Joomla .htaccess hacked to xxx.ru

[PhilD]

First it most likely will not run on the local XAMPP install and remain hidden.

So your reduced to either following what has been posted numerous times (see below) in this thread, or searching for it by manually inspecting files in areas such as /tmp, /templates, /includes, /images, to name a few common places.

It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when when the site became hacked.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 and 755 and 444 for the configuration.php file.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

[mandville]

PS: i looked over the htaccess file and it doesn't appear to have anything out of the ordinary in it.

try looking at it with word wrap on, or as are right as you can go, sometimes its hidden there

[Webdongle]

... i looked over the htaccess file and it doesn't appear to have anything out of the ordinary in it.
...

The redirect has also been found in an image downloaded with a free Template. Some free Templates have malware placed in them ... it's a good way to get hack files on a server.

[HollyK]

Thanks to you three kind folks.
This is running before I can crawl in terms of working my way through PhilD's post. I hadnt missed that btw :-);

just thought
a/ i should post so you security boffins can keep some semblence of a tally on how many poor sods like me have been hit.
b/ thought the whole google redirect was weird and so bloody sneaky cause the site itself looks fine if you came to it via a bookmark.

Learning more than I wanted to / or thought i would have to but we have a great community on our site and I really don't want to lose them.

I might be in touch while i work through Phils list of pointers. Sorry :-)

Using Notepad ++ word wrap on.

Using joomlarts jasocial template - not the quickstart package just the template, but I'll double check.

BTW - the site as a whole isn't so important to me, its the forum that's so important - its the basis of our community - maybe there's a way to save that and just import it after i do a new install if i cant get to the bottom of this, or is that too risky?

Nearly 2am in UK and have been working on this for 14 hours.....but I'll crack into it again tomorrow.
Thanks
HK

[Webdongle]

If the database has not been hacked then you still have your site. All the data is in the database (that's why it's call a database ). Basically the files just put/get and display the data(in a secure manner). So deleting all the files is no problem because they can be replaced. The info given to you tells you how

[nem2ace]

I'm a victim too. I had an old joomla on my server, and found the joomla file on my tmp folder. It spead to all my domains, my vbulletin was also hacked. So i moved to a new dedi server and installed a fresh cpanel. I zipped one of my interspire shopping cart site from my old server and unzipped to new server. Unzipped and updated the database, put the site live.... The bot was hidden and its infected my new server LOL. .htaccess files reappear when deleted on mostly all root of my domains.

It also then had a "filesman" backdoor tool too, which when i opened looked like he could upload/modify or delete any file/folder.(on my old server only, did not appear on my new server)


I'm hiring a sys admin to help and he wrote this cool script to check if the htaccess has been modified with the hacker signature and delete it. It's run every minute with cron.

Code: Select all

#!/bin/bash
for i in $(find /home/USERNAME -name '.htaccess'); do
	sed -e 's/^.*\r$//g' -i $i
done

It's a temporary fix. Working good so far.

[Webdongle]

....

I'm hiring a sys admin to help and he wrote this cool script to check if the htaccess has been modified with the hacker signature and delete it. It's run every minute with cron.

Code: Select all

#!/bin/bash
for i in $(find /home/USERNAME -name '.htaccess'); do
	sed -e 's/^.*\r$//g' -i $i
done

It's a temporary fix. Working good so far.

That will not stop any other exploits that are on the server. You did not mention checking your computer either.

[mandville]

a lot of these scripts can be dangerous without full knowledge of how they work. hthe script also does not check other files, such as the tmp folder ones.
running a cron job every minute on shared hosting set up may also violate your hosts AUP and T&C

[nem2ace]

So upon more inspection of my files and folders i check my addons/templates folder and found a file called templates.php, this is the backdoor, if someone can decode this:

Code: Select all

*** Code Removed*** 

This will decode to a base64_decode, and that then decodes to normal user data ,
I used http://serverfault.com/questions/249190 ... press-hack

[Webdongle]

So upon more inspection of my files and folders i check my addons/templates folder and found ...

Told you so !!! Now will you follow the advice given (numerous times) by the forum Moderators ?

[PhilD]

I do not advise running a cron script every minute on shared hosting. That will very likely cause you to violate your TOS with your host.

The security checklist 7 has a cron script to check for changed files within public_html. Generally it is run from cron just a few times a day and won't get you into TOS trouble with your host.

A script such as the one @nem2ace posted will only play "Tag your it" with the hack.
The Hack modifies htaccess, you delete it over and over. What good did that do?

