Shared Platforms are always at risk because of security.
In order to allow the user to upload via a webpage, the site has to be part of the Apache group.
Read this

http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/
To really overcome this requires one of these:
1) Customizing Apache
2) Having very high server overhead
3) Kernel modification

Scott Wolpow


On 9/4/2012 5:53 PM, David Roth wrote:
Scott, that's an interesting comment. Do you think on a shared hosting account it's being hacked because of the permissions on the .htaccess or possibly other files? Thanks!

David Roth

On Tue, Sep 4, 2012 at 5:49 PM, Scott Wolpow <sc...@wolpow.com> wrote:

    Each time I have found that hack it was on a shared hosting platform.
    Though Blue Host and their sister companies have stepped up
    security on this.
    SW
    On 9/4/2012 5:18 PM, David Roth wrote:
    Hi Mark.

    I'm so sorry to hear about someone doing this to your website.

    I think you have done a noble job of damage control on this. You
    mentioned it was on Joomla 1.5. If possible, I would create a new
    installation of Joomla with 2.5 and do a migration
    if feasible. The concern to go to Joomla 2.5 is because of
    security. I don't know how your website was hacked, but there
    have been security updates since 1.5.

    You mentioned the .htaccess; the problem could be a rewrite
    issue. Also, check to see if the SEO stuff is on or off. I don't
    recall how 1.5 did this or if you needed an extension to do it.

    David Roth

    On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masi...@verizon.net> wrote:

        I've fixed up a Joomla 1.5 based web site that was hacked to
        redirect to a malware site.

        I was not able to find any of the Joomla files changed, nor
        did I find any changes in the database.

        What I did find is that the .htaccess file was changed. In
        addition, several other .htaccess files were added in several
        subdirectories of the site.
        Also found several PHP files in the tmp directory with the
        redirect URL encoded with a preg_replace function. The
        evaluation string had another string encased in single quotes
        inserted into it.

        I was able to ftp the whole site preserving the time stamps
        on the files. I removed all the .htaccess files and replaced
        the original one with an unadulterated one.

        That set most of the site back to normal. I have one
        persistent problem.

        I have looked through the database using string search, and I
        have replaced all the Joomla core with the newest version.

        And I've looked for index.html files that might be
        adulterated, but haven't found any.

        The problem ... (finally!)

        When I direct a browser to:

        http://affectedsite.com/administrator/index.php

        I can get to the administrator console.

        I cannot get to the admin console with

        http://affectedsite.com/administrator

        for that I get an error message in the browser window

        Illegal variable _files or _env or _get or _post or _cookie
        or _server or _session or globals passed to script.

        and the address in the browser is

        http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(dont try it)ru/frunleh?9

        Note the second malformed url inserted at the end!

        ======

        Does anyone know where I can look to find where this is
        coming from. I thought perhaps a plugin, but I haven't been
        able to find anything. I also checked for an index.html file,
        but none is there.

        Thanks,
        Mark

-- Scott Wolpow
    718 275 7765
    -------------------
    I am participating in the
    MS Charity Bike ride to raise
    Money for this good cause,
    can you please support my ride.
    <http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354>




_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
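Mark's findings in the quoted message (rogue .htaccess files added in subdirectories, a redirect injected into the main .htaccess, and PHP files in tmp that push the redirect URL through preg_replace with an evaluated replacement string) are the kind of indicators a site owner can sweep for before trusting a cleanup. The script below is an added example written for this page, not code from the thread, from Joomla or from any hosting provider. It builds a small constructed sample tree (the hostname malicious.example, the file names and the file contents are invented for the demonstration) and reports .htaccess files outside an allowlist, RewriteRule or Redirect targets on another host, and preg_replace() calls whose modifier list contains e.

```python
"""Sweep a Joomla web root for the indicators described in the thread:
unexpected .htaccess files, rewrite/redirect rules that send visitors
off-site, and preg_replace() calls using the /e (eval) modifier."""
import os
import re
import tempfile

# Constructed sample tree (not from the thread): one legitimate .htaccess,
# one rogue .htaccess dropped into a subdirectory, one backdoor in tmp/,
# and one benign PHP file that uses preg_replace() normally.
SAMPLE_FILES = {
    ".htaccess": "RewriteEngine On\nRewriteRule ^index\\.html$ index.php [L]\n",
    "images/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} google [NC]\n"
        "RewriteRule .* http://malicious.example/land.php [R=301,L]\n"
    ),
    "tmp/cache.php": (
        "<?php\n"
        "preg_replace('/.*/e', 'header(\"Location: \" . base64_decode($d))', '');\n"
    ),
    "index.php": "<?php\necho preg_replace('/a/', 'b', 'abc');\n",
}

_EXTERNAL = re.compile(r"^https?://", re.I)
_REWRITE_RULE = re.compile(r"\s*RewriteRule\s+\S+\s+(\S+)", re.I)
_REDIRECT = re.compile(
    r"\s*Redirect(?:Match|Permanent|Temp)?\s+"
    r"(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?\S+\s+(\S+)", re.I)
# First string argument of preg_replace(): delimiter, pattern, modifiers.
_PREG_FIRST_ARG = re.compile(r"""preg_replace\s*\(\s*(['"])(.*?)\1""", re.S)


def external_redirects(htaccess_text):
    """Return RewriteRule/Redirect targets that point at another host."""
    targets = []
    for line in htaccess_text.splitlines():
        m = _REWRITE_RULE.match(line) or _REDIRECT.match(line)
        if m and _EXTERNAL.match(m.group(1)):
            targets.append(m.group(1))
    return targets


def preg_replace_eval(php_text):
    """Return the pattern strings of preg_replace() calls whose modifiers
    include 'e', i.e. the replacement is evaluated as PHP code."""
    hits = []
    for m in _PREG_FIRST_ARG.finditer(php_text):
        pattern = m.group(2)
        delim = pattern[0] if pattern else ""
        end = pattern.rfind(delim) if delim else -1
        # Modifiers are whatever follows the closing delimiter.
        if end > 0 and "e" in pattern[end + 1:]:
            hits.append(pattern)
    return hits


def scan_webroot(root, expected_htaccess=(".htaccess",)):
    """Walk root and return {relative_path: [reasons]} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                reasons = []
                if rel not in expected_htaccess:
                    reasons.append("unexpected .htaccess")
                reasons += [f"redirects off-site to {t}" for t in external_redirects(text)]
                if reasons:
                    findings[rel] = reasons
            elif name.endswith(".php"):
                hits = preg_replace_eval(text)
                if hits:
                    findings[rel] = [f"preg_replace with /e modifier: {p}" for p in hits]
    return findings


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="joomla-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_webroot(build_sample_tree()).items()):
        print(path)
        for reason in reasons:
            print("   ", reason)
```

To use it on a real site, call scan_webroot() with the web root instead of the constructed tree and extend expected_htaccess with every .htaccess the install legitimately ships. The preg_replace parser is deliberately simple (first string argument, letters after the closing delimiter), so treat its hits as leads to read by hand; the e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so any occurrence in a tmp or cache directory deserves a look.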

