At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.
The host blamed Joomla so I took the appropriate steps:
Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwriteable.
It stopped the injection for a few days but then it came back.
I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.
The iframe also infected a Drupal install I did as a test.
So according to these facts, is this a hosting company not taking responsibility, or can an infected Joomla site spread to other normal HTML sites and different CMSs on the server?
This situation is ruining me and I strongly suspect it's a Hosting problem and not Joomla.
Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.
The iframe exploit installs itself on every index file...in every folder - components, mambots, etc. Additionally, it attaches itself to any and every kind of addon that has an index.html file.
[edited by: encyclo at 1:11 am (utc) on Sep. 5, 2007]
You can see the effects of various Joomla vulnerabilities from the list of published advisories, for example:
You will need to try to get your host to give you more detail about how the server was compromised, as not knowing which Joomla vulnerability was to blame means that it is impossible to check the veracity of their claim.
Bear in mind that if you were negligent in keeping your CMS installation up-to-date, that will naturally put at least some of the responsibility in your hands.
Actually I got infected before without taking enough security precautions.
But the problem is that even after updating and taking all the precautions the iframe came back...
Now is there a way to do a find and replace on the server, to get rid of all the malicious code (on about 1000 files, I approximate)?
even after updating and taking all the precautions the iframe came back
Which would indicate that the hacker may still have a "back-door" to the server. You don't mention if this is a dedicated server or shared, managed or unmanaged. Whatever the case, don't try to repair it, you simply need to switch to a good backup of your sites and move everything off the compromised server. That means a different physical machine, different user account password (and all access passwords changed), either with your current host or a new one.
Once a server is compromised, you can't really trust it again short of having it wiped clean and reinstalled from scratch.
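A read-only check that fits the advice above, added here as an example and not code from any poster in this thread: it walks a backup copy or docroot and reports index files that carry an iframe after the closing </html>, the symptom described in the first post. The function names, the index.* filename filter and the 1024-byte fallback window are assumptions; the sample markup in the comments is constructed.

```python
import os
import re
import sys

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
HTML_CLOSE_RE = re.compile(rb"</html\s*>", re.IGNORECASE)
TAIL_BYTES = 1024  # assumption: window inspected when a file has no </html>


def trailing_iframes(data):
    """Return iframe tags found after the last </html> in data.

    A legitimate iframe inside the page body is not reported; only markup
    appended past the end of the document is. Files with no closing tag
    (PHP fragments, partial templates) fall back to their last TAIL_BYTES.
    Constructed example of a hit:
        b"<html></html>\n<iframe src='http://injected.example/'>"
    """
    closes = list(HTML_CLOSE_RE.finditer(data))
    tail = data[closes[-1].end():] if closes else data[-TAIL_BYTES:]
    return [m.group(0).decode("latin-1") for m in IFRAME_RE.finditer(tail)]


def scan_tree(root):
    """Map relative path -> trailing iframe tags for each index.* file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = trailing_iframes(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


if __name__ == "__main__":
    # Usage: python scan_index.py /path/to/backup-or-docroot
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, tags in sorted(scan_tree(target).items()):
        print(rel, tags)
```

An empty result on a backup only shows that this one symptom is absent from it; it says nothing about other changes an intruder may have made.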