Joomla .htaccess hacked to xxx.ru

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Joomla .htaccess hacked to xxx.ru

Post by shaunoff » Fri Mar 23, 2012 9:56 am

Hi guys,

This is a follow on from a previous thread as I have the same problem that has happened at exactly the same time.
Problem Description :: Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:Joomla htaccess hacked
Actions Taken To Resolve by Forum Post Assistant (v1.2.0) 23rd March 2012 wrote:nothing as yet
Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: domain3802411 (uid: 554741/gid: 500) | Group: vweb (gid: 500) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.1.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/fhlinux203/u/ --protected--/user/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.6 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 20M

MySQL Configuration :: Version: 5.0.95-log (Client:5.0.95) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 69.35 MiB | #of _FPA_TABLE: 1439
Detailed Environment :: wrote:PHP Extensions :: libxml () | xml () | wddx () | tokenizer (0.1) | sysvshm () | sysvsem () | sysvmsg () | session () | pcre () | SimpleXML (0.1) | sockets () | SPL (0.2) | shmop () | standard (5.2.6) | Reflection (0.1) | pspell () | posix () | pcntl () | mime_magic (0.1) | json (1.2.1) | iconv () | hash (1.0) | gmp () | gettext () | ftp () | filter (0.11.0) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $) | date (5.2.6) | curl () | ctype () | calendar () | bz2 () | zlib (1.1) | openssl () | cgi-fcgi () | bcmath () | dba () | dom (20031129) | gd () | imap () | ldap () | mbstring () | mysql (1.0) | mysqli (0.1) | ncurses () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | snmp () | soap () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (707) | components/ (707) | modules/ (707) | plugins/ (707) | language/ (707) | templates/ (707) | cache/ (707) | logs/ (707) | tmp/ (707) | administrator/components/ (707) | administrator/modules/ (707) | administrator/language/ (707) | administrator/templates/ (707) |
Templates Discovered :: wrote:Templates :: SITE :: beez (1.0.0) | yoo_shelf (1.0.2) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | yoo_nano (1.0.6) |
Templates :: ADMIN :: Khepri (1.0) |
Last edited by mandville on Sun Apr 01, 2012 4:34 pm, edited 2 times in total.
Reason: hidden url - retitled

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 9:59 am

is there a security issue with posting the above info??? The last thing I want is my site being further compromised...

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14802
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 23, 2012 10:16 am

i have edited the site name out..
joomla out of date,
707 permissions is bad. looking at it, Owner: domain3802411 (uid: 554741/gid: 500) is wrong.
run through the rest of the checklist 7 as suggested previous
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 10:47 am

I have been working on this problem for 10 hours affecting 15 of my joomla sites, am finding the culprit htaccess in my html only sites as well.

Having difficulty placing the copied post assistant file in the correct place.

Torgock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 12:14 pm

Who is your hosting provider?

I'm having same issue, my hosting provider is Godaddy.

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 12:16 pm

That says to me that its a host or program issue but i have contacted my host who say delete everything and install a previous backup.

I dont actually have one... because Im with a poor hosting company (streamline) and whenever I have tried in the past the server times out. I eventually after months of trying gave up. I did try akeeba but I was never able to upload and install a file via kickstart so eventually gave up.

Basically I'm screwed. I am in my first year of trading. I need the website to survive. I cant afford to spend all of my time rebuilding my website from scratch, there obviously isnt a solution to this problem... I'm screwed.

I have followed the instructions as best I can.. I just dont know how to find the cron job. But there is a .htaccess file outside of my htdocs...

Thanks hacker... you achieved what you intended, in most likelihood putting a new start up in an economy thats struggling out of business. congratulations.

Torgock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 12:31 pm

Sorry to hear that shaunoff - having a backup of site content an database is the most important thing ever. Most hosting providers can restore your web server back to a previous date, you should ask them if this option is available. I know Godaddy can do this for $150.

If you want a quick fix which only stops the website redirect, it may give you a little breathing room.

Restore or create a brand new .htaccess in every site root directory and set the file permission to 400 or 000. This will stop the .htaccess from being re-written. The problem will still persist an you'll need to get on top of that, but at least your sites wont be pointing to a virus landing page.

