The Joomla! Forum ™

1.) Yes that is what I am saying
and
2.) Yes that is what I am saying

3.) Yes, there are extensions and file managers that are quite capable of going outside the public area of a site. Hackers use these extensions to their advantage.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

gosh this is bad news, All my client sites [about 30 of them have been hacked htaccess rewrite... attached is a screen print jpeg of the code writen into the file.

taken 2012-04-14 : 5.41pm Sydney AU time


What triggers it?
How deep does it go?
any one?
shall read the preceeding posts, thought the screen print woud be useful like NOW!

If this is infecting many different platforms
If this is repetitive in that once you clean it reemmerges.
If this is as big as it seems
we got to trap the bugger somehow...
the time and source of the file write...
can someone generate a monitor script and set up a test site just waiting to be hacked.
I have not the nouse to do so and am not even sure my idea is worth considering but one thing I do know is that it is a robot of somesort [ given the volume of hacks and repetitions.]
and if it is a robot then it can be trapped and traced. [ maybe?]
The hack has virtually destroyed my business and I await claims for compensation.. so any information regarding this issue will be useful in court.

edit: most likely a htaccess "writer" script placed somewhere in the domains files is my guess.
All my sites ranging from early 1.5 series to lastest 2.5 series have been infected.
Including the lastest 2.5 release [ full package and not an upgrade patch] so access to my server has been acheived with out doubt.
Also just noticed that a file has been installed in the server root directory.
Have uploaded a fresh install with out addons to see what happens.

Thank you for this discovery.
I have found and deleted a similar file on my Joomla site in the tmp folder called "_cache_nqajmves.php"
All 11 domains in my hosting plan were infected by those nasty .htaccess files and all of those sites were blacklisted by google!! I was very frustrated by the idea of deleting every thing and reinstall joomla from scratch as those sites contained more than 10 GB of data.

I deleted that file, emptied every tmp folder in each domain, erased .htaccess file from every domain's root folder.
More than 72 hours have passed now, without any symptoms of infection.
.htaccess files are no longer automatically created or altered.
sucuri.net says my sites are 100% clean.
My sites are no longer blacklisted by google.

So, friends go search your Joomla tmp folder and empty it, especially if it contains a file like "_cache_xxxxx.php"

Yaanimai, thank you again, you saved my life.

One of my sites was also hacked by this ugly hack, so I sat down and went through all the files on the site. In the folder images/stories I found a file called ".cache_jmqbbl.php" which seemed out of place. After further investigation I found that most of this file was identical to another file "toolbar.php" found in administrator/includes/ except for a very suspiciously looking preg_replace section at the end of the file.

After having removed this file and restored my .htaccess it looks as if my site is running okay now. I'll report back later.

Oh, I am running Joomla 1.5
/Pontus

I beleive the hacker got in through a NoNumber vulnerability that has since been fixed. Make sure you upgrade to the latest versions of No Number extensions if you have them installed.

Sorry, but that's just guessing without any evidence.
Two weeks ago I helped a new client that was hacked with a .htaccess redirect to some spam sites.
And in that case it was a very old JCE version ( < 2.0.10) that had a vulnerability.

I support your advice about upgrading though!
Make sure that you have the latest Joomla 2.5, and update all 3rd party extensions to the latest versions.

_________________
Kind Regards,
Peter Martin, Global Moderator - Community Leadership Team
http://www.db8.nl - Joomla specialist, Nijmegen, Nederland
Joomla 2.5 multilanguage in 10 steps: http://www.db8.nl/multilanguage-in-10-steps

it has been proven that 9 out of 10 occurrences of this hack has been caused by one important extension - the site admin.
the malicious file changes name, the locations vary, but the effect is the same.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

pe7er,

GoDaddy's security team sent me a file from their logs that indicated access through the NoNumber framework. A fix was released that addresses the issue so it's no longer a problem if you update to the latest version.

http://www.nonumber.nl/news/releases/28 ... extensions

Other sites could have been compromised through other vulnerable extensions but in my case I am pretty sure it was NoNumber. Not a problem anymore though & I highly recommend all the NoNumber extensions. I subscribe to several of their Pro versions of their extensions.

One of the biggest things I noticed cleaning sites of this is most were actually compromised around September - November of last year when a backdoor was uploaded which took advantage of any number of insecurities in sites. While you may feel fairly sure a specific version of a specific extension caused your issue, it may have some other issue with another site as others have mentioned. The hack actually appears to not have been activated until this year and at various times this year.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

My site has been running flawlessly since friday now so I believe that I found the culprit. I am also patching my site to the latest 1.5 version. Upgrading to 2.5 will have to wait untill this fall. I don't have any NoNumber extension(s) but I did have an old JCE editor which I removed.

No. you have found the file the 'culprit' placed on there. You have not found the 'culprit' or any backdoors it may have also placed. Your site is probably still compromised and could be hacked again.

