Church Website Hacked

Status
Not open for further replies.

Hamalas

whippersnapper
I operate the website for my church (Sheffield Presbyterian Church): Sheffield Presbyterian Church I recently added two new articles to our site - one is for a conference we will be hosting: Reformation Bible Conference and the other is for a church planting Bible study we will be hosting: Church Planting in Manchester

When you look on the home page at the menu on the left hand side the links show up as normal. However if you click on either of these links you will see a strange link insert itself trying to sell some medical product on our site. I can't see anywhere in our Joomla menu manager or article manager where this is coming from or what I need to do to fix it! It looks like something has hacked into our site and is trying to use it to sell their product. What should I do? I did notice that if you click on the second link I included (the one for the church plant) but remove the &Itemid=110 from the url that the link goes away in the sidebar. :confused:
 
Perhaps you should contact your web hosting company, assuming you use one. Most of them provide decent customer service (it's their one real way to distinguish themselves from the competition).
 
Probably because of that upcoming sermon "Kim Jong-Un: Antichrist -- Yes or No?"

The intrusion by outside groups with their own agenda is, unfortunately, more and more common. One of my Bible software sites was hacked by someone who sends everyone in the mailing list enticements to p*** sites and adulterous dating.
 
Blocking everything with NoScript, if I click on About Us > Students, I see in "Our Student Worker" an insert in your bio.

Our Student Worker

Since August of 2014 Ben Franks has been serving as buy generic propecia online the Pastoral intern and student worker at Sheffield Presbyterian Church (SPC).

Also

Please let me know if you are interested in joining these studies or are interested in visiting our buy levitra online church. May God bless you all!

The drug links appear to have been inserted in random sentences throughout the site.
 
Blocking everything with NoScript, if I click on About Us > Students, I see in "Our Student Worker" an insert in your bio.

Our Student Worker

Since August of 2014 Ben Franks has been serving as buy generic propecia online the Pastoral intern and student worker at Sheffield Presbyterian Church (SPC).

Also

Please let me know if you are interested in joining these studies or are interested in visiting our buy levitra online church. May God bless you all!

The drug links appear to have been inserted in random sentences throughout the site.

Oh no! Even with Adblocker turned off I don't see those links but if you are that's an even greater problem.

Any ideas folks? I'm not a techie guy at all and the stuff I've read on various forums seem like gibberish to me. I'm way out of my depth here. :scratch:
 
Oh no! Even with Adblocker turned off I don't see those links but if you are that's an even greater problem.

Ben, I have AdBlock Plus "on" in the latest Firefox and I see those links inserted into sentences on almost every page. I know little about web site construction, but I would guess those links have been inserted into the site's HTML coding. I hope you find someone to clean it, or restore a good backup copy.

MAYlxBY.jpg
 
This happened to a website I built in Wordpress. I tried a number of things to get rid of the inserted code, but never got rid of it. Another group of web people more advanced than myself got involved and could never get rid of it. We would clear it out for a few weeks and it would find a way back in. Drove me nuts.

How'd they get in? I didn't update Wordpress in a timely manner, and they got in through a vulnerability. Is your Joomla updated? Is your site backed up? Delete everything and load your backup on a fresh Joomla install.
 
Thanks all; I've contacted the guy who set up the website for us so we'll see what he says, but I'm guessing you're right and we'll have to see if we have a backup we can use to reload it.
 
The folks on the Joomla forums can sometimes be a big help. I used to be a moderator on there, meaning I used to help people every day. Understanding hacking is not my area though. In the forums look for security sections which contain FAQs along the lines of - I've been hacked, now what?

For some background, a content management system like Joomla has a few major pieces: the scripts which are written in PHP, the text content which is stored in a database like MySQL, and things like pictures which are stored as files.

Hackers run automated scripts to scour the internet for websites which have known vulnerabilities. Typically they insert their own scripts, and alter you Joomla scripts. If you know what you are doing you can find out how extensive the hack is by logging in to your webhost account to look through the file structure where Joomla is installed, looking for any and every file which has been changed recently. You can then examine the scripts and remove the hacks. You have to be a programmer to know what you are doing. I've done this once for my church's website and once for a friend's website.

But the average person should look for instructions on what to do. The options may be to check if your webhost account is being backed up and if so then ask to have the account restored to a time previous to when you were hacked. And then find out how to update your Joomla installation, and every module, to the latest versions to reduce the vulnerabilities. Otherwise you should be able to find instructions on how to reinstall Joomla with the templates and modules you installed and connect the new installation to the existing database (your existing content).
 
Also, have everyone who has access to the site change his password. Our webhost cleared something like what you've experienced, we changed our passwords and the problem has not reappeared.
 
Here's some of the hidden offending code with spaces added to break links.

< span class="eioynltrltcaxddxwz" >< a href=" buy clomid " > buy clomid< /a >< /span >

My guess is that the problem is buried in the Joomla template.

A suggestion would be to either change templates, or do some hand editing of the code deleting what appears to be a blank line and a half. Someone put some effort into this project. I doubt it was the Norks, however.

Given how broke those liberal Episcopals in Northeast Florida are after they ran off the conservatives but held onto a bunch of empty buildings, it may be how they make ends meet now. You might ask them about the page, however. [email protected]
 
Even with Adblocker turned off I don't see those links but if you are that's an even greater problem.

It shows up in my Firefox, but not in Seamonkey (which comes with better tools than most of the browsers).
 
Could be any number of reasons. Joomla may have been out of date. File permissions may not have been set properly.
 
Status
Not open for further replies.
Back
Top