Scott, that's an interesting comment. Do you think on a shared hosting account it's being hacked because of the permissions on the .htaccess or possibly other files? Thanks!
David Roth On Tue, Sep 4, 2012 at 5:49 PM, Scott Wolpow <sc...@wolpow.com> wrote: > Each time I have found that hack it was on a shared hosting platform. > Though Blue Host and their sister companies have stepped up security on > this. > SW > On 9/4/2012 5:18 PM, David Roth wrote: > > Hi Mark. > > I'm so sorry to hear about someone doing this to your website. > > I think you have done a noble job of damage control on this. You > mentioned it was on Joomla 1.5. If possible, I would create a new > installation of Joomla with 2.5 and do a migration if feasible. The concern > to go to Joomla 2.5 is because of security. I don't know how your website > was hacked, but there have been security updates since 1.5. > > You mentioned the .htaccess, the problem could be a re-write issue. > Also, check to see if the SEO stuff is on or off. I don't recall how 1.5 > did this or if you needed an extension to do it. > > David Roth > > On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masi...@verizon.net> wrote: > >> I've fixed up a Joomla 1.5 based web site that was hacked to redirect to >> a malware site. >> >> I was not able to find any of the Joomla files changed, nor did I find >> any changes in the database. >> >> What I did find is that the .htaccess file was changed. In addition, >> several other .htaccess files were added in several subdirectories of the >> site. >> Also found several php files in the tmp directory with the redirect url >> encoded with a preg_replace function. The evaluation string had another >> string encased in single quotes inserted to it. >> >> I was able to ftp the whole site preserving the time stamps on the files. >> I removed all the .htaccess files and replaced the original one with an >> unadulterated one. >> >> that set most of the site back to normal. I have one persistent problem. >> >> I have looked through the database using string search, and I have >> replaced all the joomla core with newest version. >> >> And I've looked for index.html files that might be adulterated, but >> haven't found any. >> >> The problem ... (finally!) >> >> When I direct a browser to: >> >> http://affectedsite.com/adminstrator/index.php >> >> I can get to the administrator console. >> >> I cannot get to the admin console with >> >> http://affectedsite.com/administrator >> >> for that I get an error message in the browser window >> >> Illegal variable _files or _env or _get or _post or _cookie or _server or >> _session or globals passed to script. >> >> and the address in the browser is >> >> >> http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(donttry >> it)ru/frunleh?9 >> >> Note the second malformed url inserted at the end! >> >> ====== >> >> Does anyone know where I can look to find where this is coming from. I >> thought perhaps a plugin, but I haven't been able to find anything. I also >> checked for an index.html file, but none is there. >> >> Thanks, >> Mark >> >> -- > Scott Wolpow > 718 275 7765 > ------------------- > I am participating in the > MS Charity Bike ride to raise > Money for this good cause, > can you please support my > ride.<http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354> > <http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354> > >
_______________________________________________ New York PHP SIG: Joomla! Mailing List http://lists.nyphp.org/mailman/listinfo/joomla NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php
