Website under attack ... help needed

Carol Haynes:
A website I set up and host has been compromised but I am not sure what to do.

I can restore a backup before the attack but I really want to avoid it happening again.

The site is based on Joomla. All frontend (public) pages redirect to random websites after about 15 seconds. In the backend this does not happen.

Anyone got any idea where to look for how this is happening?

I have looked at index.php and .htaccess and can't see any obvious changes in the code. Only two of us have admin rights on the website and the forum is not available without logging in. Even then normal users are restricted to BBCODE and can't use any scripts or HTML. None of the site is open for comments.

The site is hosted under a CPanel account on a Linux server.

All passwords are long and random and the backend of the website uses a non-standard URL to get access with a 20+ character pin code just to get to the login form.

Panicking a bit as I am a bit out of my depth with this sort of stuff.

rgdot:
Header file (not index) injected with a redirect code is one likely source.

Often in an up to date, 'secure' install that is on a shared server, another user getting compromised is enough.

Carol Haynes:
--- Quote ---
Header file (not index) injected with a redirect code is one likely source.

Often in an up to date, 'secure' install that is on a shared server, another user getting compromised is enough.
-rgdot (February 11, 2013, 04:14 PM)
--- End quote ---

It is on a VPS - I don't seem to have any other sites compromised.

When you say header file do you mean an insert file (such as a function file) in the template or somewhere else?

Trouble is I have no idea how to track this down. I can restore the site but without knowing what has happened it is just likely to happen again??

mouser:
I have not much guidance to offer, just a few things:

1. Take a deep breath. These things happen. Don't panic, don't stress too much.
2. If the exploit came because of a known issue that has since been patched, then updating your site software (Joomla and extensions) will be sufficient after restoring from a backup.

The fact that this happens AFTER 15 seconds suggests to me that it's probably some JavaScript inserted into every page:
--- Quote ---
All frontend (public) pages redirect to random websites after about 15 seconds.
--- End quote ---

So,

Visit a page with JavaScript disabled so it doesn't redirect, view source, and identify the snippet of code causing the redirect.

Then try to search and find files on your server that contain this code.

wraith808:
^ I had it happen to me when I was using Joomla, and this was exactly what had happened, so good advice (and on the relaxing.  Easy to say, hard to do, but it works)  :Thmbsup:
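
The server-side search suggested above, as an added example that is not part of the original thread: one function lists files containing a literal snippet copied from "view source", the other lists web files changed recently. The function names, the web-root path and the snippet you pass in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, with assumed values:
#   sh find_redirect.sh /home/USER/public_html 'text copied from view-source' 14

# find_snippet ROOT SNIPPET
# Print every file under ROOT that contains SNIPPET as a literal string.
find_snippet() {
    root=$1
    snippet=$2
    # -r recurse, -l file names only, -I skip binary files,
    # -F treat the snippet as fixed text so ( ) { } . are not regex syntax
    grep -rlIF -e "$snippet" -- "$root" 2>/dev/null | sort
}

# recently_changed ROOT DAYS
# Print PHP/JS/HTML/.htaccess files under ROOT modified in the last DAYS days.
# Useful when the snippet is built at runtime and never appears literally on disk.
recently_changed() {
    root=$1
    days=$2
    find "$root" -type f \
        \( -name '*.php' -o -name '*.js' -o -name '*.html' -o -name '.htaccess' \) \
        -mtime "-$days" -print | sort
}

# Run only when a web root and a snippet are given on the command line.
if [ "$#" -ge 2 ]; then
    echo "Files containing the snippet:"
    find_snippet "$1" "$2"
    echo "Web files changed in the last ${3:-14} days:"
    recently_changed "$1" "${3:-14}"
fi
```

If the literal search finds nothing, the redirect may be emitted by encoded PHP or stored in the database, so compare the recently changed files against the pre-attack backup.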
