The Joomla! Forum ™

start by following checklist 7 safe route to recovery as has been suggest/recommended several times in this toic
find out where the injection came in by following other actions in checklist 7

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

Isn't it so that it is always the lower htaccess that is valid? The higher htaccess is then valid in its folder, but not below that if another htaccess is present.

PHP Built on: Linux servps.fastservernow.com 2.6.18-028stab070.14 #1 SMP Thu Nov 18 16:04:02 MSK 2010 i686
Database Version: 5.0.95-community-log
Database Collation: utf8_general_ci
PHP Version: 5.2.17
Web Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.7a mod_bwlimited/1.4
Web Server to PHP interface: cgi
Joomla! Version: Joomla! 1.5.26 Stable [ senu takaa ama busani ] 27-March-2012 18:00 GMT
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0

Last night one of my clients' site was hacked. All internal links now redirect to Google search. I did a live http headers check and found that the site is redirecting through xx.ru/in.cgi?4. After reporting this to the host, it was discovered that all the .htaccess files site wide were hacked.

I found another thread, where a poster said they suffered the same kind of exploit with their .htaccess files corrupted. They said they found some suspicious php files with a jos_ prefix (jos_core.php) in their tmp directory. They further said removing them seemed to keep the site from being reinfected. Checking my tmp directory, I found I had three such files with the jos prefix and one of them was the jos_core.php. I have left them on the site for now, so the host can investigate. I do not know if this is anything or not, but seemed like an incredible coincidence. Therefore, I'm posting the info here in case it's relevant.

We're going to restore the site. But my fear is that the hole will still remain and I have no idea how to plug it. One of the first things I do when I set up a site is to set my permissions for .htaccess to 0444. I also password protect the admin portal and change my db prefixes to further harden the site. Permissions set to 0755 for directories and 0644 for files.

Any assistance in helping me lock this down would be greatly appreciated. Just want to make sure that we don't get hacked again in this manner.

Thanks so much!

follow the procedures detailed in the other topics. It may seem strange but to prevent a mass of hta hacked topics all on the same subject, please follow the topic viewtopic.php?f=432&t=705216&start=30, i am going to merge this post into that topic.
I would HEAVILY suggest that your host take the file and delete it themselves. if it there longer than 5 minutes after your host acknowledged the location of the files, they are in breach of morals. just delete it. its dangerous and malicious

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

Absolutely agree - delete files ASAP!! ... Leaving infected files there intact is actually leaving backdoor wide open! Scripts that I found are pretty nasty ones, programmed to give full file access and more to the attacker.
The only thing that could be useful to any hosting provider is:

• path/filename
• timestamp (modification time)

so basically just make a screenshot of FTP/file manager window where this info is viewable, or push a filelist to a file via shell

It's a good idea to note .htaccess last modification time and take a look in "access.log" searching for records in this time. It might be something there, or not, eg. if malware is run via cronjob...

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum

Hello,
I would thank all the persons who helped in this topic
Since yesterday with my Hoster we spent a lot of time but now I applied all your suggestions and all seems to be OK

I will keep an eye on the site for next days
Best regards
Amorino

_________________
Création sites web Tunisie : http://www.idealconception.com
http://www.italianistica-tunisia.com

what extension was used on your site?

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum

Hello,
on that site I had:

- rereplacer (That I updated)
- Sobi2
- Chronoforms (that I uninstalled now because I don't need it)
- Easy book reloaded
- JCE
- Xmap (That I updated)
- Acymailing
- Joomlart extension manager
- K2 with its modules (that I uninstalled now because I don't need it)

They are the same as yours BernardT ?

The file found in the tmp folder had the following name :
_cache_bw0qezl9.php

And it contained many strange lines :
preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\.....

65 lines in Total with the header commented of vBulletin 3.1.9 that I never installed of course
Best regards
Amorino

_________________
Création sites web Tunisie : http://www.idealconception.com
http://www.italianistica-tunisia.com

- rereplacer is based on NoNumber Framework, this was used on my subject site... if you search closely in your access log you will find traces of NoNumber file inclusion...
- the inserted file had the vBulletin header but that's actually code that's not used anyway so ignore it, encoded one is the whole malware

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum

Hello Bernard,

could you please show me an example of trace you found?
I had 2 sites infected one of them had no number extention but just a joomla 1.5.25 + JCE + Xmap
I think that it's a joomla 1.5.25 and lower version security problem

So should upgrade all sites to 1.5.26

But I'm thinking that I have so many sites with 1.5.x and I couldn't upgrade all of them and 1.5 will no more being supported after few days
Ho to do if this happen after again

Best regards
Amorino

_________________
Création sites web Tunisie : http://www.idealconception.com
http://www.italianistica-tunisia.com

My sites are being redirected by a .htaccess redirect attack. I am running j1.5.15,. I will upgrade once I delete the folders and dod a fresh install of the latest version, but do you see where I have been breached?
Below is the code from FORUM POST ASSISTANT.

