Website hacked, JavaScript code appearing in search results

[Timeisnow]

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Joomla! Rule 1" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions logicalGrouping="MatchAny">
<add input="{QUERY_STRING}" pattern="base64_encode[^(]*\([^)]*\)" ignoreCase="false" />
<add input="{QUERY_STRING}" pattern="(>|%3C)([^s]*s)+cript.*(<|%3E)" />
<add input="{QUERY_STRING}" pattern="GLOBALS(=|\[|\%[0-9A-Z]{0,2})" ignoreCase="false" />
<add input="{QUERY_STRING}" pattern="_REQUEST(=|\[|\%[0-9A-Z]{0,2})" ignoreCase="false" />
</conditions>
<action type="CustomResponse" url="index.php" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Joomla! Rule 2">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAll">
<add input="{URL}" pattern="^/index.php" ignoreCase="true" negate="true" />
<add input="{URL}" pattern="/component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$" />
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

[Timeisnow]

I found a fishy file in remository downloads folder with php extension, had many random characters, should have saved it so I could figure out how the bugger operates.... Anyone catch one of these things, please let me know, and I'll tell u how to send it to me. I doubt joomla forum will allow it as an attachment.

OH, what on earth is this file?: .gitignore - It has

Code: Select all

 *~
/.project
/.settings
/.buildpath
/configuration.php

in it... It's gone. .... But what do I do about this mess in my htaccess??

Code: Select all

##
# @package		Joomla
# @copyright	Copyright (C) 2005 - 2012 Open Source Matters. All rights reserved.
# @license		GNU General Public License version 2 or later; see LICENSE.txt
##

##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
##

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
AddHandler application/x-httpd-php53 .php .php5 .php4 .php3
## Mod_rewrite in use.

RewriteEngine On

## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.

## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects

##
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##

# RewriteBase /

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.

[mandville]

Moderator comment: - Please do NOT hijack other topics and then change their subject names to suit your needs. Please start a NEW topic unless your issues is related.

* Next please specify what part of the code you think is Interesting.
* what is the "mess" within your htaccess file?
* Dodgy files in the remos uploads folder usually indicates a poorly set up install of remository eg you didnt alter the settings to allow anonymous or unchecked uploads.

Onto the .gitxxx you normally ONLY get those if you download a un released version of joomla from the git file store. Some extensions eg admintools which call update files from the github MAY place these files on your server.

[Timeisnow]

I have cleaned up my server of the virus and have uploaded a new VERY SECURE htaccess file, but it's giving me a 404 on the content on my homepage.....

To the mod, first of all, I did not 'hijack' the post which was about the HTACCESS hack, I merely used the subject text field which I assumed was available to be able to EDIT the subject to make things more clear about my RELATED post, as I am affected by this htaccess hack as well.... and my only 'crime' is to have added more of my problems to my post.

The OP original subject is clearly visible.... You're acting as if I hacked it itself or something.... I mean, seriously.... You're going too far... This is the FIRST time I've ever been nagged at because I edited the subject of the original post.... Out of order.

The mess, was clearly the hack. Allowing for the script.... I thought I was showing the community perhaps valuable information, because I saw similar code which included the square root sign being called up by javascript to have a hidden weird link to 'freeonlinegames' in my search results in the HTML source code.... - The way I found out was by copying the search results to post in an email..... And was a bit freaked out to see the weird website added.... to every search result link..... It's enough that hardly anyone looks at information that would save the world, let alone to be hacked and now.... I need help on how to get my site to stop having 404 errors, as I've edited the htaccess file with uber security measures, after deleting the virus and all it's generated htacess files. I did a search on all directories.

Now here is the code, hopefully someone can help by telling me what I should take out, that is generating the 404 error when I click anything on my homepage. which at least has now come out of the 500 error....

Code: Select all

###############################################################################
## The Master .htaccess
##
## Version 2.5 (proposed) - May 16th, 2011
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance.
###############################################################################

########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /
########## End - RewriteBase

########## Begin - No directory listings
## Note: +FollowSymlinks may cause problems and you might have to remove it
IndexIgnore *
Options +FollowSymLinks All -Indexes
########## End - No directory listings

########## Begin - File execution order, by Komra.de
DirectoryIndex index.php index.html
########## End - File execution order

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
# This line also disables Akeeba Remote Control 2.5 and earlier
SetEnvIf user-agent "Indy Library" stayout=1
# WARNING: Disabling wget will also block the most common method for
# running CRON jobs. Remove if you have issues with CRON jobs.
# SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
# AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources

