Discussion in 'General' started by kangoo, Dec 17, 2012.

  1. kangoo

    kangoo New Member

    Unfortunately a website on our webserver (ispconfi3) is compromised with "itsnoproblemo" scripts.
    What can we do against that. How can we identify the infected pages? The website is an Joomla website.

    Regards Kangoo
  2. Ben

    Ben ISPConfig Developer ISPConfig Developer

    How did you identify this infection and how did you locate it?
    Did you verify if your joomla installation is fully up to date, incluing all plugins?
    Do you have a backup that you could consider as clean?
    Do you use mod_php or su_php?

    I'd personally recommend at least wiping the whole joomla installation, create it up to date from scratch and migrate the content in. Its much time and effort but its a safer way to not have any backdoors in that area of the system.
    generally spoken reinstall the whole server from scratch, and reinstall / copy alls applications ony by one after verifying them as good as you can, that they are clean.
  3. kangoo

    kangoo New Member


    i use fast.cgi and suEXEC. I got an mail from cert, that the server is infected and I see that there is a problem on our network monitoring system.

    On the server ther are a view websites. so i do not exactly know which one is infected.

    The Joomla installation is from a customer.

    Regards Kangoo
  4. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Then you should also ask the CERT that informed you about the issue, if they can help you further how to nail down which web page / application is infected.

    never the less you should consider reinstalling the whole server in parallel, as you do not know the level of infection. But I am sure, depending an what malware in particular is found on the system, the can give you further tips.
  5. kangoo

    kangoo New Member

    Hello, i found the issue by using clamscan. The problem is solved.

    ThankĀ“s for help!


Share This Page