Hi Mark. I'm so sorry to hear about someone doing this to your website.
I think you have done a noble job of damage control on this. You mentioned it was on Joomla 1.5. If possible, I would create a new installation of Joomla with 2.5 and do a migration if feasible. The concern to go to Joomla 2.5 is because of security. I don't know how your website was hacked, but there have been security updates since 1.5. You mentioned the .htaccess; the problem could be a re-write issue. Also, check to see if the SEO stuff is on or off. I don't recall how 1.5 did this or if you needed an extension to do it.

David Roth

On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masi...@verizon.net> wrote:

> I've fixed up a Joomla 1.5 based web site that was hacked to redirect to a malware site.
>
> I was not able to find any of the Joomla files changed, nor did I find any changes in the database.
>
> What I did find is that the .htaccess file was changed. In addition, several other .htaccess files were added in several subdirectories of the site.
> Also found several PHP files in the tmp directory with the redirect URL encoded with a preg_replace function. The evaluation string had another string encased in single quotes inserted into it.
>
> I was able to FTP the whole site preserving the time stamps on the files.
> I removed all the .htaccess files and replaced the original one with an unadulterated one.
>
> That set most of the site back to normal. I have one persistent problem.
>
> I have looked through the database using string search, and I have replaced all the Joomla core with the newest version.
>
> And I've looked for index.html files that might be adulterated, but haven't found any.
>
> The problem ... (finally!)
>
> When I direct a browser to:
>
> http://affectedsite.com/adminstrator/index.php
>
> I can get to the administrator console.
>
> I cannot get to the admin console with
>
> http://affectedsite.com/administrator
>
> for that I get an error message in the browser window
>
> Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script.
>
> and the address in the browser is
>
> http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(donttry it)ru/frunleh?9
>
> Note the second malformed URL inserted at the end!
>
> ======
>
> Does anyone know where I can look to find where this is coming from? I thought perhaps a plugin, but I haven't been able to find anything. I also checked for an index.html file, but none is there.
>
> Thanks,
> Mark
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
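The manual checks described in the thread (extra .htaccess files in subdirectories, PHP files in tmp that use preg_replace) can be made repeatable with a small scanner. This is an added example, not part of either message; the regex heuristics, reason labels, the assumption that only the web root should hold a .htaccess, and the sample tree are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions from the thread's symptoms): rewrite/redirect directives
# pointing at an absolute URL, and preg_replace() with the /e modifier or eval().
HTACCESS_REDIRECT = re.compile(
    r"^\s*(RewriteRule|Redirect(Match)?|ErrorDocument)\b.*https?://", re.I | re.M)
PHP_SUSPECT = re.compile(
    r"preg_replace\s*\(\s*(['\"])(.)[^'\"]*\2[a-z]*e[a-z]*\1|\beval\s*\(", re.I)

def build_sample_site(root):
    """Write a constructed sample tree that mimics the reported symptoms."""
    samples = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n",
        "administrator/.htaccess": "RewriteRule .* http://redirect.example.invalid/x [R,L]\n",
        "tmp/cache1.php": "<?php preg_replace('/.*/e', 'constructed_placeholder', ''); ?>",
        "index.php": "<?php echo 'site'; ?>",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

def scan(webroot):
    """Return sorted (relative_path, reason) findings for files under webroot."""
    findings = []
    for path in (p for p in Path(webroot).rglob("*") if p.is_file()):
        rel = path.relative_to(webroot)
        text = path.read_text(errors="replace")
        if path.name == ".htaccess":
            if len(rel.parts) > 1:  # assumption: only the web root has one
                findings.append((rel.as_posix(), "htaccess-outside-root"))
            if HTACCESS_REDIRECT.search(text):
                findings.append((rel.as_posix(), "htaccess-external-redirect"))
        elif path.suffix.lower() == ".php":
            if "tmp" in rel.parts[:-1]:  # PHP in tmp/ matches the report
                findings.append((rel.as_posix(), "php-in-tmp"))
            if PHP_SUSPECT.search(text):
                findings.append((rel.as_posix(), "php-eval-pattern"))
    return sorted(findings)

def demo():
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        return scan(site)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Findings are leads for manual review rather than verdicts: a legitimate rewrite rule to the site's own absolute URL will also be flagged.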