Joomla .htaccess hacked to xxx.ru

[mandville]

Is there anything that can be done to prevent hackers from doing this type of "local file injection"?

start by following checklist 7 safe route to recovery as has been suggest/recommended several times in this toic
find out where the injection came in by following other actions in checklist 7

[Slackervaara]

Cmiw, sometimes they even put the infected .htaccess above the public_html.

Isn't it so that it is always the lower htaccess that is valid? The higher htaccess is then valid in its folder, but not below that if another htaccess is present.

[zuel]

PHP Built on: Linux servps.fastservernow.com 2.6.18-028stab070.14 #1 SMP Thu Nov 18 16:04:02 MSK 2010 i686
Database Version: 5.0.95-community-log
Database Collation: utf8_general_ci
PHP Version: 5.2.17
Web Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.7a mod_bwlimited/1.4
Web Server to PHP interface: cgi
Joomla! Version: Joomla! 1.5.26 Stable [ senu takaa ama busani ] 27-March-2012 18:00 GMT
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0

Last night one of my clients' site was hacked. All internal links now redirect to Google search. I did a live http headers check and found that the site is redirecting through xx.ru/in.cgi?4. After reporting this to the host, it was discovered that all the .htaccess files site wide were hacked.

I found another thread, where a poster said they suffered the same kind of exploit with their .htaccess files corrupted. They said they found some suspicious php files with a jos_ prefix (jos_core.php) in their tmp directory. They further said removing them seemed to keep the site from being reinfected. Checking my tmp directory, I found I had three such files with the jos prefix and one of them was the jos_core.php. I have left them on the site for now, so the host can investigate. I do not know if this is anything or not, but seemed like an incredible coincidence. Therefore, I'm posting the info here in case it's relevant.

We're going to restore the site. But my fear is that the hole will still remain and I have no idea how to plug it. One of the first things I do when I set up a site is to set my permissions for .htaccess to 0444. I also password protect the admin portal and change my db prefixes to further harden the site. Permissions set to 0755 for directories and 0644 for files.

Any assistance in helping me lock this down would be greatly appreciated. Just want to make sure that we don't get hacked again in this manner.

Thanks so much!

[mandville]

follow the procedures detailed in the other topics. It may seem strange but to prevent a mass of hta hacked topics all on the same subject, please follow the topic http://forum.joomla.org/viewtopic.php?f ... 6&start=30, i am going to merge this post into that topic.
I would HEAVILY suggest that your host take the file and delete it themselves. if it there longer than 5 minutes after your host acknowledged the location of the files, they are in breach of morals. just delete it. its dangerous and malicious

[Bernard T]

I have left them on the site for now, so the host can investigate.

I would HEAVILY suggest that your host take the file and delete it themselves. if it there longer than 5 minutes after your host acknowledged the location of the files, they are in breach of morals. just delete it. its dangerous and malicious

Absolutely agree - delete files ASAP!! ... Leaving infected files there intact is actually leaving backdoor wide open! Scripts that I found are pretty nasty ones, programmed to give full file access and more to the attacker.
The only thing that could be useful to any hosting provider is:

• path/filename
• timestamp (modification time)

so basically just make a screenshot of FTP/file manager window where this info is viewable, or push a filelist to a file via shell

Code: Select all

ls -al > dirlist.txt

It's a good idea to note .htaccess last modification time and take a look in "access.log" searching for records in this time. It might be something there, or not, eg. if malware is run via cronjob...

[amorino]

Hello,
I would thank all the persons who helped in this topic
Since yesterday with my Hoster we spent a lot of time but now I applied all your suggestions and all seems to be OK

I will keep an eye on the site for next days
Best regards
Amorino

[Bernard T]

Hello,
Since yesterday with my Hoster we spent a lot of time but now I applied all your suggestions and all seems to be OK

what extension was used on your site?

