narrows the search. For example, the malicious code may have been placed as a JavaScript script on a single page, say, in the body of a post or a comment on it. In this case, the problem can be resolved through the site admin panel by removing the code from that post/comment. Otherwise, you have to search the source code of your resource.

To scan the site for vulnerabilities, you can use https://sitecheck.sucuri.net. The result may look something like this:

As you can see from the screenshot, the “bad” script was found on many pages of the site, so it has to be looked for in the source code.

You can get access to the site's source code in the following ways:

  • The simplest way is through the site admin panel. In WordPress, for example, “Appearance” -> “Editor”. This method is not very convenient because there is no search over the contents of files, so you have to look through them all one by one and look for the “bad” script.
  • Many blogs, corporate resources and online stores are hosted on servers that can be accessed through the hosting control panel. Often this panel is cPanel. To gain access you need to know the login and password. They are usually sent, when the hosting is purchased, to the person who made the purchase. After logging in to the control panel, you can look through all the source files via the “File Manager” and try to find the ones that contain the malicious script.
  • The most convenient way is through an FTP client. If you connect to your resource with an FTP client, you can easily run a search over the contents of the source files.
  • Don't try to find the malicious code in your site's source files by searching for it in full. Pick out its unique part, such as googleleadservices.cn in our case, and repeat the search several times.

    Removing the malicious code

    Once the malicious code has been found, it must be removed. In our case, the site was running on Joomla, and the “bad” script was inserted into index.php in the root directory. That is why the vulnerability was detected on several pages at once: this index.php is used when every page of the resource is built.

    Immediately after removing the malicious code, I recommend changing the passwords of all users in the site’s control panel, and also looking for the experience of other administrators who have encountered this problem. It is possible that some additional measures will need to be taken.

    Prevention

    Prevention is always better than cure, so I recommend that you:

  • Use “good” passwords for all users of the site (long, with digits, upper- and lower-case letters).
  • Take seriously and filter the content that is not generated on the site by you (guest posts, comments).
  • Do not wait for a notification, but periodically scan the site for vulnerabilities.
  • Update the content management system (WordPress, Joomla, Drupal, ...) in good time.
  • With questions and remarks, please use the comments.

    You often come across this situation: the site was working normally and suddenly started behaving like a janitor with a hangover, the hoster writes angry letters, search engines avoid the site, and browsers block it with a warning that this site attacks computers!

    Where do the viruses come from?

    The most widespread cause today is the use of a quickstart (a quickstart is an installation archive that lets you easily deploy an exact copy of a site, with many extensions), usually downloaded from warez resources; a quickstart purchased from the developer is, of course, nothing to be afraid of. It is really convenient: you don’t have to worry about design, installing extensions, or configuring the site. However, along with the site you can often get a set of scripts that give control over your resource, for sending spam, distributing viruses or placing invisible links to third-party resources (black-hat SEO).

    Why do warez resources include a backdoor (from the English back door) in the archives? As a rule, warez resources live on per-download payments from file-sharing services, which, in turn, earn on advertising and on paid subscriptions that raise the download speed, which is limited for ordinary users. That money is small, though; there is far more in it if you can control hundreds and thousands of sites. If you do want a quickstart, buy it from the developer; the average price is 30-50 dollars, which is inexpensive even at the current exchange rate.

    In second place is hacking the CMS through vulnerabilities, and for all the security of the engines the reason is trivial: updates are not installed. Some are afraid that after the update the site will “fly off”, some are just too lazy, or a studio built the site and handed it over to the client. The client entrusted the management of the site to one of the employees, who dutifully fills it in according to the instructions, and updating is not among their duties.

    For example, as one of the possible reasons for the “Panama Papers” leak, experts cite an outdated CMS: Drupal, which at the time had at least 25 vulnerabilities, and WordPress 4.1 with a vulnerable plugin.

    Looking for the backdoor

    First of all, a PC antivirus is of little use here: no matter how many PHP backdoors you place on your computer, they will not be able to infect your PC.

    Second, it may be a short piece of code (usually encrypted) that loads the malicious scripts from another resource, and if so, go and try to find it.

    You can go about it in different ways.

    First option

    Since the site contains thousands of files, searching for changes or “extras” can take a long time, and the result may be disappointing: some time after the resource has been cleaned, “rogue” links appear again.

    We install a clean Joomla (or another CMS), then install the template and all the components, modules and plugins that were on your site. We transfer all the images from the old site, the images directory, having first checked that it contains no files other than images, including in subdirectories. If you have the K2 component installed, the images will be located in the media/k2/items/cache/ directory.

    Attention! It is worth checking for images with an obviously random name, such as i2495mg.gif; such images usually hide code that gets executed.

    We connect the old database. Malicious scripts practically never write anything to the database, and even if they do, the scripts for accessing the database are no longer there; you can also tell from the table names what the data belongs to and delete the extra tables manually.

    Connecting the database from the old site

    We export the database. We go to phpMyAdmin on the hosting, select the required database in the left column and go to the “Export” tab. Click “Select all”, optionally choose zip compression, and at the very bottom of the page click “OK”. We save the database to the PC. We go to phpMyAdmin, create a new database, go into it, open the Import tab and specify the path to the downloaded dump. Now all that remains is to edit configuration.php, located in the root directory, with any editor, for example Notepad++.

    public $db = "base"; - instead of base, specify the name of your database;

    public $user = "root"; - if you did not change the user name on the local server, leave it as is;

    public $password = ""; - on the local server the password is usually empty, so leave this as is too.

    We save changes and check the site.

    Second option

    If you have enough experience, you can open the page source and see whether it contains “foreign” links, and then see, for example through Firebug, where they come from. As a rule, they are encoded, usually with the base64 algorithm.

    If you don’t have the experience yet, you can use an online service; the simplest option is the Yandex or Google webmaster tools, or the web scanner https://rescan.pro/. I prefer to review the page code manually, although, of course, all sorts of scripts and scanners speed up the work considerably.

    Example of searching for “rogue” links

    For the example, I took a quickstart from one of the warez resources. Press Ctrl+F5 to view the source code; even a quick look reveals:

    In the admin panel, we switch the site template to a standard one; the links disappeared, which means the code that produces them is in the warez template, and that is where we will look for it.

    Open Notepad++, press Ctrl+F, go to the “Find in Files” tab, specify the template directory, and search for “sa_wqngs”. Click “Find All”. The search found two occurrences.

    We delete the lines and refresh the page; the lines with the links did not disappear, and since I had not found any direct links earlier, the code must be encoded.

    We launch a new search, now for “base64”, and find in the template code:

    We remove lines 174, 184 and 186 (I won’t comment on the code; anyone who wishes can look up a description). We refresh the page source again; the links are gone. In the same way, we go through all the search results for base64; by the way, there were about a dozen similar insertions in the template. Sorting by date helps a lot here: if most of the files in the template are dated, say, May 1, 2014, then files changed, say, months later are at the very least suspicious.

    Should you update the site?

    Nowadays, “evil hackers” do not break into websites manually, unless, of course, it is a major portal or a database of confidential information. Hacking has long been put on the conveyor belt. For this purpose, bots (scripts) are written that go through all the sites on popular CMSs, try to apply a library of vulnerabilities to them, and then put every successful intrusion to work. Accordingly, as soon as a new vulnerability appears, it is immediately added to the library.

    Nearly all current CMSs inform you right in the admin panel that a new version has been released and needs to be installed, yet one often comes across sites that have not been updated for a long time.

    Using a scanner

    Of course, it’s not always possible to find the “surprises” manually, and it may be that you did not update the system or extensions in time and a backdoor was installed on the site... There are a lot of scanners; one of them is AI-Bolit. Besides, it is free for non-commercial websites.

    We use it on the “experimental” site where I was looking for the rogue links. How to use it is well documented on the official resource, so I will not duplicate the information.

    As a result of the express check, I received a report on two vulnerabilities. The first told me about the old version of the engine, which I already knew.

    The second reported a vulnerability in administrator/components/com_k2/lib/elfinder/elFinder.class.php - AFU: elFinder. Perhaps the reason is that the component is already out of date.

    Just in case, I downloaded the latest version of the component from the official website and compared the version flagged by the scanner with the freshly downloaded one. The Compare plugin for Notepad++ is very convenient for this. As expected, the only differences were in the versions.

    Coming in from the rear

    The check could have ended at this point, but in case of paranoia there is one more step. One of the best ways is to see what packets your site sends. We install Wireshark; there is good documentation on the developer’s website as well. We browse the pages of the site; yes, the site makes requests, but there’s nothing wrong with that: it loads fonts from Google Fonts, videos from YouTube...

    Conclusion

    This material, of course, is not a detailed instruction for cleaning sites, only a small guide to action. The road is mastered by the one who walks...

    And of course it is better to put basic protection in place, but more on that in the next part.

    Joomla is not only one of the most popular CMSs on the Internet. Unfortunately, this content management system is also among the most exposed to hacker attacks. Today we’ll talk about what to do if your Joomla site has been hacked, and we’ll also look at how to prevent attacks and fight the attackers.

    Communication with readers made us add this paragraph. We do not offer free or paid consultations related to the hacking of your site, but we are ready to provide a paid service to clean up and restore the site after a hacker attack.

    Why do hackers break into a site?

    We will not consider the exotic cases where an attack on a site is carried out deliberately in order to obtain information. After all, when confidential data is placed on the Internet, anything is used for it except Joomla. The motivation of today's attackers is well understood and can be divided into three main categories.

    Promoting the attacker's site.

    Scripts are injected that fill your pages with links to the attacker’s website. A redirect is also possible, where the visitor is sent straight to the site the attacker wants.

    There are also situations where the attacker gains access to the database and the administration panel, and you find other people’s articles and news in the list of materials.

    Hacking to boost the hacker's self-esteem

    Joomla files may be completely deleted or replaced with the attacker's scripts. There is a high probability that the visitor will see something in dark-red tones, where it will be written that the hack was done by a wonderful lad from Turkey.

    Sending spam “on behalf of” your site.

    In 2015, the majority of hacks occurred for this reason.

    What is the working algorithm of the malicious scripts and the attackers?

    The attack on the site is carried out through a vulnerability in the Joomla CMS or in a component. There are also cases where an installed extension contains malicious code from the start.

    This applies to components, plugins, and modules that were obtained illegally.

    The result of penetration into the site is the appearance of numerous script files in various Joomla directories.

    The names of the files and their placement in the directories are such that at first glance it is difficult to tell the malicious scripts from the “native” Joomla files. That’s why the site is often cleaned incompletely, and after a few days or weeks another batch of spam is sent from your domain name.

    Almost immediately a stern letter arrives at your address from technical support, demanding that the security problem be fixed. Inaction risks the blocking of your account and the disconnection of your site.

    What to do if the Joomla site has been hacked?

    Your war with the malicious scripts starts with your hosting provider. Most likely, it is this very letter that gives the signal for military action.

    Their success largely depends on what tools your hosting company provides. I’ll list the main ones:

    An antivirus built into the hosting panel. As a rule, it does not do the cleaning itself, but it helps you find a significant part of the malicious scripts

    Access to SSH. Without it, there can be no talk of a full-scale fight against viruses

    Prompt and qualified technical support

    A good backup copy. The ideal option is to be able to restore or download a month-old copy

    If your hosting provider does not provide anti-virus software (it can be built into the hosting panel, or run by the hosting provider itself at your request), grab your infected site and change the company that provides the hosting service. The market is simply flooded with such offers.

    Most sites are hosted on shared hosting, and I would give a solid five for all the points listed above to the companies linked below:

    It's a completely different story if you rent the entire server. The first, third and fourth points will be entirely on your conscience. And point two goes without saying.

    Procedure in the event of a hack

    Step 1. Cleaning the site of malicious files

    As a rule, it doesn’t take long for the letter from hosting technical support to arrive. Much less often, the owner discovers the hack himself.

    The simplest way is to restore the site from an uninfected backup copy. However, it is only suitable if there have been no changes on the site for a long time.

    On a regularly updated site, the search has to be done manually, and it is done over SSH. The task is extremely simple. You need to find out which files have been changed recently, for example over the past week. For the Debian operating system the command looks like this:

    find /directory where you search/ -type f -mtime -7

    With this command, the system will display the files that have been changed in the last 7 days. Pay attention to files with the .php extension.

    They are the threat. Keep in mind that some of the displayed files may turn out to be uninfected and belong to Joomla itself. Therefore, keep at hand the original distribution of the same version that is currently running.

    There are two files in the screenshot. The first one is most likely a virus. The other is a Joomla system file.

    How do we know?

    The thing is that in the directory /components/com_weblinks/views/category/ there should be no start.php file at all.

    And the error.php file in the /logs/ directory is part of the CMS. However, even if this particular file is deleted, nothing critical will happen, since it only serves as the store for Joomla logs.
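
The comparison described in this step (recently changed files checked against the original distribution of the same version), as an added example that is not part of the original article. It reports recently modified PHP files that are absent from the clean distribution or differ from it; both directory trees and their contents are constructed.

```sh
#!/bin/sh
# Added example (not from the original article). The two directory trees are
# constructed; file names are assumed to contain no newlines.

# triage_recent SITE DIST DAYS
#   For every *.php under SITE modified in the last DAYS days, print
#   "UNKNOWN  path"  if the clean distribution DIST has no such file,
#   "MODIFIED path"  if DIST has it but the contents differ.
#   Files identical to the distribution are not reported.
triage_recent() {
    site=${1%/}; dist=${2%/}; days=$3
    ( cd "$site" && find . -type f -name '*.php' -mtime "-$days" ) | sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$dist/$rel" ]; then
            echo "UNKNOWN  $rel"
        elif ! cmp -s "$site/$rel" "$dist/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
}

# make_trees SITE DIST: constructed sample. SITE holds one dropped file, one
# altered core file, one untouched core file and one file altered long ago.
make_trees() {
    cat_dir=components/com_weblinks/views/category
    mkdir -p "$1/$cat_dir" "$1/libraries" "$2/$cat_dir" "$2/libraries"
    echo '<?php echo "view"; ?>'  > "$2/$cat_dir/view.html.php"
    echo '<?php echo "index"; ?>' > "$2/index.php"
    echo '<?php echo "lib"; ?>'   > "$2/libraries/old.php"
    cp "$2/$cat_dir/view.html.php" "$1/$cat_dir/view.html.php"
    echo '<?php /* constructed: altered copy */ echo "index"; ?>' > "$1/index.php"
    echo '<?php /* constructed: dropped file */ ?>' > "$1/$cat_dir/start.php"
    echo '<?php /* constructed: altered long ago */ ?>' > "$1/libraries/old.php"
    touch -t 202001010000 "$1/libraries/old.php"
}

demo() {
    s=$(mktemp -d); d=$(mktemp -d)
    make_trees "$s" "$d"
    triage_recent "$s" "$d" 7
    rm -rf "$s" "$d"
}
demo
```

Modification times can be reset by whoever wrote the file, so the 7-day window is only a starting point; a very large DAYS value compares the whole tree against the distribution.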

    Step 2. Protecting the site from hacking

    Let's assume that you have successfully dealt with all the malicious scripts. Hosting technical support and the antivirus have reported: “yes, everything is clean.” What do you need to do to prevent this from happening again?

    Updating Joomla and extensions to the latest version

    If your site is running on a version of Joomla before 3.X, that is one more reason to think about upgrading. Lately, many hosting providers have been insisting on it.

    This does not solve the security problem 100 percent, but in the future you will be able to quickly update the system by pressing one button and install security patches, which will save you a lot of work.

    I would like to pay special attention to the extensions installed on your site. Every component, plugin and module must also be updated to the latest version. Conduct an audit in the administrative panel of your website.

    Are all the extensions being used?

    Due to low qualifications, today's web developers solve any problem by installing a plugin or module, when it would be enough to add a couple of lines of code to the website template. Or edit the CSS.

    The fewer additional extensions on your site, the lower the likelihood of a hack!

    RSFirewall component

    Regardless, a site that runs on the Joomla CMS is subject to attacks. Hackers' attempts to guess the passwords to the admin panel and attempts to inject malicious code occur with enviable regularity. It is impossible to withstand the attacks and intrusions single-handedly.

    I draw your attention to a component that takes care of the safety of the site. Its name is “RSFirewall”.

    Let's briefly look at the main capabilities, functions and tasks of RSFirewall:

    Checking your system for vulnerabilities. The database, the files and the environment in which the site operates are analyzed

    Comparing your system's files with the original Joomla distribution. This significantly simplifies the search for infected files.

    Analysis of rights to directories and files.

    Searching for files with malicious code. After the list is displayed, you have to analyze each file manually, since some of them may turn out to be perfectly working code of Joomla extensions

    Logging attempts to log in to the Joomla admin panel and the ability to block users who have entered an incorrect login and password many times

    Logging any visits to the site and the ability to block the IP address from which a hacking attempt was made

    Restriction of access to the site from designated countries.

    The component is paid. The current version is available exclusively for Joomla version 3.X

    At the time of writing, it is distributed in three options. Below is a table showing the price, the subscription terms and a link to the page where the subscription can be purchased.

    We will install RSFirewall with the “default” localization. That is, the interface language will remain English.

    The component is installed in the standard way, through the extension manager. After the component is installed, go to “Components – RSFirewall – System Check”


    A page will open where we are offered to check the configuration of Joomla and the server for resistance to hacking. The following will also be searched for:

    Joomla files that have been modified and differ from those in the original distribution.

    malicious files

    permissions on directories and files will be checked

    To start the check, just press the “Perform the System Check” button.


    Let's look at the result of the analysis.

    At the top, you can see the number of points, or percent, that the component assigns after checking the site. The value “100” is the best rating. At the moment, the site under test is rated at 84 points. Let's find out why.


    Let’s go through the list in detail, not excluding the text highlighted in green.

    Joomla Configuration section

    Checking if you have the latest Joomla! Version - Check: the current version of Joomla is installed. Yak bachimo, z tsim use garazd. At the time of writing this article, the version of Joomla was 3.4.8

    Checking if you have the latest RSFirewall! Version — Verification: The remaining version of the RSFirewall component is installed. This is an important characteristic of the security of your system; from version to version, the component not only acquires a database of useless scripts, but also gradually changes functionally due to the appearance of problems in Joomla.

    Checking if you have a weak database password - This component checks the strength of the password to the database.

    Checking if the default "admin" user is active . - The login of the super administrator of the site, for security reasons, may be classified as the broad “admin”. If you know the component from the database of a koristuvach with such a login, show up in advance.

    Checking if you have set your FTP password - At the stage of installing Joomla or editing it, a fatal error is allowed. Access via the FTP protocol is required in the Joomla configuration file. This is the place and no less tragic option. When saving your Joomla settings, the login and password for the admin panel are recorded in the FTP access field. Therefore, make sure that all parameters in the configuration.php file are empty.


    Checking if you have Search Engine Friendly URLs enabled - Checks whether Joomla's SEF URL support is enabled.

    Checking the integrity of configuration.php - Checking the configuration.php file for correctness and integrity.

    Checking if any admin users have weak passwords - Checks whether the passwords of any of your site's super administrators are easy to crack.

    Checking your session lifetime - Checks the session lifetime that is set in the Joomla settings. If it is more than 15 minutes, a warning appears.

    Checking if there are any files left in the Joomla! temporary folder - Checks whether any files remain in the Joomla temporary folder. By default this directory is the “tmp” folder. Keep this directory clean, because after Joomla extensions or updates are installed it may still contain archives and scripts.

    Checking for .htaccess - Checks for the presence of the .htaccess file. After Joomla is installed, an htaccess.txt file is created in the root of the site by default. Your task is to rename it to .htaccess, exactly as written: with a dot at the beginning and without .txt at the end.

    Checking if the Joomla! temporary folder is publicly accessible - Checks whether the directory for temporary Joomla files is publicly accessible. What does that mean? Simply put, whether the folder opens when you type www.yoursite.com/tmp in the address bar of your browser.

    Not everyone knows that the temporary directory can be placed so that only Joomla scripts have access to it. All you need to do is create a folder with an arbitrary name one level above the directory where the site is installed and specify the path to this folder in the configuration.php file.

    Checking your Session Handler - Checks the type of session handler. We recommend setting the value “None”. You can do this in the Joomla settings.
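Several of the checks in this section can be reproduced by reading configuration.php directly. The following is an added example, not RSFirewall's own code: it assumes the Joomla 3 property names `ftp_user`, `ftp_pass`, `lifetime`, `session_handler`, `sef` and `tmp_path`, and the sample configuration and web root path are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the layout of a Joomla 3 configuration.php.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sef = '1';
    public $lifetime = '60';
    public $session_handler = 'database';
    public $ftp_user = 'siteadmin';
    public $ftp_pass = 'constructed-example';
    public $tmp_path = '/var/www/example/tmp';
}
"""

PROP_RE = re.compile(r"""public\s+\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")

def parse_config(text):
    """Return {name: value} for the quoted JConfig properties."""
    return {m.group(1): m.group(3) for m in PROP_RE.finditer(text)}

def audit_config(text, webroot):
    """Return findings for the settings discussed above (values never echoed)."""
    cfg, findings = parse_config(text), []
    for key in ("ftp_user", "ftp_pass"):
        if cfg.get(key):
            findings.append(f"{key} is set; clear it")
    lifetime = cfg.get("lifetime", "")
    if lifetime.isdigit() and int(lifetime) > 15:
        findings.append(f"lifetime is {lifetime} minutes (more than 15)")
    if cfg.get("session_handler", "none") != "none":
        findings.append("session_handler is not 'none'")
    if cfg.get("sef") != "1":
        findings.append("SEF URLs are disabled")
    tmp = PurePosixPath(cfg.get("tmp_path", ""))
    root = PurePosixPath(webroot)
    if tmp == root or root in tmp.parents:
        findings.append("tmp_path is inside the web root")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, "/var/www/example"):
        print(finding)
```

The findings name the property but never print its value, so the report can be shared without leaking a password.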

    Server Configuration section

    Let's move on to the next section, where we analyze the server configuration.

    From the component's point of view, the PHP configuration directives are not set properly.

    There is no need to understand what the directive is for. However, you need to keep up with the current Joomla catalog that I wrote about.

    Copy it to the hard drive of your computer and delete it from the root of the site: it is for information only and lists the values of the PHP directives that you should set in your php.ini.

    How to find it on the server and what access you have to it, check with your hosting provider. PHP directives are often changed through the settings of the hosting control panel. There is no universal recipe here.

    Scan Result section

    Here are the results of your system scan. Let's go through them.


    Scanning the integrity of your Joomla! (CMS) files - this section shows the result of scanning the Joomla CMS files and comparing them with the original distribution to check their integrity and detect changed files. Not only scripts are checked, but also image files and CSS. In short, everything.

    Scanning your folders - use the FTP protocol to go through each of the listed folders and make sure it is free of malicious scripts.

    Scanning your files - this concerns file permissions. The actions should be similar to those for directories.

    Scanning your files for common malware - scanning to detect malicious code. As we can see, RSFirewall found one file; when analyzed in a text editor, it was indeed recognized as malicious and was deleted from the server.
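The integrity and permission scans described above can be cross-checked by hand with a clean copy of the same Joomla release unpacked next to the site. This is an added example and not how RSFirewall itself is implemented; the two directory arguments are assumptions supplied by the person running it.

```python
import hashlib
import os
import stat
import sys

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large archives do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def hash_tree(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests

def compare_trees(reference_dir, site_dir):
    """Compare the live site against a clean copy of the same release."""
    ref, site = hash_tree(reference_dir), hash_tree(site_dir)
    return {
        "modified": sorted(p for p in ref if p in site and ref[p] != site[p]),
        "missing": sorted(p for p in ref if p not in site),
        "extra": sorted(p for p in site if p not in ref),
    }

def world_writable(root):
    """List files and directories that any local user may write to."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

if __name__ == "__main__" and len(sys.argv) == 3:
    report = compare_trees(sys.argv[1], sys.argv[2])
    report["world_writable"] = world_writable(sys.argv[2])
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Entries under `extra` include legitimately installed extensions and uploads, so each one still has to be reviewed; entries under `modified` are core files that no longer match the distribution.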

    Let's summarize

    Unfortunately, it is impossible to cover all the capabilities and settings of the RSFirewall component within a single article. In the near future we will look at configuring the component.

    If you are not ready to deal with a hacked site yourself, write through the “Contacts” section or in the chat at the bottom right corner of the screen.

    There is a fee for using the site.

    The current version of the work is indicated on the page: “Cleaning sites (CMS Joomla) against viruses”

    With respect, Volodimir Egorov
