I run multiple sites with Joomla CMS and yesterday every time I go to my website I get a popup that says:
"Network Shield: Blocked Access to Malicious site hotican.com/"
"Network Shield: Blocked Access to Malicious site bitsinfoware.net/"
No matter which page loads I still get the popup. I have been unsuccessful finding a remedy. I called GoDaddy.com and they told me that they do not use Avast and cannot replicate the error therefore they can not help. :-[ . I would appreciate any advice that can point me in some direction on how to fix this or why it is happening.
Please note all of my friends use Avast and they all see the pop-up also. Everyone that I know that does not use Avast does not see anything at all. I just want to make the “malicious site” warning not appear when my family goes to my website.
Threats found: 1
Here is a complete list:
Threat Name: Backdoor.Tidserv
Location: hxtp://bitsinfoware.net/1/stats.php
and
Suspicious Applications (what’s this?)
Threats found: 1
Here is a complete list:
Threat Name: Suspicious Process
Process name: C:\Documents and Settings\user\Local Settings\Temp\install.exe
Location: hxtp://hotican.com/image/oute.php
Just an FYI guys, This website is for my family to view pictures of my son. There are a whole (4) registered members on the site. I have not updated the website in 4 weeks and that is why I am so confused. Does anybody know if this is due to the fact that people are targeting Joomla? If that is the case I will turn my back and start making static webpages again. Thank you guys for your responses!!! I am in that boat we have all heard of “without the paddle”
You own the site? If so, that means your site was hacked. Try editing the code to see if you can find something like and remove it. Also, if there is any obfuscated JavaScript code, delete it; it might be part of the virus. After that, please change your password to an even stronger password to prevent hackers from hacking your website.
In my experience it is an obfuscated JavaScript. Look for the string “eval” or “fromCharCode” in the html of your pages. Usually it is right after the BODY tag.
Here is a sample of what I found on these pages. (I removed a whole bunch of numbers from the sample here, just to make sure this doesn’t translate into some executable script by accident.)
BTW, my site is also hosted on GoDaddy and I am not using Joomla, just static pages that we edit and upload.
I believe this is the result of the site being hacked or GoDaddy servers have been compromised otherwise. Either way GoDaddy should have been on top of this, but they are not. I first noticed this back in March; at that time I thought it was somebody from our end who uploaded infected webpages. I cleaned all the pages at that time; now I see only the home page getting modified to include this JavaScript once every few days. I have asked my site admin to contact GoDaddy to find out what’s happening.
Please share your experience, if you contact GoDaddy or if you find the source of this page change.
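The check described in the post above (an inline script using "eval" or "fromCharCode", usually right after the BODY tag), as an added example that is not part of the original posts. The unescape and numeric-run indicators, the file extensions and the two sample pages are assumptions of this example; the samples are constructed and inert.

```python
import re
import sys
from pathlib import Path

# Indicators named in the post, plus two assumptions of this example:
# unescape( and long runs of comma-separated numbers (char-code payloads).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "fromCharCode": re.compile(r"fromCharCode", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "numeric-run": re.compile(r"(?:\d{1,3}\s*,\s*){20,}"),
}
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
BODY = re.compile(r"<body\b[^>]*>", re.I)
EXTENSIONS = {".html", ".htm", ".php"}

# Constructed sample pages (not taken from the thread); the payload is inert.
CLEAN = "<html><body>\n<h1>Family photos</h1>\n<script>var n = 1;</script></body></html>"
INFECTED = ("<html><head></head>\n<body>\n<script>eval(String.fromCharCode("
            + ",".join(["65"] * 30) + "));</script>\n<h1>Family photos</h1></body></html>")


def scan_text(text):
    """Return one finding per inline <script> block that matches an indicator."""
    body = BODY.search(text)
    findings = []
    for m in SCRIPT.finditer(text):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(m.group(1)))
        if not hits:
            continue
        # "Right after the BODY tag": only whitespace between <body> and <script>.
        after_body = bool(body) and body.end() <= m.start() and not text[body.end():m.start()].strip()
        line = text.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "indicators": hits, "right_after_body": after_body})
    return findings


def scan_tree(root):
    """Scan every page-like file under root; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(path.relative_to(root))] = found
    return report

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(INFECTED))
```

Run it against a downloaded copy of the web root; a hit is a reason to compare the file with a known-clean copy, since legitimate scripts can also use eval.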
I am dealing with the same issue and ALSO use godaddy.
First we were hacked by gumblar.cn - we uploaded clean code and clean database, and were clean for about 12 hours.
We were then hacked again - this time referring to hotican.com
We uploaded clean code, clean database, we were clean for about 20 hours.
We were then hacked again!
Godaddy claims that someone has our username and password to the ftp.
I format my computer. I reinstall Windows. The ONLY applications I have installed on my machine are avast (which picks up this virus, avg doesn't) and coreftp.
I change ALL the passwords to LONG strings that no one could guess - 15 characters long with capitals and numbers - computer is clean for sure - code is clean for sure - I upload the code, I upload the database, website is clean, online for about 30 hours
and then we get hacked AGAIN!
I don't even know what to do at this point - we are bringing in an outside security consultant.
I just do not see how someone could keep getting our usernames / passwords, especially because I just formatted the only machine with the login information, so it definitely does not have a trojan.
Godaddy, of course, has not been much help at all.
For me that is just too many coincidences, for it to be isolated to someone having your FTP user name & password, which you presumably changed after the first hack. Because that would imply that all those sites that have been hacked which are also hosted by godaddy would have had their user names & passwords captured too.
When you get multiple sites being hacked you have to look at common issues and user names & passwords being guessed/stolen is only one, godaddy being another and any content management software being another.
Many of the hacks can be as a result of old versions of content management software (a Host responsibility) such as PHP, WordPress, SQL, etc. so if you use something like this it could be that which is being exploited.
Presumably you have set the CHMod permissions to restrict changes other than by the owner.
Personally I would be speaking to another Host provider and asking them the questions, how can or what measures they/you can take to prevent your site being hacked as it has in the past. This not only gives you an idea by their responses if they have a clue about the problem and how to prevent it, but also gives an idea of their customer support service potential. It is also cheaper than bringing in a security consultant, who may just repeat what a good Host would tell you.
Interesting we have had several from GoDaddy now and they still appear to be in denial when users have gone to them as above, they say don’t give anyone your password.