[amorino]

Hello,
on that site I had:

- rereplacer (That I updated)
- Sobi2
- Chronoforms (that I uninstalled now because I don't need it)
- Easy book reloaded
- JCE
- Xmap (That I updated)
- Acymailing
- Joomlart extension manager
- K2 with its modules (that I uninstalled now because I don't need it)

They are the same as yours BernardT ?

The file found in the tmp folder had the following name :
_cache_bw0qezl9.php

And it contained many strange lines :
preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\.....

65 lines in Total with the header commented of vBulletin 3.1.9 that I never installed of course
Best regards
Amorino

[Bernard T]

- rereplacer (That I updated)

65 lines in Total with the header commented of vBulletin 3.1.9 that I never installed of course

- rereplacer is based on NoNumber Framework, this was used on my subject site... if you search closely in your access log you will find traces of NoNumber file inclusion...
- the inserted file had the vBulletin header but that's actually code that's not used anyway so ignore it, encoded one is the whole malware

[amorino]

Hello Bernard,

could you please show me an example of trace you found?
I had 2 sites infected one of them had no number extention but just a joomla 1.5.25 + JCE + Xmap
I think that it's a joomla 1.5.25 and lower version security problem

So should upgrade all sites to 1.5.26

But I'm thinking that I have so many sites with 1.5.x and I couldn't upgrade all of them and 1.5 will no more being supported after few days
Ho to do if this happen after again

Best regards
Amorino

[skirby19]

My sites are being redirected by a .htaccess redirect attack. I am running j1.5.15,. I will upgrade once I delete the folders and dod a fresh install of the latest version, but do you see where I have been breached?
Below is the code from FORUM POST ASSISTANT.

[31-Mar-2012 23:38:12] PHP Warning: include() [<a href=\'function.include\'>function.include</a>]: Failed opening \'/home2/beachreu/public_html/language/pdf_fonts/freesans.php\' for inclusion (include_path=\'.:/usr/lib64/php:/usr/lib/php:/usr/share/pear\') in /home2/beachreu/public_html/libraries/tcpdf/tcpdf.php on line 1909

Joomla! Instance :: Joomla! 1.5.15-Stable (Wojmamni Ama Mamni) 05-November-2009
Joomla! Configured :: Yes | Read-Only (444) | Owner: beachreu (uid: 1523/gid: 1522) | Group: beachreu (gid: 1522) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-46.1.BHsmp | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home2/beachreu/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 31st March 2012 23:38:12. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 10M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.1.61-community-log (Client:5.1.59) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.67 MiB | #of _FPA_TABLE: 73

PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | session () | iconv () | standard (5.2.17) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | SimpleXML (0.1) | ncurses () | odbc (1.0) | pcntl () | SPL (0.2) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | posix () | pspell () | readline () | Reflection (0.1) | imap () | shmop () | mysqli (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Templates :: SITE :: beez (1.0.0) | rt_iridium_j15 (1.5.1) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) |

[mandville]

My sites are being redirected by a .htaccess redirect attack.

I will add this to the main topic. and asuggest you follow the multiply posted advice

but do you see where I have been breached?

quite possibly due to

I am running j1.5.15,.

[mandville]

The security moderators have taken the descision to merge all the related hack topics into one places. This is not normal practice.
The htaccess redirect hack is not joomla specific, it has affected all sorts of platforms (wordpress, drupal, vbulletin) on various hosts.
At the present time we are lost as to what could be causing this.
Our clear recommendation is to follow the following checklist http://forum.joomla.org/viewtopic.php?f=432&t=475313 and security checklist 7.

[Webdongle]

...
The htaccess redirect hack is not joomla specific, it has affected all sorts of platforms (wordpress, drupal, vbulletin) on various hosts.
At the present time we are lost as to what could be causing this.
...

My theory is that it is not one specific hack but several. They are using any vulnerability they can to insert a script on the site. The script finds the /. top level folder the ftp can access. (Because some packages allow for setting a folder for the site root, that explains why some report it's the .htaccess above the root that gets hacked !)

Once it finds the file it does it's 'thing' and edits the .htaccess (or replaces it).

