Joomla .htaccess hacked to xxx.ru

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Joomla .htaccess hacked to xxx.ru

Post by shaunoff » Fri Mar 23, 2012 9:56 am

Hi guys,

This is a follow on from a previous thread as I have the same problem that has happened at exactly the same time.
Problem Description :: Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:
Joomla htaccess hacked

Actions Taken To Resolve by Forum Post Assistant (v1.2.0) 23rd March 2012 wrote:
nothing as yet

Forum Post Assistant (v1.2.0) : 23rd March 2012 wrote:

Basic Environment ::
Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: domain3802411 (uid: 554741/gid: 500) | Group: vweb (gid: 500) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.1.1.el5PAE | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/fhlinux203/u/ --protected--/user/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.6 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 20M

MySQL Configuration :: Version: 5.0.95-log (Client:5.0.95) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 69.35 MiB | #of _FPA_TABLE: 1439

Detailed Environment ::
PHP Extensions :: libxml () | xml () | wddx () | tokenizer (0.1) | sysvshm () | sysvsem () | sysvmsg () | session () | pcre () | SimpleXML (0.1) | sockets () | SPL (0.2) | shmop () | standard (5.2.6) | Reflection (0.1) | pspell () | posix () | pcntl () | mime_magic (0.1) | json (1.2.1) | iconv () | hash (1.0) | gmp () | gettext () | ftp () | filter (0.11.0) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $) | date (5.2.6) | curl () | ctype () | calendar () | bz2 () | zlib (1.1) | openssl () | cgi-fcgi () | bcmath () | dba () | dom (20031129) | gd () | imap () | ldap () | mbstring () | mysql (1.0) | mysqli (0.1) | ncurses () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | snmp () | soap () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: zip | mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe

Folder Permissions ::
Core Folders :: images/ (707) | components/ (707) | modules/ (707) | plugins/ (707) | language/ (707) | templates/ (707) | cache/ (707) | logs/ (707) | tmp/ (707) | administrator/components/ (707) | administrator/modules/ (707) | administrator/language/ (707) | administrator/templates/ (707) |

Templates Discovered ::
Templates :: SITE :: beez (1.0.0) | yoo_shelf (1.0.2) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | yoo_nano (1.0.6) |
Templates :: ADMIN :: Khepri (1.0) |
Last edited by mandville on Sun Apr 01, 2012 4:34 pm, edited 2 times in total.
Reason: hidden url - retitled

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 9:59 am

is there a security issue with posting the above info??? The last thing I want is my site being further compromised...

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 23, 2012 10:16 am

i have edited the site name out..
joomla out of date,
707 permissions is bad. looking at it, Owner: domain3802411 (uid: 554741/gid: 500) is wrong.
run through the rest of the checklist 7 as suggested previously
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

johnb18919
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 10:47 am

I have been working on this problem for 10 hours affecting 15 of my joomla sites, am finding the culprit htaccess in my html only sites as well.

Having difficulty placing the copied post assistant file in the correct place.

Torgock
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 12:14 pm

Who is your hosting provider?

I'm having same issue, my hosting provider is Godaddy.

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 12:16 pm

That says to me that it's a host or program issue but i have contacted my host who say delete everything and install a previous backup.

I don't actually have one... because I'm with a poor hosting company (streamline) and whenever I have tried in the past the server times out. I eventually after months of trying gave up. I did try akeeba but I was never able to upload and install a file via kickstart so eventually gave up.

Basically I'm screwed. I am in my first year of trading. I need the website to survive. I can't afford to spend all of my time rebuilding my website from scratch, there obviously isn't a solution to this problem... I'm screwed.

I have followed the instructions as best I can.. I just don't know how to find the cron job. But there is a .htaccess file outside of my htdocs...

Thanks hacker... you achieved what you intended, in most likelihood putting a new start up in an economy that's struggling out of business. congratulations.

Torgock
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 12:31 pm

Sorry to hear that shaunoff - having a backup of site content and database is the most important thing ever. Most hosting providers can restore your web server back to a previous date, you should ask them if this option is available. I know Godaddy can do this for $150.

If you want a quick fix which only stops the website redirect, it may give you a little breathing room.

Restore or create a brand new .htaccess in every site root directory and set the file permission to 400 or 000. This will stop the .htaccess from being re-written. The problem will still persist and you'll need to get on top of that, but at least your sites won't be pointing to a virus landing page.

Please advise if this helped as I can not do myself because my hosting provider is analyzing the problem and said to leave everything as is.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 23, 2012 12:37 pm

i would say regarding the htaccess file is to copy the htaccess.txt into the contents (overwriting) the dodgy one and then set at 444. setting to 000 on most servers will not do anything as it's not readable by anyone including the server.

on the basis that the sql db is rarely altered, follow checklist 7 safe route to recovery.

reading suggestion for those hosts who don't run suphp etc.
http://community.joomla.org/blogs/leade ... oomla.html
http://community.joomla.org/blogs/leade ... en-up.html
http://community.joomla.org/blogs/leade ... -time.html
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Torgock
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 12:50 pm

000 returns a 403 Forbidden for me, which is better than having a live website shooting viruses to visitors. but if 444 works go with that, you should be able to run the site live without the redirect.

johnb18919
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 12:59 pm

I am currently going through my sites, replacing files and changing to 444. They are working. Through the night the new files appeared in about 50-60 minutes, will soon see if this prevents the files from reappearing.

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 1:14 pm

thanks but I have just made the whole thing worse.

I upgraded to the latest version by using admin tools. I have then proceeded to copy the files across again just to be sure as per the instruction. I have deleted the .htaccess and tried to upload a new one but i think it gets re-written before I get chance to change the permissions. I have now broken the website whilst trying to upload the files, I can see from cyberduck that the permissions of files are changing to 644 as they are uploading and when I try to access the website it appears that google is now aware that there is a problem and won't allow access to the site by displaying the malware landing page.

summary:
can't access the site
site is broken anyway
keep seeing upload failed
i have changed all my passwords with no change
deleted loads of files
followed the list of things to do as best I can
lost all the work that I have put in

... gutted!

Torgock
Joomla! Apprentice
Posts: 29
Joined: Fri Apr 02, 2010 4:35 am

Re: Joomla .htaccess hacked

Post by Torgock » Fri Mar 23, 2012 2:52 pm

shaunoff, call your hosting provider... surely they offer hosting server restore.

You could also try downloading each site onto your local machine and running it through a local environment like xampp.

Ensure the infected .htaccess is no longer on the site.

Download the latest stable build of Joomla, pull your ethernet cable so you are no longer connected to the internet. Install joomla manually over the top of your existing joomla version (I'd suggest against using admin tools to update this).

Do this for each one of your sites. Before you upload each site one by one, you will need to clear everything off your current webserver.

You should only do this if you know what you're doing, otherwise you could lose everything.

From my research nothing has been altered in the database, but I could be wrong.

johnb18919
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 3:38 pm

I agree the database does not seem to be affected. I have a post up with the same bug.

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 4:05 pm

I've tried that but the permissions of the new .htaccess file but it always resets to 0644 every time using fireftp and filezilla.

am I doing something wrong?

I have contacted host... but awaiting their response regarding a host reset

I am now trying to download the website so that I can delete it all, do a fresh install, reconnect to the database (reset the password as well) and then hopefully upload images etc in hope that it sorts the problem.

johnb18919
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 4:11 pm

On Filezilla are you checking the boxes or entering the numbers in the permissions field? I was playing with it, and checking the box reverted back but entering the numeric value sticks.

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 4:14 pm

johnb18919 wrote: "On Filezilla are you checking the boxes or entering the numbers in the permissions field? I was playing with it, and checking the box reverted back but entering the numeric value sticks."
trying both methods

oscarguzval
Joomla! Apprentice
Posts: 5
Joined: Wed Mar 17, 2010 10:15 pm

Re: Joomla .htaccess hacked

Post by oscarguzval » Fri Mar 23, 2012 4:17 pm

I have the same problem. My .htaccess are all y 0644. I see many .htaccess in several folders. What do you think about download my site, open it locally, run a search and remove all the .htaccess inside and then re-upload again? If it reappears, what could generate these files? Thanks for your advice. By the way, I found too jos_core.php y the temp folder... should I delete it?

johnb18919
Joomla! Apprentice
Posts: 21
Joined: Fri Mar 23, 2012 10:31 am

Re: Joomla .htaccess hacked

Post by johnb18919 » Fri Mar 23, 2012 4:25 pm

oscar I do not believe finding the htaccess files is our hurdle, the issue is in finding the script that is writing them. The scary part for me is I am on a shared hosting platform and it may be possible the script is not in one of my folders. ???
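
An added example, not part of any post in this thread and not Joomla project code: a read-only Python audit of the two things the thread keeps returning to, namely which .htaccess files exist with what mode and what off-site redirect, and which files changed inside the 50-60 minute rewrite window. The sample tree, the host `landing.example.invalid` and `tmp/unknown.php` are constructed for the demo.

```python
import os
import re
import stat
import tempfile
import time

# Directives with an absolute-URL target, i.e. able to send a visitor off-site.
REDIRECT_RE = re.compile(
    r"^\s*(?:RewriteRule|Redirect\w*|ErrorDocument)\b.*?https?://([^/\s\"']+)", re.I)


def audit_htaccess(docroot, own_hosts=()):
    """Report mode and off-site redirect targets of every .htaccess under docroot."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        external, readable = [], True
        try:
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = REDIRECT_RE.match(line)  # '#' comment lines never match
                    if m and m.group(1).lower() not in own:
                        external.append((lineno, m.group(1).lower()))
        except PermissionError:
            readable = False  # e.g. mode 000: content cannot be inspected
        findings.append({"path": os.path.relpath(path, docroot),
                         "mode": format(mode, "03o"), "writable": bool(mode & 0o222),
                         "readable": readable, "external": external})
    return sorted(findings, key=lambda f: f["path"])


def modified_since(docroot, since_epoch):
    """Paths changed at or after since_epoch, newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.lstat(path).st_mtime
            if mtime >= since_epoch:
                hits.append((mtime, os.path.relpath(path, docroot)))
    return [p for _m, p in sorted(hits, reverse=True)]


def build_constructed_site(root, now):
    """Constructed sample tree (not data from the thread): path, body, mode, age."""
    for rel, body, mode, age in [
        (".htaccess", "# http://docs.joomla.org\nRewriteRule (.*) index.php\n", 0o444, 604800),
        ("images/.htaccess",
         "RewriteRule ^(.*)$ http://landing.example.invalid/ [R=301,L]\n", 0o644, 600),
        ("tmp/unknown.php", "<?php // constructed placeholder\n", 0o644, 900),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        os.utime(path, (now - age, now - age))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_site(root, time.time())
        for f in audit_htaccess(root):
            print(f["mode"], f["path"], f["external"] or "no off-site redirect")
        print("changed in last hour:", modified_since(root, time.time() - 3600))
```

Where PHP runs as the account owner, any script under that account can chmod a 444 file back, so the change list matters as much as the mode column.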

oscarguzval
Joomla! Apprentice
Posts: 5
Joined: Wed Mar 17, 2010 10:15 pm

Re: Joomla .htaccess hacked

Post by oscarguzval » Fri Mar 23, 2012 4:32 pm

I'm in a shared hosting platform too. I'm downloading a last week backup to compare... I found the malicious .htaccess in my root!!! So, maybe you're right... Any other clue?

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 5:13 pm

Still not sorted but look at this as a response from my host:

Thank you for your query

We're afraid we do not secure back up. This has been highlighted on the Terms and Conditions. Please see the draft below:

16.1 Streamline.Net does not back up Your data and/or website and whilst every attempt would be made in the unlikely event of any corruption or hardware failure, Streamline.Net cannot guarantee to be able to replace lost data. This includes loss of data resulting from delays, non-deliveries, wrong delivery, and any and all Service interruptions caused by Streamline.Net and its employees.

I need to change hosts as soon as this issue is sorted and I'm back in business...

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla .htaccess hacked

Post by mandville » Fri Mar 23, 2012 5:41 pm

shaunoff i did say
"copy the htaccess.txt into the contents (overwriting) the dodgy one and then set at 444."
Torgock
"You could also try downloading each site onto your local machine and running it through a local environment like xampp."
will take a long time and could infect your machine
"Install joomla manually over the top of your existing joomla version (I'd suggest against using admin tools to update this)."
is this on your local or remote?
the issue with that is by doing that you also copy any dodgy files that could be reinfecting the sites

note before doing this that cpanel will automatically create a blank htaccess file in the root of the public_html/docs folder that you need to copy the htaccess.txt content into

i will repeat the relevant section from http://docs.joomla.org/Security_Checklist_7

A Safe route for disaster relief

* save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
* wipe the entire folder where Joomla! is installed
* upload a new clean full package latest version of joomla 1.5.x or Joomla .5.x (minus the install folder) (you can do this by uploading then extracting the zip file and then deleting the installation folder)
* reupload your configuration file & images.
* reinstall the latest versions of your extensions, templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

sbrad
Joomla! Fledgling
Posts: 1
Joined: Fri Mar 23, 2012 4:55 pm

.htaccess Redirect Hack

Post by sbrad » Fri Mar 23, 2012 9:15 pm

Has anyone found out how this is happening yet? I restored my site with a week-old Akeeba backup after deleting everything but I'm afraid it's going to happen again if I don't figure out how they got in.

pe7er
Joomla! Master
Posts: 24982
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: .htaccess Redirect Hack

Post by pe7er » Fri Mar 23, 2012 10:23 pm

Welcome to Joomla forum!

I'd recommend contacting your hosting company.
They might be able to help you with finding the cause (e.g. some other account at the same shared hosting server).

Furthermore, there are some excellent security checklists available that you should read and check with your server / Joomla settings:
http://docs.joomla.org/Category:Security_Checklist
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

Webdongle
Joomla! Master
Posts: 44088
Joined: Sat Apr 05, 2008 9:58 pm

Re: .htaccess Redirect Hack

Post by Webdongle » Fri Mar 23, 2012 10:39 pm

There is a lot of that one going around. Most likely a server hack https://www.google.co.uk/search?num=100 ... 9l0.frgbld.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 11:38 pm

"copy the htaccess.txt into the contents (overwriting) the dodgy one and then set at 444."
I would if I could but as mentioned... it defaults back to 644 immediately i.e. it will not change to 444.

As for finding the problem. I deleted the entire joomla site leaving only directories like images and a couple of other directories that were not joomla related. Well, after uploading the entire stable version of joomla and without even setting up the configuration file... the website still redirected to the virus.

So the script MUST be outside of the joomla files.

I am now deleting everything from the server and I will then upload a brand new joomla stable install and see if that makes any difference.

if this doesn't work then I am essentially starting from scratch and still not making any difference...

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Fri Mar 23, 2012 11:43 pm

right... I have deleted everything off the server!!!! yet it still diverts to the virus...

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla SEF URLs hacked

Post by shaunoff » Sat Mar 24, 2012 12:05 am

the issue runs much much deeper. I have deleted everything... absolutely everything from the server. Changed all passwords and the domain still redirects.

now let's face it... there's just no way of getting around this infection by changing a htaccess file. There must be a secret, hidden script that the ftp programmes don't pick up.

It also shows that it's probably not even a joomla issue considering that I haven't even got joomla installed on the server anymore.

Webdongle
Joomla! Master
Posts: 44088
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla .htaccess hacked

Post by Webdongle » Sat Mar 24, 2012 12:36 am

@shaunoff

Have you looked in your Host's CP to see if anyone has set a redirect in there ?

Have you checked your PC for malware ? If yes how many programs have you checked it with ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked

Post by shaunoff » Sat Mar 24, 2012 11:38 am

Hi, I have checked my laptops for malware with a couple of programs but... if that was the issue then it wouldn't affect my mac, my windows laptop, my iphone, my ipad and my mate's nokia.

I have looked at the host control panel and it doesn't even offer a forwarding facility... I have asked them to look into it.

my host does have a built in ftp which also confirms deletion of everything:

Directories: 3
Files: 0 / 0 B
Symlinks: 0
Unrecognized FTP output: 0

shaunoff
Joomla! Apprentice
Posts: 19
Joined: Fri Mar 23, 2012 12:38 am

Re: Joomla .htaccess hacked to xxx.ru

Post by shaunoff » Sat Mar 24, 2012 1:09 pm

my mistake... the ISP has cached the old page which is why it redirects.

I have just tried it from a different city location and there is nothing there and no redirect to the virus.

which makes me wonder if I had potentially solved the problem sooner. I can't work on the site from my office or from home though... how useless is that!!!
Last edited by mandville on Thu Aug 30, 2012 3:58 am, edited 1 time in total.
Reason: Merged with main topic