Please advise if this helped as I can not do myself because my hosting provider is analyzing the problem and said to leave everything as is.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14802
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 23, 2012 12:37 pm

i would say regarding the htaccess file is to copy the htaccess.txt into the contents (overwritting) the dodgy one and then set at 444. setting to 000 on most servers will not do anything as its not readable by anyone including the server.

on the basis that the sql db is rarely altered, follow checklist 7 safe route to recovery.

reading suggestion for those hosts who dont run suphp etc.
http://community.joomla.org/blogs/leade ... oomla.html
http://community.joomla.org/blogs/leade ... en-up.html
http://community.joomla.org/blogs/leade ... -time.html
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Torgock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 12:50 pm

000 returns a 403 Forbidden for me, which is better than having a live website shooting viruses to visitors. but if 444 works go with that, you should be able to run the site live without the redirect.

johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 12:59 pm

I am currently going through my sites, replacing files and changing to 444. They are working. Through the night the new files appeared in about 50-60 minutes, will soon see if this prevents the files from reappearing.

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 1:14 pm

thanks but I have just made the whole thing worse.

I upgraded to the latest version by using admin tools. I have then proceeded to copy the files across again just to be sure as per the instruction. I have deleted the .htaccess and tried to upload a new one but i think it gets re-written before I get chance to change the permissions. I have now broken the website whilst trying to upload the file files, I can see from cyberduck that the permissions of files are changing to 644 as they are uploading and when I try to access the website it appears that google in now aware that there is a problem and wont allow access to the site by displaying the malware landing page.

summary:
cant access the site
site is broken anyway
keep seeing upload failed
i have changed all my passwords with no change
deleted loads of files
followed the list of things to do as best I can
lost all the work that I have put in

... gutted!

Torgock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 2:52 pm

shaunoff, call your hosting provider... surely they offer hosting server restore.

You could also try downloading each site onto your local machine an running it through a local environment like xampp.

Ensure the infected .htaccess is no longer on the site.

Download the latest stable build of Joomla, pull your ethernet cable so you are no longer connected to the internet. Install joomla manually over the top of your existing joomla version (I'd suggest against using admin tools to update this).

Do this for each one of your sites. Before you upload each site one by one, you will need to clear everything off you current webserver.

You should only do this if you know what your doing, otherwise you could lose everything.

From my research nothing has been altered in the database, but I could be wrong.

johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 3:38 pm

I agree the database does not seem to be affected. I have a post up with the same bug.

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 4:05 pm

Ive tried that but the permissions off the new .htaccess file but it always rests to 0644 every time using fireftp and filezilla.

am I doing something wrong?

I have contacted host... but awaiting their response regarding a host reset

I am now trying to download the website so that I can delete it all, do a fresh install, reconnect to the database (reset the password as well) and then hopefully upload images etc in hope that it sorts the problem.

johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 4:11 pm

On Filezilla are you checking the boxes or entering the numbers in the permissions field? I was playing with it, and checking the box reverted back but entering the numeric value sticks.

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 4:14 pm

johnb18919 wrote:On Filezilla are you checking the boxes or entering the numbers in the permissions field? I was playing with it, and checking the box reverted back but entering the numeric value sticks.
trying both methods

oscarguzval
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Wed Mar 17, 2010 10:15 pm

Re: Joomla .htaccess hacked

Post by oscarguzval » Fri Mar 23, 2012 4:17 pm

I have the same problem. My .htaccess are all y 0644. I see many .htaccess in several folders. What do you thing about download my site, open it locally, run a search and remove all the .htaccess inside and then re-upload again? If it reappers, what could generate these files? Thanks for your advice. By the way, I found too jos_core.php y the temp folder... should I delete it?

johnb18919
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 4:25 pm

oscar I do not believe finding the htaccess files is our hurdle, the issue is in finding the script that is writing them. The scary part for me is I am on a shared hosting platform and it may be possible the script is not in one of my folders. ???

oscarguzval
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Wed Mar 17, 2010 10:15 pm

Re: Joomla .htaccess hacked

Post by oscarguzval » Fri Mar 23, 2012 4:32 pm

I'm in a shared hosting platform too. I'm downloading a last week backup to compare... I found the malicious .htaccess in my root!!! So, maybe you're right... Any other clue?

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 5:13 pm

Still not sorted but look at this as a response from my host:

Thank you for your query

We're afraid we do not secure back up. This has been highlighted on the Terms and Conditions. Please see the draft below:

16.1 Streamline.Net does not back up Your data and/or website and whilst every attempt would be made in the unlikely event of any corruption or hardware failure, Streamline.Net cannot guarantee to be able to replace lost data. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all Service interruptions caused by Streamline.Net and its employees.

I need to change hosts as soon as this issue is sorted and I'm back in business...