Did you not understand what PhilD said ? The exploit was placed on severs last year. That means any number of undiscovered(not yet activated) hacks could be on the server.

_________________
http://weblinksonline.co.uk/joomla-faq.html

I think I understood pretty much everything that PhilD said, what I meant to say was that I have done what I can to purge my site from any threats. I have compared each and every file to the originally installed files and updated files that had suspicious content and removed files that that shouldn't be there. This is how I found the installed threat on my site. I have also patched my site to the latest version of Joomla 1.5 and followed all the guides on how to secure the site as well as changed all my passwords. There's not much more that I can do as my site is hosted on an external ISP. If their security model have been compromised, my site will most likely be hacked again. If (when !?) that happens I suspect that it doesn't really matter what I do to protect my site, I need to get of that server.

@Leo
regarding your answer d.d. april 1, 2012 adding
this:

too htaccess files.
At the moment I encounter many problems with changing or replacement of htaccess files.
I have added thes lines yesterday to all my files and noticed today (within 24 hours!!) that all files have been replaced with files contain redirections tot some russian or other sites.

As I changed several passwords (e.g. FTP) last week and the problem still occurs, I seems to come from ínside"the websites, so some kind of unauthorized PHp file or script might be the cause.

next problem is to find out which file


note I still have to read the other pages of this thread

wjonker - i will try and put this simply, anyone with root access can access your hta files even with that code. otherwise it would stop YOU accessing it.
why dont people follow the advice numerously posted and scrub their webpace?
follow checklist 7 safe route to recover

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

I've done it, and am happily sailing (for now). - Apart from having to remove instances from previously installed extensions before having to reinstall them, it's the way to go, unless you administrate your own server and wont charge yourself hundreds of dollars like certain hosting companies will do to search and replace malicious code.

_________________
CriticalUnity.org - Need to Know Info
===> Clarifying conspiracy realities of mass deception for Humanity before it's too late....
THE TIME IS NOW to investigate!

@mandville
I did those actions just before I found this thread and understood what might be wrong.
I've planned to delete the sites and rebuilt them all over again.

It's a total of about eight websites with over 12000 files.

I don't like the thought of checking all those files to see which one might have been hacked and causing the problem

Just leave your non joomla files, and try and install the joomla system files. I looked through the images directory and my downloads folder just to make sure and found a weird hhf5654jy54.php (not actual file name, just random characters.php doc), and was deleted... You might wanna try doing just that, and if it's all good, it's all good mate.

_________________
CriticalUnity.org - Need to Know Info
===> Clarifying conspiracy realities of mass deception for Humanity before it's too late....
THE TIME IS NOW to investigate!

If you have ftp access to do search and replace malicious code then you have ftp access to delete all the files !!! And it is far quicker and more efficient to delete all the files than patch it like a bloody patchwork quilt.

mandville and others spent a lot of time putting together the instructions together. And it is a pain in the proverbial when people talk out of the seat of their pants with contradicting the help with bad advice.

Searching for the malicious files and deleting the ones you find is not enough. And to come on here posting otherwise is misleading to newbies. And irresponsible because it can cause users (who follow your bad advice) to continually have problems. And thus cause them more time and effort.

_________________
http://weblinksonline.co.uk/joomla-faq.html

A better suggestion would be to read my post CORRECTLY, as I was advocating for doing what I had to end up doing; reinstalling joomla. At least I didn't have to wipe the database, but I backup regularly anyways.

The guy was saying that he had a lot of files, and didn't want to have to delete and reupload them. In that case, if it's possible, it WOULD be a good idea to make sure there isn't anything fishy residing in non joomla files and folders. Anyways, I solved it by just reinstalling joomla, now dealing with the nightmare of database errors because I have to reinstall the components and modules that were deleted when I marched into the filemanager in cpanel, but that's another story, just a byproduct of having to reinstall. That's life.

_________________
CriticalUnity.org - Need to Know Info
===> Clarifying conspiracy realities of mass deception for Humanity before it's too late....
THE TIME IS NOW to investigate!

Your post said
"Just leave your non joomla files, and try and install the joomla system files"
Then goes on to say that if nothing is found in the ' images directory' and 'downloads' folder then it was OK.

That does not sound like you are advocating following the correct advice. Far from it.

Polite notice
This is not a personal attack. It's an observation on the advice given in the post.

_________________
http://weblinksonline.co.uk/joomla-faq.html

Yes, I see what you mean, but with the particular specification of certain folders, I was only talking about what I did in my case. Other users could have all sorts of other non joomla installation folders. All I was saying was that if it would be possible in the first place to search and replace, it might be a good idea to do that, if it would take a long time to deal with the non joomla files. Pointless discussion, because most people can't search the contents of files on their server, and as everyone who knows what their talking about says, the best thing to do is delete joomla folders, then reinstall joomla.

