Joomla .htaccess hacked to xxx.ru

[Webdongle]

@theitd

The only thing that showed in scans was the last on the list that you PM'd. Outdated software, Joomla needs updating. That doesn't mean your site is clean just that nothing was found. But it's a good indication all is OK so far.

[mandville]

Summary of this topic so far.
* affects "any" hosts and server configurations
* is not joomla specific (vb/wp/drup/html sites all report issues)

procedure to repair
see the forum sticky Before you post : read and action this

concentrate on http://docs.joomla.org/Security_Checklist_7 with specific attention to http://docs.joomla.org/Security_Checkli ... ter_relief
and http://docs.joomla.org/Security_Checkli ... d_and_cron

suggestion: create a htaccess file in the tmp folder with the code from http://docs.joomla.org/Security_Checkli ... ermissions to attempt to hamper attacks

[leolam]

Summary of this topic so far.
* affects all hosts and server configurations

Sorry but happen to, based on our own hosting environment, strongly disagree. We have had not any of these events on our servers and I am sure that many other hosts have the same non-experience based on their security settings so you simply cannot state this as (your perception) fact

Leo

[mandville]

is that better and taken as read?

[Webdongle]

Typed it while mandville edited her post so will post anyway

Summary of this topic so far.
* affects all hosts and server configurations

Sorry but happen to, based on our own hosting environment, strongly disagree. We have had not any of these events on our servers and I am sure that many other hosts have the same non-experience based on their security settings so you simply cannot state this as (your perception) fact
...

Perhaps this is a use of grammar misinterpretation. It is Obvious to me that "affects all hosts and server configurations" means that it is not aimed specifically at Joomla or shared Hosting or specific Hosts. Dear lam your servers may not be effected now(and may not be in the future). But the possibility is there.

Your Hosts and servers are no doubt set up securely but if someone using your services has a vulnerability in their site files then they open to be hacked. Regardless of your server settings.

Again it is obvious to me that" affects all hosts and server configurations" means that even the strictest security on the Hosting server will not prevent the hack. Because the hack is not specific to server set up. It is using any vulnarability to access the server.

And no, I am not trying to speak for mandville. I am explaining why I think your interpretation of the English grammar is incorrect.

[leolam]

is that better and taken as read?

No..... should read "might effect hosts and servers where security is not optimized"

Cheers
Leo

[Webdongle]

.... should read "might effect hosts and servers where security is not optimized"

No it should not because it can effect any server regardless of if it is security is optimized. It could effect your servers if your customers have insecure software on their sites.

It has the potential of effecting ANY Hosts and ANY server configuration because it does not always enter because of bad server set up !!!

[leolam]

Perhaps this is a use of grammar misinterpretation.

Is not. Nothing wrong with my interpretation of English or Dutch grammar. Do not cat the issue on native English which is rather patronizing.

Dear lam your servers may not be effected now(and may not be in the future). But the possibility is there

Address me with proper grammar Webdongle! And i do not agree with the statement. Your observation and your assessment are not shared with me and what is obvious for you is definitely not obvious for me. You talk from a user point of view.... I express from a hosting and a security background and daily (hosting) care for thousands of Joomla users

Because the hack is not specific to server set up. It is using any vulnarability to access the server.

That is not proven and I do doubt it actually. (error in your grammar btw ;-) ). I am strongly convinced due to the fact that it is platform independent that it is using a system/server/cpanel breach

I am explaining why I think your interpretation of the English grammar is incorrect.

wrong interpretation and I have no need to go back to language school. Tnx Webdongle!

Leo

[leolam]

Let's get a couple of issues straightened out here:

1) this post and its replies are about hacked htaccess files

2) this htaccess can be protected as stipulated and further in detail explained by PhilD above in an earlier post

3) Any vulnerability in files or folders ("no direct access allowed" missing for instance) makes the respective site vulnerable BUT does not need automagically (not a typo but simply reusing a cPanel word) make the server vulnerable if the host has taken good security on board. That specific site might go down but (the hack) can be isolated with a good server setup to that single site which again depends on security tools an monitoring tools installed on server level: For obvious reasons I will not go in further detail but a good resource is http://configserver.com)

4) How good a site is protected by its host sever setup; it can always be hacked through bad coded scripts. We as hosting companies cannot control all but we can do much (!)

