Churchill

Reputation: 1607

Joomla Hacked and redirecting to dndelectric website

I have searched in all my files for what could be redirecting or putting this malware into my sites, to no avail. Has anyone had this before? It's spread across multiple sites I have hosted. The common component with them is JEvents, but even the code for that has not been changed.

Is there a way I can block these requests from .htaccess?

Upvotes: 2

Views: 8446

Answers (4)

NomadeNumerique

Reputation: 482

For your next installation, you might want to consider also installing the host-based intrusion detection system OSSEC. It offers several security features, including file integrity checking, which would have detected the tampering of your .htaccess files. OSSEC is free and open-source.

Upvotes: 2

Michael Alexander

Reputation: 11

I experienced this same .htaccess hack on my shared hosting account. I had 5 sites running Joomla! v1.5 through 2.x. After hours of experimenting with permissions and every other conceivable way to thwart the malicious .htaccess files from regenerating, I found that two of my live Joomla! installs had mysterious .php files in the 'tmp' directory [joomla_root/tmp]. One file was named something like 'jos_AjnJA.php' and the other file was 'j.php'. I changed the permissions on those two files to 000, then once again restored my original .htaccess files to their respective folders. Presto! The .htaccess files finally did not get maliciously rewritten within minutes, as before. 24 hours later and everything is still working as it should on all my Joomla! installs.

I cannot stress enough: I am sure there are variations of this exploit, but do yourself a huge favor and first check all tmp folders on your Joomla! installs for any suspicious .php files!

Upvotes: 1

Dean Marshall

Reputation: 1825

You really need to take your site offline - actually remove the files from the server and identify what type of hack this is.

First though, I would suggest turning off JavaScript in your browser and visiting your page - do you still get redirected?

If not - then the problem is either:

a) a JavaScript file has been added to your site - or an existing JavaScript file has been edited. Examine all the .js files loaded in the page.

b) an SQL injection has added JavaScript directly into your articles (perhaps each and every article).

Assuming you ARE redirected while JavaScript is turned off - then you are looking at either:

a) an edited .htaccess file redirecting you elsewhere

b) an edited (or 'included') PHP file setting headers and taking you elsewhere.

Are any of the add-ons in your site(s) listed here: http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=joomla&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

You need to know whether it is only your site compromised or whether it is other sites on the server, or even whether the server itself has been taken over, and that is a question for your host. Immediate re-infection after rebuilding from a backup could mean:

a) a cron job has been set up to re-infect you at a set period

b) another account on the server is infected and is reaching out to re-infect others

c) your site was compromised previously (dropped files within the site) but these are sat dormant waiting for either an individual or a botnet to connect and take control

d) or that the server is totally compromised and the hacker just reconnects to re-infect

There are some steps you could take - but frankly this is one area where if you need to ask it is probably a sign you aren't equipped to deal with the issue without expert assistance.

  1. You could grep your files for likely file patterns: c99, r57, web shell, eval(base64_decode(, etc.

  2. You could scan for files with recent creation dates or recent modified dates/times.

     Files changed in the last x days (1 day in this case):

     ```shell
     find . -mtime -1
     ```

     Files changed between two dates:

     ```shell
     find . -type f -newermt "2010-01-01" ! -newermt "2010-06-01"
     ```

  3. You should scan log files for suspicious activity.

  4. You could download the files and let your anti-virus program scan them - this can give you a place to start (don't let it delete the files though, as their contents can give further clues).

  5. You should block access from known automated / scripted user agents (wget, libwww, etc.).

All in all though you could spend days battling this with no guarantee of success. My advice would be to get some assistance from a Joomla security expert.

Upvotes: 7

Hanny

Reputation: 2159

You'll probably have to really compare directories and if you can, the original installations of the extensions you used. Check directory permissions - if you see something with 777 or unusually high permissions then that could be a good start to where the problem may be originating from. Check error logs too that may point to something missing or something that has changed and is now throwing an error.

You want to try and identify the problem/malware/virus because it will help you with the next part.

Find the last backup before you were hacked that is a good valid copy, and go from there. Best bet is to completely get rid of the current site and restore from backup (fully) - assuming the backup doesn't contain the virus/malware.

Sometimes there will just be one or two lines of code added to existing lines of code that cause the redirect - these are tough to trace down and identify, but you can do it if you compare sizes and such. Just time consuming. I hope this information helps - good luck.

Also, it sounds like your whole server is compromised if it's spreading - do not use the same password for multiple sites, or the default username (admin). Always change the passwords and the username. If you leave the username default as 'admin', hackers already have 50% of the login figured out. Make it tough on them by changing the user name. Alert your host you've been hacked - they will help in these cases, and can keep it from spreading any further than your account. Change your passwords with that host, change the passwords for each site (preferably after you've cleaned the malware/virus).

Upvotes: 1
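Added example, not from any of the answers above and not a Joomla tool: a POSIX shell triage script that runs the checks the answers describe over a Joomla webroot - Dean Marshall's grep for web-shell markers and `find -mtime` for recently modified files, his edited-.htaccess case (a `Redirect`/`RewriteRule` to an absolute URL), Michael Alexander's check for .php files in tmp/, and Hanny's check for 777-style permissions. Everything it scans is a constructed sample webroot it builds itself; the marker list, the `attacker.invalid` hostname and the sample layout are assumptions for the demo.

```shell
#!/bin/sh
# Added triage helper (not from the original answers, not part of Joomla).
# Each check runs relative to the webroot so results print as ./path.
# The sample webroot, marker list and attacker.invalid host are constructed
# assumptions for the demo.
set -u

# Files mentioning common web-shell / obfuscation markers. Extend the list as
# you learn what this particular infection looks like.
find_shell_markers() {
    ( cd "$1" && find . -type f -name '*.php' \
        -exec grep -lE 'c99|r57|web ?shell|eval\(base64_decode\(|gzinflate\(|str_rot13\(' {} + )
}

# Files modified in the last N days (find -mtime -N, as in the answer above).
find_recent() {
    ( cd "$1" && find . -type f -mtime "-$2" )
}

# PHP files sitting in any tmp/ directory: Joomla's tmp/ should hold no code.
find_tmp_php() {
    ( cd "$1" && find . -type f -path '*/tmp/*' -name '*.php' )
}

# .htaccess files whose Redirect/RewriteRule target is an absolute URL,
# i.e. a redirect off-site rather than within the site.
find_htaccess_redirects() {
    ( cd "$1" && find . -type f -name '.htaccess' \
        -exec grep -lE '^[[:space:]]*(Redirect|RewriteRule)[[:space:]].*https?://' {} + )
}

# World-writable files and directories (777-style permissions).
find_world_writable() {
    ( cd "$1" && find . -perm -002 )
}

# Print a full report for one webroot; days defaults to 1.
scan_webroot() {
    root=$1; days=${2:-1}
    printf '== web-shell markers ==\n';                 find_shell_markers "$root"
    printf '== modified in last %s day(s) ==\n' "$days"; find_recent "$root" "$days"
    printf '== PHP in tmp/ ==\n';                       find_tmp_php "$root"
    printf '== .htaccess off-site redirects ==\n';      find_htaccess_redirects "$root"
    printf '== world-writable ==\n';                    find_world_writable "$root"
}

# Constructed sample webroot: an old clean index.php, a dropper in tmp/,
# a tampered .htaccess and a world-writable tmp/. Prints the directory path.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/components/com_jevents" "$root/tmp" "$root/images"
    printf '<?php defined("_JEXEC") or die; echo "clean";\n' > "$root/index.php"
    touch -t 201001010000 "$root/index.php"     # old, untouched file
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' > "$root/tmp/j.php"
    cat > "$root/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]
RewriteRule ^(.*)$ http://attacker.invalid/ [R=302,L]
EOF
    printf 'placeholder\n' > "$root/images/logo.txt"
    chmod -R go-w "$root"       # normalise, then make only tmp/ 777
    chmod 777 "$root/tmp"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sample_webroot)
    scan_webroot "$root" 1
    rm -rf "$root"
}
demo
```

Run it against a real site as `scan_webroot /path/to/joomla 3` after downloading the files to a machine you trust. The markers and the redirect pattern are deliberately broad; treat each hit as a lead to inspect, not a verdict, and keep the matching files for analysis rather than deleting them.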