########## Begin - Add optional bad user agent or IP blocking code
#
# If you need to block certain user agents or IP addresses and
# other signatures, place that code here. Ensure the rules use
# the correct RewriteRule syntax and the [F] flag.
#
########## End - Add optional bad user agent or IP blocking code

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## This code uses PCRE and works only with Apache 2.x.
## This code will NOT work with Apache 1.x servers.
RewriteCond %{QUERY_STRING} \b([* spam *]|blue\spill|[* spam *]|[* spam *]|ejaculation|[* spam *])\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|[* spam *]|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|[* spam *]|troyhamby)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|[* spam *]|vicodin|[* spam *]|ypxaieo)\b [NC]
## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteRule .* - [F]
## Note: The previous lines are a "compressed" version
## of the filters. You can add your own filters as:
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
## where "badword" is the word you want to exclude.
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

## Referrer filtering for common media files. Replace with your own domain name.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting the
## dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?criticalunity\.org [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(\.htaccess|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 3.1
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
## Allow Phil Taylor's Turbo Gears
## RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
## RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
## Allow Akeeba Kickstart
## RewriteRule ^kickstart\.php$ - [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^components/com_agora/img/members/ - [L]

# Add more rules for allowing full access (except PHP files) on more directories here

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^cache/ - [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^tmp/ - [L]

# Add more full access rules here

########## End - Advanced server protection rules exceptions ####

########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files

########## Begin - Redirect index.php to /
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^index\.php$ http%2://www.criticalunity.org/$1 [R=301,L]
## If the above line throws a 500 error, change [R=301,L] to [R,L]
########## End - Redirect index.php to /

########## Begin - Redirect non-www to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
########## End - Redirect non-www to www

########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
########## End - Redirect non-www to www

########## Begin - Custom internal rewrites
#
# If you need to internally rewrite some specific URL requests,
# place that code here. Ensure those internal rewrites use the
# correct RewriteRule syntax without domain name and with [L] flag.
#
########## End - Custom internal rewrites

########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for the site root, or for an extensionless URL,
# or the requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
<IfModule mod_expires.c>
	# Enable expiration control
	ExpiresActive On

	# Default expiration: 1 hour after request
	ExpiresDefault "now plus 1 hour"

	# Image files expiration: 1 month after request
	ExpiresByType image/bmp "now plus 1 month"
	ExpiresByType image/gif "now plus 1 month"
	ExpiresByType image/jpeg "now plus 1 month"
	ExpiresByType image/jp2 "now plus 1 month"
	ExpiresByType image/pipeg "now plus 1 month"
	ExpiresByType image/png "now plus 1 month"
	ExpiresByType image/svg+xml "now plus 1 month"
	ExpiresByType image/tiff "now plus 1 month"
	ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
	ExpiresByType image/x-icon "now plus 1 month"
	ExpiresByType image/ico "now plus 1 month"
	ExpiresByType image/icon "now plus 1 month"
	ExpiresByType text/ico "now plus 1 month"
	ExpiresByType application/ico "now plus 1 month"
	ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
	ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
	ExpiresByType application/smil "now plus 1 month"

	# Audio files expiration: 1 month after request
	ExpiresByType audio/basic "now plus 1 month"
	ExpiresByType audio/mid "now plus 1 month"
	ExpiresByType audio/midi "now plus 1 month"
	ExpiresByType audio/mpeg "now plus 1 month"
	ExpiresByType audio/x-aiff "now plus 1 month"
	ExpiresByType audio/x-mpegurl "now plus 1 month"
	ExpiresByType audio/x-pn-realaudio "now plus 1 month"
	ExpiresByType audio/x-wav "now plus 1 month"

	# Movie files expiration: 1 month after request
	ExpiresByType application/x-shockwave-flash "now plus 1 month"
	ExpiresByType x-world/x-vrml "now plus 1 month"
	ExpiresByType video/x-msvideo "now plus 1 month"
	ExpiresByType video/mpeg "now plus 1 month"
	ExpiresByType video/mp4 "now plus 1 month"
	ExpiresByType video/quicktime "now plus 1 month"
	ExpiresByType video/x-la-asf "now plus 1 month"
	ExpiresByType video/x-ms-asf "now plus 1 month"
</IfModule>
########## End - Optimal expiration time

[Timeisnow]

Re gitxxx, I installed admin tools today, so unless files can go back in time, it wasn't me that put it there. Thanks for trying to help tho.

