The Joomla! Forum ™

Can you explain, I do not understand the ISP cache or city location.

But an infected computer with ftp access is one possible way(of many) the exploit got on your server.


Why not ? You still have the database and ftp access yes ?

_________________
http://weblinksonline.co.uk/joomla-faq.html

Couple things. If you still have the database then you can manually copy the Joomla files back. Use the same version that you were on before you attempted to fix things. If you don't have a copy of the configuration.php file we can help get that back by telling you what to edit manually to create one.
Once the basic site is back, you can update to the latest version then go from there.

Have you checked what nameservers are attached to your domain name and are they correct?

I would think about switching hosts if they are being unhelpful and you were not able to make backups of your site because or them. Backups of any site is very important.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

It does not have to be an htaccess redirect hack or even a server hack.

This (redirect) can be performed by a specific bit of code dropped into a file on your site usually in the form of obfuscated code. This file it is inserted within could be your templates index.php file, an html file, javascript file or a php file different from the index file already mentioned. Done properly this code is usually a conditional redirect so only people reaching the site from a specific path (google,yahoo, facebook, etc. and so on) and using a specific selection of browsers (user agents), get the redirect to a bad (malware, spam etc.) site. Anyone not meeting the requirements gets a normal page without a redirect to somewhere else. This makes it a bit harder to discover and thus the code gets to serve it's redirects longer. Done improperly, everyone gets the redirect and it is easily discovered.

Though there are other methods that can be employed, the code (as with any other type of malware hack) normally gets onto a site by an insecure extension or by using out of date (and thus insecure) core software.

Because this code can be within almost any file within a site and it is recommended that one follow the points below. Only by doing this can one be assured the code is truly removed form the site.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Select the checkboxes for Show Components, Show Modules, Show Plugins before generating the forum code.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Hi,

I have a few sites (3 joomla, 1 mambo, 2 forums) and i have a strange problem.
Suddenly all of my .htacess files have this code:



and a few pages of my sites (not all of them, just those that are well positioned in google searches) are redirected to a russian site.

I deleted the files several times and the code reapeares.
I`ve asked the host if the problem occurs in every account hosted on that server (it is a shared account) and they`ve told me that the problem is on my account (i don`t know if i can trust this answer). They even changed the .htacess permissions to 444 and the files is still changing every time.

Any idea on how should i handle this thing?

beyond following the instructions in this post viewtopic.php?f=432&t=475313
have you looked at the other topics in this forum?
Moderators comment: we can not provide support for other peoples forum and cms scripts eg mambo

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

How about providing support for joomla instead.

The version is 1.5.22

thats what we are here for, and as stated in the post, viewtopic.php?f=432&t=475313 run that, and read the other htaccess hacked posts for anything familiar

which means you are using a vulnerable version of joomla.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

I am using the latest Joomla version (1.5.26), and am also getting this problem.

I keep deleting the code from .htaccess but it keeps reappearing. I have tried changing passwords, but this does not work either.

This is from the link mandville posted

Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar htaccess hacked issue? There may be info to help you in one of those posts.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Check the check boxes for Show Components, Show Modules, and Show Plugins before generating the forum post code. Post the generated code so we can check your environment.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Hi

I also have/had this problem today.

I'm not sure at this time, but after I deleted all files in /tmp where I had one file named jos_core.php.

This file I have seen mentioned a couple of times regarding this problem.

Since deleting this file and restored httaccess file from remote backup the domain I have had problems with have been fine, no new "infections" for a couple of hours now.

Hope this helps, and please report back if this also helped you so we can help others.

In order to better help, pepole jumping on the OP's topic should think about starting their own.

Everyone including the me too's should follow what I and mandville posted above. almost Any hack of your website can be solved by following the posted information. This includes non Joomla websites and programs.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

I just want to say that I too had code mysteriously appear in more than one .htaccess file on my server (Godaddy Shared)... What I believe this is: a bot that searches the root of tons of websites for an .htaccess file with permissions set incorrectly. As long as you can reset the permissions to 444 (only read for owner,group & public) It should remain unchanged in the future. - I deleted the ones with the malicious conditional redirect code and replaced them with backups but set the permissions to 444 immediately. - This cured the redirect from search engine urls that they had placed in my .htaccess....


You can scan your site after you make the corrections here: sucuri.net - click the link for CMS's Wordpress, Joomla etc. - This caches the results for 24 hrs. or more so re-scanning will not tell you if you fixed it or not.

