Navigation

kangoo · #1 17th December 2012, 08:47

Unfortunately a website on our webserver (ispconfi3) is compromised with "itsnoproblemo" scripts.
What can we do against that. How can we identify the infected pages? The website is an Joomla website.

Regards Kangoo

Ben · #2 17th December 2012, 10:02

How did you identify this infection and how did you locate it?
Did you verify if your joomla installation is fully up to date, incluing all plugins?
Do you have a backup that you could consider as clean?
Do you use mod_php or su_php?

I'd personally recommend at least wiping the whole joomla installation, create it up to date from scratch and migrate the content in. Its much time and effort but its a safer way to not have any backdoors in that area of the system.
generally spoken reinstall the whole server from scratch, and reinstall / copy alls applications ony by one after verifying them as good as you can, that they are clean.

kangoo · #3 17th December 2012, 17:41

Hello,

i use fast.cgi and suEXEC. I got an mail from cert, that the server is infected and I see that there is a problem on our network monitoring system.

On the server ther are a view websites. so i do not exactly know which one is infected.

The Joomla installation is from a customer.

Regards Kangoo

Ben · #4 19th December 2012, 14:08

Then you should also ask the CERT that informed you about the issue, if they can help you further how to nail down which web page / application is infected.

never the less you should consider reinstalling the whole server in parallel, as you do not know the level of infection. But I am sure, depending an what malware in particular is found on the system, the can give you further tips.

kangoo · #5 19th December 2012, 19:53

Hello, i found the issue by using clamscan. The problem is solved.

Thank´s for help!

Regards
Kangoo

Navigation

Facebook

News

Recent comments

Newsletter