In the mean time everyone is running around looking for a specific vulnerability when it is not a new exploit ... but just a new method of exploiting existing ones.

Addendum
As some of the redirects are redirecting sites when searched from Google and other search sites then http://www.whitefirdesign.com/resources ... oogle.html may be useful ?

[hanjimail]

One of my clients Joomla site was hacked and I looked into it and found some strange code in .htaccess as the below:
Could some help me understand what this thing does?

Code: Select all

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(wordpress|twit|tweet|flickr\.|linkedin|google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$   [NC]

[mandville]

1. redirects search results tro a malicious page
2. update your clients joomla to the latest version
i have added your topic to the rest, please read the topic for aadvice

[hanjimail]

Thank you for your advice.

[mleadingham]

My Churches website has also been hacked. It redirects when you do a search in Google to a Russian site. Here is the post generated from the FPA. Any help would be greatly appreciated.

Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (644) | Owner: 4419982 (uid: /gid: ) | Group: 450 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 1 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /var/chroot/home/content/f/c/c/fcclv19410/html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.14 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.92-log (Client:5.0.77) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 1.92 MiB | #of _FPA_TABLE: 67

PHP Extensions :: date (5.2.14) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | Reflection (0.1) | standard (5.2.14) | mysqli (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (Cloud/Grid): Maybe
Potential Ownership Issues: No

Core Folders :: images/ (705) | components/ (705) | modules/ (705) | plugins/ (705) | language/ (705) | templates/ (705) | cache/ (705) | logs/ (705) | tmp/ (705) | administrator/components/ (705) | administrator/modules/ (705) | administrator/language/ (705) | administrator/templates/ (705) |

Components :: SITE :: MailTo (1.5.0) | User (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: Banners (1.5.0) | Cache Manager (1.5.0) | Configuration Manager (1.5.0) | Contact Items (1.0.0) | Content Page (1.5.0) | Control Panel (1.5.0) | Frontpage (1.5.0) | Installation Manager (1.5.0) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Media Manager (1.5.0) | Menus Manager (1.5.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Newsfeeds (1.5.0) | Plugin Manager (1.5.0) | Polls (1.5.0) | Search (1.5.0) | Template Manager (1.5.0) | Trash (1.0.0) | User Manager (1.5.0) | Weblinks (1.5.0) | illbethere (1.0.4) | SermonSpeaker (3.1) | ALFcontact (1.8.2) | Acajoom Content Bot (2.0.0) | Acajoom (3.2.7) | Acajoom CB Plugin (1.2) | Secured (1.5.0) |

Modules :: SITE :: Acajoom Module (3.1.0) | Archived Content (1.5.0) | Banner (1.5.0) | Breadcrumbs (1.5.0) | Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.5.0) | jTweet (1.0.2) | JSN ImageShow PRO (1.0.6) | Latest News (1.5.0) | Login (1.5.0) | Menu (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Poll (1.5.0) | Random Image (1.5.0) | Related Items (1.0.0) | Search (1.0.0) | Sections (1.5.0) | Statistics (1.5.0) | Syndicate (1.5.0) | Tweets Module (2.2) | Who\'s Online (1.0.0) | Wrapper (1.0.0) |
Modules :: ADMIN :: Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Login Form (1.0.0) | Admin Menu (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Quick Icons (1.0.0) | Items Stats (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Acajoom Content Bot (2.0.0) | Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | Content - Load Modules (1.5) | Content - Page Navigation (1.5) | Content - Vote (1.5) | Content - pdfembed (1.5) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | Search - Weblinks (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Legacy (1.5) | System - Log (1.5) | System - Remember Me (1.5) | System - SEF (1.5) | System - JB Library (1.0.3) | System - BigoCaptcha (1.2) | System - Mootools Upgrade (1.5) | User - Example (1.0) | User - Joomla! (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) |

Templates :: SITE :: beez (1.0.0) | JA_Purity (1.2.0) | kodadesign (1.0) | rhuk_milkyway (1.0.2) | rt_novus_j15 (1.5.1) |
Templates :: ADMIN :: Khepri (1.0) |

[mandville]

if people run the cron commands here http://docs.joomla.org/Security_Checkli ... d_and_cron then that may help time stamp the insertion of the code so that your logs/host can track it down.
not on some busy sites a large email will be produced.

mleadingham why are your folders 705?

