Each time I have found that hack it was on a shared hosting platform.
Though Blue Host and their sister companies have stepped up security on
this.
SW
On 9/4/2012 5:18 PM, David Roth wrote:
Hi Mark.
I'm so sorry to hear about someone doing this to your website.
I think you have done a noble job of damage control on this. You
mentioned it was on Joomla 1.5. If possible, I would create a new
installation of Joomla with 2.5 and do a migration if feasible. The
concern to go to Joomla 2.5 is because of security. I don't know how
your website was hacked, but there have been security updates since 1.5.
You mentioned the .htaccess, the problem could be a re-write issue.
Also, check to see if the SEO stuff is on or off. I don't recall how
1.5 did this or if you needed an extension to do it.
David Roth
On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masi...@verizon.net
<mailto:masi...@verizon.net>> wrote:
I've fixed up a Joomla 1.5 based web site that was hacked to
redirect to a malware site.
I was not able to find any of the Joomla files changed, nor did I
find any changes in the database.
What I did find is that the .htaccess file was changed. In
addition, several other .htaccess files were added in several
subdirectories of the site.
Also found several php files in the tmp directory with the
redirect url encoded with a preg_replace function. The evaluation
string had another string encased in single quotes inserted to it.
I was able to ftp the whole site preserving the time stamps on the
files. I removed all the .htaccess files and replaced the original
one with an unadulterated one.
that set most of the site back to normal. I have one persistent
problem.
I have looked through the database using string search, and I have
replaced all the joomla core with newest version.
And I've looked for index.html files that might be adulterated,
but haven't found any.
The problem ... (finally!)
When I direct a browser to:
http://affectedsite.com/adminstrator/index.php
I can get to the administrator console.
I cannot get to the admin console with
http://affectedsite.com/administrator
for that I get an error message in the browser window
Illegal variable _files or _env or _get or _post or _cookie or
_server or _session or globals passed to script.
and the address in the browser is
http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(dont
<http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012%28dont>
try it)ru/frunleh?9
Note the second malformed url inserted at the end!
======
Does anyone know where I can look to find where this is coming
from. I thought perhaps a plugin, but I haven't been able to find
anything. I also checked for an index.html file, but none is there.
Thanks,
Mark
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
--
Scott Wolpow
718 275 7765
-------------------
I am participating in the
MS Charity Bike ride to raise
Money for this good cause,
can you please support my ride.
<http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354>
<http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354>
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