Proper procedure is to not spend a bunch of time putting band aids on stuff and playing around. While your busy doing that, the hackers are busy placing backdoors and root scripts on your site to do further damage or damage at a later time.

Do the following FIRST to fix the site properly and quit wasting time and effort and trying to reinvent the wheel with little or no effectiveness.

It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when when the site became hacked. This can make a difference as to how we approach your individual situation.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 and 755 and 444 for the configuration.php file.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

[nem2ace]

I found the php script and deleted it. Now the backdoor is gone and im using a dedicated server. my htaccess is fine again.

[Webdongle]

I found the php script and deleted it. Now the backdoor is gone ...

Perhaps you are confusing cause with effect ... the script you found may not have been the back-door just something that came through it.

[shaunoff]

Hi, just wanted to share how I fixed the problem.

I removed everything from the server (after copying to my laptop). I then installed the latest version of joomla stable and reconnected to the database. Re-installed all of the lugins one by one and uploaded all of the images.

The problem was fixed and has remained fixed since.

If this happens to you then as far as I can see this is the only remedial course of action.

Good luck and I hope it doesnt happen to you.

[m4soN]

Hey Folks,

i am no big coding guy and don´t know really much about problems with hacks and stuff like that, but now i am also an victim

As far as i now figured out i had an htaccess hack on my website. So i tried to understand what happened and what i have to do to solve this problem but actually i failed.

Can someone give me please a try and explain in an real easy way how i have to go on to solve this problem?

I would be really thankful for some help!

[Webdongle]

....

Can someone give me please a try and explain in an real easy way how i have to go on to solve this problem?
...

Delete everything except the database
Scan all computers with everything you can
Rebuild the site with the newest of everything
Use as many of the security methods mentioned.

[m4soN]

....

Can someone give me please a try and explain in an real easy way how i have to go on to solve this problem?
...

Delete everything except the database
Scan all computers with everything you can
Rebuild the site with the newest of everything
Use as many of the security methods mentioned.

Is there no chance to delete just some specific files? Do i really have to delete my whole webspace? (there are 1 blog, 3 boards and 1 joomla page on it )

[Webdongle]

....
Is there no chance to delete just some specific files? Do i really have to delete my whole webspace?...

You can spend days trawling through every single file to see if you can find the infected images. And even if you find some files ... then by the time you do that others (that you checked and were clean) can be infected while you are looking elsewhere. The only sure way is to delete everything.

....
(there are 1 blog, 3 boards and 1 joomla page on it )

Those records are in the database not in the files. So as soon as you put fresh files on the server you will be able to display the data in the Browser. All the files do is put/get to/from the database and display the data on the screen.

Phrases like "Can someone give me please a try and explain in an real easy way how i have to go on to solve this problem?" usually translate as I want a quicker way than recommend. But the fact of the matter is ... you got hacked and you need to delete all the files. If you read the posts about hacks you will see a common theme .... users questioning the official advice, looking for a quick fix and volunteers time and time again saying "Delete ALL the files on your server".

What is so difficult for users to understand about

Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

that they keep ask is there a quicker way ?

[PhilD]

It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when when the site became hacked. This can make a difference as to how we approach your individual situation.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 and 755 and 444 for the configuration.php file.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

[yaanimai]

I deleted all the files off the server & followed all instructions above but Google Webmaster Tools still reported the site as having malware.

I finally figured it out.

After being told by GoDaddy tech support several times that there were no files above the hosting root & no one could access them anyway I got frustrated & called GoDaddy Site Scanner tech support . I had purchased the GoDaddy Site Scanner add on a while back hoping it would help diagnose where these files were but basically it just reported the Google Webmaster Tools & Google's Safebrowser results. No specifics on which files were the problem.

Go Daddy Site Scanner security told me to use an FTP client to connect to my site & use the SFTP method to connect. I did this & was able to access files above my hosting root directory.

LO & BEHOLD! There I found a .htaccess file that had the malicious code in it that was similar to the one they had put in all the Joomla core directories & the root directory.

I have deleted that .htaccess file that was above the root & am waiting on a Google Webmaster Tools site review now.

So the files I found that had malicious code were .htaccess files (in root, in core Joomla directories & above root) and also a couple of malicious files in the tmp directory.

I will report back here as soon as the Google review comes back.

[Webdongle]

....
So the files I found that had malicious code were .htaccess files (in root, in core Joomla directories & above root) and also a couple of malicious files in the tmp directory.
...

There may be more unless you have deleted all the folders.

[yaanimai]

Webdongle, yes I did delete all files & folders & then replaced them but Google Webmaster Tools still said the site was infected & the site was blacklisted in Google search results.