[Timeisnow]

I think it could be this:

Code: Select all

RewriteCond %{HTTP_REFERER} !^https?://(www\.)?criticalunity\.org [NC]

- As I don't have https available on my site at the moment. .... If you're still getting 404s, you know it's something else... As the file originally explained, it's only by trial and error that one can finally get the site functional, and I'm doing that.... But I, and the rest of the world REALLY need people to help get this site back online! Thanks in advance to those who help.

PS: Since my main problem is the hack, could you edit this OP subject to be: "

Code: Select all

htaccess hacked - 404 with the new htaccess file on links

" ? Thanks.[/b]

[leolam]

Why don't you download the original package from Joomla, http://joomlacode.org/gf/download/frsre ... ackage.zip and upload the original htaccess to your site and than one by one add the rules, test and you will discover when it breaks.

We cannot say what rule is breaking it since it depends entirely on your server settings what rule is allowed. The only way to find out is by adding and testing and adding and testing etc

Leo

[leolam]

<?xml version="1.0" encoding="UTF-8"?>

etc, etc

regarding the title of this thread: This file is the default Joomla web.config.txt and nothing wrong with it. It provides in case of IIS instead of Apache (with htaccess) the rewrite rules

Leo

[Timeisnow]

in my search results....(try searching for something on my site, then copy the results and paste them somewhere....

Searching in firebug shows me this:

Code: Select all

  <dd class="result-category">
<span class="small"> (Economy) </span>
</dd>
<dd class="result-text">
...&nbsp;of thousands of children, according to a
<span class="highlight">new</span>
United Nations study. *** The report highlighted the prospect of an&nbsp;increase of between 200,000 and 400,000 in infant mortality and that child malnutrition,&nbsp;...
<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>
<style undefined="">
.dnn{position:absolute;top:-9999px}
</style>
<p class="dnn">
By fogm
<a title="Free Online Games" href="http://www.freeonlinegamesmonkey.com/">Online Games</a>
</p>
</dd>

How can I rectify this situation?? Thanks!

And in regards to that file, I don't need it, siteground uses apache and I'm using .htaccess.

[leolam]

I got script injected by an an out of date extension like JCE

This remark is just like much of your post 'suggestive' and without ground. JCE is NOT outdated and I have been the person who have been very intensively involved in the issues related to JCE. I actually posted an initial warning and after a careful consideration with other specialists and direct voice communication and interaction with Ryan Demmer of JCE I withdrew the post/warning since it was a false positive.(sort of)

Next why changing your initial posts and updating the so called htaccess (and changing subject lines of your posts? with extra 'additional' info?

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
AddHandler application/x-httpd-php53 .php .php5 .php4 .php3
## Mod_rewrite in use.

What are you trying to achieve here? Just curious and not offensive?

Leo

[leolam]

in my search results....

where do you find this 'code'

And in regards to that file, I don't need it, siteground uses apache and I'm using .htaccess.

part of default Joomla...will not be active if you use Apache as with Siteground. It is present though since we cater for multiple scenarios incl. IIS users

And for the rest YOU ARE HACKED so follow the steps outlined http://forum.joomla.org/viewtopic.php?f=621&t=582854

Leo

[leolam]

@ moderators,

I suggest to lock this thread. OP has now posted multiple issue in same post (some have been merged by mods) and this becomes unworkable

@ Timeisnow: I urge you to open for each issue you encounter a new thread and do not mixup the things and be so kind to react to advise from other users or help is useless?

Also you accuse extension developers (JCE in this case) of something and than quickly retract and edit your original remark. This is not done and completely out of order . You can see this from the "quote" I posted and if wanted the moderators can retrieve the original post so refrain from posting messages without any merit?

It is not getting pleasant this way for your for sure!

Leo

[Timeisnow]

Initial post was a natural human expression of wondering why on earth this file was there, I had not seen it before. I thought it was part of the hack. Sorry for causing you to be insulted, my fault for not making it clear, said 'outdated' , instead of NOT UP TO DATE WITH THE LATEST VERSION.

No need to lock the thread, I'll stick to the fact that there is a javascript being called up in my search results no matter what template I use, so yes, I have been hacked, that's clear. I notice that when a problem is not completely known, on MANY posts in this forum sometimes people have to post theories as to how the problem is being caused. Thank you for the link, I will check it out.

"and be so kind to react to advise from other users or help is useless?"

sorry for not replying instantly to your help, I have to check my email or reload this page to see if a reply has been made as I work things out. I am one man running the site, and no it's not pleasant having slight rudeness and misunderstandings thanks.

