Harringay online


Hi,

The Friends of Parkland Walk website was recently hacked and needs recovering. Is there anyone who would be prepared to provide technical help? I need to remove the website from the server and reinstall from a backup. Normally I'd be OK with this, but it's a Joomla! site with a database and frankly it could take me days before I get it right. I've just been looking through guides on how to do this and I'm just seeing too much that means nothing! I'm sure, in the right hands, it's probably little more than an hour's work.

I should add, I work on a mac.

Thanks,

Simon

Tags for Forum Posts: web designer


Replies to This Discussion

Hi Simon,

I'm willing to give you a hand with this. I've built and run many Joomla! sites over the years and can provide you with examples if needed.

Thanks

Lee

Many thanks Lee. Can you call me on 07862 218540 and we can work out when we can do this. Best, Simon

Hi Lee,

I hope you're well. First of all I have been meaning for a long long time to let you know that The Friends of Parkland Walk donated £50 to WOW in appreciation of your help with the site. The reason I have finally got round to thanking you, is of course, I am ashamed to admit, in part due to another query I have.

I just received an email purporting to come from Google re a potential phishing issue (content below).

Having a naturally suspicious nature I decided to check via Webmaster Tools as suggested at the foot of the email, using my login rather than clicking on the link provided. I had to add the site to Webmaster Tools and so far nothing has shown up as they suggest.

Is this something I should take further on the parkland walk site? The Acepolls module it mentions isn't live and never has been. Only myself and one other committee member have any access to the site content.

Best wishes, Simon

Email:

Dear site owner or webmaster of parkland-walk.org.uk,
We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://www.parkland-walk .org.uk/modules/mod_acepolls/index.html

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.parkland-walk.o...

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.

Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

Hi Simon,

Thanks for letting me know about the donation. Glad I could help at the time.

I have seen a few Google phishing messages recently; it looks like they have stepped up on scanning and have been picking up a few false positives. The URL that is listed wouldn't be accessed by a site user directly.

Though, as it's not a module you use, I would advise uninstalling it from the site. Extra modules increase the potential attack vectors of the site, so keeping it to the ones that are in use is always a good idea.

If you ever need a hand, just give me a shout.

Cheers

Lee

Thanks Lee. I'll do that.

Best,

Simon

I looked in Plug-in manager as opposed to the Module manager and found two active Acepoll modules. I deactivated them after noting that one was assigned to 'Administrator' and one to 'user'. I went back in there later to find they didn't appear there (I had the option to view enabled and disabled). When I say they had disappeared, something called Acepoll with those two assigned users went. I didn't take a note of specifically what they were. I still have (disabled) Acepolls: AlphaUserPoints, Jomsocial and Mighty touch. I don't know what they did. I didn't install any of them. Presumably they're not going to affect anything either.

Found them again! So confusing this. I found them when I looked in Extension manager. They weren't 'assigned'. They were in locations 'site' and 'administrator'. 'site' is a module, 'admin' is a component.

This is all probably quite irrelevant!

I've just had a look through the site and can't see any areas where any of those modules may have been used.

One was a social commenting module and the other was a social networking component.

If you log in via FTP, just check that the Acepoll directory in /modules/mod_acepoll is empty. If not, delete anything that is in there and all should be fine.

Cheers

Lee

Cheers Lee. I'll come back to that.

Simon

Hi Lee,

Back on this issue. The web host suspended the site this morning. I have now deleted the Acepolls module. The web host is asking to ensure that the script used to upload the phishing software is identified and updated or removed. This may have been there before you improved the security but possibly not. Can you advise on where I should look and what for?

Best,

Simon

Just to bring you up to date on this.

As the web host had suspended the site, I couldn't use the uninstall feature. I found all the folders I could via Dreamweaver and deleted them. The site is back up now, but Acepolls does still appear in the Modules manager. I tried uninstalling it, but I get an error, no doubt connected to the way I deleted the files previously. This may just be some kind of directory signpost I suppose, and it's remaining because the uninstall can't complete the task.

I have yet to find out if there are other files floating about that will allow the site to be compromised again. I'm assuming there is still vulnerability. The files all seemed to have had the date 23rd January 1013 leading me to believe there is still a way in. A lot of other files seemed to have been updated on the 4th February. I can't think that has anything to do with me.

For my sins, I haven't done a backup since the one you did. I lazily believed you had set it up to do a regular backup and I never checked to see if this was the case. Looking in the Akeeba backup file I notice there is an exclusion to back up Files and Directories and Database tables. So I'm going to wait for your advice before proceeding. I think I'm right in assuming that I can return to any version of the backup, and it might be necessary to do that to properly uninstall the rogue modules. I just don't want to lose any pages or pictures I've uploaded, as I have spent some time creating and updating the content.

Simon
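Two checks that follow from Lee's FTP advice above and from the question of which files were touched on the same day. This is an added example, not a script from anyone in the thread: it assumes a copy of the Joomla docroot (downloaded via FTP or from an Akeeba backup) at the path given as the first argument, uses the module directory name `modules/mod_acepolls` from Google's email, and assumes that a genuine Joomla `index.html` placeholder is only a few dozen bytes, so a threshold of 200 bytes is a constructed cut-off, not a Joomla constant.

```shell
#!/bin/sh
# Defensive triage of a Joomla docroot copy. All thresholds and the
# date format are assumptions made for this example.

# 1. Anything still under modules/mod_acepolls after the uninstall
#    is suspect (the directory should be empty or gone).
leftover_acepolls() {
  root="$1"
  [ -d "$root/modules/mod_acepolls" ] || return 0
  find "$root/modules/mod_acepolls" -type f
}

# 2. Joomla ships a tiny blank index.html in every directory to stop
#    directory listings; one that is larger than ~200 bytes is worth
#    opening in a text editor (phishing pages are full HTML forms).
oversized_index_html() {
  root="$1"
  find "$root" -type f -name index.html -size +200c
}

# 3. Every file whose mtime falls on one day (YYYYMMDD). Used to pull
#    out everything written on the same day as the known-bad files,
#    which is where the upload script the host asked about would show.
#    Uses reference files and -newer so it works with POSIX find.
files_modified_on() {
  root="$1"; ymd="$2"
  start=$(mktemp); end=$(mktemp)
  touch -t "${ymd}0000" "$start"        # 00:00 on that day
  touch -t "${ymd}2359.59" "$end"       # 23:59:59 on that day
  find "$root" -type f -newer "$start" ! -newer "$end"
  rm -f "$start" "$end"
}

if [ -n "$1" ]; then
  echo "== files left in modules/mod_acepolls";   leftover_acepolls "$1"
  echo "== index.html files larger than 200 bytes"; oversized_index_html "$1"
  [ -n "$2" ] && { echo "== files modified on $2"; files_modified_on "$1" "$2"; }
fi
```

Run as `sh triage.sh /path/to/docroot 20130123` (date argument optional); review each listed file by hand and compare against the last clean backup before deleting anything.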

Hi Simon,

I'll drop you an email.

Cheers

Lee
