Unwanted Web Links

  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 322
  • Loc: Canada

Post 3+ Months Ago

Whenever I access my website I get two unwanted links with images showing up in russian. It appears I have been hacked.

I used this program called Fiddler which showed the two links going to a russion website ads.nic.ru.

I found the IP address and found that it was part of the CIDR given by 31.177.92.0/23 so I banned the whole range.
This did nothing which I believe is because my site is accessing and not the other way around.

Anyone run into similar hacked issues

My site is a Joomla 1.5 version.
I know this is old but I have so much information that it will take quite a long time to change.
I want to make sure the site is clean before I backup and eventually update

Thanks
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • Mr OBrien
  • Graduate
  • Graduate
  • User avatar
  • Posts: 185
  • Loc: down a creek without a paddle

Post 3+ Months Ago

Your advertisement is in the following lines of code off your home page.
1238-1243

Code: [ Select ]
<div class="banner">
  <script type="text/javascript">
var mathrand = Math.floor(Math.random()*99999999999);
document.write ("<scr"+"ipt type=\"text/javascript\"src=\"http://ads.nic.ru/banner/15?"+mathrand+"&c=utf8\"language=\"JavaScript\"><\/script>");
</script>
</div>
  1. <div class="banner">
  2.   <script type="text/javascript">
  3. var mathrand = Math.floor(Math.random()*99999999999);
  4. document.write ("<scr"+"ipt type=\"text/javascript\"src=\"http://ads.nic.ru/banner/15?"+mathrand+"&c=utf8\"language=\"JavaScript\"><\/script>");
  5. </script>
  6. </div>


Delete these and it should dissapear.
  • Mr OBrien
  • Graduate
  • Graduate
  • User avatar
  • Posts: 185
  • Loc: down a creek without a paddle

Post 3+ Months Ago

Oh and just be for that is your strange question marks. Also an extra </head>
in lines 1224-1237
Code: [ Select ]
</head></head>
<div class="header">
    <div class="htext">????????????? ????????<br/>?? ????? ???????????</div>
  <div class="himg"><img src="/errordocs/404.png" alt="404" /></div>
</div>
<div class="main">
<div class="page">
    <p><strong>????????? ???????, ?? ??????? ???????? ??? ??????:</strong></p>
  <ul>
      <li><strong>??????????? ?????? ????? ????????.</strong><br/>????????? ???????????? ?????? ?????? ???????? ? ???????? ?????? ????????.</li>
    <li><strong>??? ???????? ???? ??????? ? ??????? ???? ?????????? ?? ??????? ??????.</strong><br/>?????????? ????? ???????????? ????????, ????????? ????????? ?? ???????? ?????.</li>
  </ul>
    <p>    <a href="/" class="return_link">????????? ?? ???????</a></p>
    </div>
  1. </head></head>
  2. <div class="header">
  3.     <div class="htext">????????????? ????????<br/>?? ????? ???????????</div>
  4.   <div class="himg"><img src="/errordocs/404.png" alt="404" /></div>
  5. </div>
  6. <div class="main">
  7. <div class="page">
  8.     <p><strong>????????? ???????, ?? ??????? ???????? ??? ??????:</strong></p>
  9.   <ul>
  10.       <li><strong>??????????? ?????? ????? ????????.</strong><br/>????????? ???????????? ?????? ?????? ???????? ? ???????? ?????? ????????.</li>
  11.     <li><strong>??? ???????? ???? ??????? ? ??????? ???? ?????????? ?? ??????? ??????.</strong><br/>?????????? ????? ???????????? ????????, ????????? ????????? ?? ???????? ?????.</li>
  12.   </ul>
  13.     <p>    <a href="/" class="return_link">????????? ?? ???????</a></p>
  14.     </div>


I really hope thats what you wanted.
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 322
  • Loc: Canada

Post 3+ Months Ago

Mr OBrien

Thanks for the response.

I am not sure what you mean by "off your home page".

Using Google Chrome I went to my website and did a view source and I saw what you were indicating.

The problem is my site uses a template and when I check the template I do not see anything as indicated.

It is then probably inserted after I load my home page.

How it is inserted is the mystery I need to uncover
  • Mr OBrien
  • Graduate
  • Graduate
  • User avatar
  • Posts: 185
  • Loc: down a creek without a paddle

Post 3+ Months Ago

I could not tell you how its gotten their. But i can say that if you replace the html file that contains the code for your home page (usually index.html) with THIS file then the content thats appearing wont be their anymore. Unfortunately i cannot vouch for how long it will go away for if somebodys doing this to you on purpose. However it would be a temporary fix. Just be sure to rename the file i have linked to the EXACT same name as your home page file if you make the decision to replace it with this and to back up your original home page file. I've tested it and it seems to work fine. If you want to test it on your home machine just extract the contents of the ZIP file to a local folder and double click it. It will open a web browser showing your page with the unwanted content removed. Hope this helps. Its the most I am capable of doing for you.
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 322
  • Loc: Canada

Post 3+ Months Ago

As I had mentioned before, because I use a template, I cannot just simply replace my home page.
I did as you suggested but it only worked when the page gets initially loaded. If you click on any links they cause the same promblem

I actually loaded my home page without a template and all the box menus did not show up but those russion adds stll showed up.

This gives me the impression that no matter what I do to my home page it will not change things.

I need to figure out how these bloody ads are being injected
  • Mr OBrien
  • Graduate
  • Graduate
  • User avatar
  • Posts: 185
  • Loc: down a creek without a paddle

Post 3+ Months Ago

So if you fixed the code that was injected and then upgraded wouldnt that fix your ad problem and give you the nessasary security upgrade to prevent the code from being injected again? You've already banned the ip address of your attacker so i was under the assumption that just removing the unwanted code that was injected would mean that your attacker would have to be monitoring you to notice and hack you a second time. I realize that since its on almost every page this is not an easy task but I believe that would fix your problem. Removing the code would be the temporary fix and the upgrade would prevent further problems to make the fix permanent.
  • wpas
  • Proficient
  • Proficient
  • User avatar
  • Posts: 322
  • Loc: Canada

Post 3+ Months Ago

The problem is that I have so much information on my site and use many extensions that cannot be used on higher version upgrade.

I checked and a lot of the extension people have not upgraded for the higher version of Joomala

Many of my information on my site depends on these extensions.

If I simply upgrade, then half of my website will not function correctly to get to the required information.

I wish it was just a matter of upgrading

Post Information

  • Total Posts in this topic: 8 posts
  • Users browsing this forum: No registered users and 9 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.