I will add this to the main topic. and asuggest you follow the multiply posted advice
quite possibly due to

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

The security moderators have taken the descision to merge all the related hack topics into one places. This is not normal practice.
The htaccess redirect hack is not joomla specific, it has affected all sorts of platforms (wordpress, drupal, vbulletin) on various hosts.
At the present time we are lost as to what could be causing this.
Our clear recommendation is to follow the following checklist viewtopic.php?f=432&t=475313 and security checklist 7.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

My theory is that it is not one specific hack but several. They are using any vulnerability they can to insert a script on the site. The script finds the /. top level folder the ftp can access. (Because some packages allow for setting a folder for the site root, that explains why some report it's the .htaccess above the root that gets hacked !)

Once it finds the file it does it's 'thing' and edits the .htaccess (or replaces it).

In the mean time everyone is running around looking for a specific vulnerability when it is not a new exploit ... but just a new method of exploiting existing ones.

Addendum
As some of the redirects are redirecting sites when searched from Google and other search sites then http://www.whitefirdesign.com/resources ... oogle.html may be useful ?

_________________
http://weblinksonline.co.uk/joomla-faq.html

One of my clients Joomla site was hacked and I looked into it and found some strange code in .htaccess as the below:
Could some help me understand what this thing does?

_________________
Norito H.Yoshida, Yokohama, Japan
norito@gmail.com
http://kaigai.goyat.info/
goyat.jp

1. redirects search results tro a malicious page
2. update your clients joomla to the latest version
i have added your topic to the rest, please read the topic for aadvice

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

Thank you for your advice.

_________________
Norito H.Yoshida, Yokohama, Japan
norito@gmail.com
http://kaigai.goyat.info/
goyat.jp

My Churches website has also been hacked. It redirects when you do a search in Google to a Russian site. Here is the post generated from the FPA. Any help would be greatly appreciated.

if people run the cron commands here http://docs.joomla.org/Security_Checkli ... d_and_cron then that may help time stamp the insertion of the code so that your logs/host can track it down.
not on some busy sites a large email will be produced.

mleadingham why are your folders 705?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

@mleadingham
at least one of your extensions is in the http://docs.joomla.org/Vulnerable_Extensions_List

_________________
http://weblinksonline.co.uk/joomla-faq.html

mleadingham- an i also see that one of your sites templates is listed and offered on one the worlds leading malicious template providers viewtopic.php?f=619&t=637762&p=2760230#p2696541

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

Hello,
I see that it can be produced also with 1.5.26 if there are other problems
How could we bloc this malicious script definitely ?

Best regards
Amorino

_________________
Création sites web Tunisie : http://www.idealconception.com
http://www.italianistica-tunisia.com

To All.
This is not news that anyone wants to hear but I'm going to say it anyway. To my knowledge, there is currently no way to block this hack that will be effective. Entry at this time to a domain is unknown. While this hack seems to be affecting any php driven site, it can and does also affect plain html sites as has been reported within this thread as well as elsewhere. It is also seems to be affecting up to date and apparently secure sites.

It is just my opinion, but I suspect the entry is by a vulnerable extension, other vulnerable php software installed on a domain, or a site with bad permissions allowing entry. It could also be some type of server hack.

Once the vulnerability is exploited, access is gained to the entire server allowing easy access with full permissions to other domains contained on the server without the need for any password or username. Most affected seem to be sites that are on a shared server or a VPS. These environments are hard to control and secure and generally have lots of sites of varying security quality on them. Shared servers are also the most common type of environment in use. Your site can be fully up to date with all kinds of security measures in place and taken and you can still be hacked.

If you fail to keep your domains installed software updated (Joomla, forum, using bad permissions,or whatever), then you are contributing to the problem as your giving the hackers an entry point into not only your domain, but into everyone's domain within the server your on.

If you have a reseller account, or just have multiple domains under one master account, and one of those domains becomes hacked, then it is very likely that all the domains controlled by that master account will become hacked as well as the master account. This is generally called cross contamination and is very similar to cross site scripting. Because these reseller/multiple domain accounts are generally in a shared environment, the cross contamination within one account can spread to all the other accounts within that server.



