Home/ Questions/Q 878265
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T11:44:41+00:00

So, I’ve just started working with a new Joomla site, and something we’ve added

  • 0

So, I’ve just started working with a new Joomla site, and something we’ve added has started hijacking various parts of the site and added links to various places we don’t want. Unfortunately, I can’t give out a link to the live site right now, but I can describe the problems:

  • In the footer, where it should say “Designed By: ” and the name of the place we got our template from, it leaves the “Designed By:” but removes the name of the template author, and instead puts in two links (not giving the hijacker any more hits but here’s the text of them), “online album” and “check whois”

  • When we hover over the site name, the alt text is set to “Forex Trading Home” which is most certainly not what it should be.

  • Finally, when you hover over the “Home” item in the main menu, a dropdown appears after a short delay, with a link to “cpanel reseller hosting” inside it.

Now, I’d like to get rid of these advertisements, but I’ve got no idea where they are coming from. If you guys know some commonly-hijacked files I can search in, or good debugging tricks to find them (I’ve tried FirePHP, but haven’t had much success with it) I’d be much obliged. Unfortuantely, since a few people have been working on the site simultaneously, we’re not really sure what extensions could have caused it (if that is in fact, the problem) – but all of them seemed ok, and came from the main Joomla extension site.

EDIT:

Here’s a list of the modules I know were installed before we noticed the spam problems start happening:

Other than that, everything else was installed after the problems started, or was a theme that has since been uninstalled (and hence, I don’t know what it is anymore). The theme that’s on it now, I’ve looked at thoroughly, but is version of this Martial Arts Theme with a lot of modified images (and one change in the php from a .gif to a .png)

EDIT EDIT: So, still looking, but seems an older version of picasa2gallery (we had a new version at one point, but uninstalled it) had an LFI vulnerability. Perhaps that was the source. In any case, I think I’ll be doing a full wipe, and just start over, really.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    So, turns out the correct answer was “none of the above”, not that I noticed that until after I erased everything to remove the hack.

    Once I restored the theme, and nothing else, I noticed that the “hack” spam links were back, way too fast to even be an automated script.

    That’s when I discovered that there was a .gif file in the images directory that contained the “bad” PHP code to include the spam links. Ironically, the code they were using to make it was particularly bad, so at least I got a good laugh out of this long ordeal.

    Moral of the story: Don’t get themes from ThemZa, and if you do, be prepared to dig through them for cruft, if you like the way they look.

    • 0