Joomla Iframe Hack Solution

A common hack against JOOMLA-based websites is JavaScript iframe injection, or the iframe hack. Although it is not serious in terms of the damage inflicted on the website, precautionary steps should be taken seriously. The attack is not limited to platform-based/dynamic websites (e.g. Joomla, WordPress, Drupal); it also hits static websites.

Recovering from iframe injection costs time and money. This JOOMLA tutorial therefore shows you how to clean and repair your JOOMLA 1.5 site after it has been hacked by iframe injection.

Symptoms:

  • A blank white website,
  • you can access the back-end but cannot proceed further than the first page,
  • the website redirects to the hacker's site,
  • all websites under the same hosting account will sooner or later be infected, resulting in similar symptoms.


The victims:

  • Your index.php, index.html files and
  • you


Source of Infections:

  • Your own computer
    • Transferring files through your FTP software from your PC to your server can become a disastrous event if your PC is already infected or compromised with a Trojan, virus or other malware. In the event of an outbreak, you should first ‘sanitize’ your PC with antivirus and malware removers. Perform a full and thorough scan. Usually, the iframe hack is triggered by Trojan malware that extracts and steals your FTP access and then changes the targeted files.
  • Your server
    • Infection from another website on the same server can also be the source. This rarely happens, but a lousy web hosting company will sometimes leave some holes open, and it only takes a few minutes to infect thousands of websites, which usually sit on a shared server account.


Damage level:

  • Minor to major but non-destructive
    • So far the iframe hack on JOOMLA-based websites is only known to add one or a few lines of JavaScript to the index.php files. Previously, in JOOMLA 1.0.xx, the damage could be traced down to all folders and their contents inside your root or public_html folder on the server (which is considered a major, massive infection). Luckily in Joomla 1.5, thanks to better security features, the damage may extend to only a few files unless you leave your config.php in 777 mode for quite a long time.


Solutions:
The solution presented here is for JOOMLA 1.5.xx only. However, if you are still using Joomla 1.0.xx, the same principle can be applied.

  1. Clean your PC or laptop first, then change your password
    • Update your antivirus, install malware removers, perform a thorough scan and remove viruses/malware.
    • Change your cPanel and FTP passwords (both are usually the same). Your password has been stolen, so there's no point in proceeding with the iframe hack solution below if you are still vulnerable to another round of attack.
  2. Quarantine folder
    • Create a new folder on your computer. Let’s name it Quarantine. This makes sure the infected files don’t get mixed up with other files.
  3. Identifying the right file
    • Connect to your server through your FTP software and go to your server root folder. For a JOOMLA website, the root folder is public_html. Now scroll down and find the index.php file. Then download the file to your Quarantine folder.
  4. Deleting the script
    • Open the file, say index.php. Search for the JavaScript line, usually in <iframe>xxxx</iframe> form. Delete the <iframe>xxxx</iframe> JavaScript, then save the file.
  5. Upload
    • After you have checked that there is no more suspicious JavaScript inside the file, you can upload the file back to your server, to where it belongs.

As an alternative to step 4 above, you can simply replace the file with one from a fresh extraction of the Joomla installation files and then proceed to step 5 (which is much safer).

Follow all the steps above for the file named index2.php.

Restoring Admin After iframe Hack
The above solutions only restore your front-end website. To restore your back-end or admin area, you’ll need to go through the above process for the files below:

public_html>administrator>index.php
public_html>administrator>index2.php
public_html>administrator>index3.php
public_html>administrator>templates>system>index.php

In some cases, index.html files can also be infected. Since every hack case varies in the intensity of infection, you should check every file thoroughly.
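
The file checks from steps 3 to 5 and the admin file list can be done in one pass over the Quarantine folder. The script below is an added example, not part of the original tutorial: it reports which of the files named above contain an `<iframe` line and which differ from a fresh Joomla extraction. The function names and the `clean` folder are hypothetical, the demo files are constructed, and it assumes the fresh extraction is the same Joomla version as the site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Files the tutorial names, relative to public_html.
TARGETS = [
    "index.php", "index2.php",
    "administrator/index.php", "administrator/index2.php",
    "administrator/index3.php",
    "administrator/templates/system/index.php",
]
IFRAME = re.compile(r"<\s*iframe\b", re.IGNORECASE)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_site(quarantine, clean):
    """Return {relative_path: finding} for each target file present in quarantine."""
    report = {}
    for rel in TARGETS:
        suspect = Path(quarantine) / rel
        if not suspect.is_file():
            continue
        text = suspect.read_text(encoding="utf-8", errors="replace")
        hits = [n for n, line in enumerate(text.splitlines(), 1) if IFRAME.search(line)]
        reference = Path(clean) / rel
        modified = reference.is_file() and sha256(suspect) != sha256(reference)
        report[rel] = {"iframe_lines": hits, "differs_from_clean": modified}
    return report

def build_demo(root):
    """Constructed sample data: one clean tree and one tree with an injected line."""
    clean, quarantine = Path(root) / "clean", Path(root) / "Quarantine"
    body = "<?php\n// constructed stand-in for a Joomla index.php\necho 'site';\n"
    for tree in (clean, quarantine):
        for rel in TARGETS[:3]:
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_text(body)
    # Constructed injection, using the tutorial's own <iframe>xxxx</iframe> placeholder.
    (quarantine / "index.php").write_text(body + "<IFRAME>xxxx</IFRAME>\n")
    return quarantine, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in check_site(*build_demo(tmp)).items():
            print(rel, finding)
```

A file that differs from the clean copy but shows no iframe line still needs a manual look or replacement from the fresh extraction, since the script only matches literal `<iframe` markup.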