I'm already EXTREMELY stressed out that I don't get enough traffic as it is, and I DO NOT want Google blacklisting my site on top of it. Getting negativity from a super user on this forum because I merely repeated something I read on the original thread this thread was moved from, about how an editor that is not up to date could be causing the problem is what is out of order and not needed. Thanks for your help tho, and to mods, no need to lock the thread, as the issue is not resolved. Thanks again.

"@ Timeisnow: I urge you to open for each issue you encounter a new thread and do not mixup the things "

That's normally what I do. I do think anything I find that could be related to the hack should be placed in this post... what do you want me to do, create a new thread for every step along the way regarding this javascript hack? I Think that would be HIGHLY annoying for users.

With all due respect, I just got hacked, I don't need to get attacked on top of it.
"What are you trying to achieve here? Just curious and not offensive?"
A reception of understanding and respect, and to get my site working, since it was hacked. I think that's clear. If it's illegal to change subject lines, why have the option on the forum?

What causes unnecessary unpleasantness is when people judge and don't take just a little bit more time to try and understand.

As to where the code is found, that is clear as well. I said 'In my search results' : http://www.criticalunity.org/search.htm ... phrase=all - select some text from the results and paste it somewhere.... You'll see 'By Fogm Online Games" - Which was NOT added my me.

Picture 13.png

Thanks for helping, would be great to be able to trace where this code is coming from. By the way, I LOVE JCE! Thanks also for helping to develop it.

PS: could the mods edit the original title to

Website hacked, JavaScript code appearing in search results

please, cause it's clear that file has nothing to do with the hack now.

[mandville]

Observations so far.

[*]freeonline games redirect
http://forum.joomla.org/viewtopic.php?t=694212
website design company, Autson (aka many other names)
https://www.google.co.uk/search?q=<p+class%3D"dnn">
https://plus.google.com/u/0/10098054305 ... fNw6UzvFUv
http://extensions.joomla.org/extensions ... show/18640

[*]your template is available from http://www.joomla24.com/ search forum for warnings on the template distro site.

[*]Suggested Master htaccess file
This can be discussed in this forum topic http://forum.joomla.org/viewtopic.php?f=432&t=549841
Warning: note the hashed areas. Incorrect settings on some servers may cause 500 page errors


Changing subject texts. i couldn't find previous topics where this happened - might have missed a few. It does not follow the procedures of these forums to change subject texts. It may and as shown, has confused people responding to posts. its a forum thing.

[*]Your now have mixed into one "security" topic,
+alleged lack of Security of remository, alleged lack of security of JCE, +administration topic of the suggested master HTA.

[*]Items missing from you multiple faced posts.
FPA for your site, can be set to hide senstive info .
Reason behind the insertion of "AddHandler application/x-httpd-php53 .php .php5 .php4 .php3" which no hack i have encountered will add.

The topic re be retitled as per request to attempt to clarify issues.

[Timeisnow]

Thanks Mandville! The template that was up was just installed to see if it was a bug withing the previous template, "the world news 2". I'm reading the links you posted, and the list of things to do when hacked, but if it's just an extension doing this, then it will be A LOT easier to isolate it, and either replace or remove it.
I noticed that after deleting the cache I see : _system 389.12 and com_plugins being left there, could this have anything to do with the hack, if it is indeed a hack, and not some extension generating the code in the search results? I've put t he site back online so people can see the code being generating for themselves.

Here are the results of the forum post assistant:

Website hacked - search results include \'By fogm free online games\'

[19-Aug-2012 11:04:26] PHP Fatal error: Call to undefined method JDocumentRaw::addCustomTag() in /home/MY_USERNAME/public_html/components/com_hwdvideoshare/hwdvideoshare.html.php on line 768

Joomla! Instance :: Joomla! 2.5.6-Stable (Ember) 19-June-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: MY_USERNAME (uid: 32326/gid: 32328) | Group: MY_USERNAME (gid: 32328) | Valid For: 2.5 and above
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 2 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.59-sg2 | Technology: i686 | Web Server: Apache/1.3.42 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5 | Encoding: gzip, deflate | Doc Root: /home/MY_USERNAME/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6133 | Log Errors To: php_errorlog | Last Known Error: 19th August 2012 11:04:26. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 24M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 45 | Memory Limit: 96M

MySQL Configuration :: Version: 5.5.24-55-log (Client:5.0.67) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 136.00 MiB | #of _FPA_TABLE: 538

PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | ncurses () | pcntl () | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | posix () | pspell () | readline () | Reflection (0.1) | imap () | shmop () | mysqli (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi () | bz2_filter (0.1) | http (1.6.5) | mailparse (2.1.5) | memcache (2.2.5) | sdo (1.2.4) | stats (1.1) | xattr (1.1.0) | SourceGuardian (8.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None chat/bot/programe/aiml/ (777) | chat/images/cust_img/ (777) | chat/uploaddir/ (777) | images/fbfiles/ (777) | images/fbfiles/avatars/ (777) | images/fbfiles/avatars/gallery/ (777) | images/fbfiles/category_images/ (777) | images/fbfiles/files/ (777) | images/fbfiles/images/ (777) |

Components :: SITE :: WF_CONTEXTMENU_TITLE (2.1.3) | WF_PREVIEW_TITLE (2.1.3) | WF_DIRECTIONALITY_TITLE (2.1.3) | WF_TEXTCASE_TITLE (2.1.3) | WF_ARTICLE_TITLE (2.1.3) | WF_INLINEPOPUPS_TITLE (2.1.3) | WF_BROWSER_TITLE (2.1.3) | WF_LAYER_TITLE (2.1.3) | WF_AUTOSAVE_TITLE (2.1.3) | WF_VISUALCHARS_TITLE (2.1.3) | WF_FULLSCREEN_TITLE (2.1.3) | WF_VISUALBLOCKS_TITLE (2.1.3) | WF_PRINT_TITLE (2.1.3) | WF_XHTMLXTRAS_TITLE (2.1.3) | WF_MEDIA_TITLE (2.1.3) | WF_LINK_TITLE (2.1.3) | WF_STYLE_TITLE (2.1.3) | WF_TABLE_TITLE (2.1.3) | WF_PASTE_TITLE (2.1.3) | WF_SPELLCHECKER_TITLE (2.1.3) | WF_SEARCHREPLACE_TITLE (2.1.3) | WF_IMGMANAGER_TITLE (2.1.3) | WF_CLEANUP_TITLE (2.1.3) | WF_NONBREAKING_TITLE (2.1.3) | WF_SOURCE_TITLE (2.1.3) | WF_ANCHOR_TITLE (2.1.3) | WF_FILESYSTEM_JOOMLA_TITLE (2.1.3) | WF_LINKS_JOOMLALINKS_TITLE (2.1.3) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.1.3) | WF_AGGREGATOR_[youtube]_TITLE (2.1.3) | WF_AGGREGATOR_VIMEO_TITLE (2.1.3) | WF_POPUPS_JCEMEDIABOX_TITLE (2.1.3) | WF_POPUPS_WINDOW_TITLE (2.1.3) | Kunena Forum - English (1.7.2) | Bubble (2.6.1) | Bubble (2.6.0) | Blackout (2.6.1) | Blackout (2.6.0) | Default (2.6.1) | Blueface (2.6.0) | gk_style (2.6) | Blueface (2.6.1) | com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_newsfeeds (2.5.0) | com_menus (2.5.0) | com_login (2.5.0) | com_users (2.5.0) | com_installer (2.5.0) | com_cache (2.5.0) | Ninja RSS Syndicator (2.0) | com_cpanel (2.5.0) | com_redirect (2.5.0) | com_languages (2.5.0) | com_templates (2.5.0) | Udja Comments (1.0.1) | JCE (2.0.21) | Unknown (-) | com_admin (2.5.0) | hwdVideoShare ([ Nightly Bui) | com_plugins (2.5.0) | EasyDiscuss (2.0.3945) | com_messages (2.5.0) | com_checkin (2.5.0) | Admintools (2.3.1) | Kunena Forum - English (1.7.2) | com_kunena (1.7.2) | plg_system_kunena (-) | plg_system_kunena (-) | Kunena language pack (@kunenaversio) | System - Kunena (1.7.2) | plg_system_kunena (1.7.2) | com_categories (2.5.0) | com_joomlaupdate (2.5.0) | Qlue 404 (2.5.0) | com_content (2.5.0) | JomSocial (2.6.1) | com_banners (2.5.0) | com_modules (2.5.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Module (3.7.0) | AcyMailing Tag : CB User infor (3.7.0) | AcyMailing : (auto)Subscribe d (3.7.0) | AcyMailing Tag : Manage the Su (3.7.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Template Class Repl (3.7.0) | AcyMailing Tag : Joomla User I (3.7.0) | AcyMailing Tag : Date / Time (3.7.0) | AcyMailing : share on social n (1.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : Subscriber in (3.7.0) | AcyMailing (3.8.0) | com_xmap (2.2.1) | com_media (2.5.0) | Remository (3.54.04J) | com_finder (2.5.0) | JXTC (1.0.1) | com_weblinks (2.5.0) | JFBConnect (4.1.2) | SCLogin (1.0.2) | Content - JFBCContent (4.1.2) | Authentication - JFBConnect Fa (4.1.2) | User - JFBConnect Facebook (4.1.2) | System - JFBCSystem (4.1.2) | com_config (2.5.0) | com_search (2.5.0) |

