# Church Website Hacked



## Hamalas (Dec 19, 2014)

I operate the website for my church (Sheffield Presbyterian Church): Sheffield Presbyterian Church I recently added two new articles to our site - one is for a conference we will be hosting: Reformation Bible Conference and the other is for a church planting Bible study we will be hosting: Church Planting in Manchester

When you look on the home page at the menu on the left hand side the links show up as normal. However if you click on either of these links you will see a strange link insert itself trying to sell some medical product on our site. I can't see anywhere in our Joomla menu manager or article manager where this is coming from or what I need to do to fix it! It looks like something has hacked into our site and is trying to use it to sell their product. What should I do? I did notice that if you click on the second link I included (the one for the church plant) but remove the &Itemid=110 from the url that the link goes away in the sidebar.


----------



## SolaScriptura (Dec 19, 2014)

It's probably the North Koreans.


----------



## Jack K (Dec 19, 2014)

Perhaps you should contact your web hosting company, assuming you use one. Most of them provide decent customer service (it's their one real way to distinguish themselves from the competition).


----------



## DMcFadden (Dec 19, 2014)

Probably because of that upcoming sermon "Kim Jong-Un: Antichrist -- Yes or No?"

The intrusion by outside groups with their own agenda is, unfortunately, more and more common. One of my Bible software sites was hacked by someone who sends everyone in the mailing list enticements to p*** sites and adulterous dating.


----------



## Berean (Dec 19, 2014)

Blocking everything with NoScript, if I click on About Us > Students, I see in "Our Student Worker" an insert in your bio.



> Our Student Worker
> 
> Since August of 2014 Ben Franks has been serving as *buy generic propecia online* the Pastoral intern and student worker at Sheffield Presbyterian Church (SPC).



Also



> Please let me know if you are interested in joining these studies or are interested in visiting our *buy levitra online* church. May God bless you all!



The drug links appear to have been inserted in random sentences throughout the site.


----------



## Hamalas (Dec 19, 2014)

Berean said:


> Blocking everything with NoScript, if I click on About Us > Students, I see in "Our Student Worker" an insert in your bio.
> 
> 
> 
> ...



Oh no! Even with Adblocker turned off I don't see those links but if you are that's an even greater problem. 

Any ideas folks? I'm not a techie guy at all and the stuff I've read on various forums seem like gibberish to me. I'm way out of my depth here.


----------



## Berean (Dec 19, 2014)

Hamalas said:


> Oh no! Even with Adblocker turned off I don't see those links but if you are that's an even greater problem.



Ben, I have AdBlock Plus "on" in the latest Firefox and I see those links inserted into sentences on almost every page. I know little about web site construction, but I would guess those links have been inserted into the site's HTML coding. I hope you find someone to clean it, or restore a good backup copy.


----------



## SolaScriptura (Dec 19, 2014)

Well, on the plus side, at least it's for medicine and not p*rn.


----------



## nick (Dec 19, 2014)

This happened to a website I built in Wordpress. I tried a number of things to get rid of the inserted code, but never got rid of it. Another group of web people more advanced than myself got involved and could never get rid of it. We would clear it out for a few weeks and it would find a way back in. Drove me nuts.

How'd they get in? I didn't update Wordpress in a timely manner, and they got in through a vulnerability. Is your Joomla updated? Is your site backed up? Delete everything and load your backup on a fresh Joomla install.


----------



## Hamalas (Dec 19, 2014)

Thanks all; I've contacted the guy who set up the website for us so we'll see what he says, but I'm guessing you're right and we'll have to see if we have a backup we can use to reload it.


----------



## KeithW (Dec 19, 2014)

The folks on the *Joomla forums* can sometimes be a big help. I used to be a moderator on there, meaning I used to help people every day. Understanding hacking is not my area though. In the forums look for security sections which contain FAQs along the lines of - I've been hacked, now what?

For some background, a content management system like Joomla has a few major pieces: the scripts which are written in PHP, the text content which is stored in a database like MySQL, and things like pictures which are stored as files.

Hackers run automated scripts to scour the internet for websites which have known vulnerabilities. Typically they insert their own scripts, and alter you Joomla scripts. If you know what you are doing you can find out how extensive the hack is by logging in to your webhost account to look through the file structure where Joomla is installed, looking for any and every file which has been changed recently. You can then examine the scripts and remove the hacks. You have to be a programmer to know what you are doing. I've done this once for my church's website and once for a friend's website.

But the average person should look for instructions on what to do. The options may be to check if your webhost account is being backed up and if so then ask to have the account restored to a time previous to when you were hacked. And then find out how to update your Joomla installation, and every module, to the latest versions to reduce the vulnerabilities. Otherwise you should be able to find instructions on how to reinstall Joomla with the templates and modules you installed and connect the new installation to the existing database (your existing content).


----------



## jwithnell (Dec 19, 2014)

Also, have everyone who has access to the site change his password. Our webhost cleared something like what you've experienced, we changed our passwords and the problem has not reappeared.


----------



## Edward (Dec 19, 2014)

Here's some of the hidden offending code with spaces added to break links. 

< span class="eioynltrltcaxddxwz" >< a href=" buy clomid " > buy clomid< /a >< /span >

My guess is that the problem is buried in the Joomla template. 

A suggestion would be to either change templates, or do some hand editing of the code deleting what appears to be a blank line and a half. Someone put some effort into this project. I doubt it was the Norks, however. 

Given how broke those liberal Episcopals in Northeast Florida are after they ran off the conservatives but held onto a bunch of empty buildings, it may be how they make ends meet now. You might ask them about the page, however. [email protected]


----------



## Edward (Dec 19, 2014)

Hamalas said:


> Even with Adblocker turned off I don't see those links but if you are that's an even greater problem.



It shows up in my Firefox, but not in Seamonkey (which comes with better tools than most of the browsers).


----------



## VictorBravo (Dec 19, 2014)

You can easily see the offending code in IE "view source", too.


----------



## KeithW (Dec 20, 2014)

Edward said:


> My guess is that the problem is buried in the Joomla template.


Typically a hack injects itself deep inside of the Joomla installation.


----------



## Semper Fidelis (Dec 20, 2014)

Could be any number of reasons. Joomla may have been out of date. File permissions may not have been set properly.


----------