[Webdongle]

@mleadingham
at least one of your extensions is in the http://docs.joomla.org/Vulnerable_Extensions_List

[mandville]

mleadingham- an i also see that one of your sites templates is listed and offered on one the worlds leading malicious template providers http://forum.joomla.org/viewtopic.php?f ... 0#p2696541

[amorino]

Hello,
I see that it can be produced also with 1.5.26 if there are other problems
How could we bloc this malicious script definitely ?

Best regards
Amorino

[PhilD]

To All.
This is not news that anyone wants to hear but I'm going to say it anyway. To my knowledge, there is currently no way to block this hack that will be effective. Entry at this time to a domain is unknown. While this hack seems to be affecting any php driven site, it can and does also affect plain html sites as has been reported within this thread as well as elsewhere. It is also seems to be affecting up to date and apparently secure sites.

It is just my opinion, but I suspect the entry is by a vulnerable extension, other vulnerable php software installed on a domain, or a site with bad permissions allowing entry. It could also be some type of server hack.

Once the vulnerability is exploited, access is gained to the entire server allowing easy access with full permissions to other domains contained on the server without the need for any password or username. Most affected seem to be sites that are on a shared server or a VPS. These environments are hard to control and secure and generally have lots of sites of varying security quality on them. Shared servers are also the most common type of environment in use. Your site can be fully up to date with all kinds of security measures in place and taken and you can still be hacked.

If you fail to keep your domains installed software updated (Joomla, forum, using bad permissions,or whatever), then you are contributing to the problem as your giving the hackers an entry point into not only your domain, but into everyone's domain within the server your on.

If you have a reseller account, or just have multiple domains under one master account, and one of those domains becomes hacked, then it is very likely that all the domains controlled by that master account will become hacked as well as the master account. This is generally called cross contamination and is very similar to cross site scripting. Because these reseller/multiple domain accounts are generally in a shared environment, the cross contamination within one account can spread to all the other accounts within that server.



What you can do to help possibly limit the damage to your website.

Keep a close eye on all of your domains files. I would suggest you use the following one line script to keep an eye on things. Be aware that on large sites with lots of activity it will generate a large email as it looks at the entire public_html for changes and the cache directory makes lots of changes. Using this script run once every hour or so can help pinpoint when the files get changed and what files are changed. Couple this info with the site logs and you may be able to pinpoint what is happening.

To check for recent file changes within the last day on your system use these commands from putty (SSH - secure shell) or via a cron job. If you run the command from a cron job you can schedule it to check for changed files several times each day. Results will be sent to the domain account owner and show the time/date stamp for any changed files. When using the command by putty or a cron job, the use of the full physical path to public_html is recommended for best results.

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;

Please note your sites files may be located in public_html, httpdocs, www, or a similar place, and your physical path may also be different than in the examples. Adjust the physical path accordingly.

Make sure you have followed all the steps below if you have been hacked. If you have not been hacked yet then make sure you follow most of the advice below (obviously leaving out the replacing of all files) as it still applies to keeping your site in the best shape security wise as possible.

It would help us to help you if before you post your security/been hacked topic


Tell us if you have done the following, try copy and paste to use as a posting guide if needed

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar error?

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

[ejw]

... found some suspicious php files with a jos_ prefix (jos_core.php) in their tmp directory. They further said removing them seemed to keep the site from being reinfected. Checking my tmp directory, I found I had three such files with the jos prefix and one of them was the jos_core.php.

I can confirm that this indeed seemed to have helped in my case as well (so far at least), while presumably the problem still persists in terms of vulnerable extensions (not updated I have to confess).