Modules :: SITE :: Videos (2.1.1 Build 2) | JFBCComments (4.1.2) | JomSocial Statistics (2.6.0) | GTranslate (1.6.x.32) | Activity Stream (2.6.0) | Video Comments (2.6.0) | mod_wrapper (2.5.0) | mod_feed (2.5.0) | Latest Members (2.6.0) | Top Members (2.6.0) | AcyMailing Module (3.7.0) | mod_whosonline (2.5.0) | Latest Discussion (2.6.0) | JFBCSend (4.1.2) | Jomsocial Notification (2.6.0) | SP Tab (1.7.0) | Flexi Custom Code (1.2.1) | mod_related_items (2.5.0) | mod_articles_category (2.5.0) | mod_gk_register (GK4 1.0) | JomSocial Connect (2.6.0) | mod_finder (2.5.0) | mod_languages (2.5.0) | mod_random_image (2.5.0) | JFBCRecommendations (4.1.2) | AiDaNews 2 (2.1.0) | mod_search (2.5.0) | Photo Comments (2.6.0) | mod_articles_categories (2.5.0) | mod_footer (2.5.0) | Horizon Slim (0.2.6_RC3) | Dating Search (2.6.0) | Hello Me (2.6.0) | JFBCFan (4.1.2) | mod_articles_latest (2.5.0) | mod_custom (2.5.0) | mod_breadcrumbs (2.5.0) | [spam] (4.1.2) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | JFBCSubscribe (4.1.2) | mod_users_latest (2.5.0) | JFBCFriends (4.1.2) | Online Users (2.6.0) | mod_banners (2.5.0) | mod_login (2.5.0) | mod_stats (2.5.0) | JFBCLike (4.1.2) | mod_articles_archive (2.5.0) | mod_fj_related_plus (1.03) | mod_menu (2.5.0) | mod_syndicate (2.5.0) | JFBCRequest (4.1.2) | Photos ([ Kronig ]) | Tabs & Sliders (by JoomlaW (2.0) | mod_weblinks (2.5.0) | SCLogin (1.0.2) | Udja Comments (1.0) |
Modules :: ADMIN :: mod_multilangstatus (2.5.0) | mod_feed (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_quickicon (2.5.0) | mod_custom (2.5.0) | Admin Tools Joomla! Upgrade No (2.3.1) | mod_version (2.5.0) | mod_status (2.5.0) | mod_login (2.5.0) | mod_logged (2.5.0) | mod_submenu (2.5.0) | mod_menu (2.5.0) | mod_latest (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: Flow Player ([ Nightly Bui) | JW FLV (Version 5) Player ([ Nightly Bui) | JW FLV (Version 4) Player ([ Nightly Bui) | MyBlog (2.6.0) | Walls (2.6.1) | Unknown (-) | My Google Ads (2.6.0) | Unknown (-) | My twitter updates (2.6.0) | My Latest Videos (2.6.0) | Unknown (-) | Invite (2.6.0) | JFBConnect - FB Wall Integrati (4.1.0) | Unknown (-) | My Tagged Videos (2.6.0) | Friend's Location (2.6.0) | My Articles (2.6.0) | Wordfilter (2.6.0) | Input Processor (2.6.0) | My kunena updates (2.6.0) | Latest Photos (2.6.0) | Unknown (-) | Feeds (2.6.0) | Log (2.6.0) | Events (2.6.0) | Unknown (-) | Events (2.6.0) | MyBlog Toolbar (2.6.0) | My Contacts (2.6.0) | Unknown (-) | User - Jomsocial User (2.6.1) | User - JFBConnect Facebook (4.1.2) | User - EasyDiscuss Users (1.1.1) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_captcha_recaptcha (2.5.0) | English Language ([ Nightly Bui) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.0) | Xmap - SobiPro Plugin (2.0.1) | Xmap - Kunena Plugin (2.0.2) | Xmap - Content Plugin (2.0.3) | Xmap - WebLinks Plugin (2.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | AcyMailing Tag : Joomla User I (3.7.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Tag : Date / Time (3.7.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Manage the Su (3.7.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Template Class Repl (3.7.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : Subscriber in (3.7.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : CB User infor (3.7.0) | AcyMailing Tag : content inser (3.7.0) | plg_editors_tinymce (3.5.2) | Editor - JoomlaCK (5.0 Stable) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | JTreeLink (1.0) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | System - JCK Typography (3.4. | plg_editors_codemirror (1.0) | Editor - JCE (2.0.21) | JFBConnect - Profiles - Kunena (4.1.1) | plg_content_geshi (2.5.0) | plg_content_pagenavigation (2.5.0) | Tabs & Sliders [for articl (2.6) | plg_content_multiads (2.4) | plg_content_loadmodule (2.5.0) | plg_content_emailcloak (2.5.0) | Content - Udja Comments (1.0) | AllVideos (by JoomlaWorks) (4.4) | Content - JFBCContent (4.1.2) | JoomlaXTC Xtream Video Player (1.1.2) | plg_content_finder (2.5.0) | plg_content_vote (2.5.0) | plg_content_joomla (2.5.0) | plg_content_pagebreak (2.5.0) | Content - KeyWord Link (1.7) | Authentication - Facebook (GK4 1.2) | plg_authentication_gmail (2.5.0) | Authentication - JFBConnect Fa (4.1.2) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_content (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_image (2.5.0) | Button - GK Typography (1.0.2) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Editor Button - My Photos (2.6.0) | Azrul System Mambot For Joomla (2.6.1) | plg_system_highlight (2.5.0) | plg_system_debug (2.5.0) | plg_system_logout (2.5.0) | GK Cache (1.0) | Qlue 404 (2.5.0) | System - SEOSimple (2.1) | System - Jomsocial Facebook Co (2.6.1) | jomsocialredirect (2.6.0) | plg_system_cache (2.5.0) | Security - jHackGuard (1.3.4) | plg_system_languagefilter (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_gavickExtCache (1.0) | GK Open Graph Article Paramete (1.0) | System - Admin Tools (2.3.1) | GK Menu Extended Parameters (1.0) | plg_system_p3p (2.5.0) | System - JCK Typography (3.4. | plg_system_redirect (2.5.0) | plg_system_kunena (1.7.2) | Jomsocial Update (2.6.1) | System - Zend Lib (1.11.4) | plg_system_log (2.5.0) | System - Seobooster (1.6) | AcyMailing : (auto)Subscribe d (3.7.0) | GK AJAX Search (1.0) | plg_system_remember (2.5.0) | System - JFBCSystem (4.1.2) | plg_system_sef (2.5.0) | plg_extension_joomla (2.5.0) | [youtube] ([ Nightly Bui) | Google ([ Nightly Bui) | Remote Video ([ Nightly Bui) |

