NYCPHP Meetup

[Mark Simko]

I've fixed up a Joomla 1.5 based web site that was hacked to redirect to a malware site.

I was not able to find any of the Joomla files changed, nor did I find any changes in the database.

What I did find is that the .htaccess file was changed. In addition, several other .htaccess files were added in several subdirectories of the site.
Also found several php files in the tmp directory with the redirect url encoded with a preg_replace function. The evaluation string had another string encased in single quotes inserted to it.

I was able to ftp the whole site preserving the time stamps on the files. I removed all the .htaccess files and replaced the original one with an unadulterated one.

that set most of the site back to normal. I have one persistent problem.

I have looked through the database using string search, and I have replaced all the joomla core with newest version.

And I've looked for index.html files that might be adulterated, but haven't found any.

The problem ... (finally!)

When I direct a browser to:

http://affectedsite.com/adminstrator/index.php

I can get to the administrator console.

I cannot get to the admin console with

http://affectedsite.com/administrator

for that I get an error message in the browser window

Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script.

and the address in the browser is

http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(dont try it)ru/frunleh?9

Note the second malformed url inserted at the end! 

======

Does anyone know where I can look to find where this is coming from. I thought perhaps a plugin, but I haven't been able to find anything. I also checked for an index.html file, but none is there.

Thanks,
Mark