Website hacked?
Posted: Sun 28 Oct 2012 16:12
by David Cooke
Mike wrote: Our HCCW site (hccw.org.uk) has developed a very annoying fault which I've not managed to fix. If you go to it at http://hccw.org.uk everything works fine, but if you use http://www.hccw.org.uk it redirects to a Russian search engine, http://ya.ru. The problem seems to be browser and OS dependent. It happens consistently with IE9 (both 32-bit and 64-bit) on Win 7, and sometimes with Firefox and Chrome on Win 7. It doesn't happen with Firefox on Ubuntu 12.04. Needless to say, most of the links to the site and the search engines come up with the non-working URL and most of the users are using IE, so I'm getting lots of complaints.
I've checked the DNS entries for http://www.hccw.org.uk and it's fine. The highlandmoos.org.uk and dyo.org.uk sites are also unaffected. What I have found is that something seems to have changed the .htaccess file, possibly a malicious hack. I don't really understand the htaccess file but what had been there was a fairly complicated affair created by Joomla! to protect the site from tampering. This seems to have been replaced by something that looks like it's intending to redirect references to search engines into ya.ru. I've tried to swap this back to the original by renaming files, leaving the incorrect version there as 'oldhtaccess' in my public_html directory. However, this hasn't fixed it (yet). I'm not sure if the Apache instance needs to be re-started to notice that the .htaccess file has changed or whether I'm off on completely the wrong tack.
Is it possible for me to re-start my Apache instance? Any ideas on how to fix this would be gratefully received as I'm getting lots of complaints from users.
Re: Website hacked?
Posted: Sun 28 Oct 2012 16:21
by David Cooke
Hi Mike,
Yes, you've been hacked. Be prepared for a tough time dealing with the little git!
Yes, the .htaccess file is relevant. Currently I'm not getting the symptoms since it looks like you have restored the .htaccess file. I've set its permissions to 644 rather than 777, which is safer.
The .htaccess file is re-read every time there is a request, so no need to restart Apache. Might be worth clearing the cache on your browser.
However that is unlikely to be the whole story. There is probably a vulnerability in your Joomla. Is it up to date?
I searched for recently added files. There are a few that look odd. I'll email you them separately.
It is worth considering how your hacker got in. Check your Joomla is as secure as possible. Are there any other parts of your site that might be insecure? Change your passwords.
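The checks described in the reply above (world-writable files such as a 777 .htaccess, recently changed files, and redirect rules that should not be there), as an added example that is not part of the original thread. The function names, the 7-day window, the `redirect.example` host and the demo file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of a web root after an injected .htaccess redirect.
# Function names, the 7-day window and the demo contents are assumptions.

# Files or directories that any local user can write to (mode 777, 666, ...).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Regular files modified within the last N days (default 7).
recently_changed() {
    find "$1" -type f -mtime "-${2:-7}" -print
}

# .htaccess lines that send visitors to a host other than the site's own,
# or that branch on the referrer or browser (redirects that fire only for
# some visitors). $1 is the web root, $2 the site's own domain.
suspicious_htaccess() {
    own_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    find "$1" -type f -name '.htaccess' -exec grep -HnEi \
        -e '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' \
        -e '^[[:space:]]*(RewriteRule|Redirect|RedirectMatch)[[:space:]].*https?://' \
        {} + | grep -vEi "https?://([a-z0-9-]+\.)*${own_re}([/:\"' ]|\$)" || true
}

# Build a constructed web root for a dry run (not the real site's files).
make_demo() {
    d=$(mktemp -d) && mkdir "$d/images"
    cat > "$d/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]
RewriteRule .* http://redirect.example/ [R=302,L]
RewriteRule ^old$ http://www.hccw.org.uk/new [R=301,L]
EOF
    printf '<?php /* constructed placeholder */ ?>\n' > "$d/images/x.php"
    chmod 777 "$d/.htaccess"; chmod 644 "$d/images/x.php"
    touch -t 201001010000 "$d/images/x.php"   # make this file look old
    printf '%s\n' "$d"
}

# Usage: sh triage.sh /path/to/public_html yourdomain.example
if [ "$#" -ge 2 ]; then
    world_writable "$1"; recently_changed "$1"; suspicious_htaccess "$1" "$2"
fi
```

A line that names both the site's own host and an external one is filtered out by the last `grep`, so read the whole .htaccess by hand whenever anything in it is flagged.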
Re: Website hacked?
Posted: Sun 28 Oct 2012 16:39
by David Cooke
Googling 'djeu84m' (found in the hacking .php), first link gives some useful info.
See http://forum.joomla.org/viewtopic.php?f ... w=previous
Re: Website hacked?
Posted: Sat 30 Mar 2013 22:29
by Cris D
Hi, I have had a similar issue where my site is being redirected to the same Russian search engine. I have never been hacked before, and I am not quite sure how to go about getting my site back online. I would really like to know how you were able to solve this issue? Would it help if I change my website hosting? Any help would be greatly appreciated as I am growing very frustrated. Thanks!
Re: Website hacked?
Posted: Mon 01 Apr 2013 11:18
by David Cooke
Hi Cris,
Sorry, I can't directly help you since your site is not hosted on our server.
However, the steps you need to take are the ones I mentioned in my post above.
Yes, that did resolve the problem but to some extent it depends how persistent your hacker is. No system is invulnerable, all you can do is make it so hard to hack it's not worth the effort.
Best of luck.