How to clean up malware injection attack in joomla 3 and 2.5

Fake-code malware injection attacks on Joomla 3 and 2.5 have been very popular among hackers. In the previous year the attacks usually involved jQuery, since jQuery itself went mainstream and became one of the most widely adopted JavaScript libraries. But this year hackers have targeted legacy.php to inject fake code into Joomla. Most antivirus products didn't detect the infected site, but luckily the popular Avast antivirus detected the injected script as malware.

Symptoms of malware injection attack in joomla 3 and 2.5

  • Website is misbehaving and not functioning properly.
  • Homepage takes ages to load.
  • You cannot open your site again unless you disable your antivirus (Avast antivirus) for some time.
  • Homepage is not redirecting properly.
JS: Injection-A [Trj]

Where is the malware injected code in joomla?

How to clean up Joomla legacy.php injection attack?

The first suspect will be the but if the is clean. Go to library and open the legacy folder; here you can find legacy.php. Open this file using Dreamweaver or plain Notepad. The malicious script will mostly be at the opening of the PHP script, on line 1. You have to look for an unusual script, something like this:

[Image: How to clean up malware injection attack in joomla 3 and 2.5]

Now, if your site is still infected and cannot be opened, follow the few steps below.

Open your template folder, download index.php and open it using Dreamweaver or Notepad (don't use Notepad++). Again, look for an unusual script inside your index.php. The injected malware script will be somewhere in the middle of the file. Delete it!

If you cannot identify the injected code, compare your file with the backup file you kept. Or you can just replace the file.
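The backup comparison described above can be automated. The following Python sketch is an added example, not code from the original post; the function names and the files built in `demo()` are constructed for illustration, and it assumes you have a known-clean copy of the site on disk.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_with_backup(site_dir, backup_dir):
    """Map each differing file to 'modified', 'added' or 'missing'."""
    site, backup = Path(site_dir), Path(backup_dir)
    live = {p.relative_to(site) for p in site.rglob("*") if p.is_file()}
    clean = {p.relative_to(backup) for p in backup.rglob("*") if p.is_file()}
    # Files absent from the backup deserve review: they may be backdoors.
    report = {r.as_posix(): "added" for r in live - clean}
    report.update({r.as_posix(): "missing" for r in clean - live})
    for rel in live & clean:
        if digest(site / rel) != digest(backup / rel):
            report[rel.as_posix()] = "modified"
    return report

def injected_lines(site_file, backup_file):
    """Return (line_number, text) for live-file lines that the backup lacks."""
    live = Path(site_file).read_text(errors="replace").splitlines()
    clean = Path(backup_file).read_text(errors="replace").splitlines()
    matcher = difflib.SequenceMatcher(None, clean, live, autojunk=False)
    found = []
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            found += [(n + 1, live[n]) for n in range(j1, j2)]
    return found

def demo():
    """Build a constructed clean backup and a tampered copy, then compare."""
    root = Path(tempfile.mkdtemp())
    clean_php = "<?php\ndefined('_JEXEC') or die;\necho 'template';\n"
    for name in ("backup", "site"):
        (root / name / "templates").mkdir(parents=True)
        (root / name / "templates" / "index.php").write_text(clean_php)
    # Constructed, harmless stand-in for a line injected mid-file.
    tampered = clean_php.replace("echo", "/* CONSTRUCTED-MARKER */\necho")
    (root / "site" / "templates" / "index.php").write_text(tampered)
    (root / "site" / "extra.php").write_text("<?php // constructed unknown file\n")
    report = compare_with_backup(root / "site", root / "backup")
    lines = injected_lines(root / "site" / "templates" / "index.php",
                           root / "backup" / "templates" / "index.php")
    return report, lines

if __name__ == "__main__":
    print(demo())
```

Run `compare_with_backup` on a downloaded copy of the live site and your clean backup, then pass each file reported as modified to `injected_lines` to see exactly which lines to inspect.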

Prevent Reinfections from malware attack

Removing the malware is not enough. The hackers regularly try to update the malicious code so the problem will inevitably return unless you delete all the backdoors and close the security holes.

In other words, after removing the visible parts of the infection, you should harden your site to prevent reinfections:

  • Change passwords for all Joomla sites.
  • Review them for malicious admin users.
  • Make sure your CMS and all its third-party components are up to date. All unused stuff should be ruthlessly deleted from the server.
  • Add some protection against brute force attacks.
  • Always update your Joomla… update your Joomla!!

Suanlian Tangpua

Suanlian Tangpua is a Graphic & Website Designer based in New Delhi. He loves photography, cooking and blogging. Feel free to contact him at [email protected]
  • Suan February 9, 2017

    Among the scripts inside the .htaccess file of Joomla sites, is it all right for something like the lines below to be there, the “wordpress” part?

    #RewriteEngine On
    #RewriteBase /
    #RewriteCond %{REQUEST_FILENAME} !-f
    #RewriteCond %{REQUEST_FILENAME} !-d
    #RewriteRule . /index.php [L]
    # END WordPress

    • Suanlian Tangpua February 9, 2017

      The WordPress basic .htaccess script should not be in your Joomla site's .htaccess, but even if it is there it will not do anything. Deleting it will not cause any problem …