Hacked Mambo website redirecting traffic

[MarkSteger]

My website has been hacked. The symptom is that calls to certain pages get redirected to a porn website. The pages have names like "/buscar-numeros-de-telefonos-de-mujeres-solteras/". In other words, nothing like any page that exists on my website. There are numerous versions of this, but all redirect to the same place. If I change even a single character and make a call to my website with the variant, it gets directed to my home page, as expected. In short, my website seems to be working correctly for everyone, but it also seems to be working like a redirect engine for whoever is directing traffic my way using these porn page names.

I've checked my .httaccess without finding anything. I've looked at my index.php page without finding anything. I've looked for in the redirected website name in the text of any of my own website pages without finding anything. I'm stumped. How can I find what is causing a simple request to my website to get redirected to a porn website, without such requests impacting normal traffic?

[leolam]

If you do not want to do viewtopic.php?f=714&t=946026 you should subscribe to https://mysites.guru/ which will identify all for you. First scan is free.

Leo

[MarkSteger]

I didn't link to *any* website. But now I see that if you Google the page name I mentioned, it leads to several websites that have been hacked like my own has been hacked. My website happens to be running Mambo, which is a very early incarnation of Joomla but is now obsolete. I hoped some Joomla user either might have seen a similar hack, or at least might be interested in whether the latest version of Joomla might be vulnerable as well. If that is out of line, let me know and I will delete my question and go away.

[toivo]

Please do not go away, @leolam's point is very valid because you will need professional help, and Phil Taylor from mysites.guru would be a good choice.

However, it may be difficult to convince Joomla experts to repair a 15 year old Mambo site, rather than rebuild it quickly using the secure and supported current version of Joomla with a free responsive template and a few free whizz-bang third party extensions.

[PhilTaylor-Prazgod]

I'll bite my tongue, however, even Phil Taylor is not interested in Mambo sites. Its 2020 now. Its unprofessional and insane that there are live sites running Mambo in 2020.

Im not surprised you are hacked. Im only surprised that you are surprised.

[toivo]

You could still post your requirements to the Professional Development Services forum at viewforum.php?f=177 with your details so that interested Joomla experts can contact you with their proposals.

[MarkSteger]

Toivo Talikka, thanks for your reply. I'm not really looking for professional development services. I run a hobby site that I've always used as a platform for me to learn about website development.

Phil Taylor, thanks for your reply. I am not surprised that I was hacked. It's a moot point why I am still running Mambo, but FYI, I created my site 20 years ago as a hobby site, not a commercial site. It's a labor of love. I could have shut it down a decade or more ago, but I have a couple of dozen loyal users that I've kept it alive for their enjoyment. But I've invested little time or money in it. I've warned the users that if the site were ever hacked, I might just shut it down. And that might or might not still be my reaction here. But I came here not to discuss what I should do with my personal hobby site, I came here to learn something about how my particular hack works. If I just shut down, or paid someone to upgrade to Joomla, I still wouldn't know how the hack works. And I want to learn. If this forum is more for selling services, I'd understand.

I thought I understood how Apache turns a request like mysite.tld/abcde into returning a particular page from my website's file directory, but obviously I don't. Because mysite.tld/abcde returns a page named abcde if that page exists, and if it doesn't, it returns mysite.tld/index.php, except if it's a page name from the hack like mysite.tld/special-porn-page, and then it redirects to a different site altogether, a porn site like porn-site.tld/special-porn-page. I'm not even sure it's a Joomla hack (or Mambo). It might be a hack outside of whatever CMS I'm running. I'm willing to track down the problem, but I was hoping someone could give me some leads where to start looking, even if it's a good tutorial on sources of selective redirect hacks.

[Webdongle]

Wipe the server, scan all computers that have access to the server and rebuild with the latest Joomla.

Addendum
Forgot to say ... change your user/pass after that.

[toivo]

Cheers. This purpose of the Security sub-forums is to provide advice on best security practice and to help webmasters and site owners to configure their servers and rebuild their websites so that they are secure.

Study the sticky topics at the top of the 3.x Security forum at viewforum.php?f=714. The point there is to fix possible security vulnerabilities in the server environment and update obsolete third party extensions and to rebuild the website so that no compromised files are left behind, as recommended by @Webdongle, who is an expert and one of the authors of those tutorials.

Hack code is not allowed to be presented in this forum. If you want to learn about how hackers attack vulnerabilities in web software, there is plenty of material available on the internet about things like SQL injection or cross-site scripting, but that is an area of specialist knowledge and a profession for many experts.

[MarkSteger]

Toivo, thanks. I believe I am asking for help on the wrong forum. My apologies.