5) A default .htaccess file cannot be hacked if server security is properly setup and htaccess itself protected.

Based on the above I therefor refuse to slightly accept or acknowledge the statements made by Webdongle in this thread nor do I agree with Mandville's 'conclusion' as outlined for reasons explained. This is no about general bad coded scripts (where I would agree with Webdongle's remarks) but about htaccess where the perception he has taken has no merit

Leo

[Webdongle]

Let's get a couple of issues straightened out here:

1) this post and its replies are about hacked htaccess files
...

The hacked htaccess file is the end result it is not the point of entry nor the only end result of the hack.

...
2) this htaccess can be protected as stipulated and further in detail explained by PhilD above in an earlier post
....

No he did not say that, in fact he said the opposite. If you are trying to justify your theories by quoting Moderators perhaps quote them correctly.

Once access to a site/domain is gained by some means other than normal web access, then everything is accessible. It does not matter what is put into the htaccess to "prevent" viewing. This includes the htaccess file, any password protected directories, any configuration files, and anything else both inside of and outside of the public_html directory.

http://forum.joomla.org/viewtopic.php?f ... 0#p2778590

...
3) Any vulnerability in files or folders ("no direct access allowed" missing for instance) makes the respective site vulnerable BUT does not need automagically (not a typo but simply reusing a cPanel word) make the server vulnerable if the host has taken good security on board....

'affects any hosts and server configurations' Does not mean the server is vulnerable. It means it applies to sites on any server. That is what I meant about grammatical misinterpretation. It is not meant to be 'patronising' but merely to point out that people from different parts of the world interpret some sentences differently.

...
4) How good a site is protected by its host sever setup; it can always be hacked through bad coded scripts. ...

My point exactly that's why the 'affects all hosts and server configurations'

...
5) A default .htaccess file cannot be hacked if server security is properly setup and htaccess itself protected.
...

According to PhilD

Once access to a site/domain is gained by some means other than normal web access, then everything is accessible. It does not matter what is put into the htaccess to "prevent" viewing. This includes the htaccess file, any password protected directories, any configuration files, and anything else both inside of and outside of the public_html directory

http://forum.joomla.org/viewtopic.php?f ... 0#p2778590

...
Based on the above I therefor refuse to slightly accept or acknowledge the statements made by Webdongle in this thread nor do I agree with Mandville's 'conclusion' as outlined for reasons explained. This is no about general bad coded scripts (where I would agree with Webdongle's remarks) but about htaccess where the perception he has taken has no merit
...

From the evidence given it appears you are confusing cause with effect. The redirects in the .htaccess are the result of a site being hacked via any vulnerability in the files of that site.

[mandville]

[moderation comment]
degenerating/distracting posts removed

[leolam]

Once again:
1) This post and its replies are about hacked htaccess files. If somebody has another idea about that refer to the title of this post

2) This htaccess can be protected as stipulated and further in detail explained by PhilD above in an earlier post

No he did not say that, in fact he said the opposite. If you are trying to justify your theories by quoting Moderators perhaps quote them correctly

I did and my memory is very good so I exactly know where I was pointing at when referring to an equivalent (and at least constructive) discussion on the very same issue: http://forum.joomla.org/viewtopic.php?f ... 9&start=30

It is not meant to be 'patronising' but merely to point out that people from different parts of the world interpret some sentences differently

Since you were addressing me with that remark I need to be amazed since I did not know that Netherlands were a different part of the world. I know we do have a piece of water between UK and Holland but therefor calling Holland a different part of the world seems odd to me.(no offense meant!)

A default .htaccess file cannot be hacked if server security is properly setup and htaccess itself protected.

I am referring to a direct hit on the htaccess file as described in the already referred at (constructive) discussion which anybody can read so I have no need to quote only parts to suit my needs.

From the evidence given it appears you are confusing cause with effect.

