Joomla .htaccess hacked to xxx.ru

[craion]

Hi: this post had been really useful to me, I had removed the hack using the list of thing to check, by PhilD.

In my case, I don’t know how the infection began, but it is possible that it was to a poor admin password. When you install Joomla for the first time, it asks for an administrator username and pass, and lot of people just type admin in both cases. Any simple script that uses brute force methods to enter the administrator can try using that easy passwords and enter really easily.

So these are my suggestions...

1- Never user easy to guess passwords, even in testing sites, or provisory installations;

2- If you ever need to see the changes on a site but your ISP (company used to login to Internet) has a cache so your ISP cache is not cleaned, you can always surf anonymously using tools like... anonymouse.org so you can see how the rest of the world is seeing your site;

3- if you want to check if there are other files infected on your server, and you have root access, you can use PUTTY and enter via SSH to your server (Linux) and type this line...

find /home -type f -iname "*.php" -print0 | xargs -0 egrep 'gzuncompress\(base64_decode'

This will check on every file to see if the hacked code is still there.
If you need anything else you are always free to post questions here or contacting me...

[gaudigabriels]

I tried a few things like updating to 1.5.26 but the .htaccess files kept reappearing.

I used Cpanel's Virus Scanner and it found the file images/stories/story.php
I removed it and it worked for me.

No more htaccess files appeared.

[HackRepair]

Though if you've found a hacked file within your account you should assume the entire account has been compromised and take action accordingly.

The thief is likely still hiding in your closet.

[pe7er]

I tried a few things like updating to 1.5.26 but the .htaccess files kept reappearing.

I used Cpanel's Virus Scanner and it found the file images/stories/story.php
I removed it and it worked for me.

Make sure that all your 3rd party extensions are up to date!

Last week I solved the same problem with unwanted redirections for a new customer.
It contained a couple of .htaccess files with redirects to other websites, and also /images/stories/story.php
At their site it was caused by an old not-updated version of JCE editor which contained a insecurity.
Which has been solved in the most recent JCE versions.

[Webdongle]

I tried a few things like updating to 1.5.26 but the .htaccess files kept reappearing.

I used Cpanel's Virus Scanner and it found the file images/stories/story.php
I removed it and it worked for me.

No more htaccess files appeared.

Deleting all folders/files is the only sure way to get rid of it.

[Slackervaara]

Did you look when story.php was modified? It can get you information, when the hack was made. In addition you could look in access logs that time and find out how the hack was made. You will also get the hackers ip-adress and then you can check what else he has done on your site. You can also ban the hackers ip-address in your .htaccess and report abuse to his ISP.

[bhcrow]

HI, i just want to say thanx to BernardT, using his script i managed to detect backdoor file on my server. It was hidden in images/stories/ folder in two files:

story.php and cache_uthqek.php

my htaccess file was reinfecting every 45mins, after deleting this two files htaccess remains clean.

I believe i got infected due to old version of joomla, or old JCE editor plugin, now i updated both of them. I was fightin against this malware near 3 days, and while i was fighting i was changing back to normal my htaccess file just not to get on list of malicious sites on google and other sites. later i made cronjob that copies clean htaccess file very minute, that gave me time to search for backdoor and to be clean in eyes of visitors nad browsers.

[M4RCU5]

In every case of this hack that I cleaned up so far there was a hidden script in images/stories/ called something like .cache_i24tgg.php. That is also part of this hack. Delete that script, story.php and all .htaccess files and update Joomla to your most recent version.

To deploy the scripts an exploit for JCE is being used. The vulnerability has been patched on 29 August 2011 and updating Joomla to a release after that will fix it. Alternatively you can just patch JCE using the vendor supplied patch at http://www.joomlacontenteditor.net/news ... 1-released.

Hope this helps some of you!

[vixensjlin]

I got this too! After clearing cache within Joomla control panel, I still have a file called "cache_inelin.php" under the folder "tmp". Inside of this file there's a suspicious line:

$icon = preg_replace('#\.[^.]*$#', '', $icon);

The virus stop rewriting .htacess after removing this file.

Anybody know where is the security hole in addition to JCE?

[yaanimai]

If you have an old version of NoNumber extensions you need to update it http://www.nonumber.nl/news/releases/28 ... extensions

and check the vulnerable extensions list also. http://docs.joomla.org/Vulnerable_Extensions_List

Make sure all your extensions are the latest versions.

