Strategy for cleaning eval(base64 .rr.nu hack

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

babaraccas
Joomla! Fledgling
Posts: 2
Joined: Wed Feb 29, 2012 3:31 pm

Strategy for cleaning eval(base64 .rr.nu hack

Post by babaraccas » Wed Feb 29, 2012 3:54 pm

My site (1.5.23) got hacked recently and every .php file has


<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCd...blah blah blah for a long time
It was redirecting users to a .rr.nu address. I found a lot of information how to clean a similar hack out of a wordpress site, but not much for Joomla.

I've changed my passwords (ftp, admin, users) and I'm planning to overwrite my old Joomla installation files with a fresh install and then restore my old configuration file. I'm hoping that takes care of the bulk of the damaged code. Then I think I can go through and find the rest in the components and clean them manually.

I've looked through the vulnerable extensions list and none of my extensions are red flagged. So I'm going to update all of those as well.

I'm still concerned about my database. Is it likely that this hack has damaged my database? How can I tell? Can I fix it?

Disclaimer: I know my installation is out of date which makes me a loser. Sometimes we have to learn lessons the hard way. I appreciate any help in advance in spite of my loserness.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by mandville » Wed Feb 29, 2012 6:04 pm

I suggest that after going through this, you see checklist 7 and follow the safe route to recovery.
Unfortunately some extensions don't get caught as vulnerable.


[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777; the ideal is 644 for files and 755 for directories.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous FTP enabled.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

babaraccas
Joomla! Fledgling
Posts: 2
Joined: Wed Feb 29, 2012 3:31 pm

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by babaraccas » Wed Feb 29, 2012 6:57 pm

Thanks mandville. Will the FPA be able to determine if my database has been altered or affected adversely? I have a site backup from December, but I'd rather not lose the work I've done over the last few months. But I also don't want to spend a bunch of time cleaning out my Joomla! installation only to find my database is unrecoverable.

Any advice? Again, thanks for the help and I realize I am a double-loser for not having a more recent backup. I swear I thought I backed it up last month. :eek:

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by mandville » Wed Feb 29, 2012 7:05 pm

babaraccas wrote: Will the FPA be able to determine if my database has been altered or affected adversely?
Nope.
babaraccas wrote: I swear I thought I backed it up last month. :eek:
Ask your host - they may have a secret backup plan.
babaraccas wrote: I realize I am a double-loser for not having a more recent backup.
A true loser doesn't admit they are one. {opening lines of losers anon}

coloradofree
Joomla! Apprentice
Posts: 21
Joined: Sun Feb 17, 2008 7:47 pm
Location: Durango CO, USA

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by coloradofree » Mon Mar 05, 2012 2:55 am

I just deleted that script out of every index.php file in all my installations. I looked everywhere, I reinstalled, and the message "you have to pay for this crypt" still appeared on every one of my sites, Wordpress and Joomla as well as Gallery2 and Coppermine. It appears to be Java based. No go. I deleted all my sites (30) and have to start all over. If you find a working answer to this one I'd like to know. Thanks.

http://forum.joomla.org/viewtopic.php?f=432&t=700372

On another forum I found a location for the code's origin; it's coming from here:

98.206.239.156

Somewhere in Aurora Illinois it appears on 3 blacklists.

TownWebsites
Joomla! Apprentice
Posts: 20
Joined: Tue Jan 11, 2011 4:00 am

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by TownWebsites » Mon Mar 05, 2012 4:31 pm

I suggest you do a database dump on the December and current databases, and use a text difference tool to peruse the changes. If your site hasn't had extensive changes then you should be able to check all your articles, and most tables shouldn't have changed at all. Anything that has changed should stand out in a good text differencing tool, and you should be able to spot anything that a hacker has overwritten.

Charlie


babaraccas wrote:Thanks mandville. Will the FPA be able to determine if my database has been altered or affected adversely? I have a site backup from December, but I'd rather not lose the work I've done over the last few months. But I also don't want to spend a bunch of time cleaning out my Joomla! installation only to find my database is unrecoverable.

Any advice? Again, thanks for the help and I realize I am a double-loser for not having a more recent backup. I swear I thought I backed it up last month. :eek:

nicol
Joomla! Intern
Posts: 58
Joined: Wed Jan 18, 2006 2:33 am
Location: London

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by nicol » Wed Mar 07, 2012 8:54 pm

I've had the same hack on two user accounts, affecting everything, regardless if it's Joomla, CakePHP, Wordpress, etc. One blog I saw today suggests at least 30,000 wordpress blogs have been infected.

There's a script here for scanning for infected files:

http://discussion.dreamhost.com/thread-134470.html

And a script for cleaning up WordPress files (it timed out for me on WP, not tried on Joomla yet).

http://discussion.dreamhost.com/archive ... 262-1.html

It does seem a lot of people with problems are on Dreamhost shared hosting (I am), though both my user accounts that got infected also hosted Wordpress blogs. I am now trying to isolate all sites with their own user account.

Nic

geoffmack
Joomla! Intern
Posts: 93
Joined: Tue Oct 20, 2009 8:06 pm
Location: San Francisco, CA

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by geoffmack » Thu Mar 08, 2012 1:18 am

Yep, we are on dreamhost as well. We got hacked a few days ago and it just won't stop. We had a brand-spanking new Joomla 1.7 site, and today I upgraded to 2.5.2. The problems persist.

I don't know where to turn next. I delete the htaccess file the moment it appears, but I have no idea how to prevent this from continuing to take over my site.
Geoff Mack
Joomla Website Developer
http://www.gystmedia.com

TownWebsites
Joomla! Apprentice
Posts: 20
Joined: Tue Jan 11, 2011 4:00 am

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by TownWebsites » Thu Mar 08, 2012 3:31 am

You might try putting in your own .htaccess with permissions 444 - that is read only for user, group and world. If someone is writing to .htaccess, whether it is from outside your account or inside, a write-protected .htaccess could slow them down. On my CPanel server, it seems to need the 444 permission on .htaccess - I would otherwise recommend 400. 400 seems to work for index.php - that is read permission, only for the user. Apache seems to need broad permissions for some operations, like reading .htaccess and I think also for opening a directory; and the permissions depend on exactly how your server is configured. I think FastCGI allows the most specific permissions (owner on some things - but not everything - where other methods run just as user www-data for everything, meaning anyone can do almost anything across CPanel accounts if they want to under that setup). Wish I could find a good guide on what needs to have what permissions; it looks non-intuitive to me so far, except maybe for the different rules for files directly accessed (index.php) and others. The templates directory seems to need 755 or some CSS files can't load - weird. But templates/mytemp/index.php can be 400.

If you haven't cleaned the account it is likely the perpetrator still has access to a script which they can get to write to .htaccess over and over again.

Admin Tools Pro (J addon) has a signature collecting option that can help you figure out if anything has been dropped or altered onto your site. I use my own signature script which does incremental backups so I can be pretty confident when I compare signatures from one timeframe to another, I can know what files have changed. Saves the hassle of having to start over from scratch or guessing what is a 'known good' version to restore if you get zapped.

Good luck.
geoffmack wrote:Yep, we are on dreamhost as well. We got hacked a few days ago and it just won't stop. We had a brand-spanking new Joomla 1.7 site, and today I upgraded to 2.5.2. The problems persist.

I don't know where to turn next. I delete the htaccess file the moment it appears, but I have no idea how to prevent this from continuing to take over my site.
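The two approaches mentioned in this thread, nicol's scan for infected files and TownWebsites' "signature" comparison of file hashes between two points in time, can be combined in one small script. The following is an added example written for this thread; it is not code from any poster, from the Dreamhost scripts linked above, or from Admin Tools. It builds a hash manifest of a site tree, compares it with an earlier manifest to list added, removed and changed files, and separately flags PHP files whose first bytes contain an `eval(base64_decode(` loader like the one quoted in the opening post. The demo site tree, the file names under it and the base64 string (which decodes to the word PLACEHOLDER) are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Generic signature of the loader quoted at the top of the thread. The regex is
# constructed for this example and is deliberately loose about whitespace.
LOADER_RE = re.compile(rb'eval\s*\(\s*base64_decode\s*\(', re.IGNORECASE)


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(old, new):
    """Paths added, removed or changed between a baseline manifest and a later one."""
    return {
        'added': sorted(set(new) - set(old)),
        'removed': sorted(set(old) - set(new)),
        'changed': sorted(p for p in old if p in new and old[p] != new[p]),
    }


def find_loaders(root, head_bytes=4096):
    """PHP files whose first head_bytes contain the eval(base64_decode( loader."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as f:
                head = f.read(head_bytes)      # the loader is prepended, so the head suffices
            if LOADER_RE.search(head):
                hits.append(os.path.relpath(full, root).replace(os.sep, '/'))
    return sorted(hits)


def demo():
    """Constructed site tree: take a baseline manifest, then simulate the infection."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, 'tmp'))
        clean_index = b"<?php\ndefine('_JEXEC', 1);\necho 'site';\n"
        with open(os.path.join(site, 'index.php'), 'wb') as f:
            f.write(clean_index)
        with open(os.path.join(site, 'configuration.php'), 'wb') as f:
            f.write(b"<?php\nclass JConfig { var $sitename = 'demo'; }\n")
        baseline = build_manifest(site)

        # Constructed payload: base64 of the word PLACEHOLDER, nothing executable.
        loader = b'<?php /**/ eval(base64_decode("UExBQ0VIT0xERVI=")); ?>'
        with open(os.path.join(site, 'index.php'), 'wb') as f:
            f.write(loader + clean_index)          # prepended to an existing file
        with open(os.path.join(site, 'tmp', 'cache.php'), 'wb') as f:
            f.write(loader)                        # dropped as a brand-new file
        current = build_manifest(site)
        return compare_manifests(baseline, current), find_loaders(site)


if __name__ == '__main__':
    diff, hits = demo()
    print('added:', diff['added'])
    print('changed:', diff['changed'])
    print('loader found in:', hits)
```

The manifest comparison is what makes the difference between "overwrite with fresh files" and "delete and reinstall" visible: a dropped file such as the `tmp/cache.php` above shows up as added, and would survive a plain overwrite. For real use, store the baseline manifest (as JSON, say) outside the web root, taken right after a clean install, so the comparison is against a known-good state rather than against a tree the attacker may already have modified.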

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by mandville » Thu Mar 08, 2012 6:27 pm

Clarification point: cPanel will automatically create a blank .htaccess file.
Post the content of your htaccess file so we can see if it's corrupted.
Check also your cron job.

coloradofree
Joomla! Apprentice
Posts: 21
Joined: Sun Feb 17, 2008 7:47 pm
Location: Durango CO, USA

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by coloradofree » Sat Mar 10, 2012 10:32 pm

Get your backups out and delete your sites, then do just what Mandville says. So far so good for me; I started reconstruction this week. I'm also dumping Wordpress for my sites (I had six using it), sticking strictly with Joomla. I also took an 80 gig hard drive and created five partitions, one for original backups and the others for constant backup. Keep one set that are not overwritten so you are ensured a clean copy. Back up your databases the same way and get the best protection you can for your sites. This one is truly eval!!! I don't see it going away for some time. If you guys are finding your IP is riddled with this thing I would suggest moving on!

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Strategy for cleaning eval(base64 .rr.nu hack

Post by PhilD » Mon Mar 19, 2012 11:30 pm

Some common points I see throughout this thread.

You can not 'upgrade' to a new version once your site has been hacked. The 'upgrade' is unlikely to remove all (or any) of the hack and the newly 'upgraded' site will just be hacked again.

Solution:
Delete all files within your public_html directory and follow the security checklist 7 info. Download fresh files and upload the fresh files to the site. Then do the 'upgrade' to a new version.

You can not just 'overwrite' your site's files with fresh ones. This may not remove the hack if the hack is in its own directory and/or has additional files uploaded to your site. This is very likely with certain hacks. Again, this will simply cause your site to continue to be hacked.

Solution:
Delete all files within your public_html directory and follow the security checklist 7 info. Download fresh files and upload the fresh files to the site. This will eliminate any added directories and added files that would not be replaced by copying over the Joomla files with new fresh files. Be aware, as mandville mentioned above, that cPanel will generally create a blank htaccess file in public_html if it does not find one there, so do not be alarmed about this file suddenly appearing.

You can not trust your site file backups as these backups may be contaminated with the hack files. By using backups you may be simply putting back the hack and in essence infecting your own site again and again.

Solution:
Delete all files within your public_html directory and follow the security checklist 7 info. Download fresh files and upload the fresh files to the site. Then do the 'upgrade' to a new version if you're not on the current version of your Joomla series. Consider migrating or moving to the 2.5.x version.

Do not fully trust your database. This is where the bulk of your Joomla information lives, and is normally kept for reuse. Though this is still rather rare, it has been seen that code can be added to actual article text contained within the database which will execute when the article is displayed on the site. This is similar to a template hack; just using a different method.

Solution:
Reuse the existing database, but check (offline with a local development server setup such as XAMPP or WAMP, if possible) the database articles for any added code. Use the source code viewer in your desired Joomla editor to do the inspection, or copy the article source code to Dreamweaver or a text editor (Notepad++) and look for anything strange there. Also sort your Joomla users by group and make sure any who have backend (admin, super-admin) privileges are actually people you gave the privileges to.

Do not trust your host especially when using a shared hosting or vps account. Many, big and small, have a high incidence of hacked servers as evidenced by these forums and Google. Ever wonder why?

Solution:
If you suspect your host is not serious about security setups, keeping the server malware free, and the server software up to date, or their tech support appears to be reading off cue cards, then find a better host. Cheap does not necessarily mean bad and expensive does not necessarily mean good. Web Hosting Talk is a good place to find decent hosts.

The above is not exhaustive and you should make sure you at least follow what is written in checklist 7. It is also wise to heed what is in the "Before you Post" forum sticky http://forum.joomla.org/viewtopic.php?f=621&t=582854 . The documentation is there to assist in properly fixing a hacked site and helping to prevent it from happening again.
PhilD
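PhilD's database advice above (inspect article source for added code, and audit who holds backend privileges) and TownWebsites' earlier suggestion of diffing the December dump against the current one can be scripted once the two exports are loaded. The following is an added example written for this thread, not code from any poster or from Joomla. It assumes the article rows have already been pulled out of both dumps into `{id: (title, body)}` dictionaries and the user rows into `(username, usertype)` pairs; the `usertype` strings for backend groups follow the Joomla 1.5 `jos_users` table as the example understands it. All article bodies, user names and the `example.invalid` script URL are constructed for the demo.

```python
import difflib
import re

# Constructs that have no business in an ordinary article body (constructed list).
SUSPECT_RE = re.compile(
    r'<script\b|<iframe\b|eval\s*\(|base64_decode|document\.write', re.IGNORECASE)

# Joomla 1.5 keeps the group name in jos_users.usertype; these are the backend groups
# (assumed for this example).
BACKEND_TYPES = {'Manager', 'Administrator', 'Super Administrator'}


def changed_articles(old_rows, new_rows):
    """Rows are {id: (title, body)}. Returns (ids added since the old dump,
    ids present in both whose title or body differs)."""
    added = sorted(i for i in new_rows if i not in old_rows)
    changed = sorted(i for i in new_rows if i in old_rows and new_rows[i] != old_rows[i])
    return added, changed


def suspect_articles(rows):
    """Ids whose body contains a construct matched by SUSPECT_RE."""
    return sorted(i for i, (_title, body) in rows.items() if SUSPECT_RE.search(body))


def _split_tags(html):
    # Break the body at element boundaries so a diff points at the injected tag.
    return re.sub(r'>\s*<', '>\n<', html).splitlines()


def body_diff(old_body, new_body):
    """Unified diff of two article bodies, one HTML element per line."""
    return list(difflib.unified_diff(
        _split_tags(old_body), _split_tags(new_body), 'december', 'current', lineterm=''))


def unexpected_backend_users(users, known_admins):
    """users: [(username, usertype)]. Backend accounts not in the set you created."""
    return sorted(u for u, t in users if t in BACKEND_TYPES and u not in known_admins)


def demo():
    """Constructed December and current exports, plus a constructed user list."""
    december = {
        1: ('Welcome', '<p>Welcome to the site.</p>'),
        2: ('About', '<p>About us.</p>'),
    }
    current = {
        1: ('Welcome', '<p>Welcome to the site.</p>'
                       '<script src="http://example.invalid/x.js"></script>'),
        2: ('About', '<p>About us.</p>'),
        3: ('News', '<p>New article written since December.</p>'),
    }
    users = [('admin', 'Super Administrator'),
             ('editor1', 'Editor'),
             ('sys_tmp', 'Administrator')]      # constructed rogue backend account
    added, changed = changed_articles(december, current)
    return {
        'added': added,                        # legitimate new work: keep it
        'changed': changed,                    # look at these by hand
        'suspect': suspect_articles(current),  # and at these first
        'diff': body_diff(december[1][1], current[1][1]),
        'rogue_users': unexpected_backend_users(users, {'admin'}),
    }


if __name__ == '__main__':
    report = demo()
    for key in ('added', 'changed', 'suspect', 'rogue_users'):
        print(key, report[key])
    print('\n'.join(report['diff']))
```

Article 3 shows why a straight restore of the December dump would lose work: it is new and clean, so it is kept. Article 1 changed and trips the tag scan, and the unified diff shows exactly which element was appended, which is the same thing a text differencing tool would show across the whole dump, just narrowed to one row. The backend-user check is the scripted form of "sort your users by group".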

