HTML:imghack-a [Trj] on Joomla website

Today I wanted to log in to my Joomla website (backend administrator) when Avast blocked the site and gave me the warning that it detected HTML:imghack-a [Trj].
I looked at my site with an FTP client and I looked at the server logs, but I see nothing unusual. So I was wondering:

  1. What is this trojan, is it malicious?
  2. Where could it be hiding on my site?
  3. Could this be a false positive?

Thanks.

Could you write down the site? xxx.joomla.yyy ?

I didn’t because I was unsure if I am allowed to post links?
I get the warning here: xww.zoekeenmodel.com/administrator

Yes, possibly FP.
URLVoid:
Report 2011-06-02 15:41:26 (GMT 1)
Website zoekeenmodel.com
Domain Hash b1e508a6a2e1709531ed991b7f2aaed4
IP Address 77.243.233.132 [SCAN]
IP Hostname -
IP Country NL (Netherlands)
AS Number 25459
AS Name NEDZONE-AS NedZone Internet BV
Detections 0 / 23 (0 %)
Status CLEAN

Ok, thanks, I’ll keep an eye on it but will disable avast for that site for now.

avast is alerting on a image link that appears to be malicious.

http://www.virustotal.com/file-scan/report.html?id=de18761dff2907ab029aab137f32a46269388b2913294317a4930868625acea5-1307023337

nice catch!

The page does appear to have been hacked: an IMG tag is set to run a .php file rather than open an image, a bit of a standards no-no. Not to mention it comes after the closing HTML tag, another standards no-no. Finally the image size is 1x1, another way to try and hide it, and highly suspect.
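The three traits the post above lists (an IMG src that is a .php script, a 1x1 size, and placement after the closing HTML tag) are easy to check for mechanically. The following Python script is an added example written for this thread, not code from the thread or from Avast; it scans saved page source with the standard-library HTML parser and reports any img tag showing one or more of those traits. The sample page and the example.invalid host in it are constructed for the demonstration.

```python
"""Flag <img> tags with the traits discussed in the thread: src pointing at a
.php script, 1x1 dimensions, or placement after the closing </html> tag.
Added example for this thread; not the forum's or Avast's own tooling."""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse


class SuspiciousImgScanner(HTMLParser):
    """Collects findings about img tags while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.after_html_close = False  # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        # Anything that follows the closing html tag is suspect by itself.
        if tag.lower() == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        # Only the URL path matters; query strings are ignored on purpose.
        if urlparse(src).path.lower().endswith(".php"):
            reasons.append("src is a .php script, not an image")
        if a.get("width", "").strip() == "1" and a.get("height", "").strip() == "1":
            reasons.append("1x1 pixel image (hidden loader/tracker pattern)")
        if self.after_html_close:
            reasons.append("tag appears after the closing </html> tag")
        if reasons:
            line_no = self.getpos()[0]  # 1-based line where the tag starts
            self.findings.append({"line": line_no, "src": src, "reasons": reasons})


def scan_html(html_text):
    """Return a list of findings, one dict per suspicious img tag."""
    parser = SuspiciousImgScanner()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample: a normal page with a legitimate logo, followed by an
# injected 1x1 img pointing at a .php file after </html>, mirroring the thread.
SAMPLE_PAGE = """<html><head><title>Joomla site</title></head>
<body>
<img src="/images/logo.png" width="200" height="60" alt="logo">
</body></html>
<img src="http://example.invalid/count.php" width="1" height="1">
"""

if __name__ == "__main__":
    # Usage: python scan_img.py saved_page.html [...]; no args scans the sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("SAMPLE_PAGE", SAMPLE_PAGE)]
    for name, text in sources:
        for f in scan_html(text):
            print(f"{name}:{f['line']}: {f['src']}")
            for r in f["reasons"]:
                print(f"    - {r}")
```

Run it over a copy of the page fetched with the FTP client or saved from the browser, not over the live site's rendered output, so the check does not depend on whatever the injected script returns. A hit on the "after </html>" rule alone already warrants a look at the template and index files, since legitimate Joomla templates do not emit markup there.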

Looks like that site has been hacked.

http://www.virustotal.com/file-scan/report.html?id=d7c9985c2b690a3eace567d81816bf67db9ce9cb984c33cd8800611ae9da4c28-1307022918

That is playing Russian roulette with an automatic. See further images 2 & 3: this is a malicious site that it is trying to run this .php page on.

Not an FP. You can google lots of links about this; we even had some stats in one of our blogs.

I get a 500 error on the actual link in malzilla (for now…could be changed later - good that avast blocks it anyway)

Hopefully this also highlights the problem with using just URLVoid in checking a website. Since it only checks some blacklists and not actually scans the sites, it most often will be wrong. Especially in recently hacked sites…

Hi Evert & Left 123,

Will you make the url non-click through like: htxp://www.zoekeenmodel.com/administrator
or -http://www.zoekeenmodel.com/administrator
I get a redirect at SOSWebScan, Error Reason: Moved Permanently
Redirected-to :
So we cannot scan this website. Please check and try again. Why?
Because the site is infected with malware, known javascript malware (WordPress site hack),
re: http://sucuri.net/malware/malware-entry-mwbackdoor23 (see attached gif)
Better not disable avast there, avast scan is not a false positive…
Inform the admin of the site it has been hacked and should be cleansed,

polonus

He IS the site admin ;D

Hi scythe944,

Funny, I should have realized because of the link, that is obvious.
Then Evert the admin knows what to do, cleanse his site. The malicious code has to be removed, as well as all backdoors (countimg malware), cannot understand why Left123 missed it,

pol

Ok, thanks all. I’ll just replace the site with a backup then…sigh, and change all passwords again.

Hi Evert,

These things happen. Also make sure all your web application software is updated to the latest version; that makes a reinfection/hack somewhat harder,

regards

polonus

P.S. Summary of Dutch txt -this means that he has to update all his web app software to make reinfection-hacks somewhat harder to be performed,

D

You’re welcome.

As Polonus mentions, you need to ensure you have the latest versions of any content management software (CMS), Joomla, PHP, etc., as this is usually the entry point for hackers: an old CMS with vulnerabilities which can be exploited.