That is a misconception. The cause can be either a bad configured server as you so clearly pointed out in this posting which will have an effect that sites can be hacked or a bad coded script which allows hackers to gain access to the server and hack sites (cross domain even) which is the effect.

No further discussion for me on this on the forum. You can contact me on Skype if you like to but let us now stop polluting the thread with yes/no riddles shall we?

Leo

[MCTarakan]

Got hacked too

Read through topic and still see that nobody understand the way they get access to htaccess. I belive if you know way how it's done you easy close any backdoors they use.

Looking forward to get it fixed at the moment update all my Joomla and vBulletin sites...

[PhilD]

Well, I will be getting a job today cleaning up this hack on a host who so far I think has been immune to the hack, and so any host can have a site become a victim of this hack.

I also do not believe that 'protecting' the htaccess will have any bearing on if the site becomes hacked or not. The htaccess on this site was 'protected' correctly both by the server and by added 'code' in the htaccess file. I go back to saying this again. "If a site is compromised, then ANYTHING can be changed or manipulated within the domain." Depending upon the hack package used and the skill of the hacker more than just that one site can be hacked on any type of shared server. This hack does not affect just Joomla but can affect all sites even html sites.

To say our stuff don't get hacked, just means either none of your clients know that they have been hacked or you have been lucky so far. Accessing a hacked site directly generally does not show the hack (well it does, if you look quick at what the browser is accessing) and the site acts normally.

[Webdongle]

Well, I will be getting a job today cleaning up this hack on a host who so far I think has been immune to the hack, and so any host can have a site become a victim of this hack.
...

Anyone we know ?

Call me paranoid but I've been checking my sites at least once a day and running Akeeba twice a day. Can only afford shared packages so fingers crossed. I Google the sites and see if the link redirects me and run whatever scans I can. If the worst happens I should have some clean full site backups. So I can delete all the folders/files on the server with the minimum of disruption.

Also useful to note that it is not just the htaccess that performs the redirect. At least one user on here had a clean htaccess. The hack was in the image files and that was what was doing the redirecting.

[mandville]

in case someone needs the clean (i hope) 1.5 htaccess then its attached

[leolam]

If a site is compromised, then ANYTHING can be changed or manipulated within the domain."

I never disputed that and I completely agree with that

To say our stuff don't get hacked, just means either none of your clients know that they have been hacked or you have been lucky so far

We do know in principle when a client might face a hack attempt! For instance we have exploit scanning (Actively on all file uploads within user accounts regardless of how they were uploaded) amongst others as well as constant scanning of all user data - scans all user files as soon as they are modified (!) installed which auto identify any dirt happening and quarantines these instantly and sends a message to the System Admins that something needs a review or are auto deleted upon detection for certain types of dirt. We run on specified intervals on each server as advised by CFS, scans of existing user data to see if exploits have been uploaded in the past or via methods not covered by the active scanning. We spend tons of money on each server to optimize security and these investments pay clearly off. No secrets here. The above words are basically copied from the description of the CXS-webpage, one of the many installed tools we use to work mighty hard for our clients to keep our servers clean and free from dirt. You might find it interesting reading material Phil!.

We have been lucky so far to quote you because we work effortless to keep our 'luck'. You will not hear me say none of our servers never will get hacked but hosting companies can do a lot more than being done in general. It cost money yes....We spend on each server an average of US$ 750 on security products upon commissioning each server not to speak of the costs of maintaining these applications but it is so much worth the money!

Hope this clarifies some

Leo

[PhilD]

Ok. Overall, what I have been saying is true.