Several of my sites had this kind of files in the tmp folder, always the jos_core.php (which has 0kb and is empty) and one other in the range of 26kb and the vBulletin header also mentioned in this threat. The other file was named jos_qrgq.php in one case and jos_lot3.php in another. The origin as early as March 22nd 2012 and their deletion at least has stopped the one hour copy cycle.

Thanks for pointing to this solution.
Erik


EDIT: needless to say that I am now heavily updating!

[Webdongle]

[quote="PhilD]It is just my opinion, but I suspect the entry is by a vulnerable extension, other vulnerable php software installed on a domain, or a site with bad permissions allowing entry. It could also be some type of server hack. [/quote]
That seems a reasonable assessment. Like I said previously

My theory is that it is not one specific hack but several. They are using any vulnerability they can to insert a script on the site.

I look at it as a thief entering a building. They will check the doors then the windows and find the most convenient point of access. Some of the stats Posted by users who have been hacked have that many security holes it is difficult to know how it got on their site. Others have up to date software and apparently no holes.

In the mean time everyone is running around looking for a specific vulnerability when it is not a new exploit ... but just a new method of exploiting existing ones

By that I mean that is the slack attitude to security that has lead to this mass of hacked sites.

A determined hacker can get into almost anywhere. But failure to follow the advice of mandville and PhilD is the main reason many of the sites are hacked.

[PhilD]

I believe someone asked earlier about how they could better protect their images directory as their on a server where theres ownership and permissions issues.

First, strongly consider changing hosts, to one that knows how to set up a server so there are no file/directory ownership (and thus permission) issues.

In the meantime, set up this in an htaccess file within the images directory.

Code: Select all

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

It will not prevent someone from uploading a script to the directory but it will make it harder (or prevent it from running (depending upon hacker skill level) to run the uploaded script.

[theitd]

Several of the Joomla 1.5 sites I host underwent attacks which started on the 22nd March. I found the jos_core.php files in /tmp - and htaccess files containing the redirects had been placed into many of the sub-directories.

I don't want to speak too soon - but I followed the advice in earlier posts and everything seems to be working okay now. For others struggling to fix it - I also found that the stuff listed below worked for me:

• Deleted every htaccess and replaced with files from backup
• Deleted the two jos_core.php & jos_xxxx.php files in /tmp
• Updated all sites to 1.5.26 (from 1.5.25)
• Changed/Checked the directory permissions were 755 and files were 644 (all owned by apache2 user - www-data)
• Changed the ownership and permissions of .htaccess to <standard_user>:www-data and 440
• Downloaded and ran a rootkit search tool - nothing found.
• Downloaded and ran rkhunter from here - nothing found.
  Added a section to fail2ban's jail.conf for suhosin and used the stock regex in filter (suhosin.conf)

  Code: Select all

  [suhosin]
  		enabled = true
  		port    = http,https
  		filter  = suhosin                                                                                                                               
  		logpath = /var/log/syslog 
  		maxretry = 1

• Added mod_security to the Apache2 config and added the joomla specific conf file (modsecurity_crs_46_slr_et_joomla_attacks.conf) to the base_rules
• Took (most of) the advice from the following article on securing Apache.
• And finally - applied updates to (many) out-of-date modules & components.

Having been able to check between the sites - there definitely seems to be a pattern to the attacks. The script used seems to target the same modules (whether they're installed or not). The ones that appeared most in the logs were:

GCalendar, CCUsers, SEFServiceMap2 and CiviCRM

IMO, the fail2ban suhosin config made the biggest difference. As in the last 24 hours, it's banned 8 different IPs and the htaccess files have remained untouched.

'Hope this helps someone else - and thank you to those who gave advice in this thread. It's been a steep learning curve but one well worth sticking with!

[Webdongle]

@theitd

What's your url(s)
in the form of www.site dot com ?

[theitd]

I'd rather not list them here - but can PM you?
They're all www.site dot com though.

[Webdongle]

PM will be fine