Templates :: SITE :: rt_afterburner_j15 (1.5.0) | rt_maelstrom (1.6.5) | JA_Purity (1.2.0) | Political (3.4.1) | it_community (1.7.0) | siteground-j15-19 (1.0.0) | beez_20 (2.5.0) | siteground-j15-28 (1.0.0) | rt_voxel (1.0) | siteground-j15-171 (1.0.0) | rt_terrantribune_dark_j15 (1.5.2) | mobile_iphone (1.0.1) | siteground-j15-1 (1.0.0) | gk_twn2 (2. | siteground-j15-14 (1.0.0) | Transparent_Bliss_1.5 (1.0.1) | siteground-j15-133 (1.0.0) | JA_Teline_IV (2.5.0) | mobile_smartphone (1.0.1) | siteground-j15-167 (1.0.0) | siteground-j15-23 (1.0.0) | gk_music_free (3.4) | beez5 (2.5.0) | mobile_wap (1.0.1) | siteground-j15-112 (1.0.0) | yoo_planet (5.5. | siteground-j15-150 (1.0.0) | atomic (2.5.0) | rhuk_milkyway (1.0.2) | mobile_imode (1.0.1) | JA_Cloris (2.5.0) | siteground-j15-22 (1.0.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

[Timeisnow]

The backlinks link you posted was about extensions that do this. In my case, it's coming up in my search results, and I can't seem to find out where this original code is coming from.... I'm not a coding expert however... I challenge those who think they are to help rectify this before Google notices this.... THANKS!

