[joomla] question about redirect - remediating hacked Joomla website

Scott Wolpow scott at wolpow.com
Tue Sep 4 19:36:27 EDT 2012


Shared Platforms are always at risk because of security.
In order to allow the user to upload via a webpage, the site has to be 
part of the Apache group.
Read this:
http://blog.stuartherbert.com/php/2007/11/21/the-challenge-with-securing-shared-hosting/

To really overcome this requires one of these:
1) Customizing Apache
2) Having very high server overhead
3) Kernel modification

Scott Wolpow


On 9/4/2012 5:53 PM, David Roth wrote:
> Scott, that's an interesting comment. Do you think on a shared hosting 
> account it's being hacked because of the permissions on the .htaccess 
> or possibly other files? Thanks!
>
> David Roth
>
> On Tue, Sep 4, 2012 at 5:49 PM, Scott Wolpow <scott at wolpow.com> wrote:
>
>     Each time I have found that hack it was on a shared hosting platform.
>     Though Blue Host and their sister companies have stepped up
>     security on this.
>     SW
>     On 9/4/2012 5:18 PM, David Roth wrote:
>>     Hi Mark.
>>
>>     I'm so sorry to hear about someone doing this to your website.
>>
>>     I think you have done a noble job of damage control on this. You
>>     mentioned it was on Joomla 1.5. If possible, I would create a new
>>     installation of Joomla with 2.5 and do a migration
>>     if feasible. The concern to go to Joomla 2.5 is because of
>>     security. I don't know how your website was hacked, but there
>>     have been security updates since 1.5.
>>
>>     You mentioned the .htaccess, the problem could be a re-write
>>     issue. Also, check to see if the SEO stuff is on or off. I don't
>>     recall how 1.5 did this or if you needed an extension to do it.
>>
>>     David Roth
>>
>>     On Tue, Sep 4, 2012 at 4:01 PM, Mark Simko <masimko at verizon.net> wrote:
>>
>>         I've fixed up a Joomla 1.5 based web site that was hacked to
>>         redirect to a malware site.
>>
>>         I was not able to find any of the Joomla files changed, nor
>>         did I find any changes in the database.
>>
>>         What I did find is that the .htaccess file was changed. In
>>         addition, several other .htaccess files were added in several
>>         subdirectories of the site.
>>         Also found several PHP files in the tmp directory with the
>>         redirect url encoded with a preg_replace function. The
>>         evaluation string had another string encased in single quotes
>>         inserted to it.
>>
>>         I was able to ftp the whole site preserving the time stamps
>>         on the files. I removed all the .htaccess files and replaced
>>         the original one with an unadulterated one.
>>
>>         That set most of the site back to normal. I have one
>>         persistent problem.
>>
>>         I have looked through the database using string search, and I
>>         have replaced all the Joomla core with the newest version.
>>
>>         And I've looked for index.html files that might be
>>         adulterated, but haven't found any.
>>
>>         The problem ... (finally!)
>>
>>         When I direct a browser to:
>>
>>         http://affectedsite.com/adminstrator/index.php
>>
>>         I can get to the administrator console.
>>
>>         I cannot get to the admin console with
>>
>>         http://affectedsite.com/administrator
>>
>>         for that I get an error message in the browser window
>>
>>         Illegal variable _files or _env or _get or _post or _cookie
>>         or _server or _session or globals passed to script.
>>
>>         and the address in the browser is
>>
>>         http://affectedsite.com/kunend/homepages/4/changed/htdocs/administrator/htttp://reltime2012(dont try it)ru/frunleh?9
>>
>>         Note the second malformed url inserted at the end!
>>
>>         ======
>>
>>         Does anyone know where I can look to find where this is
>>         coming from? I thought perhaps a plugin, but I haven't been
>>         able to find anything. I also checked for an index.html file,
>>         but none is there.
>>
>>         Thanks,
>>         Mark
>>
>     -- 
>     Scott Wolpow
>     718 275 7765
>     -------------------
>     I am participating in the
>     MS Charity Bike ride to raise
>     Money for this good cause,
>     can you please support my ride.
>     <http://main.nationalmssociety.org/site/TR/Bike/NYNBikeEvents?px=2240208&pg=personal&fr_id=18354>
>
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla

-- 
Scott Wolpow
718 275 7765
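
The manual checks described in the quoted report (extra .htaccess files in subdirectories, PHP files in tmp, preg_replace evaluating a string) together with the .htaccess permission question, as an added example that is not code from anyone in this thread. The names `scan` and `build_sample`, the sample tree and the reason strings are constructed for illustration, and the regex is a heuristic assumption about what the injected code looks like.

```python
import os
import re
import stat
import tempfile

# Heuristic: preg_replace() whose quoted pattern ends in flags containing "e"
# (the evaluate modifier). Encoded or concatenated patterns will evade it.
PREG_E = re.compile(rb"""preg_replace\s*\(\s*(['"])(\W)(?:(?!\1).)*?\2[a-z]*e[a-z]*\1""", re.I)

def scan(docroot):
    """Return sorted (relative_path, reason) findings for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name == ".htaccess":
                if rel_dir != ".":
                    findings.append((rel, "htaccess outside docroot top level"))
                if os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((rel, "htaccess group/world writable"))
            elif name.lower().endswith(".php"):
                if rel.split("/")[0] == "tmp":
                    findings.append((rel, "php file under tmp/"))
                with open(path, "rb") as fh:
                    if PREG_E.search(fh.read()):
                        findings.append((rel, "preg_replace with e modifier"))
    return sorted(findings)

def build_sample(root):
    """Constructed tree mimicking the layout described in the thread."""
    files = {
        ".htaccess": b"RewriteEngine On\n",
        "images/.htaccess": b"# constructed placeholder\n",
        "tmp/x.php": b"<?php preg_replace('/.*/e', 'placeholder', ''); ?>",
        "index.php": b"<?php echo preg_replace('/a/i', 'b', 'c'); ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o664 if rel == ".htaccess" else 0o644)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*(f"{rel}: {why}" for rel, why in scan(root)), sep="\n")
```

Run it against a downloaded copy of the site that preserves permissions and time stamps; every finding is a file to inspect by hand, not a verdict.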
