View Full Version : HELP! Site hacked and hidden link inserted?

04-20-2009, 05:42 PM
Yesterday our sites security was breached and some hacker came in inserting his link into our sites code? We cannot find it anywhere and have even replaced the core file of our cms site? Whatever we do his link shows up on our site and we cannot find out how to remove it, here is the code:

<table class="blog" cellpadding="0" cellspacing="0"><tr><td valign="top"><div><div id="only-bots" style="display: none;">
<a href="http://hackersurllink.com">un wanted link</a>

If anyone has any idea on where this code could be hidding, please help, we want to remove it asap.

thanks so much for your help..

Here is an example of the code he inserted in another site:

Just look at the source and check out all the spmy stuff he inserted?

04-20-2009, 07:38 PM
delete that code?

04-20-2009, 08:29 PM
I would but I cannot find where he hide it. It is not in my template file, not in my css, I am looking all over for it?

04-20-2009, 08:38 PM
Look into your database. The spammer probably used some form on the site or other vulnerability to insert the code into the database. Physical static files can’t be changed like that.

04-20-2009, 09:38 PM
View all of the .htaccess files you have (there may be some stuck in several directories).
They may have done something with .htaccess

04-20-2009, 09:48 PM
Checked that a few hours ago and nothing. Cannot find anything in the htaccess, checked out Vbulletin forum, blog everyhing and am running out of places to look :( Where else can div tags like this be hiding? Or is there a php function somewhere that is calling this code to be inserted in evrey page of my Joomla template?

Thanks for all your help

04-20-2009, 10:32 PM
My first thought would be to contact hosting support, they generally have the ability to do more, and if you can pinpoint a timeframe perhaps you can roll back your site to that time?

Otherwise, is Joomla up to date? You might consider reuploading Joomla files to make sure that one wasn't altered. It sounds bad, but you probably have an outdated version of Joomla out there, which is a security risk of any platform. Otherwise, its not Joomla but something like .htaccess as mentioned.

I'm pretty involved with Joomla, so if you want me to take a closer look at it send me some details or post them here, such as the site url?

04-21-2009, 12:42 AM
Thanks for all the help and responses. We finally figured out the problem. We replaced all the files in the mambots folder and deleted 2 components we were not using: Joomfish for translation and another simple Slide show module. We tried to go through as many modules as possible to find where this code is hidden but could not find it. Finlay as last resort we just replaced the folders and deleted old components as mentioned above.

We noticed over the past weeks hundreds and sometimes thousands of 404-logs jam-packed with requests for dodgy looking files, ukrainians, russians, indians (IPS from all thos countries). Obviously they are looking for known exploitable scripts, which they might of found in our case.

What is the best thing to do to prevent this in Joomla jeremy?


04-21-2009, 12:28 PM
Well first don't use out of date files. This is less to do with Joomla and more to do with any script, make sure everything is up to date. You mentioned mambots, which means you are using 1.0, not that you have to upgrade to 1.5, but it might be something to consider.

Second if you have IPs hitting your site, block them. If you don't plan on targeting certain countries, perhaps block them entirely.

Third always remove things you aren't using. Obviously it was an issue with a mambot, as they are the only thing that can control the output of each page besides the core itself.

Fourth always be selective when choosing an extension or third party plugins for any software. Look at things like is it being developed, does the developer respond to issues with patches or updates, and so on.

Fifth make sure your server environment is secure. Change passwords regularly. Perhaps your host is lax on security and has some vulnerabilities, I always recommend paying a little more for a solid host than to skim by on a budget host which fails to watch its security.

If you have so many 404 entries, then they have your site and will keep hitting it in all likelyhood. Contact your host about getting those IP addresses blocked.

Again, these aren't just Joomla things, they relate to any website attack or any script.