[mandville]

Elevated Permissions (First 10) :: None chat/bot/programe/aiml/ (777) | chat/images/cust_img/ (777) | chat/uploaddir/ (777) | images/fbfiles/ (777) | images/fbfiles/avatars/ (777) | images/fbfiles/avatars/gallery/ (777) | images/fbfiles/category_images/ (777) | images/fbfiles/files/ (777) | images/fbfiles/images/ (777) |

that is plain suicidal in nearly every site.
if you can, run admintools to reset all your file permissions to something sensible,
acymailing out of date.. etc etc

[PhilD]

Elevated Permissions (First 10) :: None chat/bot/programe/aiml/ (777) | chat/images/cust_img/ (777) | chat/uploaddir/ (777) | images/fbfiles/ (777) | images/fbfiles/avatars/ (777) | images/fbfiles/avatars/gallery/ (777) | images/fbfiles/category_images/ (777) | images/fbfiles/files/ (777) | images/fbfiles/images/ (777) |

It is very likely tht your site has been hacked. Permissions such as displayed will enable a site be be hacked in just a few minutes.

follow below.

Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla.

[Timeisnow]

Okay thanks, I noticed that just now as well. I don't need the old flashchat, will install something integrated with jomsocial in the future, but those other permissions will be changed now.... The weird backlink in my search results will still be there, but it's better to make it all as secure as possible, while I go and get something to eat finally.

[Timeisnow]

I added this to the admin tools script blocker, but I still need to delete whatever is generating it in the first place for obvious reasons including parsing time..

UPDATE: I had started working with someone who wanted to help me get more traffic, he was all happy, saying he installed ACYMailing pro... When he finally admitted he didn't pay for it, I asked where he got it from....He said some site on the net, don't worry, it's cool.... NO IT'S NOT cool.... Immediately I investigated and found out within the module itself, there was a backlink to something different, and something about alla... IMMEDIATELY it was removed and replaced with the free version. Could it be that it left over some other malicious code somewhere, if so, can someone more clever with tracing code through firebug than I currently am locate this little demon(s)??

Code: Select all

<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>

As for the permissions, I'm confused because fetch my FTP app is showing it to be 755 , as

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

says.... I'll check with the file manager in Cpanel as well.

Gotta get something to eat now, back in an hour or 2. THANKS SO MUCH TO THOSE THAT ARE HELPING!

[Timeisnow]

Adding the script code to the javascript code blocker didn't help anyways, the hidden link is still there Back in a bit.

[Timeisnow]

Anyone know of a free antivirus for Mac and or Joomla to scan? Everything I've searched for so far costs... Never mind, I found one.

[Timeisnow]

Apparently according to firebug the code is inherited by the CSS of whatever template is currently active...

[leolam]

The first javascript you posted

<script language="JavaScript">
function dnnViewState() etc

comes most likely from a "Share This" module. It utilizes that script.

You have also this script in your template

Code: Select all

</script><p class="dnn">By fogm <a href="http://www.freeonlinegamesmonkey.com/" title="Free Online Games">Online Games</a></p></div>

. Download your site and scan for this code. It will be though most likely initiated somewhere deeply hidden in some file on your site or even on your server

Therefor you really need to follow up what PhilD stated. You have little other choice

Leo

[Timeisnow]

Okay thanks leolam, that's what I thought I had to do... No matter what template I use, even bees, it shows up.... I don't have a share this module but I assume JFBConnect utilizes a similar architecture of code... What's peculiar is that the online games garbage shows up after EVERY link in the search results, right after each one. Try it.

Rant: My host said I'd have to pay to have it fixed by them.... They can't just do a simple search and replace can they, not even for a humanitarian website...Would take minutes, they don't need my 200$ or whatever ridiculous amount he quoted... Money rules all

[Timeisnow]

I would think that there MUST be some way to detect which malicious file is generating this, not site-wide, but only in my search results... It's well weird!

[leolam]

It is not only in your search results. It shows on your index.php

Good luck...it S***s bigtime for sure but you have little choice. Do not forfeit any step please?

"happy and secure landing"

Leo

[Timeisnow]

OMG.... I wish I could swear on here..... Holy Excrement!!!!.... Good god, I counted 3 instances so far, really freaked out... I noticed the bugger likes being after existing javascript like the google ads and the revolver maps..... interesting.... Proceeding with massive cleaning.

[leolam]

"shows on your index.php" means that it is loaded on each page

Cheers
Leo

[Timeisnow]

Yup.... After the google ads, donate button and revolver maps, all other JavaScript codes.... Running to the library now cause of local bandwidth limitations, wish me luck. Being a coder, isn't there ANY way to find out where this is coming from? I looked at the raw index file on my server and it's not in there.