    • 45896
    • 9 Posts
    Hi

    A friend's website is labeled by Google as "This site may be hacked."

    I thought that I have located it in the sql database.

    Because I have made a brand new setup. I even did not bring any css or js scripts and theme files that makes the website horrible. I did everything on my localhost.

    I just imported the sql database but I still cannot find the malicious code. The page is still there about pharmacy. I have also looked for base64 codes in the database and in the files, still no luck.

    Do you have any idea where this code may be and in what shape? The hacker hid it well.
      • 20413
      • 2,877 Posts
      Hello Raskolt,
      That message seems to say that the site can be hacked and NOT that it has been hacked.
      There have been many security holes plugged since that version. Your current version needs to
      be upgraded.

      --------------------------------------------

      The 3 first things to do when/if you find a remote file inclusion:
      1) Scan all folders for newly created files by checking the file timestamps.
      2) Make sure no Manager/Web Users have been added
      3) Change passwords (MODX, MySQL, FTP etc.)

      IMHO: Best protection is a backup offline on a local webserver. Then if a site gets compromised:
      1) Download the latest assets (pics, pdfs etc) and make sure they are legit.
      2) Secure the site: patch/upgrade
      3) Wipe everything on the server and replace with the fixed/up2date backup.
      4) Change passwords (MODX, MySQL, FTP etc.)

      Read more
      http://forums.modx.com/thread/91891/is-it-a-hack?page=2#dis-post-502182
      http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/#injection
        @hawproductions | http://mrhaw.com/

        Infograph: MODX Advanced Install in 7 steps:
        http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

        Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
        http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
        • 45896
        • 9 Posts
        Thanks for your quick reply.

        I have found the injected page now. My website is really injected.

        The problem is I cannot find the malicious code in the sql database. Do you know any tool to discover it?

        I have upgraded the setup but my friend does not have a backup. The code is still there.
          • 45896
          • 9 Posts
          It is not base64 code. Many people say that it can be that code but it is not. What can it be?
            • 45896
            • 9 Posts
            I see a page titled "propecia-generic-finasteride" but I don't see any of the strings in my database.

            I have made the setup with a completely clean install, I only installed the database. Still I see the same page, but I can't find the code.
              • 20413
              • 2,877 Posts
              Quote from: raskolt at Apr 20, 2015, 11:20 PM
              ...Do you know any tool to discover it?

              Yes!

              Awesome: http://desenmascara.me/
              + VirusTotal powered by Google: https://www.virustotal.com/ [ed. note: mrhaw last edited this post 9 years ago.]
                • 45896
                • 9 Posts
                Both have scanned all my website and database.

                They haven't found anything but I still see the page. That is weird.
                  • 19872
                  • 1,078 Posts
                  Do you have any .js files installed? Open those in an editor and see if you can find anything hidden in the code.
                    • 45896
                    • 9 Posts
                    Yes I have but I make a clean install. I only install the MySQL database from the old website and the injected pages are coming back.
                      • 19872
                      • 1,078 Posts
                      If you have a js slider or widget on a page, try commenting out the link to the js file.

                      Also—look for any hidden php files. The filename might start with a period. View using the host file manager and make sure show hidden files is enabled. Look in your assets folders.

                      What about the .htaccess file? Is it possible there is a redirect of some kind happening?
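
The file-side checks suggested in this thread (recently changed files, hidden PHP files, redirects in .htaccess), as an added example that is not part of any post above. The function name `scan_webroot`, the output tags and the 30-day default window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a web root for the three things
# suggested above. Output is one finding per line: TAG<TAB>detail.
# Usage: sh scan_webroot.sh /path/to/webroot [days]

scan_webroot() (
    root=$1
    days=${2:-30}   # assumed default look-back window

    tag() {  # prefix every stdin line with the tag given as $1
        while IFS= read -r line; do printf '%s\t%s\n' "$1" "$line"; done
    }

    # 1) Hidden files (name starts with a period) that carry a PHP extension.
    find "$root" -type f -name '.*' \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \) \
        2>/dev/null | tag HIDDEN_PHP

    # 2) Script and config files changed in the last $days days.
    #    mtime can be reset by an intruder, so an empty result proves nothing.
    find "$root" -type f -mtime "-$days" \
        \( -iname '*.php' -o -iname '*.js' -o -name '.htaccess' \) \
        2>/dev/null | tag RECENT

    # 3) Rewrite/redirect directives in every .htaccess, with file:line,
    #    for manual review (legitimate friendly-URL rules will show up too).
    find "$root" -type f -name '.htaccess' -exec \
        grep -nEi '^[[:space:]]*(Rewrite(Cond|Rule)|Redirect(Match)?)[[:space:]]' \
        /dev/null {} + 2>/dev/null | tag HTACCESS_RULE
)

if [ "$#" -gt 0 ]; then scan_webroot "$@"; fi
```

Run it against a copy of the site's files; it does not look inside the database.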