URGENT!! Searches for my website on google being redirected!

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

pcmadeley
Joomla! Apprentice
Posts: 17
Joined: Fri Jan 08, 2010 12:21 am

URGENT!! Searches for my website on google being redirected!

Post by pcmadeley » Fri Jan 08, 2010 12:28 am

URGENT HELP REQUIRED

When people go to Google.com and search for our site {delete evil link} (health force = best search terms) they are being forwarded to {delete evil link}, watching the URLs in the browser... I watch it go from healthforce.com to {delete evil link} and then to {delete evil link}

If they go direct via browser URL bar it works fine. Our host said it is in the website files somewhere and when they replaced the index.php with a test file it worked again, however they said that they cannot support code issues on the CMS. I looked at the index.php and do not see the above redirects.

Please Help ASAP!

Philip Madeley
{delete evil link}
Last edited by mandville on Mon May 03, 2010 7:37 pm, edited 1 time in total.
Reason: links to malicious code or infected sites are not required or wanted.

mandville
Joomla! Master
Posts: 15040
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: URGENT!! Searches for my website on google being redirected!

Post by mandville » Fri Jan 08, 2010 2:16 am

see if your .htaccess file has been modified, or if it works on any other site, your own computer host file.
i suggest searching for hijackthis, download and run the tool. see what results you get
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

chetanmadaan
Joomla! Ace
Posts: 1553
Joined: Sun Feb 10, 2008 1:37 pm
Location: Little Office

Re: URGENT!! Searches for my website on google being redirected!

Post by chetanmadaan » Fri Jan 08, 2010 2:16 am

Philip,

seems like some serious hack attempt.

google is sending the traffic to you but there is some other problem.

might be the .htaccess file problem.

try disabling it and paste it here so that we can take a look.
Chetan Madaan - JM-Experts
http://www.Jm-Experts.com

scto
Joomla! Apprentice
Posts: 9
Joined: Fri Jan 08, 2010 2:14 am

Re: URGENT!! Searches for my website on google being redirected!

Post by scto » Fri Jan 08, 2010 2:17 am

I am having a similar issue. The site works well, but as soon as you visit any of the newer pages, every link on the site redirects to p3p) or other sites.

chetanmadaan
Joomla! Ace
Posts: 1553
Joined: Sun Feb 10, 2008 1:37 pm
Location: Little Office

Re: URGENT!! Searches for my website on google being redirected!

Post by chetanmadaan » Fri Jan 08, 2010 2:24 am

i am telling you it's the .htaccess file problem.

scto
Joomla! Apprentice
Posts: 9
Joined: Fri Jan 08, 2010 2:14 am

Re: URGENT!! Searches for my website on google being redirected!

Post by scto » Fri Jan 08, 2010 2:48 am

I will look into that right away. Thank you.

The htaccess.txt file in the site root?

chetanmadaan
Joomla! Ace
Posts: 1553
Joined: Sun Feb 10, 2008 1:37 pm
Location: Little Office

Re: URGENT!! Searches for my website on google being redirected!

Post by chetanmadaan » Fri Jan 08, 2010 3:08 am

yes but you will now have it as .htaccess and you have to rename it back to htaccess.txt or somethingelse.txt

pcmadeley
Joomla! Apprentice
Posts: 17
Joined: Fri Jan 08, 2010 12:21 am

Re: URGENT!! Searches for my website on google being redirected!

Post by pcmadeley » Fri Jan 08, 2010 7:49 pm

Here is a copy of the .htaccess file from the root

http://healthforce.com/backuphtaccess.txt

I do not see redirects in there. Are there any other locations?

Also how can I protect against such an attack in the future?

Thank You
Philip

pcmadeley
Joomla! Apprentice
Posts: 17
Joined: Fri Jan 08, 2010 12:21 am

Re: URGENT!! Searches for my website on google being redirected!

Post by pcmadeley » Sat Jan 09, 2010 1:14 am

any more insights would be great as I do not see errors in the htaccess file... see above

scto
Joomla! Apprentice
Posts: 9
Joined: Fri Jan 08, 2010 2:14 am

Re: URGENT!! Searches for my website on google being redirected!

Post by scto » Sat Jan 09, 2010 1:49 am

jaensen pointed me to the includes/defines.php file which cleared my problem up. There was an Eval() statement added. It was suggested that Ozio Gallery component may have been the source of the problem.

pcmadeley
Joomla! Apprentice
Posts: 17
Joined: Fri Jan 08, 2010 12:21 am

Re: URGENT!! Searches for my website on google being redirected!

Post by pcmadeley » Sat Jan 09, 2010 3:15 am

Thanks

I found this code in the defines file (includes/defines.php) and removed it and it fixed the issue... should I keep any of it, I deleted the whole line of code from line 14

*/ eval(base64_decode("CglpZiAoc3R[removed]p9Cgk="));
Last edited by pe7er on Sat Jan 09, 2010 11:39 am, edited 1 time in total.
Reason: Hacker script has been removed

scto
Joomla! Apprentice
Posts: 9
Joined: Fri Jan 08, 2010 2:14 am

Re: URGENT!! Searches for my website on google being redirected!

Post by scto » Sat Jan 09, 2010 2:33 pm

I removed the whole line and my site has been working properly for a couple of days now.

tinman507
Joomla! Fledgling
Posts: 2
Joined: Fri Nov 28, 2008 2:46 am

Re: URGENT!! Searches for my website on google being redirected!

Post by tinman507 » Sat Jan 09, 2010 5:39 pm

Same issue here. Did as suggested: removed eval code and all is well. But question is....how did this happen? The includes/defines.php file doesn't appear to have been altered anytime within the past year. Yet this problem seems to have begun on or around Jan 1, 2010. Anyone have any ideas how to prevent this?

Thanks!

pcmadeley
Joomla! Apprentice
Posts: 17
Joined: Fri Jan 08, 2010 12:21 am

Re: URGENT!! Searches for my website on google being redirected!

Post by pcmadeley » Sat Jan 09, 2010 6:04 pm

did you add the Ozio Gallery.. apparently this is the cause, update to the latest version of the gallery software and it will fix the issue.

tinman507
Joomla! Fledgling
Posts: 2
Joined: Fri Nov 28, 2008 2:46 am

Re: URGENT!! Searches for my website on google being redirected!

Post by tinman507 » Sat Jan 09, 2010 6:25 pm

Yes, just updated to the latest and deleted the indicated file.

mandville
Joomla! Master
Posts: 15040
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: URGENT!! Searches for my website on google being redirected!

Post by mandville » Sat Jan 09, 2010 9:14 pm

If this topic has been sorted can we mark it as closed or move it to the security forum if it has not been resolved.
the ozio gallery has been identified as the cause, and also appears on the VEL

guanche
Joomla! Fledgling
Posts: 1
Joined: Wed Jul 15, 2009 11:34 am

Re: URGENT!! Searches for my website on google being redirected!

Post by guanche » Fri Feb 05, 2010 8:05 am

Hello,

Same problem here but i have uninstalled Ozio Gallery component because not being used here, and replaced defines.php file with the original one, and renamed .htaccess to .htaccess.txt and it still continues redirecting to [mod note: removed url] :( :( :(

Any help?

Thank you
regards
guanche

-------------------------
Sorry... SOLVED

was the .htaccess file not from site subdirectory where the domain is redirected and Joomla is installed but from principal server public_html directory.

:)

Chinaman
Joomla! Guru
Posts: 575
Joined: Sun Aug 21, 2005 8:46 am
Location: Perth, Western Australia

Re: URGENT!! Searches for my website on google being redirected!

Post by Chinaman » Tue Feb 09, 2010 2:07 am

Thank you
Joomla! - enjoying every minute of the journey!

Tom1616
Joomla! Fledgling
Posts: 3
Joined: Mon Aug 17, 2009 10:44 am

Re: URGENT!! Searches for my website on google being redirected!

Post by Tom1616 » Mon Feb 15, 2010 7:52 pm

I found it also in the configuration.php file and the htaccess (same site)

Starts with Eval...

Tom

Tsun
Joomla! Fledgling
Posts: 1
Joined: Fri Jan 15, 2010 8:37 pm

Re: URGENT!! Searches for my website on google being redirected!

Post by Tsun » Tue Feb 16, 2010 11:58 pm

couldn't see it in the includes/defines file at first but found a file called post.php added around the time the problem hit, this had code within it starting eval.

I downloaded this file in case it was needed, revisited the includes/defines.php file and the hack was there, deleted this line and this cured the problem.

Tsun

Rodrigolp
Joomla! Fledgling
Posts: 1
Joined: Tue Mar 16, 2010 6:41 pm

Re: URGENT!! Searches for my website on google being redirected!

Post by Rodrigolp » Tue Mar 16, 2010 6:54 pm

Hello, I found within (includes/defines.php) the code
* / Eval (base64_decode ( "CglpZiAoc3R [removed] p9Cgk ="));.
I deleted the line where it was and now my site no longer works.
Please someone help me

My site is www.imbuibocadorio.com.br

nancymoo22
Joomla! Fledgling
Posts: 2
Joined: Tue Dec 22, 2009 5:35 pm

Re: URGENT!! Searches for my website on google being redirected!

Post by nancymoo22 » Mon Mar 22, 2010 3:26 pm

:'(

Hello,

I'm having exactly the same problem.. however I cannot find any EVAL codes in either the includes/defines file, htaccess or the configuration.php files. (or anywhere else)

I have upgraded to the latest version of OZIO Gallery (2.3) but the problem still persists.

Has anyone got any idea what I should do next please ?

nancymoo22
Joomla! Fledgling
Posts: 2
Joined: Tue Dec 22, 2009 5:35 pm

Re: URGENT!! Searches for my website on google being redirected!

Post by nancymoo22 » Mon Mar 22, 2010 3:58 pm

Hello

Following on from my last post :

I have just been back again and rechecked the includes/defines file and the EVAL code had 'appeared' right at the top of the list. It definitely wasn't visible earlier on today so I'm thinking that something that I have done (maybe the ozio upgrade) has caused the code to become visible.

Anyhow, I simply deleted the line and now the site seems to be working perfectly.

I would advise those with the same problem to keep rechecking the defines file for the code even if it doesn't appear first time round.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: URGENT!! Searches for my website on google being redirected!

Post by PhilD » Tue Mar 23, 2010 12:40 am

Once a site has been hacked it is highly likely that there are hidden modifications and backdoors scattered throughout the files of the site. Finding and removing the obvious "eval code" is not going to fix your site even if it "Looks" like it is fine. Some posting here have already found this out.

I would suggest that all here follow the advice given in Security Checklist 7 and also check all extensions against the VEL
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

two5chicken
Joomla! Apprentice
Posts: 24
Joined: Mon May 05, 2008 5:56 pm

Re: URGENT!! Searches for my website on google being redirected!

Post by two5chicken » Wed Mar 24, 2010 3:01 pm

These guys are using SQL injection to compromise the site via the frontend.

For example, in Virtuemart a security hole (that was recently patched) allowed a hacker to inject this malicious code into the site.

It is documented here, http://forum.virtuemart.net/index.php?t ... #msg219441

:geek:

nguaden
Joomla! Apprentice
Posts: 7
Joined: Sun Dec 21, 2008 10:25 am

Re: URGENT!! Searches for my website on google being redirec

Post by nguaden » Mon May 03, 2010 7:05 pm

I have the same problem. When I visit the link directly, no problem, but when I try a search on Google I see an error: auto redirect to {malicious}
.htaccess code:
##
# @version $Id: htaccess.txt 14401 2010-01-26 14:10:00Z louis $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /


########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
Last edited by mandville on Wed Jun 02, 2010 10:27 pm, edited 2 times in total.
Reason: evIl code removed - signature against forum rules

mandville
Joomla! Master
Posts: 15040
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: URGENT!! Searches for my website on google being redirec

Post by mandville » Mon May 03, 2010 7:35 pm

Looks like another godaddy hack victim.
http://www.wpsecuritylock.com/cechrieco ... ase-study/
http://blog.sucuri.net/2010/05/second-r ... acked.html
nguaden wrote: I have the same problem. When I visit the link directly, no problem, but when I try a search on Google I see an error: auto redirect to {malicious}
.htaccess code:

williwild
Joomla! Intern
Posts: 91
Joined: Sun Oct 04, 2009 1:16 am

Re: URGENT!! Searches for my website on google being redirec

Post by williwild » Mon May 03, 2010 11:01 pm

I have been struggling with this all day. I found the "/ eval(base64_decode(..." in two places. If I could offer a newbie the advice, you cannot simply search this, study it, know it, and manually look in as many files on your database as needed until all of the occurrences are deleted. Mine was about 800 characters long. Not hard to find, but impossible to "search" automatically (find). Deleting these solved the p3p0 redirect/hijack problem in the search engine.

Then sit back and have a cool glass of that favorite drink :)

artmicke
Joomla! Apprentice
Posts: 5
Joined: Thu Dec 11, 2008 8:24 am

Re: URGENT!! Searches for my website on google being redirec

Post by artmicke » Tue May 25, 2010 7:30 am

Hi! I have had the same problem as described in this thread, and think I have managed to get rid of all "Eval"-code. However, now I get a JavaScript error when working in the administration. I cannot, for example, use any of the "icons buttons", like "New", under Article. It just says:
------------------
Message: Object expected
Line: 300
Char: 1
Code: 0
URI: http://-------.se/administrator/index.php?option=com_content
-------------------

Now, when looking at this line, it says this (source code):

<td class="button" id="toolbar-new">
<a href="#" onclick="javascript:hideMainMenu(); submitbutton('add')" class="toolbar">
<span class="icon-32-new" title="New">
</span>
New
</a>
</td>

Is there anyone that can help me???? I cannot add any information, and we have a very important site that MUST work... PLEASE!!!
:'(

davewood
Joomla! Fledgling
Posts: 2
Joined: Wed Oct 01, 2008 2:25 pm

Re: URGENT!! Searches for my website on google being redirec

Post by davewood » Wed Jun 02, 2010 8:19 pm

Hello all.

Here's what you need to do if this happens to your server.

1. As mentioned above, remove the eval line from the includes/defines.php file
2. Remove (or upgrade) the Ozio Gallery component
3. Delete the file components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php from the gallery that was used to install this hack.
4. Delete the file includes/post.php. This is the backdoor file the attacker installs on your server so they can edit your defines.php file. If you don't remove this file, you can be attacked again, and again.
5. Delete the file images/img.php. This appears to be a test or temp file the attacker creates.

Afterwards, all should be fine. If you look in your log files, and search for writeToFile.php, img.php & post.php you can see what IP's the attacks came from, and exactly when.
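
The checks from the cleanup steps above, as an added example (not part of the original thread, and not Joomla or Ozio Gallery code): a Python scanner that finds `eval(base64_decode(` lines regardless of spacing or case, reports which of the named dropped files are present, and pulls client IPs and timestamps for those files out of an access log. The Combined Log Format and the sample log lines are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Tolerates the spacing and case variants quoted in the thread,
# e.g. 'eval(base64_decode(' and 'Eval (base64_decode ('.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

# Files named in the cleanup steps, relative to the Joomla root.
DROPPED_FILES = (
    "includes/post.php",
    "images/img.php",
    "components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php",
)

# Assumed Combined Log Format: IP, identd, user, [time], "METHOD path ..."
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
LOG_NAMES = re.compile(r"/(?:writeToFile|img|post)\.php(?:\?|$)", re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, invented times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:03:12:44 +0000] "POST /components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jan/2010:03:12:51 +0000] "GET /images/img.php HTTP/1.1" 200 5',
    '198.51.100.7 - - [01/Jan/2010:04:00:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8123',
    '192.0.2.10 - - [02/Jan/2010:09:30:00 +0000] "POST /includes/post.php HTTP/1.1" 200 0',
]

def scan_tree(root):
    """Return (eval_hits, dropped): [(relative path, line number)] and present dropped files."""
    root = Path(root)
    eval_hits = []
    for path in sorted(root.rglob("*")):
        # PHP files and every .htaccess, since posters found the code in both.
        if not path.is_file() or (path.suffix.lower() != ".php" and path.name != ".htaccess"):
            continue
        lines = path.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            if EVAL_B64.search(line):
                eval_hits.append((path.relative_to(root).as_posix(), number))
    dropped = [name for name in DROPPED_FILES if (root / name).is_file()]
    return eval_hits, dropped

def scan_log(lines):
    """Return (client IP, timestamp, request path) for requests to the named files."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match and LOG_NAMES.search(match.group(3)):
            hits.append(match.groups())
    return hits

if __name__ == "__main__":
    hits, dropped = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, number in hits:
        print(f"eval(base64_decode: {rel}:{number}")
    for name in dropped:
        print(f"dropped file present: {name}")
    for ip, when, path in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} {path}")
```

Point it at the account's top-level web directory rather than only the Joomla subdirectory, since one poster found the modified .htaccess in the parent public_html. An empty result covers only the pattern and file names reported in this thread and does not show that the site is clean.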

