Today I wanted to log in to my Joomla website (backend administrator) when Avast blocked the site and gave me the warning that it detected HTML:imghack-a [Trj]
I looked at my site with an FTP client and I looked at the server logs, but I see nothing unusual. So I was wondering:
Yes, possibly FP.
Url void:
Report 2011-06-02 15:41:26 (GMT 1)
Website zoekeenmodel.com
Domain Hash b1e508a6a2e1709531ed991b7f2aaed4
IP Address 77.243.233.132 [SCAN]
IP Hostname -
IP Country NL (Netherlands)
AS Number 25459
AS Name NEDZONE-AS NedZone Internet BV
Detections 0 / 23 (0 %)
Status CLEAN
The page does appear to have been hacked: an IMG tag is set to run a .php file rather than open an image, a bit of a standards no-no. Not to mention it comes after the closing HTML tag, another standards no-no. Finally the image size is 1x1, another way to try and hide it, and highly suspect.
I get a 500 error on the actual link in malzilla (for now…could be changed later - good that avast blocks it anyway)
Hopefully this also highlights the problem with using just URLVoid in checking a website. Since it only checks some blacklists and not actually scans the sites, it most often will be wrong. Especially in recently hacked sites…
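An added example, not code from the original thread: the three tell-tales described above (an IMG whose src is a .php script, a 1x1 pixel size, and a tag placed after the closing </html>) can be checked mechanically over a page's HTML with Python's standard-library parser. The sample page is constructed for the example and uses the hypothetical host example.invalid; the injected tag mirrors the pattern discussed in the thread, not the actual code on the site.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a normal document with one legitimate logo and,
# after the closing </html>, an injected 1x1 <img> whose src is a .php script.
SAMPLE_HTML = """<html>
<head><title>Example site</title></head>
<body>
<img src="/images/logo.png" width="120" height="40" alt="logo">
<p>Welcome</p>
</body>
</html>
<img src="http://example.invalid/count.php?id=1" width="1" height="1">
"""


class InjectedImgScanner(HTMLParser):
    """Collect <img> tags that show hallmarks of an injected loader/tracker."""

    def __init__(self):
        super().__init__()
        self.after_html_close = False  # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag.lower() == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <img ... /> here too.
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        src = a.get("src", "")
        # Drop query string and fragment before looking at the extension.
        path = src.split("?", 1)[0].split("#", 1)[0]
        if re.search(r"\.php\d?$", path, re.IGNORECASE):
            reasons.append("src points at a .php script, not an image")
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1 pixel image (hidden from the visitor)")
        if self.after_html_close:
            reasons.append("tag appears after the closing </html>")
        if reasons:
            line, _col = self.getpos()
            self.findings.append({"line": line, "src": src, "reasons": reasons})


def find_suspicious_img_tags(html):
    """Return a list of {line, src, reasons} for every suspicious <img>."""
    scanner = InjectedImgScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in find_suspicious_img_tags(SAMPLE_HTML):
        print(f"line {f['line']}: {f['src']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run it over the HTML as the browser actually receives it (the response body of a normal HTTP request), not only over the files visible via FTP: injected markup is frequently appended by a modified template, a database entry or a .htaccess rewrite, so the served page and the file on disk can differ, which is one reason an FTP inspection and the server logs looked clean while the scanner flagged the page.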
Will you make the url non-click through like: htxp://www.zoekeenmodel.com/administrator
or -http://www.zoekeenmodel.com/administrator
I get a redirect at SOSWebScan, Error Reason:Moved Permanently
Redirected-to :
So we cannot scan this website. Please check and try again. Why?
Because the site is infected with malware, known JavaScript malware (WordPress site hack),
re: http://sucuri.net/malware/malware-entry-mwbackdoor23 (see attached gif)
Better not disable avast there, avast scan is not a false positive…
Inform the admin of the site it has been hacked and should be cleansed,
Funny, I should have realized because of the link, that is obvious.
Then Evert the admin knows what to do, cleanse his site. The malicious code has to be removed, as well as all backdoors (countimg malware), cannot understand why Left123 missed it,
These things happen. Also make sure that all your web application software is updated to the latest version; that makes a reinfection/hack somewhat harder,
regards
polonus
P.S. Summary of Dutch txt -this means that he has to update all his web app software to make reinfection-hacks somewhat harder to be performed,
As Polonus mentions, you need to ensure you have the latest versions of any content management software (CMS), Joomla, PHP, etc., as this is usually the entry point for hackers: an old CMS with vulnerabilities that can be exploited.