[joomla] question about redirect - remediating hacked Joomla website
David Roth
davidalanroth at gmail.com
Tue Sep 4 17:18:59 EDT 2012
Hi Mark.
I'm so sorry to hear about someone doing this to your website.
I think you have done a noble job of damage control on this. You mentioned
it was on Joomla 1.5. If possible, I would create a new installation of
Joomla with 2.5 and do a migration if feasible. The concern to go to Joomla
2.5 is because of security. I don't know how your website was hacked, but
there have been security updates since 1.5.
You mentioned the .htaccess, the problem could be a re-write issue. Also,
check to see if the SEO stuff is on or off. I don't recall how 1.5 did this
or if you needed an extension to do it.
David Roth
On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masimko at verizon.net> wrote:
> I've fixed up a Joomla 1.5 based web site that was hacked to redirect to a
> malware site.
>
> I was not able to find any of the Joomla files changed, nor did I find any
> changes in the database.
>
> What I did find is that the .htaccess file was changed. In addition,
> several other .htaccess files were added in several subdirectories of the
> site.
> Also found several php files in the tmp directory with the redirect url
> encoded with a preg_replace function. The evaluation string had another
> string encased in single quotes inserted to it.
>
> I was able to ftp the whole site preserving the time stamps on the files.
> I removed all the .htaccess files and replaced the original one with an
> unadulterated one.
>
> that set most of the site back to normal. I have one persistent problem.
>
> I have looked through the database using string search, and I have
> replaced all the joomla core with newest version.
>
> And I've looked for index.html files that might be adulterated, but
> haven't found any.
>
> The problem ... (finally!)
>
> When I direct a browser to:
>
> http://affectedsite.com/adminstrator/index.php
>
> I can get to the administrator console.
>
> I cannot get to the admin console with
>
> http://affectedsite.com/administrator
>
> for that I get an error message in the browser window
>
> Illegal variable _files or _env or _get or _post or _cookie or _server or
> _session or globals passed to script.
>
> and the address in the browser is
>
>
> http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(donttry it)ru/frunleh?9
>
> Note the second malformed url inserted at the end!
>
> ======
>
> Does anyone know where I can look to find where this is coming from. I
> thought perhaps a plugin, but I haven't been able to find anything. I also
> checked for an index.html file, but none is there.
>
> Thanks,
> Mark
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/joomla/attachments/20120904/d55d8493/attachment.html>
More information about the Joomla
mailing list