Website hacked?

Discussion about BCA's Internet Hosting Service
David Cooke
Site Admin
Posts: 303
Joined: Thu 29 Dec 2005 23:22
Location: Axbridge, Somerset, UK

Website hacked?

Post by David Cooke » Sun 28 Oct 2012 16:12

Mike wrote:Our HCCW site (hccw.org.uk) has developed a very annoying fault which I've not managed to fix. If you go to it a http://hccw.org.uk everything works fine, but if you use http://www.hccw.org.uk it redirects to a Russian search engine http://ya.ru The problem seems to be browser and OS dependent. It happens consistently with IE9 (both 32-bit and 64-bit) on Win 7, and sometimes with Firefox and Chrome on Win 7. It doesn't happen with Firefox on Ubuntu 12.04. Needless to say, most of the links to the site and the search engines come up with the non-working url and most of the users are using IE, so I'm getting lots of complaints.     

I've checked the DNS entries for http://www.hccw.org.uk and it's fine. The highlandmoos.org.uk and dyo.org.uk sites are also unaffected. What I have found is that something seems to have changed the .htaccess file, possibly a malicious hack. I don't really understand the htaccess file but what had been there was a fairly complicated affair created by Joomla! to protect the site from tampering. This seems to have been replaced by something that looks like it's intending to redirect references to search engines into ya.ru  I've tried to swap this back to the original by renaming files, leaving the incorrect version there as 'oldhtaccess' in my public_html directory. However, this hasn't fixed it (yet). I'm not sure if the Apache instance needs to be re-started to notice that the .htaccess file has changed or whether I'm off on completely the wrong tack.

Is it possible for me to re-start my Apache instance? Any ideas on how to fix this would be gratefully received as I'm getting lots of complaints from users.
Dave Cooke
BCA IT Working Party, BCA Web Services, National Cave Registry Co-ordinator, CSCC Webmaster

David Cooke
Site Admin
Posts: 303
Joined: Thu 29 Dec 2005 23:22
Location: Axbridge, Somerset, UK

Re: Website hacked?

Post by David Cooke » Sun 28 Oct 2012 16:21

Hi Mike,

yes you've been hacked. Be prepared for a tough time dealing with the little git!

Yes the .htaccess file is relevant. Currently I'm not getting the symptoms since it looks like you have restored the .htaccess file. I've set it's permissions to 644 rather than 777 which is safer.

The .htaccess file is re-read every time there is a request, so no need to restart Apache. Might be worth clearing the cache on your browser.

However that is unlikely to be the whole story. There is probably a vulnerability in your Joomla. Is it up to date?

I searched for recently added files. There are a few that look odd. I'll email you them separately.

It is worth considering how your hacker got in. Check your Joomla is as secure as possible. Are there any other parts of your site that might be insecure? Change your passwords.
Dave Cooke
BCA IT Working Party, BCA Web Services, National Cave Registry Co-ordinator, CSCC Webmaster

David Cooke
Site Admin
Posts: 303
Joined: Thu 29 Dec 2005 23:22
Location: Axbridge, Somerset, UK

Re: Website hacked?

Post by David Cooke » Sun 28 Oct 2012 16:39

Googling 'djeu84m' (found in the hacking .php), first link gives some useful info.

See http://forum.joomla.org/viewtopic.php?f ... w=previous
Dave Cooke
BCA IT Working Party, BCA Web Services, National Cave Registry Co-ordinator, CSCC Webmaster

Cris D
Posts: 1
Joined: Wed 27 Mar 2013 20:44

Re: Website hacked?

Post by Cris D » Sat 30 Mar 2013 22:29

Hi, I have had a similar issue where my site is being redirected to the same Russian search engine. I have never been hacked before, and I am not quite sure how to go about getting my site back online. I would really like to know how you were able to solve this issue? Would it help if I change my website hosting? Any help would be greatly appreciated as I am growing very frustrated. Thanks!
Last edited by Cris D on Sun 07 Apr 2013 17:32, edited 1 time in total.

David Cooke
Site Admin
Posts: 303
Joined: Thu 29 Dec 2005 23:22
Location: Axbridge, Somerset, UK

Re: Website hacked?

Post by David Cooke » Mon 01 Apr 2013 11:18

Hi Chis,

sorry, I can't directly help you since your site is not hosted on our server.

However the steps you need to take our the ones I mentioned in my post above.

Yes, that did resolve the problem but to some extent it depends how persistent your hacker is. No system is invulnerable, all you can do is make it so hard to hack it's not worth the effort.

Best of luck.
Dave Cooke
BCA IT Working Party, BCA Web Services, National Cave Registry Co-ordinator, CSCC Webmaster

Post Reply