I do however think that it is helpful to state that I saved time by not deleting my videos and PDF downloads folder, including my images folder, but I did spend a good hour or so checking over and over to make sure they were clean. Other people with high bandwidth abilities may wish to be completely safe, and wipe everything. Peace.

_________________
CriticalUnity.org - Need to Know Info
===> Clarifying conspiracy realities of mass deception for Humanity before it's too late....
THE TIME IS NOW to investigate!

I managed to get this problem solved - and I hope it is a long term fix (after I make some security upgrades, of course).

Here is how I found the malicious php file. I opened the logs for each of my websites, and noticed that one of them had a few occurrences of a strange POST request:

192.166.218.253 - - [03/Sep/2012:13:02:27 -0600] "POST /images/banners/.lib_l9ium8.php HTTP/1.1" 500 3950 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

So naturally, that .lib_l9ium8.php was the trouble maker. There was an encoded preg_replace string at the bottom of the file, as mentioned previously in this thread. It was being hit by at least 2 servers today (one in Poland and one in Latvia, supposedly). Just thought I would share my solution, and hopefully save you a bit of time.

1c

Same here! it was in the images/banners/.lib_q3kmaq.php directory

HOW did it get in there in the first place? All folders in Joomla were at 755!

Thank you thank you thank you!!!!!

I also had the .htaccess hack constantly breaking / redirecting my site and my isp had no idea how to help prevent this.

I also had a suspicious file in my images/banners directory.

I have removed this and so far, so good! After over a week of stress I am not seeing the site re-hacked every few minutes.

This forum has saved my backside yet again!

Kaety

I just found out that all my Joomla sites hosted on GoDaddy.com have been hacked. 2.5 and 1.5. It looks like a hack by [removed]. In my .htaccess file I found this at the top of the file:


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google||sharelook|sucharchiv|suchbiene|suchmaschine|infospace)\.(.*)
RewriteRule ^(.*)$ http://ntfsstresses. ru/Costs?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web||claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://ntfsstresses. ru/Costs?8 [R=301,L]
</IfModule>

And this at the bottom:

ErrorDocument 500 http://ntfsstresses .ru/Costs?8

Before I go and wipe out all files on all websites, is there a way to block this hack?

follow the previous advice in this topic for advice and resolution

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

STOP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ok here is the deal everyone being hacked, this is a one page .php file this file has to be put where public can insert, which means in images folder or in tmp folder. its going to be some crazy name.php delete it and then delete the .htaccess. if your using rewrites go into global configuration and change everything to no until your .htaccess is good again. this small script will keep rewriting your .htaccess no matter how many times you delete it. this file is not deep in your files, remember this was a group hack thats it which means they are just trying to piss everyone off,

this does mean to upgrade to 2.5 and get some security on your sites. i have a ton of sites and only 1.5 got attacked, and fixed in a few minutes.

_________________
Dwayne Stephens
Wyredin
http://www.wyredin.com

Yes it is common to have the hack code by some crazy names in some common directory such as /images or /tmp. Removing it is part of the process but is NOT ALL OF THE PROCESS!!! The code has also been found in real files but placed in odd places that should not have any php files. There are also additional hack files scattered through the site in almost all cases.

You do not need to delete your .htaccess file in all cases. To do so on some sites will totally break the site and everything within it. If you use the default htaccess file and are sure nothing special has been added to make your site work the way you need it to, then replace it with a fresh copy when you fix the rest of your site. If you have a specially modified htaccess file as some sites do then you need to clean the hack code from the htaccess file. The code is normally found at the top and at the very bottom of the file. Be careful and do not remove anything required to make your site work. If you are not sure get a professional to look at the file and help.

You do need to find and remove all "extra" htaccess files and you do need to look individually at each one you need to keep. An example of one to keep is if you password protected the administration file. Deleting this one or 'replacing' it with the wrong stuff will eliminate your ability to access the administration area and directory. Most sites have none or one htaccess file. some have more, be careful what you delete and enlist a professional if your in doubt.

You do need to remove the 'hidden' htaccess file from outside of the public area. It does not belong there, will not work from there, and is a hack file contents which will be copied back to your site at a later date.

There are other hack files such as rootkits that are placed within known places on a site and also some placed in random places within the site. Failure to remove these files properly will allow these files to remain to allow your site to continue to be hacked in the future. I have also seen file fragments that get reassembled at runtime scattered around.

Most templates will also have some trigger code added to the template files to assist in enabling the initial hack. Sometimes hack files are also added within the template directories. With the current complication of Joomla templates and their files and structure that is the norm, many hacks effectively hide this way.

So follow what we post and clean the site properly, or follow other advice, take a chance on breaking your site, or being hacked again and again.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

From what I know, if hackers want to hack your website, you really cannot do anything about it... it's just a matter of time for them to be able to break through your security tools. This is from my experience of being hacked for at least 5 times already and also from an ethical hacker that I know. So what I do now is to always make backups. Then, after my site is hacked, I just use the backup and transfer to a new hosting.