Try http://www.siteadvisor.com/ -Use the little form on the right hand side labeled "View a Site Report" to check if you have malware...

Or you can try: http://safeweb.norton.com/

P.S. On GoDaddy, in hosting control panel under "FTP File Manager" there is a setting for "History" you can use the calendar to set the date and select the files/directories you want to restore to that date and this can help if you cant find the culprit... I set mine to yesterday and the .htaccess files came back with permissions 604 but no code so the backups must have been done before the code was stuck in there... meaning simply setting the permissions correctly (444) again seems to stop the problems entirely. (I could find no malicious code in databases at all so I think this fixed the redirect)

Unless other unwanted files have been put on your server

_________________
http://weblinksonline.co.uk/joomla-faq.html

I must take issue with your "recommendations" on solving the hacked site

so what permissions were they in the first place? your htaccess is normally 644 anyway, so the person who had root access to your joomla wrote it without worrying what permissions it had. .

As webdongle points out, you dont know what else was put on the site or even how it was hacked in the first place
if you had searched or read other posts you will have seen the that suggestions such as this do not work with sorting the reasons first, or locating the shell script that was installed.
Many experienced users have compiled the list of how to and guides for resolving hacking issues.

Checklist 7 is the page you want that is linked in the checklist below from the sticky post "before you post read this".
As you apparently have been hacked, then would you post your extended fpa output so we can attempt to see why?



[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

+1 mandvile for that and the rest of the post. There are far too many posting they fixed the issue and misleading others. mandville has put a lot of time and effort into creating a method to recover/rebuild a hacked site. Those who do not follow that guide will inevitably be hacked again. Or be an unknowing carrier of spam.

_________________
http://weblinksonline.co.uk/joomla-faq.html

others were involved, phild and i just compiled it.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

I am not very good at asking for help. I was merely trying to explain what happened to me and how I got a site to be accessible from search engine referring urls (90% of our traffic comes from one of the conditional rewrites that had been added to my .htaccess.) This means that our clients (new & returning) were being redirected to a site serving up malware (Windows Antivirus 2012) - I got my sites live again and so far it's business as usual. (I have about 8 sites in this account 5 have SSL and only the 2 sites with .htaccess files I edited last night were affected?

You see, I had just last evening put a new .htaccess in my hosting root (Joomla site#1) and edited the .htaccess in a folder inside of another hosted site in same account (Joomla site #2) -
Then today, when I discovered the referring links (serps/facebook/twitter etc.) were
redirecting to this .ru malware site,
After discovering the code, I checked permissions on these two files found that only these two files were 604 and so I swapped them out with new untainted ones and set permissions to 444.

Then I deleted the .htaccess from my hosting root (Joomla site#1) and then used GoDaddy's control panel to do a complete file restore on every file/folder in my enitre account (to the date of yesterday) from Godaddy's backups, and voila' the .htaccess without the malicious code and the old permissions re-appeared.
I again reset permissions to 444 and I can't see anything in PHPMyAdmin - you see on sucuri.net it was reporting that malicious code was found in http:// [your-site] .com/ (*no spaces*) 404javascript.js - This file does not exist. nor can I find any reference to it in my database (I searched for 404 across the entire db) - See this (cache for 24 hrs) http://sitecheck.sucuri.net/results/http:// [your-site] .com

And here is my FPA Post


I understand what you are saying and I will try to follow the instructions you have given me but until I see evidence of an injection or any strange files or my site(s) or .htaccess gets re-written again - I don't want to upgrade Joomla and risk the crazy modifications I have made over the years without any training to break my entire site..... I am not tying to offer recommendations to anyone rather explain what happened to me as best I can and see if it leads to any advice...... or helps anyone else.... I thank you for your responses to my crazy post. I am a scatterbrained kinda dude.... HELLLLP (& Thank you)

The file 404javascript.js pretends to throw a 404 error.

Generated source code

Your site is still infected !!!

_________________
http://weblinksonline.co.uk/joomla-faq.html

and after seeing your fpa output


I will say either you update the core files that need updating to the latest secure version of joomla or we will be very reluctant to help you as everything we suggest to sticky plaster your site will be in vain

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

No, I am afraid that is SmartOptimizer throwing that error... I just uploaded a blank 404javascript.js that contained a silly sentence, removed the "SmartOptimizer code from my .htaccess and you can call it just fine I saw the sentence in the file.
The results from sucuri.net i linked to are cached results.

