My Website is infected with malware - Joomla! Forum - community, help and support


Hi,

My website is infected with malware. I don't know how to fix this. Hosting support has restored the website; it is no longer blacklisted, but the malware is still there. Here are the results, please help:

last php error(s) reported :: forum post assistant (v1.2.1) : 19th august 2012 wrote:
[19-aug-2012 05:20:26] php warning: invalid argument supplied for foreach() in /home1/dargahm1/public_html/mohrasharif.com/components/com_easybook/helpers/menu.php on line 25
forum post assistant (v1.2.1) : 19th august 2012 wrote:
basic environment ::
joomla! instance :: joomla! 1.5.15-stable (wojmamni ama mamni) 05-november-2009
joomla! configured :: yes | read-only (444) | owner: dargahm1 (uid: 658/gid: 658) | group: dargahm1 (gid: 658) | valid for: 1.5
configuration options :: offline: 0 | sef: 0 | sef suffix: 0 | sef rewrite: 0 | .htaccess/web.config: yes | gzip: 0 | cache: 0 | ftp layer: 0 | ssl: 0 | error reporting: -1 | site debug: 0 | language debug: 0 | database credentials present: yes

host configuration :: os: linux | os version: 2.6.32-20120131.55.1.bh6.x86_64 | technology: x86_64 | web server: apache | encoding: gzip,deflate,sdch | doc root: /home1/dargahm1/public_html/mohrasharif.com | system tmp writable: yes

php configuration :: version: 5.2.17 | php api: cgi-fcgi | session path writable: unknown | display errors: | error reporting: 6135 | log errors to: error_log | last known error: 19th august 2012 05:20:26. | register globals: | magic quotes: 1 | safe mode: | open base: | uploads: 1 | max. upload size: 10m | max. post size: 10m | max. input time: 60 | max. execution time: 30 | memory limit: 64m

mysql configuration :: version: 5.1.63-community-log (client:5.1.63) | host: --protected-- (--protected--) | collation: utf8_general_ci (character set: utf8) | database size: 445.97 mib | #of _fpa_table: 168
detailed environment ::
php extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | standard (5.2.17) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | simplexml (0.1) | ncurses () | odbc (1.0) | pcntl () | spl (0.2) | pdo (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | pdo_odbc (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | posix () | pspell () | readline () | reflection (0.1) | imap () | shmop () | mysqli (0.1) | soap () | sockets () | sqlite (2.0-dev) | exif (1.4 $id: exif.c 293036 2010-01-03 09:23:27z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | ioncube loader () | zend optimizer () | zend engine (2.2.0) |
potential missing extensions :: suhosin |

switch user environment (experimental) :: php cgi: yes | server su: yes | php su: yes | custom su (litespeed/cloud/grid): yes
potential ownership issues: no
folder permissions ::
core folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

elevated permissions (first 10) :: none blogs/wp-content/flgallery/ (777) | blogs/wp-content/flgallery/images/ (777) | blogs/wp-content/flgallery/tmp/ (777) | blogs/wp-content/flgallery/xml/ (777) | modules/mod_swmenufree/ (757) | modules/mod_swmenufree/cache/ (757) | modules/mod_swmenufree/images/ (757) | modules/mod_swmenufree/images/transmenu/ (757) | modules/mod_swmenufree/styles/ (757) |
extensions discovered ::
components :: site :: black (1.0.0) | user (2.0.3) | banners (2.0.2) | search (2.0.4) | aicontactsafe (1.0.0) | content (2.0.13) | mail (2.0.1) | newsfeeds (2.0.2) | weblinks (2.0.2) | wrapper (2.0.2) | alphacontent (2.0.1) | contacts (2.0.2) | qcontacts (2.0.0) | mailto (1.5.0) | user (1.5.0) | wrapper (1.5.0) |
components :: admin :: phocagallery (2.6.2) | qcontacts (1.0.6) | language manager (1.5.0) | menus manager (1.5.0) | search (1.5.0) | messaging (1.5.0) | installation manager (1.5.0) | content page (1.5.0) | user manager (1.5.0) | jevents (1.5.3 (b1629)) | alphacontent (4.0.15) | alpharegistration (2.0.9) | sef (3.5.4) | aicontactsafe (1.0.0) | aicontactsafe - link (1.0.4.stable) | aicontactsafe - form (1.0.8.stable) | aicontactsafe module (1.0.7.stable) | aicontactsafe (2.0.7.stable) | polls (1.5.0) | agora (3.0.08 olympu) | jevents plugin (1.0.3) | hot property plugin (1.0.1) | virtuemart plugin (1.1.3) | gallery2 bridge plugin (1.0.2) | joomdoc extension (1.0.0) | sectionex plugin (1.0.2) | mosets tree plugin (1.0.1) | sobi2 plugin (1.5.0) | agora plugin (1.0.0) | docman plugin (1.5.0) | myblog plugin (1.0.0) | jomres plugin (1.0) | glossary plugin (1.0.0) | remository plugin (1.0.3) | joomsuite resources plugin (1.0.0) | kunena plugin (1.0.1) | content plugin (1.5.0) | jdownloads plugin (1.5.0) | eventlist plugin (1.0.0) | rapid recipe plugin (1.0.0) | knowledgebase plugin (1.0.0) | joomgallery plugin (1.0.0) | jcalpro plugin (1.0.0) | contacts plugin (1.0.1) | rokdownloads plugin (1.0.4) | rsgallery2 extension (1.0.0) | xmap (1.2.6) | frontpage (1.5.0) | noticeboard (1.3) | configuration manager (1.5.0) | swmenufree (5.2) | contact items (1.0.0) | jumi (2.0.6) | jumi (2.0.6) | system - jumi router (2.0.6) | jumi (2.0.6) | new_gallery (v1.0) | plugin manager (1.5.0) | newsfeeds (1.5.0) | trash (1.0.0) | hpalbum (1.0.1) | control panel (1.5.0) | banners (1.5.0) | template manager (1.5.0) | avreloaded (1.2.6) | media manager (1.5.0) | joomlastats (3.0.2) | mass mail (1.5.0) | acymailing tag : manage su (1.1.3) | acymailing tag : online links (1.1.3) | acymailing tag : joomla user (1.1.3) | user - acymailing (1.1.3) | acymailing : statistics plugin (1.1.3) | acymailing tag : subscriber in (1.1.3) | acymailing tag : content inser (1.1.3) | acymailing tag : date / time (1.1.3) | acymailing onpreparecontent tr (1.1.3) | acymailing template class repl (1.1.3) | acymailing module (1.1.3) | acymailing (1.1.3) | agora olympus discuss plugin (1.0.0) | joomlapack backup notification (1.0) | joomlapack (2.4.1) | cache manager (1.5.0) | tag (1.3.0) | weblinks (1.5.0) | module manager (1.5.0) | jce (1.5.7.4) | jcomments (2.2.0.2) | easybook (2.0 rc4) |

modules :: site :: c7collapze (1.5.0) | slick rss (1.5.0) | read tags (1.7) | pixsearch (0.4.0) | related items (1.0.0) | who's online (1.0.0) | breadcrumbs (1.5.0) | banner (1.5.0) | yooiecheck (1.5.2) | page peel banner (1.1.2) | newsflash (1.5.0) | jumi (2.0.6) | quran verse (1.5.x.0) | acymailing module (1.1.3) | poll (1.5.0) | extended menu (1.0.6 (build ) | salaat times (1.5.x.0) | joomlastats flags (3.0.0) | read content (1.5.0) | footer (1.5.0) | hijri date (1.5.0) | latest news (1.5.0) | agora latest posts basic (1.1.1 basic) | allvideos reloaded (1.2.6) | agorians online (1.2.2) | archived content (1.5.0) | swmenufree (5.2) | moon phase (1.0) | joomlastats activation (3.0.0) | minifrontpage module j! 15 (1.2.2) | random image (1.5.0) | search (1.0.0) | random tags (1.0) | custom html (1.5.0) | ultimate content display (1.1) | minicalendar (1.06) | r3d floater (1.5.0) | syndicate (1.5.0) | menu (1.5.0) | noticeboard (1.2) | popular tags (1.7) | statistics (1.5.0) | wrapper (1.0.0) | latest tags (1.7) | login (1.5.0) | slideshow pro (2.1) | sections (1.5.0) | custom tags cloud (1.0) | aicontactsafe module (1.0.7.stable) | dwho's online (1.6.0) | agora profile (1.3.2) | feed display (1.5.0) |
modules :: admin :: online users (1.0.0) | agora admin manager (1.0.0) | title (1.0.0) | toolbar (1.0.0) | admin menu (1.0.0) | latest news (1.0.0) | footer (1.0.0) | logged in users (1.0.0) | unread items (1.0.0) | joomlapack backup notification (1.0) | user status (1.5.0) | custom html (1.5.0) | admin submenu (1.0.0) | items stats (1.0.0) | popular items (1.0.0) | quick icons (1.0.0) | login form (1.0.0) | feed display (1.5.0) |

plugins :: site :: editor button - jcomments on (1.0) | button - allvideos reloaded (1.2.6) | button - xmap link (1.0) | editor button - jcomments off (1.0) | editor button - agora olympus (1.5) | button - image (1.0.0) | button - phoca gallery (2.6.0) | button - readmore (1.5) | button - pagebreak (1.5) | editor button - add tags (1.3) | button - agora profile (1.5) | search - content (1.5) | search - qcontacts (1.5) | search - easybook (2.0) | search - tags (1.5) | search - weblinks (1.5) | search - newsfeeds (1.5) | search - categories (1.5) | search - sections (1.5) | search - contacts (1.5) | search - jcomments (1.0) | searchbot - agora 3 (1.3) | paste (1.5.7.4) | file browser (1.5.7.4) | media object support (1.5.7.4) | advanced code editor (1.5.7.4) | image manager (1.5.7.4) | jce spellchecker title (1.5.7.4) | paste (1.5.7.4) | joomla! links advanced lin (1.2.1) | zoo2 links advanced link (1.0.0) | advanced link (1.5.7.4) | editor - tinymce 3 (3.2.6) | editor - jce 1.5.7.4 (1.5.7.4) | editor - xstandard lite jo (1.0) | acymailing tag : date / time (1.1.3) | acymailing onpreparecontent tr (1.1.3) | acymailing tag : subscriber in (1.1.3) | acymailing tag : joomla user (1.1.3) | acymailing : statistics plugin (1.1.3) | acymailing tag : online links (1.1.3) | acymailing tag : manage su (1.1.3) | acymailing tag : content inser (1.1.3) | acymailing template class repl (1.1.3) | system - allvideos reloaded (1.2.6) | system - remember me (1.5) | system - artio joomsef (3.3.1) | system - cache (1.5) | system - alpharegistration (2.0.9) | system - backlinks (1.5) | system - tag sef (1.3) | system - legacy (1.5) | system - marco's sql injection (1.1.0) | system - metagora (1.4) | system - debug (1.5) | system - alphacontent (4.0.15) | system - sef (1.5) | security - jhackguard (1.0.11) | system - log (1.5) | system - jumi router (2.0.6) | system - jcomments (1.0) | user - joomla! (1.5) | user - example (1.0) | user - acymailing (1.1.3) | user - jcomments (1.0) | authentication - joomla (1.5) | authentication - example (1.5) | authentication - gmail (1.5) | authentication - openid (1.5) | authentication - ldap (1.5) | content - alphacontent (4.0.15) | content - allvideos reloaded (1.2.6) | jumi (2.0.6) | content - example (1.0) | google maps (2.12m) | content - agora olympus discus (1.0.0) | content - bonckolen image gall (2.1.0) | content - agora authorbot plus (1.1) | content - tags (2.1) | content - code highlighter (ge (1.5) | jscribd (1.0.1) | content - vote (1.5) | phoca gallery plugin (2.6.2) | content - email cloaking (1.5) | content - load modules (1.5) | content - pagebreak (1.5) | content - page navigation (1.5) | phoca gallery slideshow plugin (2.6.2) | content - jcomments (1.0) | xml-rpc - joomla api (1.0) | xml-rpc - blogger api (1.0) |
templates discovered ::
templates :: site :: siteground-j15-70 (1.0.0) | siteground-j15-73 (1.0.0) | dj-0013 (1.0) | rhuk_milkyway (1.0.2) | lavinya_black (1.0) | ja_purity (1.2.0) | mountain (1.0.0) | siteground-j15-75 (1.0.0) | beez (1.0.0) | midnight (1.0.0) | uj_darkworld (1.0.1) | siteground-j15-39 (1.0.0) | siteground-j15-18 (1.0.0) | bucolic2 (1.0) | siteground-j15-1 (1.0.0) | siteground-j15-49 (1.0.0) |
templates :: admin :: khepri (1.0) |

Here are possible hack points:
1. The site is on 1.5.15 - the current version is 1.5.26 - you are using an old, vulnerable, hackable version of Joomla!
2. The error shows in com_easybook - EasyBook 2.0.0rc4 suffered multiple persistent XSS vulnerabilities in 2009
3. Elevated permissions in various folders - 777! Including in the WP folders

Suggested reading:
viewtopic.php?f=432&t=335090
http://docs.joomla.org/top_10_stupidest ... tor_tricks
http://docs.joomla.org/security_checklist_7
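An added example, not from this thread or from the Forum Post Assistant: a POSIX shell audit that reproduces the "elevated permissions" check from the FPA output on a constructed sample tree and resets world-writable entries to 755 (directories) / 644 (files). It assumes PHP runs as the site owner (the output shows php api: cgi-fcgi), so no extension needs "other" write access; the sample paths mirror the ones flagged above.

```shell
# Added example, not from this thread: reproduce the FPA "elevated permissions"
# check on a web root and reset world-writable entries to 755 (dirs) / 644 (files).
# Assumes PHP runs as the site owner (php api: cgi-fcgi in the output above),
# so no Joomla extension needs "other" write access. Paths are constructed samples.

# Print every directory or file under $1 that is writable by "other",
# as a sorted list of paths relative to $1. -perm -002 is POSIX find syntax.
list_world_writable() {
    ( cd "$1" && find . -perm -002 \( -type d -o -type f \) | sort )
}

# Number of world-writable entries under $1 (0 on a properly hardened tree).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset offending entries: directories to 755, files to 644.
harden_permissions() {
    ( cd "$1" \
        && find . -type d -perm -002 -exec chmod 755 '{}' + \
        && find . -type f -perm -002 -exec chmod 644 '{}' + )
}

# Constructed sample tree mirroring the paths the FPA output flagged (777/757),
# so the functions above can be exercised without touching a live site.
make_sample_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/images" "$top/blogs/wp-content/flgallery" \
             "$top/modules/mod_swmenufree/cache"
    chmod 755 "$top/images" "$top/blogs" "$top/blogs/wp-content" \
              "$top/modules" "$top/modules/mod_swmenufree"
    chmod 777 "$top/blogs/wp-content/flgallery"      # flagged in the FPA output
    chmod 757 "$top/modules/mod_swmenufree/cache"    # flagged in the FPA output
    printf '<?php\n' > "$top/configuration.php"
    chmod 444 "$top/configuration.php"               # read-only, as the FPA shows
    printf '<?php\n' > "$top/modules/mod_swmenufree/cache/menu.php"
    chmod 666 "$top/modules/mod_swmenufree/cache/menu.php"  # world-writable file
    echo "$top"
}

# Usage on a real site: sh audit_perms.sh /path/to/public_html
if [ $# -gt 0 ]; then
    echo "world-writable entries under $1: $(count_world_writable "$1")"
    list_world_writable "$1"
fi
```

On a mod_php host where Apache runs as a different user than the file owner, cache/ and tmp/ may need group write instead of 755, so re-check the site after hardening. Fixing permissions closes the write path but does not remove files already planted; the outdated core and EasyBook still need updating and the tree still needs to be checked for injected code.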
