The Joomla! Forum ™

Hello,

My site, http://www.newleafmentoring .org, in some instances redirects to Google.com when people try to go there. Not all my users are experiencing this problem and I've been unable to determine a common link. Some users using I.E. have this problem, other's do not. Some Safari users do, other's do not.

Unfortunately, I am unable to recreate this problem and have not seen it myself under this version of Joomla. It did happen to this site one other time when it was at level 1.5. I upgraded (actually completely began a new site under new hosting account) assuming this would fix the problem. It did, until now.

My current site is updated to Joomla 2.5.6.

I am pretty new to Joomla and have found some difficulty understanding some of the threads and how to protect your site.

Thanks to anyone for their help.

Jeff

is it only when someone comes in via a search engine?
which part of the following dont you understand?



[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the security Checklist 7 link below.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

No. It's also whenever someone types in the url.

I don't understand deleting the installation files and keeping the php file. That seems like a lot. I don't want to do it wrong and mess everything up.

what you are effectively going to do is wipe all your folders to ensure there is no trace of a hack
http://docs.joomla.org/Security_Checkli ... ter_relief might be easier for you to read

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

So if I'm to understand correctly, I am to basically erase my entire site (minus the configure.php file, for which I have saved a copy). Reinstall a freshly downloaded copy, then reinstall all my extensions, replace every file and picture associated with the site, then save over the new .php file with my prior version? That seems very time consuming. I'm basically rebuilding the site, if that's the case.

There's a lot of information in the documentation you've sent on, so I'm still filtering through that.

There's no way to find out if there's been a script added somewhere, or some other magic wand that would just "fix" my site?

I've attached a picture of my root file I'm assuming I'm supposed to delete.

Jeff

Unless you know every file you have uploaded or have the ability to grep for a multitude of suspicious entries then

A Safe route for disaster relief

save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
wipe the entire folder where Joomla! is installed
upload a new clean full package latest version of joomla 1.5.x or Joomla 2.5.x (minus the install folder)[2]
reupload your configuration file & images.
reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

you are not reinstalling as such, just re uploading your files. some extensions may need to be removed and then reinstalled but most extensions will preserve their db tables on removal. back up the sql db just in case

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}