What you can do to help possibly limit the damage to your website.

Keep a close eye on all of your domains files. I would suggest you use the following one line script to keep an eye on things. Be aware that on large sites with lots of activity it will generate a large email as it looks at the entire public_html for changes and the cache directory makes lots of changes. Using this script run once every hour or so can help pinpoint when the files get changed and what files are changed. Couple this info with the site logs and you may be able to pinpoint what is happening.



Make sure you have followed all the steps below if you have been hacked. If you have not been hacked yet then make sure you follow most of the advice below (obviously leaving out the replacing of all files) as it still applies to keeping your site in the best shape security wise as possible.

It would help us to help you if before you post your security/been hacked topic


Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar error?

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

I can confirm that this indeed seemed to have helped in my case as well (so far at least), while presumably the problem still persists in terms of vulnerable extensions (not updated I have to confess).

Several of my sites had this kind of files in the tmp folder, always the jos_core.php (which has 0kb and is empty) and one other in the range of 26kb and the vBulletin header also mentioned in this threat. The other file was named jos_qrgq.php in one case and jos_lot3.php in another. The origin as early as March 22nd 2012 and their deletion at least has stopped the one hour copy cycle.

Thanks for pointing to this solution.
Erik


EDIT: needless to say that I am now heavily updating!

I look at it as a thief entering a building. They will check the doors then the windows and find the most convenient point of access. Some of the stats Posted by users who have been hacked have that many security holes it is difficult to know how it got on their site. Others have up to date software and apparently no holes.

By that I mean that is the slack attitude to security that has lead to this mass of hacked sites.

A determined hacker can get into almost anywhere. But failure to follow the advice of mandville and PhilD is the main reason many of the sites are hacked.

_________________
http://weblinksonline.co.uk/joomla-faq.html

I believe someone asked earlier about how they could better protect their images directory as their on a server where theres ownership and permissions issues.

First, strongly consider changing hosts, to one that knows how to set up a server so there are no file/directory ownership (and thus permission) issues.

In the meantime, set up this in an htaccess file within the images directory.
It will not prevent someone from uploading a script to the directory but it will make it harder (or prevent it from running (depending upon hacker skill level) to run the uploaded script.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Several of the Joomla 1.5 sites I host underwent attacks which started on the 22nd March. I found the jos_core.php files in /tmp - and htaccess files containing the redirects had been placed into many of the sub-directories.

I don't want to speak too soon - but I followed the advice in earlier posts and everything seems to be working okay now. For others struggling to fix it - I also found that the stuff listed below worked for me:

• Deleted every htaccess and replaced with files from backup
• Deleted the two jos_core.php & jos_xxxx.php files in /tmp
• Updated all sites to 1.5.26 (from 1.5.25)
• Changed/Checked the directory permissions were 755 and files were 644 (all owned by apache2 user - www-data)
• Changed the ownership and permissions of .htaccess to <standard_user>:www-data and 440
• Downloaded and ran a rootkit search tool - nothing found.
• Downloaded and ran rkhunter from here - nothing found.
  Added a section to fail2ban's jail.conf for suhosin and used the stock regex in filter (suhosin.conf)
  
  Code:
  [suhosin]
        enabled = true
        port    = http,https
        filter  = suhosin                                                                                                                               
        logpath = /var/log/syslog
        maxretry = 1
• Added mod_security to the Apache2 config and added the joomla specific conf file (modsecurity_crs_46_slr_et_joomla_attacks.conf) to the base_rules
• Took (most of) the advice from the following article on securing Apache.
• And finally - applied updates to (many) out-of-date modules & components.

Having been able to check between the sites - there definitely seems to be a pattern to the attacks. The script used seems to target the same modules (whether they're installed or not). The ones that appeared most in the logs were:

GCalendar, CCUsers, SEFServiceMap2 and CiviCRM

IMO, the fail2ban suhosin config made the biggest difference. As in the last 24 hours, it's banned 8 different IPs and the htaccess files have remained untouched.

'Hope this helps someone else - and thank you to those who gave advice in this thread. It's been a steep learning curve but one well worth sticking with!

@theitd

What's your url(s)
in the form of www.site dot com ?

_________________
http://weblinksonline.co.uk/joomla-faq.html

I'd rather not list them here - but can PM you?
They're all www.site dot com though.

PM will be fine

_________________
http://weblinksonline.co.uk/joomla-faq.html