Some of my URLs are being redirected to German sites.. hack?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Some of my URLs are being redirected to German sites.. hack?

Post by giodoc » Sun Mar 18, 2012 8:13 am

Hi, I recently converted my static HTML site to Joomla.. I'm on version 1.5.24.

I was looking through my visitor stats, using cPanel, and found "additions" to my URLs, see below:

<code>
/images/stories/videos/web_show.flv&buffer=http%3A%2F%2Fwww.witchers.net%2Fforum%2Fcache%2Ftemplates%2
/images/stories/videos/web_show.flv&buffer=10&autostart=http%3A%2F%2Fadventure.keuschnig.com%2
/images/stories/videos/web_show.flv&buffer=http%3A%2F%2Fmarc-rohe.net%2Fkontakt%2Ffiles%2Fsohef%2Fevok
/3d-models.html?start=http%3A%2F%2Fwww.deadlament.de%2Fintern%2Fbilder%2Fbilder_substage_2004%2Fbilder%2Flive%
</code>
It seems some of my URLs are being redirected to the German sites above, i.e. witchers.net, keuschnig.com, deadlament.de? Two of them give a 404 error, one gives a 200..

I've looked at the instructions on what to do if you think your site is hacked etc.. But before I take any drastic measures, I just want to make sure it's necessary..

The site has only been live 1 week.. What is this redirection about?

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Some of my URLs are being redirected to German sites.. h

Post by mandville » Sun Mar 18, 2012 11:21 am

1. Your site is out of date, we have been on 1.5.25 for a while.
2. Are your folder permissions 777?
Run the FPA tool and post the results.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 6:12 pm

Here's the output from the Forum Post Assistant:
Forum Post Assistant (v1.2.0) : 18th March 2012:
Basic Environment ::
Joomla! Instance :: Joomla! 1.5.24-Stable (senu takaa ama naiki) 17-October-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: giodoc (uid: 32174/gid: 673) | Group: giodoc (gid: 673) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.37-2 | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/giodoc/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.13 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.1.54 (Client:5.1.54) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 298.5 KiB | #of _FPA_TABLE: 39
Detailed Environment ::
PHP Extensions :: date (5.2.13) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | ming () | ncurses () | posix () | pspell () | readline () | Reflection (0.1) | standard (5.2.13) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | cgi-fcgi () | ew (0.9) | mysql (1.0) | mysqli (0.1) | pgsql () | htscanner (0.6.0) | imap () | soap () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered ::
Templates :: SITE :: beez (1.0.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | rt_gantry_j15 (3.1.18) | themza_j15_14 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |
No, I'm not running things with 777 permissions: 755 for folders, and I think 644/444 for files.

Got in touch with my webhost who say, they can't find any malware on the server.. As I said in the note above, those German URLs are being appended to the end of my URLs, but are giving a 404 error.. This is being done via =http, at the end of my URL.. Any help on what this is is much appreciated.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Some of my URLs are being redirected to German sites.. h

Post by mandville » Sun Mar 18, 2012 6:58 pm

Can we see the extensions you're running, as the web_show might be a clue. Which one is the 200 site?

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 7:20 pm

Hi,
I think they are:
1. Aidanews2
2. Spearhead FB btn
3. Sigplus gallery
4. JCE (latest) I did check and its the latest version
5. Rokbox
6. Simple picture slideshow
7. system easycalc check plus
8. System-SEF, for URL redirection
9. JW_all videos

The one that hits a 200 is this one:
<code>
/3d-models.html?start=http%3A%2F%2Fwww.deadlament.de%2Fintern%2Fbilder%2Fbilder_substage_2004%2Fbilder%2Flive%
</code>

I've just created the list of extensions manually; is there a way to get an automated list using the diagnostic tool?

Thanks for taking the time to look into this with me.. :)

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Some of my URLs are being redirected to German sites.. h

Post by mandville » Sun Mar 18, 2012 7:36 pm

http://forum.joomla.org/viewtopic.php?f=432&t=586336
"Select run time options detail level for the report and select the Information Privacy Level of the report (optional). You may leave this information at the defaults if desired, but providing additional information about installed extensions can usually help figure out the issue."

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 7:49 pm

Thanks, ok, here's the report with the extensions, plugins and modules:
Forum Post Assistant (v1.2.0) : 18th March 2012:
Basic Environment ::
Joomla! Instance :: Joomla! 1.5.24-Stable (senu takaa ama naiki) 17-October-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: giodoc (uid: 32174/gid: 673) | Group: giodoc (gid: 673) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.37-2 | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/giodoc/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.13 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 1 | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.1.54 (Client:5.1.54) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 298.6 KiB | #of _FPA_TABLE: 39
Detailed Environment ::
PHP Extensions :: date (5.2.13) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | ming () | ncurses () | posix () | pspell () | readline () | Reflection (0.1) | standard (5.2.13) | shmop () | SimpleXML (0.1) | SPL (0.2) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | cgi-fcgi () | ew (0.9) | mysql (1.0) | mysqli (0.1) | pgsql () | htscanner (0.6.0) | imap () | soap () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Extensions Discovered ::
Components :: SITE :: Gantry (3.1.18) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_[youtube]_TITLE (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | MailTo (1.5.0) | User (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: Banners (1.5.0) | Cache Manager (1.5.0) | Configuration Manager (1.5.0) | Contact Items (1.0.0) | Content Page (1.5.0) | Control Panel (1.5.0) | Frontpage (1.5.0) | Gantry (3.1.18) | Installation Manager (1.5.0) | JCE (2.0.21) | Unknown (-) | Editor - JCE (2.0.21) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Media Manager (1.5.0) | Menus Manager (1.5.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Newsfeeds (1.5.0) | PhocaSEF (1.0.0) | Plugin Manager (1.5.0) | Polls (1.5.0) | RokNavMenu Bundle (3.2) | Search (1.5.0) | Template Manager (1.5.0) | Trash (1.0.0) | User Manager (1.5.0) | Weblinks (1.5.0) |

Modules :: SITE :: AiDaNews (1.1.1) | AiDaNews 2 (2.1.1) | Archived Content (1.5.0) | ARI Cloud Carousel (1.5.13) | Banner (1.5.0) | Breadcrumbs (1.5.0) | Breadcrumbs Advanced (1.5.0) | Custom HTML (1.5.0) | Feed Display (1.5.0) | FL Latest Articles (1.5) | Footer (1.5.0) | Latest News (1.5.0) | Login (1.5.0) | Menu (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Poll (1.5.0) | Random Image (1.5.0) | Random Image Plus (2.4.1) | Related Items (1.0.0) | RokNavMenu (3.2) | Search (1.0.0) | Sections (1.5.0) | sigplus (1.3.4.12) | SlideShow Pro (2.1) | Spearhead Facebook Like Button (3.0) | Statistics (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) |
Modules :: ADMIN :: Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Login Form (1.0.0) | Admin Menu (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Quick Icons (1.0.0) | Items Stats (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Simple Picture Slideshow (1.5.5) | Content - Email Cloaking (1.5) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | AllVideos (by JoomlaWorks) (4.1) | Content - Load Modules (1.5) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Content - RokBox (1.9) | Content - Image gallery - sigp (1.3.4.12) | Content - Vote (1.5) | Editor - JCE (2.0.21) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | RokNavMenu - Boost (3.2) | RokNavMenu - Extended Link (3.2) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Gantry (3.1.18) | System - Legacy (1.5) | System - Log (1.5) | System - Mootools Upgrade (1.5) | System - Remember Me (1.5) | System - RokBox (2.8) | System - SEF (1.5) | System - EasyCalcCheck PLUS (1.5-14-1) | User - Example (1.0) | User - Joomla! (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) |
Templates Discovered ::
Templates :: SITE :: beez (1.0.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) | rt_gantry_j15 (3.1.18) | themza_j15_14 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Some of my URLs are being redirected to German sites.. h

Post by mandville » Sun Mar 18, 2012 8:04 pm

Messy: ok.
JCE install looks corrupt due to showing language files; remove and reinstall.
AllVideos plg - out of date.
And what is the extension "Unknown (-)"?

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 8:21 pm

Ok, thanks, I'll do that. I have no idea what the unknown one is...

Sorry about the mess, I'll try and attach some screen grabs from the saved diagnostic page:

Anything else I should do? My host just decoded those URLs, and it seems they are leading back to my site. For example the 3d-model.html link leads to a page numbered 200, i.e. page 200 of 2.. Just a blank page of my site?? Same with the web.flv=http links; what is this? I'm attaching that as screen-grab 4C.

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 8:24 pm

Here are the other screen grabs.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Some of my URLs are being redirected to German sites.. h

Post by mandville » Sun Mar 18, 2012 8:54 pm

Beyond following Checklist 7, the safe route to recovery, for sanity's sake
I would be very tempted to strip out all your plugins etc. and update them, e.g. TinyMCE 3 is now on ver 3.5.x; it might also clear that unknown extension.
Pop over to the JCE website for advice on that default language coding issue.

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 8:59 pm

Thanks mandville, I'm currently stripping out those extensions.. Just a little anxious about erasing everything and starting from scratch... :-\

giodoc
Joomla! Apprentice
Posts: 23
Joined: Mon Jul 12, 2010 7:44 am

Re: Some of my URLs are being redirected to German sites.. h

Post by giodoc » Sun Mar 18, 2012 11:16 pm

Just out of interest, in order to understand things a bit better.. What is this kind of "attack" called, i.e. when a bot or something appends =http./www.xxxx.com after a SEF URL on a site? And is there a way to prevent this kind of thing happening?
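The question above asks what this pattern is and how to recognise it. As an added example, not code from the thread or from Joomla, here is a Python check over request paths like the ones quoted at the top of the thread: it flags any query parameter whose decoded value is an absolute remote URL, which is the shape left in logs by automated scanners probing for a script that will fetch and include a file named by a parameter, and reports the parameter and host for triage. The sample paths are constructed from the thread's entries; their `%2` and `%` tails are the truncation as posted.

```python
import re
from urllib.parse import parse_qsl

# Sample request paths constructed from the entries quoted in this thread.
# The "%2" / "%" tails are the truncation exactly as the poster pasted them.
SAMPLE_REQUESTS = [
    "/images/stories/videos/web_show.flv&buffer=http%3A%2F%2Fwww.witchers.net%2Fforum%2Fcache%2Ftemplates%2",
    "/images/stories/videos/web_show.flv&buffer=10&autostart=http%3A%2F%2Fadventure.keuschnig.com%2",
    "/3d-models.html?start=http%3A%2F%2Fwww.deadlament.de%2Fintern%2Fbilder%2Fbilder_substage_2004%2Fbilder%2Flive%",
    "/3d-models.html?start=20",                          # ordinary pagination
    "/index.php?option=com_content&view=article&id=5",   # ordinary Joomla request
]

# An absolute URL at the start of a decoded parameter value; group 1 is the host.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://([a-z0-9.-]+)", re.IGNORECASE)


def split_params(request_path):
    """Return (path, [(name, value), ...]) for a request path.
    Also handles the malformed form in the thread, where the first
    parameter is glued to the path with '&' instead of '?'."""
    if "?" in request_path:
        path, _, query = request_path.partition("?")
    elif "&" in request_path:
        path, _, query = request_path.partition("&")
    else:
        return request_path, []
    # parse_qsl percent-decodes values; a truncated escape such as '%2' is kept literally.
    return path, parse_qsl(query, keep_blank_values=True)


def remote_url_params(request_path):
    """List (parameter, host) for every parameter whose value is a remote URL."""
    _, params = split_params(request_path)
    hits = []
    for name, value in params:
        m = REMOTE_URL.match(value)
        if m:
            hits.append((name, m.group(1).lower()))
    return hits


def scan(requests):
    """Map each request path that carries a remote URL to its (parameter, host) findings."""
    return {r: hits for r in requests if (hits := remote_url_params(r))}


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_REQUESTS).items():
        print(path)
        for name, host in hits:
            print(f"    parameter {name!r} points at host {host}")
```

A 404 or blank page for such a request, as the thread reports, is consistent with the parameter simply being ignored; what a site owner should verify is that no installed extension passes a parameter like this to a file-include or file-open call, and that the requests are only noise to be rate-limited or blocked.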

