[joomla] question about redirect - remediating hacked Joomla website
Scott Wolpow
scott at wolpow.com
Tue Sep 4 17:49:02 EDT 2012
Each time I have found that hack it was on a shared hosting platform.
Though Blue Host and their sister companies have stepped up security on
this.
SW
On 9/4/2012 5:18 PM, David Roth wrote:
> Hi Mark.
>
> I'm so sorry to hear about someone doing this to your website.
>
> I think you have done a noble job of damage control on this. You
> mentioned it was on Joomla 1.5. If possible, I would create a new
> installation of Joomla with 2.5 and do a migration if feasible. The
> concern to go to Joomla 2.5 is because of security. I don't know how
> your website was hacked, but there have been security updates since 1.5.
>
> You mentioned the .htaccess, the problem could be a re-write issue.
> Also, check to see if the SEO stuff is on or off. I don't recall how
> 1.5 did this or if you needed an extension to do it.
>
> David Roth
>
> On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masimko at verizon.net> wrote:
>
> I've fixed up a Joomla 1.5 based web site that was hacked to
> redirect to a malware site.
>
> I was not able to find any of the Joomla files changed, nor did I
> find any changes in the database.
>
> What I did find is that the .htaccess file was changed. In
> addition, several other .htaccess files were added in several
> subdirectories of the site.
> Also found several php files in the tmp directory with the
> redirect url encoded with a preg_replace function. The evaluation
> string had another string encased in single quotes inserted to it.
>
> I was able to ftp the whole site preserving the time stamps on the
> files. I removed all the .htaccess files and replaced the original
> one with an unadulterated one.
>
> That set most of the site back to normal. I have one persistent
> problem.
>
> I have looked through the database using string search, and I have
> replaced all the Joomla core with newest version.
>
> And I've looked for index.html files that might be adulterated,
> but haven't found any.
>
> The problem ... (finally!)
>
> When I direct a browser to:
>
> http://affectedsite.com/adminstrator/index.php
>
> I can get to the administrator console.
>
> I cannot get to the admin console with
>
> http://affectedsite.com/administrator
>
> for that I get an error message in the browser window
>
> Illegal variable _files or _env or _get or _post or _cookie or
> _server or _session or globals passed to script.
>
> and the address in the browser is
>
> http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(dont try it)ru/frunleh?9
>
> Note the second malformed url inserted at the end!
>
> ======
>
> Does anyone know where I can look to find where this is coming
> from. I thought perhaps a plugin, but I haven't been able to find
> anything. I also checked for an index.html file, but none is there.
>
> Thanks,
> Mark
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
--
Scott Wolpow
718 275 7765
-------------------
I am participating in the
MS Charity Bike ride to raise
Money for this good cause,
can you please support my ride.
<http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354>
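The checks Mark describes in the quoted message (added .htaccess files, PHP files in tmp, preg_replace evaluating its replacement string) can be run over a downloaded copy of a site. This is an added example, not code from the thread: the names `audit` and `demo`, the host `redirect.example` and the sample files are constructed, and it assumes tmp should hold no PHP files and that any .htaccess below the site root deserves a manual look.

```python
import os
import re
import tempfile
from pathlib import Path

# Directives that can send a visitor elsewhere when they name an absolute URL.
REDIRECT_RE = re.compile(
    r"^[ \t]*(?:RewriteRule|Redirect\w*|ErrorDocument)\b[^\n#]*?https?://([^/\s\"']+)",
    re.I | re.M)
# preg_replace() whose pattern literal carries the "e" modifier (replacement is
# evaluated as PHP). Heuristic: literal patterns with one-character delimiters.
PREG_E_RE = re.compile(
    r"preg_replace\s*\(\s*(['\"])(\W)(?:\\.|(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1", re.S)


def audit(root, site_host):
    """Return sorted (relative_path, reason) findings for the site copy at root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if name == ".htaccess":
                if "/" in rel:
                    findings.append((rel, "htaccess below site root"))
                for host in REDIRECT_RE.findall(path.read_text(errors="replace")):
                    if host.lower() != site_host.lower():
                        findings.append((rel, "redirect to " + host))
            elif name.lower().endswith(".php"):
                if rel.startswith("tmp/"):
                    findings.append((rel, "php file in tmp"))
                if PREG_E_RE.search(path.read_text(errors="replace")):
                    findings.append((rel, "preg_replace with /e"))
    return sorted(findings)


def demo():
    """Audit a small constructed tree; every file and host here is made up."""
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ index.php [L]\n",
        "images/.htaccess": "RewriteRule .* http://redirect.example/in [R=302,L]\n",
        "tmp/cache_1.php": "<?php preg_replace('/.*/e', $x, ''); ?>\n",
        "index.php": "<?php echo preg_replace('/\\s+/', ' ', $title); ?>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(root, "affectedsite.com")
```

A clean result does not clear a site: patterns assembled from variables or encoded strings will not match the literal-pattern heuristic, so the file listing and timestamps still need a manual review.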