1

In my typo3temp folder I always find a file called javascript_a1cb3a5978.js. It seems that this is a JS by Typo3 to encrypt email adresses. Now in the code always the trojan is appended. I delete the file from the Typo3 cache and if the page is called in the browser the file is generated.

I tried to download the site and scan it with Security Essentials. Also I tried to search for eval but there are too much in the whole Typo3 folder. I didn't found something in the index.php and also I didn't found it in the htaccess. Permission should be OK for the site.

Do you have some ideas for me where this code is appended?

testing
  • 19,681
  • 50
  • 236
  • 417

1 Answers1

2

Check typo3conf/localconf.php and typo3conf/temp_* files and typo3conf/extTables.php.

Deactivate every extension and update your TYPO3. Check your TypoScript. I guess you should shut down your website and analyse how the attacker injected that code.

maholtz
  • 3,631
  • 1
  • 17
  • 17
  • I already checked that files and also the TS. I didn't found anything special. Currently, the trojan seems to be gone, but I think the provider used a backup. Yeah, the TYPO3 has to be updated! – testing Jul 10 '12 at 14:54