Locating the source of spam in Joomla
So, I've just started working with a new Joomla site, and something we've added has started hijacking various parts of the site and added links to various places we don't want. Unfortunately, I can't give out a link to the live site right now, but I can describe the problems:
In the footer, where it should say "Designed By: " and the name of the place we got our template from, it leaves the "Designed By:" but removes the name of the template author, and instead puts in two links (not giving the hijacker any more hits but here's the text of them), "online album" and "check whois"
When we hover over the site name, the alt text is set to "Forex Trading Home" which is most certainly not what it should be.
Finally, when you hover over the "Home" item in the main menu, a dropdown appears after a short delay, with a link to "cpanel reseller hosting" inside it.
Now, I'd like to get rid of these advertisements, but I've got no idea where they are coming from. If you guys know some commonly-hijacked files I can search in, or good debugging tricks to find them (I've tried FirePHP, but haven't had much success with it) I'd be much obliged. Unfortunately, since a few people have been working on the site simultaneously, we're not really sure what extensions could have caused it (if that is, in fact, the problem) - but all of them seemed ok, and came from the main Joomla extension site.
EDIT:
Here's a list of the modules I know were installed before we noticed the spam problems start happening:
- EasyTemplate - MultiPlugin
Other than that, everything else was installed after the problems started, or was a theme that has since been uninstalled (and hence, I don't know what it is anymore). The theme that's on it now, I've looked at thoroughly, but it is a version of this Martial Arts Theme with a lot of modified images (and one change in the php from a .gif to a .png).
EDIT EDIT: So, still looking, but seems an older version of picasa2gallery (we had a new version at one point, but uninstalled it) had an LFI vulnerability. Perhaps that was the source. In any case, I think I'll be doing a full wipe, and just start over, really.
So, turns out the correct answer was "none of the above", not that I noticed that until after I erased everything to remove the hack.
Once I restored the theme, and nothing else, I noticed that the "hack" spam links were back, way too fast to even be an automated script.
That's when I discovered that there was a .gif file in the images directory that contained the "bad" PHP code to include the spam links. Ironically, the code they were using to make it was particularly bad, so at least I got a good laugh out of this long ordeal.
Moral of the story: Don't get themes from ThemZa, and if you do, be prepared to dig through them for cruft, if you like the way they look.
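The check this answer describes (PHP hidden inside a file in the images directory) can be automated. The following is an added example, not code from the original post: it walks an image tree, compares each file's magic bytes with its extension, and searches for PHP open tags and the functions link injectors and web shells typically rely on. The sample tree it builds is constructed here for the demonstration; point `scan_images` at a real Joomla `images/` directory instead.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for the image types the question mentions (the theme here hid PHP in a .gif).
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# PHP open tags plus two functions that link injectors and web shells lean on.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|\bbase64_decode\s*\(", re.I)

def inspect_image(path):
    """Return findings for one file: mismatched magic bytes and/or embedded PHP (empty list = looks clean)."""
    path = Path(path)
    ext = path.suffix.lower()
    if ext not in IMAGE_MAGIC:
        return []
    data = path.read_bytes()
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("magic bytes do not match extension")
    if PHP_MARKERS.search(data):
        findings.append("contains PHP code")
    return findings

def scan_images(root):
    """Walk root (e.g. a Joomla images/ directory) and map relative path -> findings for flagged files."""
    root = Path(root)
    suspicious = {}
    for p in root.rglob("*"):
        if p.is_file() and (findings := inspect_image(p)):
            suspicious[str(p.relative_to(root))] = findings
    return suspicious

def build_sample_dir():
    """Constructed sample tree: a clean GIF, a valid GIF with PHP appended, and a PNG that is really a script."""
    root = Path(tempfile.mkdtemp(prefix="joomla_images_"))
    clean_gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
    samples = {
        "logo.gif": clean_gif,
        "spacer.gif": clean_gif + b"\n<?php echo '<a href=\"http://example.invalid/\">check whois</a>'; ?>",
        "bg.png": b"<?php echo 'not an image'; ?>",
    }
    for name, content in samples.items():
        (root / name).write_bytes(content)
    return root

def demo():
    return scan_images(build_sample_dir())
```

A valid image with PHP appended still renders as an image, so the magic-byte check alone is not enough; the content search is what catches the `spacer.gif` case.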
Your complete Joomla installation seems to be hacked, follow the guidelines on what you should do now (re-installing and securing)
Check the server access logs. You'll most likely see accesses to a particular component (look for the com_* in the URI) that are excessive, or just out of place.
When this has happened to my sites it has been a particular component that hijackers are searching Google for (i.e. com_virtuemart was the last culprit) and then they attempt their exploit on the component hoping it is a flawed version.
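The log review this answer recommends can be scripted. Below is an added example, not code from the original post: it parses combined-format access log lines, counts hits per `option=com_*` component and per client, and flags URIs carrying directory-traversal sequences (the shape of the LFI probing mentioned elsewhere on this page). The log lines and the `threshold` value are constructed for the demonstration; feed real lines to `summarise` and tune the threshold to the site's normal traffic.

```python
import re
from collections import Counter

# Apache/nginx combined log format; Joomla routes components through option=com_*.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
COMPONENT_RE = re.compile(r"option=(com_\w+)")
TRAVERSAL_RE = re.compile(r"\.\.(/|%2f)|%2e%2e", re.I)  # directory traversal, the shape of an LFI probe

# Constructed sample: ordinary content views, then one client hammering com_virtuemart with traversal.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?option=com_content&view=category&id=2 HTTP/1.1" 200 4711
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?option=com_virtuemart&page=shop.browse HTTP/1.1" 200 8000
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?option=com_virtuemart&page=shop.cart HTTP/1.1" 404 300
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?option=com_virtuemart&file=../../../../configuration.php HTTP/1.1" 200 8000
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /index.php?option=com_virtuemart&file=..%2F..%2F..%2Fconfiguration.php HTTP/1.1" 500 120
192.0.2.77 - - [10/Oct/2023:13:57:10 +0000] "GET /images/stories/logo.gif HTTP/1.1" 200 900
"""

def parse_line(line):
    """Parse one combined-format line into a dict (with the Joomla component, if any); None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    c = COMPONENT_RE.search(rec["uri"])
    rec["component"] = c.group(1) if c else None
    return rec

def summarise(lines):
    """Hits per component, hits per (ip, component), and (ip, component, uri) for traversal-looking URIs."""
    per_component, per_ip_component, traversal = Counter(), Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["component"] is None:
            continue  # static files and other non-component requests
        per_component[rec["component"]] += 1
        per_ip_component[(rec["ip"], rec["component"])] += 1
        if TRAVERSAL_RE.search(rec["uri"]):
            traversal.append((rec["ip"], rec["component"], rec["uri"]))
    return per_component, per_ip_component, traversal

def noisy_clients(per_ip_component, threshold):
    """(ip, component, hits) for clients at or above threshold; tune threshold to the site's normal traffic."""
    return [(ip, comp, n) for (ip, comp), n in per_ip_component.items() if n >= threshold]

def demo():
    per_component, per_ip_component, traversal = summarise(SAMPLE_LOG.splitlines())
    return {"per_component": dict(per_component),
            "noisy": noisy_clients(per_ip_component, threshold=4),
            "traversal": traversal}
```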
If you can't positively identify and fix the hole they broke in through, it's likely the reinstall Tobias P. recommends is the only safe way. If somebody has access to files on that level, you have a big problem. You will need to identify which way they came in. This could have a multitude of reasons:
- Somebody exploiting a Joomla security hole (or one in a plug-in)
- Somebody having gained access to the FTP account through spying on a client computer
- Somebody exploiting a weakness in the server software
This is most likely somebody exploiting a Joomla hole, and there's probably no reason to panic. But you definitely should find out, or do a reinstall. Maybe you'll find more specific help on the Joomla forums or with your ISP.
While you're at it, best change all FTP passwords too, just to make sure.
Good reading at Google: My site's been hacked - now what?