• An insecurity somewhere allows hack files to be placed on site. The specific insecurity does not matter. So keep any site under your main account updated and secure.
• The files are probably within the tmp directory, but can be other places.
• The files look harmless but are binary files and modify the htaccess file or creates one. May attempt to do other stuff also. I did not attempt to run the binary.
• The files appear based upon vbulliten files to make them look harmless. True even if you do not have vbulliten.
• The base 64 line in the file does not contain the eval beginning (it's in a preg_replace) so hack cleaning scripts looking for that statement will not find anything. In fact it is probably hidden pretty well from many site cleaning scripts.
• The files will not trigger or be found by any anti-virus scan on a website or locally when downloaded and scanned.
• The htaccess once hacked will trigger online scanners because of the redirect to a malicious site.
• The altered htaccess itself is not malicious and so will not trigger any antivirus scan.
• The files will cross site contaminate all sites within the main account. So if you have more than 1 site on an account, then they all are infected or will be infected in time. This includes reseller accounts and actually would include dedicated servers with multiple domains under one main account or under a reseller account.
• The files also place an htaccess above the public_html directory in the domains it infects which either is a mistake or likely a place to hide the altered file in plain view.
• There are attempts to get a c99 root kit type of file uploaded to the site. Modsecurity should block these attempts, but if the server is not running modsecurity or it is misconfigured, then likely the root kit will be installed to the domain.
• A successful root kit upload will result in much more damage and may hack the server it is installed upon.
• The hack self replicates the htaccess hack upon certain triggers such as cleaning the htaccess file.
• The hacked htaccess files are set to 444 to prevent successful overwriting when attempting to fix by non experienced people or by those not paying attention.
• The hacked htaccess files extra redirect code is hidden by placing the code to the far right (tabbed) out of normal text editor window size. Looking at it in a normal sized window of a text editor will not show the code. A tipoff is a bunch of apparent blank space at the top of the htaccess as well as at the bottom. Use of a code editor such as notepadd++ easily shows the tabs.
• The hack may not reveal itself if the site is directly accessed as mysite.com, but search engines may cause the redirect to happen when attempting to come from a search.

[MCTarakan]

as for me clearing temp derictory of joomla installation seems fixed problem for now

[Webdongle]

@MCTarakan

Did you not understand what PhilD said ?

[X-Bit]

Hello @all!

Just won a new customer for cleaning up the mess...

One behavior seems to bother the site, as some users getting time-outs using the URL without the /index.php. It might be a coincidence as for me and several other users of the site this problem does not occur (might have some relation to the German T-Online provider).

I would like to ask if somebody experienced the same missbehavior?

[brinw05]

Hi There,

I have the same problem as you describe here. Question is... what can we do about it? I consider to ask my provider to replace a backup from about 2 weeks ago. those backups must be clean... the first time i saw this problem was last sunday.

The problem is that we lose a lot of information and i'm talking about 50 sites! If i replace the Joomla code on every site with a 'clean' joomla installation... would that fix the problem or is it a matter of time to be infected with this [censored] again?

Just to spread out some extentions i'm using: qcontact (already removed from all sites)... acesef, SimpleImageGallery (sig), Joomfish, ModuleAnywhere? Anyone use these extensions and have this problem or is it version 1.5.25 which has to be replaced by 1.5.26?

I think we need practical guidelines to eliminate this problem. I'm looking at PhilD! Do you have a practical instruction what to do?

[mandville]

I think we need practical guidelines to eliminate this problem. I'm looking at PhilD! Do you have a practical instruction what to do?

I believe you have not read the posts in the topic, here as you request a practical instruction of what to do,
http://forum.joomla.org/viewtopic.php?f ... 0#p2780642
it is also repeated several times in this topic, and i regret that neither phild or myself are able to provide any further procedures, documentation or pictorial diagrams for this hack.
Other remedies are detailed in this topic, some more effective than others.

[brinw05]

Hi mandville,
I do follow the replies and suggestions of this topic but it's very confusing. It's not easy to keep track you know.

I'm considering this procedure:
- make backups of all my 50 sites;
- make a clean joomla installation locally;
- only add the most necessary extensions;
- delete every Joomla installation in every account (except /media and /template dir);
- extract clean Joomla installation in every account.

If i do this... can i expect that the problem will be back or will it be elimated?

The problem with my own solution is that i don't know WHY this hacker came into my sites or how he infected my sites. It's a lot of work to do and there is no guarantee that it will return.

So my question was actually... does anybody know HOW he came into our sites and what do we have to do to block this hacker?

[Webdongle]

....
So my question was actually... does anybody know HOW he came into our sites and what do we have to do to block this hacker?

Yes, many different ways. Sometimes because the software is not up to date. Sometimes because someone has an infected computer. Sometimes from another site on shared hosting. It uses any weak spot it can.

