
Forum Moderators: phranque


My host blames Joomla for iframe exploits

iframe injections, malicious script, spam, abuse

     
1:01 am on Sep 5, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Dec 12, 2003
posts:412
votes: 0


All my sites on both my hosting accounts are infected with an iframe.

At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.

The host blamed Joomla so I took the appropriate steps:

Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwritable.

It stopped the injection for a few days but then it came back.

I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.

The iframe also infected a Drupal install I did as a test.

So according to these facts, is this a hosting company not taking responsibility, or can an infected Joomla site spread to other normal HTML sites and different CMSs on the server?

This situation is ruining me and I strongly suspect it's a Hosting problem and not Joomla.

Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.

The iframe exploit installs itself on every index file... in every folder - components, mambots, etc. Additionally, it attaches itself to any and every kind of addon that has an index.html file.

Thanks

[edited by: encyclo at 1:11 am (utc) on Sep. 5, 2007]

1:20 am on Sept 5, 2007 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


If the hole in Joomla allowed command-line access to the server, either under your user account or (worse) as root, then it is possible for the attacker to add exploit code to any and all sites on the same server, whether Joomla-based or not.

You can see the effects of various Joomla vulnerabilities from the list of published advisories, for example:

[secunia.com...]

You will need to try to get your host to give you more detail about how the server was compromised, as not knowing which Joomla vulnerability was to blame means that it is impossible to check the veracity of their claim.

Bear in mind that if you were negligent in keeping your CMS installation up-to-date, that will naturally put at least some of the responsibility in your hands.

1:44 am on Sept 5, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Dec 12, 2003
posts: 412
votes: 0


Thank you Encyclo,

Actually I got infected before without taking enough security precautions.

But the problem is that even after updating and taking all the precautions the iframe came back...

Now is there a way to do a find and replace on the server, get rid of all the malicious code (on about 1000 files, I approximate)?

Thanks

1:53 am on Sept 5, 2007 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9074
votes: 6


"even after updating and taking all the precautions the iframe came back"

Which would indicate that the hacker may still have a "back-door" to the server. You don't mention if this is a dedicated server or shared, managed or unmanaged. Whatever the case, don't try to repair it; you simply need to switch to a good backup of your sites and move everything off the compromised server. That means a different physical machine, different user account password (and all access passwords changed), either with your current host or a new one.

Once a server is compromised, you can't really trust it again short of having it wiped clean and reinstalled from scratch.
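
Restoring from a backup, as advised above, only helps if the backup itself is clean. The following is an added example, not part of the original thread: it walks a document root and flags index files that carry an iframe after the closing `</html>` tag or a hidden iframe. The detection heuristics, function names, and sample pages are constructed assumptions, since the thread never shows the injected markup.

```python
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions for illustration; the thread never shows the payload.
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
HIDDEN = re.compile(rb"(?:width|height)\s*=\s*[\"']?0(?:px)?\b"
                    rb"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def suspicious_iframes(data):
    """Return (reason, tag) pairs for iframes that look injected."""
    # Offset just past the last </html>, or None if the page has no closing tag.
    end_of_doc = max((m.end() for m in CLOSE_HTML.finditer(data)), default=None)
    findings = []
    for m in IFRAME.finditer(data):
        if end_of_doc is not None and m.start() >= end_of_doc:
            findings.append(("after </html>", m.group(0)))
        elif HIDDEN.search(m.group(0)):
            findings.append(("hidden", m.group(0)))
    return findings


def scan_docroot(root):
    """Map relative path -> findings for every index.* file under root."""
    report = {}
    for path in sorted(Path(root).rglob("index.*")):
        hits = suspicious_iframes(path.read_bytes()) if path.is_file() else []
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Scan a constructed docroot: two tampered pages and one clean one."""
    pages = {
        "index.html": b"<html><body>hi</body></html>\n<iframe src='http://example.invalid/a'></iframe>",
        "components/index.html": b"<html><body><iframe src='http://example.invalid/b' width=0 height=0></iframe></body></html>",
        "old/index.html": b"<html><body><iframe src='/map.html' width='400'></iframe></body></html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in pages.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_docroot(root)


if __name__ == "__main__":
    print(demo())
```

Run `scan_docroot` against an unpacked backup before deploying it to the new machine; a visible, legitimately embedded iframe inside the page body is not reported.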