[ivar]

I have also had this on serveral Joomla! sites on different servers. On all of these, the JCE was old. In all cases it was a file called story.php under /images/stories. It was also other infected files but the story.php was common for all. On the latest hack, the file was renamed to story.gif.

[glenn3095]

Hi,
In the last week or so my site at http://www.rinet.com .au has been attacked somehow.

The result is that the .htaccess file has been modified with

Code: Select all

<IfModule mod_rewrite.c>																														

RewriteEngine On																														

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|[youtube]|wikipedia|qq|excite|alaarchiv|infospace)\.(.*)																														

RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]																														

RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-land|browseireland|finditireland|iesearch|ireland-ikz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)																														

RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]																														

</IfModule>	

... and ...

Code: Select all

ErrorDocument 500 http://gdrivedownuntil. pro/creation?8	

after the legitimate htaccess data.

There are lots of spaces in front to try and hide what the hacker is doing.

When finished it modifies the .htaccess to permissions 444 removing the owner write access to make editing the file back again just a little bit annoying.

The net effect is when some images are requested they get a "301 Moved Permanently" error being redirected to places such as:
http://phonesthoughuploader .info
http://imagesworsetightened .info
http://midaugustoperations .pro

and the latest one is http://gdrivedownuntil .pro

The new destinations seem to be dead.

I have tried restoring an old backup but the problem is still there.

Users of phpBB have reported the same issue.

Any help would be much appreciated.

Thanks.

Any help

[glenn3095]

Should have mentioned I am running Joomla! 1.5.26 ... and I've put in the wrong forum, sorry.

[mandville]

this topic is highly relevant http://forum.joomla.org/viewtopic.php?f=432&t=705216

Users of phpBB have reported the same issue.

and what are phpbb doing about this hack?

when/if you respond i will merge with the associated topic

[wernejo]

you got hacked as well?

one of my websites has been hit the same way. i have just deleted the current website and uploaded a back up but nothing has changed.

i noticed that a bunch of .htaccess files had been scattered around the main directories but i still deleted everything but the configuration.php

this is also the second website in the last week that hacked in the a similar way over the last week.

the last website was easily fixed after the backup was uploaded.

any advice?

[glenn3095]

I too tried restoring from Akeebra backup but the problem came back.

Next I followed the advice given elsewhere in the forum of blowing away all folders, keeping only the images and templates folders on your PC. Then I did a clean install using the full 1.5.26 package.
Deleted the installation folder, copy configuration.php back up to the root folder. Then restore your additional images, checking each file for malicious code (inspect it in a binary viewer). Then restore your template folder (additional template only) checking each file for malicious code again.

You are basically leaving the database intact but in removing all folders malicious files get deleted as well :-)

I found the best thing for additional modules etc is to uninstall them before deleting your site. I found overwriting with a fresh install didn't work too well for some modules/plugins.

So far my site seems to be OK.

[wernejo]

I too tried restoring from Akeebra backup but the problem came back.

Next I followed the advice given elsewhere in the forum of blowing away all folders, keeping only the images and templates folders on your PC. Then I did a clean install using the full 1.5.26 package.
Deleted the installation folder, copy configuration.php back up to the root folder. Then restore your additional images, checking each file for malicious code (inspect it in a binary viewer). Then restore your template folder (additional template only) checking each file for malicious code again.

You are basically leaving the database intact but in removing all folders malicious files get deleted as well :-)

I found the best thing for additional modules etc is to uninstall them before deleting your site. I found overwriting with a fresh install didn't work too well for some modules/plugins.

So far my site seems to be OK.

i've just had our 3rd website hacked in this same manner.

the method i have used so far is download a copy of the templates css, html, and images folders and files, then do the same for the images in the stories file and then do the same for any other folder that is part of an extension that's been installed. i also grabed a copy of any other important files except for any .htaccess files i found.

because the database is fine, all you need to do is delete the current site and all the files then upload a backup and restore any key files such as the template, images, and extensions you have installed.

you need to remove all of the core files that was on the server when it got hacked or it will not go away.

it will also take a little while for google to check your site again so dont panic.

[Digital Island]

Because this code can be within almost any file within a site and it is recommended that one follow the points below. Only by doing this can one be assured the code is truly removed form the site.
[/b]

Excellent post serve me as a life saver, but also this is extended to all that in good faith helped me to analyze (still doing it) and solve the issue. (I am also considering to thank to the one that compromised my security because he obliged me to learn, but not sure :-)

For the records, I got compromised affecting some Joomla and WP (Can I mention it?:-) solve it here because it happen trough Joomla. For any one else coming to this post just follow PhilD instructions but worth to read all.