When I removed that smart optimizer code and uploaded new .htaccess, I renamed the phoney 404javascript.js to 1404javascript.js and went to the url including 404javascript.js and it redirected to the russian malware site.... (so site is still infected)
when I upload a blank 404javascript.js file no redirect / not from that file or from search engine referrers... the .htaccess is not being written to,
I hope I am making sense... If I remove that blank 404javascript.js file and you go to that url, you will be redirected to malware... but no redirect in .htaccess because I have a blank version of that file in site root it loads it instead of redirecting....

I wish I knew where the code was injected -On the vulnerable checklist I found that I have RSMonials a known vulnerable and I also had akeeba which I removed.... - I am afraid to upgrade, removing rsmonials will hurt me in search rankings because of all the content lost- I guess I could buy Jreviews....
P.S. this malware site tries to give you a file, after cancel it gives you the "leave page" "stay on page" dialogue, and you can exit out if you are careful....

After reading that last post by mandville - I am trying to get the nerve to just try to upgrade, can I just follow instructions on exactly how to do it? Where should I begin? Sorry if I am asking questions that could be answered with a simple search.. I am not wanting to be a pain..... I just need a little guidance...

Is jUpgrade doable?
-

I will share this. I had the same problem, and appears we are using the same type of GoDaddy account.
1. The hacker got into one of my dormant domains, that I should have removed.
2. Once in, replaced my .htaccess files. The crazy part is that when I started I was using simple FTP. Utilizing FTP with GoDaddy you cannot see the .htaccess file for the root html folder, That was re-directing any errors to the primary and alias domains to the malicious site. Only when I changed to SSH was it visible.
3. Do not believe any of the databases were compromised but all files in all joomla/wordpress domains had to be replaced as any compromise leaves everything suspect.

I have not had any issues since this past Sunday.

That says it all because you don't know. Your site could be compromised in many directories and you don't know!. Until you delete all the folders/files on your server and replace with the latest version of Joomla (and only use the newest versions of extensions not on the VEL) ... and everything else on the list ... you can not be sure of removing the exploit.


Yes, I agree 100%

_________________
http://weblinksonline.co.uk/joomla-faq.html

Cmiw, sometimes they even put the infected .htaccess above the public_html.

I was just yesterday cleaning up the same issue like this one.

The source of it was "local file injection" of a .php script inserted into tmp/ folder in webroot. The php script has a Base64 encoded and packed code inside that gives the attacker access to your whole homedir and can do virtually anything!!

Detection:
Please take a look into tmp/ folder and find any .php files (here they were named "_cache_XYZ...php" in my case, but the name shouldn't really matter). You will notice code like this:
. Simply delete file(s)!

Source:
The weak extension I found that was used to inject files was an old version of "Advanced Module Manager" based on know vulnerable "NoNumber Framework"... so if you have extensions based on NoNumber framework, upgrade or uninstall them...

I can try to take some time and write script to search for those files if needed.

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum

thaks for the offer,
not every site we have looked at has that extension, also it is not server specific, nor joomla specific
the malicious cron file has had various name but is most commonly called "jos_core" or "joom_core"

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

Exactly, the issue is widespread last few days, I found that many Wordpress sites are also infected with such scam, and reports say mostly it's some LSI vulnerable extension/plugin that has been used.

I also saw jos_core.php in access logs, but file was gone... are the files regularly in WEBROOT/tmp folder ?

In our case there wasn't any cronjob, at least not on the account-level, it wasn't on our servers (external client) so we can't be sure for the rest of server though...

I'll patch up some scanning script later today

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum

yes, most of them are in the tmp folder..

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

I had this exact file - (mine was named "_cache_tb4cgodq.php").
I uploaded a blank dummy file named 404javascript.js to root of each infected site which seemed to stop the redirect from occurring.

I deleted the _cache_tb4cgodq.php in the tmp folder and renamed 404javascript.js to something else and called my site address + /404javascript.js and the redirect occurs again, (The .ru site is down.....) anyway, I renamed 404javascript.js back to that and left it alone... I have to go do the work that this site produces and it being live and not serving malware is most important. Is there anything that can be done to prevent hackers from doing this type of "local file injection"?

I would like to take this opportunity to remind you that your site is still infected. And by not deleting all the files and replacing them with updated ones ... that you risk infecting the Browsers of visitors to your site.

_________________
http://weblinksonline.co.uk/joomla-faq.html