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14802
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 23, 2012 5:41 pm

shaunoff i did say
copy the htaccess.txt into the contents (overwritting) the dodgy one and then set at 444.
Torgock
You could also try downloading each site onto your local machine an running it through a local environment like xampp.
will take a long time and could infect your machine
Install joomla manually over the top of your existing joomla version (I'd suggest against using admin tools to update this).
is this on your local or remote?
the issue with that is by doing that you also copy any dodgy files that could be reinfecting the sites

note before doing this that cpanel will automatically create a blank htaccess file in the root of the publuc_html/docs older that you need to copy the htaccess.txt content into

i will repeat the relevant section from http://docs.joomla.org/Security_Checklist_7

A Safe route for disaster relief

[*]save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
[*] wipe the entire folder where Joomla! is installed
[*] upload a new clean full package latest version of joomla 1.5.x or Joomla .5.x (minus the install folder) (you can do this by uploading then extracting the zip file and then deleting the installation folder
[*] reupload your configuration file & images.
[*] reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

sbrad
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Mar 23, 2012 4:55 pm

.htaccess Redirect Hack

Post by sbrad » Fri Mar 23, 2012 9:15 pm

Has anyone found out how this is happening yet? I restored my site with a week-old Akeeba backup after deleting everything but I'm afraid it's going to happen again if I don't figure out how they got in.

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22233
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands
Contact:

Re: .htaccess Redirect Hack

Post by pe7er » Fri Mar 23, 2012 10:23 pm

Welcome to Joomla forum!

I'd recommend contacting your hosting company.
They might be able to help you with finding the cause (e.g. some other account at the same shared hosting server).

Furthermore, there are some excellent security checklist available that you should read and check with your server / Joomla settings:
http://docs.joomla.org/Category:Security_Checklist
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37286
Joined: Sat Apr 05, 2008 9:58 pm

Re: .htaccess Redirect Hack

Post by Webdongle » Fri Mar 23, 2012 10:39 pm

There is a lot of that one going around. Most likely a sever hack https://www.google.co.uk/search?num=100 ... 9l0.frgbld.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 11:38 pm

copy the htaccess.txt into the contents (overwritting) the dodgy one and then set at 444.
I would if I could but as mentioned... it defaults back to 644 immediately i.e. it will not change to 444.

As for finding the problem. I deleted the entire joomla site leaving only directories like images and a couple of other directories that were not joomla related. Well, after uploading the entire stable version of joomla and without even setting up the configuration file... the website still redirected to the virus.

So the script MUST be outside of the joomla files.

I am now deleting everything from the server and I will then upload a brand new joomla stable install and see if that makes any difference.

if this doesn't work then I am essentially starting from scratch and still not making any difference...

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 11:43 pm

right... I have deleted everything off the server!!!! yet it still diverts to the virus...

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla SEF URLs hacked

Post by shaunoff » Sat Mar 24, 2012 12:05 am

the issue runs much much deeper. I have deleted everything... absolutely everything from the server. Changed all passwords and the domain still redirects.

now lets face it... theres just no way of getting around this infection by changing a htaccess file. There must be a secret, hidden script that the ftp programmes dont pick up.

It also shows that its probably not even a joomla issue considering that I havent even got joomla installed on the server anymore.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37286
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Sat Mar 24, 2012 12:36 am

@shaunoff

Have you looked in your Host's CP to see if anyone has set a redirect in there ?

Have you checked your PC for malware ? If yes how many programs have you checked it with ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Sat Mar 24, 2012 11:38 am

Hi, I have checked my laptops for malware with a couple of programs but... if that was the issue then it wouldnt affect my mac, my windows laptop, my iphone, my ipad and my mates nokia.

I have looked at the host control panel and it doesnt even offer a forwarding facility... I have asked them to look into it.

my host does have a built in ftp which also confirms deletion of everything:

Directories: 3
Files: 0 / 0 B
Symlinks: 0
Unrecognized FTP output: 0

shaunoff
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked to xxx.ru

Post by shaunoff » Sat Mar 24, 2012 1:09 pm

my mistake... the ISP has cached the old page which is why it redirects.

I have just tried it from a different city location and there is nothing there and no redirect to the virus.

which makes me wonder if I had potentially solved the problem sooner. I cant work on the site from my office or from home though... how useless is that!!!
Last edited by mandville on Thu Aug 30, 2012 3:58 am, edited 1 time in total.
Reason: Merged with main topic


Locked

Return to “Security in Joomla! 1.5”