Now I learn I need to review more frequently the Joomla! Documentation - Vulnerable Extensions List http://feeds.joomla.org/JoomlaSecurityV ... Extensions and this security forum.

I love Joomla but Joomla community makes me love it more.

[crazydiver]

Yeah, I think this is worldwide attack on the 1.5 versions. I would suggest the security team check this because I had this attack about 2 weeks ago and it whacked all my 1.5 sites on a single server. Here's my post of the incident. http://forum.joomla.org/viewtopic.php?f=432&t=749242

Although I do and always appreciate the support from Joomla!, I ran the the FPA as suggested and unfortunately didn't find jack.! So I had to inspect the server logs for unusual activity and found a backdoor file installed withing the images folder. I took it out and the attack was gone. I then installed an unhacked backup and changed all passwords (backend, FTP, Hosting, DB, everything!)... even installed a firewall on my sites just to be safe from now on.

[Webdongle]

@crazydriver

What version(s) of 1.5 were you running ?
Posting the FPA outputs for (your sites) on here would help locate the error.
Unless you post the FPA results on here we have no way of ascertaining the accuracy of your conclusion.

[crazydiver]

@crazydriver

What version(s) of 1.5 were you running ?
Posting the FPA outputs for (your sites) on here would help locate the error.
Unless you post the FPA results on here we have no way of ascertaining the accuracy of your conclusion.

Hello Webdongle,

Did you see the post I made about my hack incident? The FPA is in it the link I posted. Here's the link of the thread I made. http://forum.joomla.org/viewtopic.php?f=432&t=749242
Actually to be exact here: http://forum.joomla.org/viewtopic.php?f ... 2#p2887684

Unfortunately, I didn't get a response relating to what was wrong in the report. I ran the FPA on a hacked site and I posted it in the link above. I also got many useful advice from other users on the forum who also had the same or similar problem. However grateful, there was no real fix and the .htaccess kept changing on its own every 30 minutes to an hour despite uploading an unhacked .htaccess file.

I fixed my problem by looking at my server logs to pinpoint what was changing my .htaccess. There was unusual activity going to a malicious file in images/stories/banners. I erased it and installed an unhacked backup. I also installed a firewall on to my sites. I then waited for another attack but it never happened. I guess that solved it.

If you got a better solution, I'm all ears.

Thank you for your time on this matter.

[Webdongle]

Not got a better solution than that posted by mandville. Am looking to see if I can help you locate the point of entry so as to help you prevent it happening again.

That FPA output is for one of your sites ... you said you have more than one.

Are all your sites 1.5.26 ?
Have not got the time to check all the myriad of extensions(you have installed) with the VEL. Or to check if they are up to date. Have you meticulously checked each and everyone was up to date before the hack ?

I can see you like custom Templates ... where do you download them from ?

Have all the computers that have server/ftp/admin access been check for Trojans ?

Is it a shared Hosting package ?(it could have spread from another site on shared Hosting).

Who is your Host ?

[crazydiver]

Thanks for the reply.

All sites are 1.5.26. They were all updated soon after the security notice.
For the templates, I'm an RT member so straight from the club site.

As with the trojans, I have ran Avast and malware and found nothing.

I use several shared servers for my websites but just one was affected. Only sites within that attacked server was affected.

[Webdongle]

...
All sites are 1.5.26. They were all updated soon after the security notice.
...

Some sites were infected in November but not noticed until recently. There is a possibility that one of the 1.5.25 sites was infected before the update came out. Updating prevents sites being infected but does not eradicate an exploit that already exists. Unfortunately (often) the exploit has to be in the 'wild' before a fix for it can be made. Did you make a note of the 'last modified date' of .htaccess (or other infected files) ? That would give you a date the exploit started to take effect but (sadly) not the date it entered the server.

....
As with the trojans, I have ran Avast and malware and found nothing.
....

If the exploit entered the server before the patch was released then any infected browser visiting the site could have infected the server. Otherwise is your computer the only one that has ftp, server or Admin access ?

...
I use several shared servers for my websites but just one was affected. Only sites within that attacked server was affected.

Have you inspected the logs from that server ? It could provide info on how and when the exploit entered the server.

