NYCPHP Meetup

NYPHP.org

[joomla] question about redirect - remediating hacked Joomla website

David Roth davidalanroth at gmail.com
Tue Sep 4 17:53:48 EDT 2012


Scott, that's an interesting comment. Do you think on a shared hosting
account it's being hacked because of the permissions on the .htaccess or
possibly other files? Thanks!

David Roth

On Tue, Sep 4, 2012 at 5:49 PM, Scott Wolpow <scott at wolpow.com> wrote:

> Each time I have found that hack it was on a shared hosting platform.
> Though Blue Host and their sister companies have stepped up security on
> this.
> SW
> On 9/4/2012 5:18 PM, David Roth wrote:
>
> Hi Mark.
>
> I'm so sorry to hear about someone doing this to your website.
>
> I think you have done a noble job of damage control on this. You
> mentioned it was on Joomla 1.5. If possible, I would create a new
> installation of Joomla with 2.5 and do a migration if feasible. The concern
> to go to Joomla 2.5 is because of security. I don't know how your website
> was hacked, but there have been security updates since 1.5.
>
> You mentioned the .htaccess; the problem could be a re-write issue.
> Also, check to see if the SEO stuff is on or off. I don't recall how 1.5
> did this or if you needed an extension to do it.
>
>  David Roth
>
> On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masimko at verizon.net> wrote:
>
>> I've fixed up a Joomla 1.5 based web site that was hacked to redirect to
>> a malware site.
>>
>> I was not able to find any of the Joomla files changed, nor did I find
>> any changes in the database.
>>
>> What I did find is that the .htaccess file was changed. In addition,
>> several other .htaccess files were added in several subdirectories of the
>> site.
>> Also found several PHP files in the tmp directory with the redirect URL
>> encoded with a preg_replace function. The evaluation string had another
>> string encased in single quotes inserted into it.
>>
>> I was able to ftp the whole site preserving the time stamps on the files.
>> I removed all the .htaccess files and replaced the original one with an
>> unadulterated one.
>>
>> That set most of the site back to normal. I have one persistent problem.
>>
>> I have looked through the database using string search, and I have
>> replaced all the Joomla core with the newest version.
>>
>> And I've looked for index.html files that might be adulterated, but
>> haven't found any.
>>
>> The problem ... (finally!)
>>
>> When I direct a browser to:
>>
>> http://affectedsite.com/adminstrator/index.php
>>
>> I can get to the administrator console.
>>
>> I cannot get to the admin console with
>>
>> http://affectedsite.com/administrator
>>
>> for that I get an error message in the browser window
>>
>> Illegal variable _files or _env or _get or _post or _cookie or _server or
>> _session or globals passed to script.
>>
>> and the address in the browser is
>>
>>
>> http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(donttry it)ru/frunleh?9
>>
>> Note the second malformed url inserted at the end!
>>
>> ======
>>
>> Does anyone know where I can look to find where this is coming from? I
>> thought perhaps a plugin, but I haven't been able to find anything. I also
>> checked for an index.html file, but none is there.
>>
>> Thanks,
>> Mark
>>
>> --
> Scott Wolpow
> 718 275 7765
> -------------------
> I am participating in the
> MS Charity Bike ride to raise
> Money for this good cause,
> can you please support my ride.<http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354>
>
>
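
The findings Mark lists (extra .htaccess files in subdirectories, PHP files in tmp built around preg_replace) can be turned into a repeatable check over the FTP'd copy of the site, sorted by the preserved time stamps. This is an added example, not code from the thread; the data-directory list, the reason labels, and the guess that the dropped files relied on preg_replace's /e modifier are assumptions of the example.

```python
import os
import re
import time

# Assumption: the dropped files used preg_replace's /e modifier, which
# evaluated the replacement string as PHP code (removed in PHP 7).
# Handles same-character delimiters such as /.../e or #...#ie only.
PREG_EVAL = re.compile(
    rb"preg_replace\s*\(\s*(['\"])(\W)(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1", re.S)
# Directories that should hold data, not executable PHP (assumed list).
DATA_DIRS = {"tmp", "cache", "logs", "images"}

def audit(site_root):
    """Return sorted (mtime, reason, relative_path) findings under site_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        rel_dir = os.path.relpath(dirpath, site_root)
        parts = set() if rel_dir == "." else set(rel_dir.split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root)
            reasons = []
            # Only the site root is expected to carry an .htaccess here.
            if name == ".htaccess" and rel_dir != ".":
                reasons.append("htaccess-in-subdir")
            if name.lower().endswith(".php"):
                if parts & DATA_DIRS:
                    reasons.append("php-in-data-dir")
                with open(path, "rb") as fh:
                    if PREG_EVAL.search(fh.read()):
                        reasons.append("preg_replace-eval")
            mtime = os.path.getmtime(path)
            findings.extend((mtime, reason, rel) for reason in reasons)
    # Sorting by mtime groups files touched around the same moment.
    return sorted(findings)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for mtime, reason, rel in audit(root):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, reason, rel)
```

Run it against the local copy rather than the live host; a hit is a file to inspect by hand, not proof of compromise.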