Hi guys,

the website of a friend has been hacked (I think).
I made some check and I've found this:
wssa.beyondsecurity.com/my_account/?#web632749

As you can see, some k2 files seem to be affected (i.e.: component/k2/itemlist/search.html?searchword=Cerca&categories=&format=html&t=&tpl=search).
Does anybody know how to get rid of this?

Thanks to all of you who will help me!

You did not post a link to your site.

This post is helpful.
docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
www.joomlabamboo.com/blog/how-to-joomla/8-most-common-hacks-of-joomla-sites-and-how-to-avoid-them

Yes, you're right.
The url is dazebaonews.it.
I'll also check for the link you posted. Thanks for answering me!

A security scan from sucuri.net/ is always helpful.

Already done, without finding anything...

The final thing to do is to check your php and .htaccess files manually for any code that looks suspicious.

I say that there's some problem because google sent a message about it (to my friend) telling him that probably somebody has hacked his website, after that, looking at the web audit (I think you can get it from here: wssa.beyondsecurity.com/my_account/?h=0a8bdc314e7b ) there are many Vulnerabilities in Custom Web Code, with this code:

We discovered vulnerabilities in the scripts listed below. Next to each script, there is a description of the type of attack that is possible, and the way to recreate the attack. If the attack is a simple HTTP GET request, you can usually paste it into your browser to see how it works. If it's a POST attack, the parameters for the POST request will be listed in square parenthesis.

Cross Site Scripting
URL: www.xxx.com/component/k2/itemlist/search.html?searchword=Cerca&categories=&format=html&t=&tpl=search
Affected Parameter: searchword
Vector Used: '";%0d%0aalert('a');%0d%0a"'
Pattern found: '";
alert('a');
"'
Complete Attack: www.xxx.com/component/k2/itemlist/search.html?searchword='";%0d%0aalert('a');%0d%0a"' &categories= &format=html &t= &tpl=search

I already saw Sucuri .
I'm not saying that the problem is k2 (I use it often and I never had any problem), I'm just asking if there could be something wrong with it. There are not other strange extensions installed.

I gave you several links to check with possible solutions.
Since this is not a K2 issue but a Joomla!/ security one I am afraid I can assist you any further.

Hi there,

Our Sitelok XSS Scan has detected a critical cross-site scripting vulnerability on our registration page located here: www.dominioncolour.com/registration

They say it must be corrected within 72 hours in order to maintain our certification.

Our site is hosted at GoDaddy and our plan includes Sitelok security services and our website is running on Joomla v.3.4.3 on a Linux, PHP MySQL server using K2 v2.6.9.

Here is a description of the issue from csv I downloaded:
914f68c270edd3ad3fab18aee4292574,K2UserForm,customerother,gid,id,interestother,jform[address],jform[assign],jform[city],jform[comment],jform[company],jform[country],jform[customer][0],jform[email1],jform[email2],jform[interest][0],jform[lname],jform[name],jform[password1],jform[password2],jform[phone],jform[primaryjob][0],jform[skype_name],jform[state],jform[title],jform[username],jform_consentreceive,osolCatchaTxt,osolCatchaTxtInst,primaryjobother,task

Can you please provide any insight and help in this issue.

Thank You

The registration page you posted is based on 3rd party extensions.
You need to locate which extensions are used and contact their developer.

Furthermore Joomla 3.4.3 contains a critical security issue.
You need to upgrade to 3.4.5 asap.