If you maintain 50 sites then charge for the work you need to do to ensure they are as safe as possible. Charge for making regular backups. Security of a site requires constant effort. Just the same as securing a building and it's premises need to done on a regular basis so does site security. You cant just put a site up and not touch it for years without expecting it to be hacked.

There are some dubious companies that charge their customers for maintaining a site and then sit back doing nothing. Then (when a site is hacked) complain about having to do the work they are paid to do. I am sure you are not one of those and am not suggesting you are.

IMHO this mass hacking was 'an accident' waiting to happen. Just look at all the posts in here. Files 777, Joomla versions often 10 updates behind. Sites with extensions on the VEL. Templates downloaded from known spam sites, commercial Templates downloaded for free via share sites.

Sites need daily maintenance and that means the more sites you look after then the more work you need to do.

[theitd]

Given the increasing number of hosts that seem to be affected - isn't it likely that the hacks a scripted? And if so, doesn't this increase the likelihood that we're looking at a single vulnerability? Just one that exploits Apache but is easier to run on sites hosting Joomla?

I'm no expert - but I think this alert that keeps appearing in syslog has a lot to do with it:

Code: Select all

Apr  8 13:47:26 <hostname> suhosin[21222]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'task' (attacker '204.197.244.61', file '/var/www/<joomla_root>/index.php')

The variable 'task' has also been 'controller', 'view' etc....
I think this is a suhosin attack, just one that targets Joomla sites. I agree that the answer partially lies in securing the tmp/.htaccess file - but this doesn't stop the attacker being able to place the file there in the first place, does it?

Since setting up fail2ban to block suhosin attempts, mod_security using the joomla rules, and altering the permissions on .htaccess - I haven't had any more trouble. (And I deliberately left one Joomla installation on 1.5.25 to test). So the best conclusion I can come to is that the script which these guys are using to carry out attacks targets Joomla, but exploits a known vulnerability of insecure Apache installations.

[Webdongle]

... So the best conclusion I can come to is that the script which these guys are using to carry out attacks targets Joomla, but exploits a known vulnerability of insecure Apache installations.

Very possible only the redirect has been found in an image of a Template (download from a known malware template provider). There was nothing in the .htaccess files or any of the other files (but all was deleted just in case, at least the site owner said he had). Also wordpress is affected with the .htaccess redirect as well.

Is it possible the hackers are having another competition with each other and there are several hacks out there all finding their own point of entry ?

[mandville]

Code: Select all

Apr  8 13:47:26 <hostname> suhosin[21222]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'task' (attacker '204.197.244.61', file '/var/www/<joomla_root>/index.php')

interesting IP report
http://www.threatexpert.com/report.aspx ... 36cb2925b4

[brinw05]

Hi Webdongle,

No, i'm not such a company. I maintain their sites which means follow (joomla) updates with a delay of about 1 week to sort out problems in updates. I also check updates of the (non-)commercial components they use. Everything for a small monthly fee. I don't charge them for stuff like this. I consider this my problem and i don't charge them for this at all.

My situation here is:
- we only use our own pictures and photo's. No photo's from the internet;
- we only use our own template i created in the last 2,5 years. No strange templates;
- i'm running my sites in a Virtual Private Server (php 5.2x);
- my vps is 100% used for Joomla sites (no other kind of sites);
- i have only 1 ftp account per domain for downloading the weekly backup to my nas. Every ftp account has a different password.

I like to know more about that exploit that does something with apache? How can it get in my server and what does it trigger in Apache configuration?

I'm considering ordering a new vps, do clean installs of Joomla 1.5.26, restore databases and connect them to the clean joomla installation. Still, it's a lot of work and if we don't know how they get in...

[Webdongle]

Hi brinw05

Looks like you have ruled out entry points being out dated software and known server hacks. Which leaves

• A new (as yet) undiscovered server hack
  and
• A Trojan on a computer that has ftp access.
  If one of the 50 sites is connected to with ftp by a computer that is infected it will keep reinfecting it.

http://forum.joomla.org/viewtopic.php?f ... 0#p2783813 may be of interest.