I just deleted the .htaccess above the root & am waiting for a Google review submitted through Webmaster Tools. I am hoping it will get a clean report now. I will report back after Google reviews the site.

[Webdongle]

...
I just deleted the .htaccess above the root & am waiting for a Google review submitted through Webmaster Tools. I am hoping it will get a clean report now. I will report back after Google reviews the site.

But if you replaced the files before deleting the .htaccess above the root ... then they could have been infected by it.

[PhilD]

Ok this is going to be very very general. On this particular hack....as I have said numerous times.
1.) There will be a hacked htaccess stored outside of the publuc_html area.

2.) There will be other hacked htaccess files depending on the structure of your particular site setup. Mainly the main one in public_html.

3.)There will be at least 2 (probably 3) hack files stored within the Joomla /tmp directory. These hack files can be elsewhere, but normally are in the /tmp directory. This is apparently because either some sites or some extensions are bad about cleaning the /tmp directory leaving all kinds of junk so it is easy to hide an additional 2 files there.

4.) The template files may have a root shell installed there (c99 type shell script) or an attempt will be made to install a root shell there. If the attempt is unsuccessful, an attempt may be made to place the shell script elsewhere.

5.) At least part of the hack is apparently onsite for a period of time before it was activated.

6.) if the site is not cleaned properly, then the hack will return.

[yaanimai]

PhilD's outline above was the exact scenario for the hack I had on my site.

After cleaning all the files in the tmp & .htaccess in the root & .htaccess in all the joomla core sub directories it was still blacklisted by Google & flagged as harmful in Google earch resutls & I couldn't figure out where the redirect to the xxx.ru site was.

I kept calling GoDaddy (the site is on a shared hosting account) to ask them to look at .htaccess files above the root & they kept telling me no one could access them or there were no files above the root. I finally purchased the GoDaddy add-on called Site Scanner which was no help it basically told me the same info that the Google Webmaster Tools & Google Safesearch told me. It did give me access to the GoDaddy security tech support though. I talked to them & they helped me get access to files above the root using SSH & there I found the offending .htaccess. I deleted that, submitted the site for review in Google Webmaster Tools & within hours it was removed from the Google blacklist & was no longer listed as a harmful site in Google's search results.

The whole process would have been a lot quicker if GoDaddy tech support had looked at the .htaccess file above the root the first time I asked them instead of telling me it didn't exist or couldn't be accessed by anyone.

[andyc24_uk]

Hello,

As of the past few days, all links to my website (http://www.newfuturesorganisation .com) attempt to redirect to some russian spam site (http://med-nais. ru/sunreal?9). This site fails to load; however it means that nay link from google, Facebook or anywhere else does not take visitors to my site.

From what I can understand, this seems to be some kind of redirect script, probably in my index.php file?

I am a complete amateur with no training in fixing these kinds of problems. I have gone through the security checklist, so please don't just tell me to read that. I have downloaded the index.php file (included below), however I really don't know what I'm looking for. Could somebody please tell me what part the script is so I can remove it?

Many thanks

Andy

<?php
/**
* @version $Id: index.php 14401 2010-01-26 14:10:00Z louis $
* @package Joomla
* @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
* CREATE THE APPLICATION
*
* NOTE :
*/
$mainframe =& JFactory::getApplication('site');

/**
* INITIALISE THE APPLICATION
*
* NOTE :
*/
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
* ROUTE THE APPLICATION
*
* NOTE :
*/
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
* DISPATCH THE APPLICATION
*
* NOTE :
*/
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
* RENDER THE APPLICATION
*
* NOTE :
*/
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
* RETURN THE RESPONSE
*/
echo JResponse::toString($mainframe->getCfg('gzip'));

[mandville]

please read the posts in this topic i have moved your post too.

[andyc24_uk]

Thankyou!

[shadowcrawler]

Hi

I also have/had this problem today.

I'm not sure at this time, but after I deleted all files in /tmp where I had one file named jos_core.php.

This file I have seen mentioned a couple of times regarding this problem.

Since deleting this file and restored httaccess file from remote backup the domain I have had problems with have been fine, no new "infections" for a couple of hours now.

Hope this helps, and please report back if this also helped you so we can help others.

I don't have this file in my /tmp folder. Actually, I doubt it's root reason.

[PhilD]

Then why this post?

Hi I also have/had this problem today. I'm not sure at this time, but after I deleted all files in /tmp where I had one file named jos_core.php. This file I have seen mentioned a couple of times regarding this problem. Since deleting this file and restored httaccess file from remote backup the doma...