Where to find and fix malware infected files in Joomla 2.5

Question

I am trying to remove the line of code below that has been inserted into several pages on my Joomla 2.5 site:

<div class="top">
   <style>
     div.links {
       width:150px;
       height:1px;
       padding:0px;
       font:11px Tahoma;
       overflow:hidden;
     }
   </style>

Sucuri states that this code is is in several pages such as:

http://www.mrvtv.com/index.php/public-documents

http://www.mrvtv.com/index.php/board-of-directors

and several others with urls like this. My problem is that I do no know where or how to find these pages in Joomla to remove this code. I have looked at all the index.php files but they don't look like the page source code where i can see the offending lines.

Thanks for any help out there with regards to finding these pages and fixing them.

Very best, Jo

Answer 1

Check the index.php file of your template.

You do need to update though, and I'd replace all files with fresh. ALthough it seems like a strange thing for someone to do.

Answer 2

The easiest way to find the files it to use SSH/Shell access and searching through all of them using grep.

1. SSH into your server using an SSH client, such as Putty

2. Run the following command:

   grep -R 'div.links' /path/to/joomla
   

If done correctly, it will output a list of all the files containing div.links.

Answer 3

Another way to identify modified files is to use Phil Taylor's tool at http://myjoomla.com - the tool can help revert modified core files back to their original state and your first audit is free.