Website under attack ... help needed

[Carol Haynes]

A website I set up and host has been compromised but I am not sure what to do.

I can restore a backup before the attack but I really want to avoid it happening again.

The sits is based on Joomla. All frontend (public) pages redirect to random websites after about 15 seconds. In the backend this does not happen.

Anyone got any idea where to look for how this is happening?

I have looked at index.php and .htaccess and can't see any obvious changes in the code. Only two of us have admin rights on the website and the forum is not available without logging in. Even then normal uses are restricted to BBCODE and can't use any scripts or HTML. None of the site is open for comments.

The site is hosted under a CPanel account on a Linux server.

All passwords are long and random and the backend of the website uses a non-standard URL to get access with a 20+ character pin code just get to the login form.

Panicking a bit as I am a bit out of my depth with this sort of stuff.

[rgdot]

Header file (not index) injected with a redirect code is one likely source.

Often in an up to date, 'secure' install that is on a shared server, another user getting compromised is enough.

[Carol Haynes]

Header file (not index) injected with a redirect code is one likely source.

Often in an up to date, 'secure' install that is on a shared server, another user getting compromised is enough.

-rgdot (February 11, 2013, 04:14 PM)

It is on a VPS - I don't seem to have any other sites compromised.

When you say header file do you mean an insert file (sucha as a function file) in the template or somewhere else?

Trouble is I have no idea how to track this down. I can restore the site but without knowing what has happened it is just likely to happen again??

[mouser]

I have not much guidance to offer, just a few things:

1. take a deep breath.  these things happen.  don't panic don't stress too much.
2. if the exploit came because of a known issue that has been since patched, then updating your site software (joomla and extensions) will be sufficient after restoring from a backup.

the fact that this happens AFTER 15 seconds suggests to me that it's probably some javascript inserted into every page:

All frontend (public) pages redirect to random websites after about 15 seconds.

So,

visit a page with javascript disable do it doesnt redirect, view source, and identify the snippet of code causing the redirect.

then try to search+find files on your server that contain this code.

[wraith808]

^ I had it happen to me when I was using Joomla, and this was exactly what had happened, so good advice (and on the relaxing.  Easy to say, hard to do, but it works) 

[Carol Haynes]

Thanks I will take a look.

I have found a JPG in the root folder of the website that is not ours (relates to Memorial of Gaza Martyrs) which is a bit worrying.

[Carol Haynes]

Update: Doesn't seem to be Javascript - I disabled Javascript and it still redirects.

[wraith808]

replace the index file with a blank index file and see if it still redirects.

[40hz]

replace the index file with a blank index file and see if it still redirects.

-wraith808 (February 11, 2013, 04:48 PM)

+1. Check index.php to see if they've loaded a script in there that's generating urls. I've seen it done that way before. Unfortunately, that's only one of several ways to do this sort of hack.

There's a page on StackOverflow that discusses a similar hack. Look here. Some good suggestions for how to proceed and where to look.

You really need to take your site offline - actually remove the files from the server and identify what type of hack this is.

First though I would suggest turning off javascript in your browser and visiting your page - do you still get redirected?

If not - then the problem is either:

a) a javascript file has been added to your site - or an existing javascript file has been edited. Examine all the .js files loading in the page.

b) an sql injection has added javascript directly into your articles (perhaps each and every article

Assuming you ARE redirected while is javascript turned off - then you are looking at either: a) an edited .htaccess file redirecting you elsewhere b) an edited (or 'included') php file setting headers and taking you elsewhere.

<more>

Luck.

[Carol Haynes]

Thanks guys - all ideas really appreciated.

Suffering brain meltdown at the mo - I will continue in the morning when I am fresher!

[mouser]

I didn't realize it was possible to use standard html to redirect after some delay, but it seems it is:
see: http://stackoverflow...irect-from-html-page

In that case it sounds like you might want to search your files for:

[Select]

http-equiv="refresh"

[f0dder]

If it's not too massive amounts of data, be sure to grab a copy of the entire site (via FTP or similar) before you proceed. There's hacks out there that spit out different content to the "end-user" depending on various factors (this has been used to insert SEO-hack-crap only in case the "end-user" is a search engine bot - which means you would not see that if you check a hax0red site in your web browser).

[40hz]

The more significant challenge will be establishing whether it's just the website that's been hacked - or if the entire server has been compromised. If the Linux server is virtual (or not too heavily customized) I'd probably be more inclined to just load up a clean server image (or at least a 'known clean' webstack) after I got to the bottom of the problem with the website(s).

That's the real problem with getting hacked. It's often difficult or impossible to accurately determine exactly where and how far in they got.

[Rover]

Look @ .htaccess your file too.

I saw an attack where the injected code was not "seeable" via cat/less/vi.  All it did was inject porn images in place of the normal ones, but check everything.

[ewemoa]

That's the real problem with getting hacked. It's often difficult or impossible to accurately determine exactly where and how far in they got.

-40hz (February 11, 2013, 09:43 PM)

Would it be practical to compare files and directories from backups to see what might have changed?

[Carol Haynes]

Thanks everyone - the common thread to the sites that have been affected seem to be out of date Joomla installations. I don't as a matter of course update Joomla websites for clients when they won't pay for support so some are still on Joomla version 1.5, and some have to by necessity because they use extensions not available for 1.6 onwards.

Having updated the affected sites to 1.5.26 (the final version in the 1.5 lifecycle) and replaced the .htaccess on each site everything now seems to be back to normal.

I have a lot more accounts running other stuff and none of those seem to have been infected so it looks like a Jommla 1.5.22 and earlier vulnerability that has been exploited.

I am going to start migrating websites to Joomla 2.5 as soon as possible!

In the meantime I will download each site to my hard disk and scan against a factory install of Joomla 1.5.22 to look for differences.

What a PITA, but thanks everyone for so many suggestions and quick help last night - esp. Josh who worked through a lot of stuff with me via IM.

[Dormouse]

Thanks everyone - the common thread to the sites that have been affected seem to be out of date Joomla installations. I don't as a matter of course update Joomla websites for clients when they won't pay for support

-Carol Haynes (February 12, 2013, 04:11 AM)

I don't know what more you could be expected to do, so long as they are aware of the risk they take by not having their sites regularly updated by you. I'm not sure if you could offer an update service fee that would be lower than your support fee.

[wraith808]

Thanks everyone - the common thread to the sites that have been affected seem to be out of date Joomla installations. I don't as a matter of course update Joomla websites for clients when they won't pay for support

-Carol Haynes (February 12, 2013, 04:11 AM)

I don't know what more you could be expected to do, so long as they are aware of the risk they take by not having their sites regularly updated by you. I'm not sure if you could offer an update service fee that would be lower than your support fee.

-Dormouse (February 12, 2013, 07:39 AM)

This.  And perhaps a retainer so that when updates come around, it's not as large an expense.  I have a client that does this- pays me monthly a smaller amount, and when I have to do things, I take it out of that.