If you deleted everything on the server and rebuilt as per the official advise(posted by mandville) ... and nothing is amiss now ... then it is likely that the exploit entered before the patch was produced ? Only examination of the server logs will confirm if the exploit entered before or after the update to 1.5.26.

Because viruses, exploits, etc. are often out in the wild before a remedy is produced is the main reason why deleting of ALL the files on the server is recommended. Because the exploit can be in backed up files of the site.

[Tomoe]

What a nightmare ! On the server, I have one real site and test sites. Among them, 1.5 site and even 1.7 site. Of course, after testing, I didn't made any upgrade or deleted this sites. Fatal error. Everything is infected. I cleared .htaccess problem, no more redirection, but there's still iframes in all pages of all sites. I deleted old sites, but now I have to clean and restore the site and a test site I was working on.

Thus, I have some questions.

1/ Is the database safe in spite of this attack ?

2/ Is there any risk of corruption of images ? Not unknown images but images clearly identified with my own regular names.

3/ Do I have to erase files and folders not linked with Joomla ? I'm afraid the answer is "yes"...

4/ What is the safer way to backup templates and overrides ?

5/ Is there any risk using the backoffice ?

Thanks for your help.

[Webdongle]

...
Thus, I have some questions.

1/ Is the database safe in spite of this attack ?

2/ Is there any risk of corruption of images ? Not unknown images but images clearly identified with my own regular names.

3/ Do I have to erase files and folders not linked with Joomla ? I'm afraid the answer is "yes"...

4/ What is the safer way to backup templates and overrides ?

5/ Is there any risk using the backoffice ?

Thanks for your help.

1. Probably please seeBefore you post please read this
2. Yes ... best to replace those with the originals
3. Correct all folders/files
4. http://extensions.joomla.org/extensions ... ackup/1606 is good to backup the whole site. But be aware that the hack can exist for several months before it is discovered. So your backups may contain hacked files.
5. 

[Tomoe]

1. Probably please seeBefore you post please read this
2. Yes ... best to replace those with the originals
3. Correct all folders/files
4. http://extensions.joomla.org/extensions ... ackup/1606 is good to backup the whole site. But be aware that the hack can exist for several months before it is discovered. So your backups may contain hacked files.
5. 

Thanks Webdongle.

1. Read, but I confess I don't know how to complete some points.
2. Problem : there's auto-generated images in several sizes. So, if I don't download it, there will be some recognition problem.
3. Nightmare...
4. Excuse me, I think I mistaked in my question. Thing is not using or not using Akeeba (very good component, by the way), it's the opportunity to download template files. Because there is differences I can't explain clearly beetween local site and online site. Problem is that local site is on a previous version of Joomla! (site takes time to be built).
5. Rephrasing the question : will it getting worse if I use the backend to see or modify some settings ?

The hack could be "sleeping" for a while ? Yesterday, everything was still OK.

[muddauber]

I know several people said that it is unlikely the database is altered, but I would
strongly recommend you check to see all the users in the database via
PhpAdmin. I have found an extra admin on several hacked sites.

Another tip is to use the IP address of account to access site during troubleshooting,
this can bring up server and network caching issues. Also, your browser needs to
have caching disabled, or you'll be going in circles during this whole process.
Regarding your host, run, don't walk, away from them as fast as you can.

Since you said your Joomla and HTML sites have been hacked it is more
likely a shared server intrusion where they could get to all your directories.
If they get into your sites and directories, sometimes they'll start working
some additional hacks, including embedding scripts in your template
files.

[PhilD]

the comment should have been more clear. Always check for users that don't belong. Extra admins are common and there are a number of ways to check for them. Use whatever method your comfortable with, but do check them.
What is meant by the general comment though is that the articles etc. are seldom altered in such a way to effect a hack and thus it is generally ok to reuse the database.

htaccess hacks can affect your entire domain. does not matter if your site is a cms site, a forum, or a plain html site, any and all can be affected. they do not necessarily affect other sites on the same server as the files that cause the hack are normally local to one or more sites within the domain or master account you have. There are also hidden files that reside outside of your public_html area that will copy the bad htaccess code back into any htaccess found in the public_html area of your domain. These must also be removed.

[surendrapmishra]

I found very good tool for free online scanning for joomla website. Hacking and malware attacks are common problem for Joomla based sites. I scan my website in [removed]. It helps me every time diagnosing effected file. I replace those affected file and site display without any trouble. Let me know if it's helpful for you anyhow.