I have a site that I manage that was recently compromised and wanted to see if anyone had any ideas on how they were able to get in.
We noticed that there was a rewrite in our .htaccess file:
RewriteRule buy/(.*)/ ?item=$1
We also found in the includes/js/tabs/ folder a new unknown folder also called js. Inside of here were multiple PHP pages that have similar content in each (I removed the site name and replaced it with *** to protect the site). The code is below:
<?php
$site = stripslashes('di-software.net');
$progName = stripslashes('1Password 3 for Mac');
$progID = stripslashes('1Password-3-for-Mac.html');
$price = stripslashes('14.00');
$meta1 = stripslashes('Cheap OEM Software');
$meta2 = stripslashes('OEM Sale');
$meta3 = stripslashes('OEM Version');
$meta4 = stripslashes('Cheap');
$meta5 = stripslashes('License OEM Software');
$descr = stripslashes('Introducing the ImTOO iPhone with rendering and lighting Vista 7 1Password 3 for Mac an all in one. Choose exactly the type is an ideal choice M4A AAC AC3 and. You can splittrim video XP 2003 for video production enabling is supported for you to preview the original AMR and SUN AU. Support Windows all When an impressive tool that enables you to backup. Supports various MP3 very useful if a videos automatically from YouTube burning music CD directly monitoring your online activity. All reports are generated with lightning <strong>1Password 3 for Mac</strong> and its approachable exterior lies by Windows AddRemove program. Morever this BlackBerry Movie backup software with flexible but Uninstall Expert can XP+SP2 XP+SP3 Windows XP Professional x64 Edition (64 of the most versatile video by building in Storm BlackBerry 9530 Storm an easy <strong>1Password 3 for Mac</strong> use. Still users can pick or WMAs seamlessly or Cookies button to wipe.');
$link1 = stripslashes('<a href="http://***/buy/adobe-photoshop-cs4-extended/">Adobe Photoshop CS4 Extended</a>');
$link2 = stripslashes('<a href="http://***/buy/joboshare-mobile-phone-video-converter/">Joboshare Mobile Phone Video Converter</a>');
$link3 = stripslashes('<a href="http://***/buy/lynda-autocad-2010-new-features/">Lynda AutoCAD 2010 New Features</a>');
$link4 = stripslashes('<a href="http://***/buy/guitar-pro-5/">Guitar Pro 5</a>');
$country = stripslashes('UK');
include('func.php');
include('log.php');
?>
If you have seen anything like this or have any information this would be greatly helpful.
Hi, it looks like someone is trying to hijack your website with a spoofing / spam scam of some kind. I would immediately delete all of these extra files and change all of your passwords - Joomla, Hosting, Database, FTP, cPanel, etc. - every single password. Also, double check your hosting and make sure there were no additional FTP accounts or subdomains set up on your account; if there were, delete them. Final thing is to check the .htaccess file for modifications, or just upload a new one from a Joomla package.
Unfortunately, the info you have provided here doesn't give any insight into how they got in. If you have an idea of when this happened, you can check the server logs for file activity. That may point to an out-of-date extension that was compromised; if so, update or get rid of the extension. If your Joomla version isn't current, that may be how they got in.
I would install Akeeba Admin Tools, which is free, and use that to secure your site. The paid version offers more security features and it's pretty cheap. Make some changes and see if they hold, usually the hackers will come back so it can turn into a chess match until you figure out how they got in. Keep clean backups of everything to restore just in case. Hope that helps.
The difficult we do immediately, the impossible takes a little longer.
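The checks suggested in the reply above, written out as shell helpers. This is an added example, not part of the original posts: the function names are hypothetical, the baseline is assumed to be the htaccess.txt from a clean Joomla package, and the sample tree is constructed to mirror the layout described in the thread.

```shell
#!/bin/sh
# PHP files under a directory that should hold only static assets,
# e.g. includes/js, where the injected pages in this thread were found.
php_in_asset_dir() {
    find "$1" -type f -iname '*.php' | sort
}

# Rewrite directives in the live .htaccess ($1) that are absent from a
# known-good baseline ($2). Output is "<line number>: <directive>".
added_rewrite_rules() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        tolower($0) !~ /^rewrite(rule|cond)[ \t]/ { next }
        FILENAME == ARGV[1] { known[$0] = 1; next }
        !($0 in known) { print FNR ": " $0 }
    ' "$2" "$1"
}

# Files under $1 modified after timestamp $2 (touch -t format, YYYYMMDDhhmm),
# to narrow the window before reading the access and FTP logs.
changed_since() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    find "$1" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# Constructed sample tree (not real site data) for trying the helpers.
make_sample_site() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/includes/js/tabs/js"
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$root/htaccess.txt"
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nRewriteRule buy/(.*)/ ?item=$1\n' > "$root/.htaccess"
    echo '/* tabs */' > "$root/includes/js/tabs/tabs.js"
    echo '<?php /* placeholder */' > "$root/includes/js/tabs/js/page1.php"
    touch -t 200901010000 "$root/htaccess.txt" "$root/includes/js/tabs/tabs.js"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    php_in_asset_dir "$site/includes/js"
    added_rewrite_rules "$site/.htaccess" "$site/htaccess.txt"
    changed_since "$site" 201001010000
    rm -rf "$site"
fi
```

Modification times can be reset by whoever wrote the files, so treat the `changed_since` output as a lead for the log review rather than a complete list.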