Warning: Something's Not Right Here!


#21

Sure you fixed it?:

$ date
Sat Mar 24 21:04:26 PDT 2012
$ wget -O - --header "Referer: http://www.google.com" http://ppmegahelpsite.org | more
--2012-03-24 21:04:28--  http://ppmegahelpsite.org/
Resolving ppmegahelpsite.org... 208.97.136.162
Connecting to ppmegahelpsite.org|208.97.136.162|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://ca-ba.ru/example/status.php [following]
--2012-03-24 21:04:28--  http://ca-ba.ru/example/status.php
Resolving ca-ba.ru... 95.163.67.212
Connecting to ca-ba.ru|95.163.67.212|:80... connected.
HTTP request sent, awaiting response... 200 OK

2012-03-24 21:04:29 (6.80 MB/s) - `-' saved [121]

<html>
<head>
<script type="text/javascript">
location.replace("http://so-me.ru/in.cgi?7");
</script>
</head>
</html>

#22

It did appear to be fixed, but it seems you’ve been re-exploited. If you’re online now I’ll give you a hand to check for any remote shells on the account. If not, take a look through your logs when you get back on as they will likely give you an idea of who’s doing what, and how.


#23

[quote=“sXi, post:22, topic:57317”]
If you’re online now I’ll give you a hand to check for any remote shells on the account.[/quote]

You, sir, are very kind!


#24

I’m facing the exact same issue / exploit.

I’ve disabled the shell account from the DH panel allowing only ftp access and changed the password.
I then deleted a number of the edited .htaccess files, but still new ones are generated.

I’ve gone through the wikis, but I can’t seem to find anything changed other than the .htaccess files.

Any good suggestions?
Thanks in advance,
-Martin


#25

See this post for help. There’s a “quick fix” - but as you can read from the post, it’s not recommended.
http://forum.joomla.org/viewtopic.php?f=432&t=705101


#26

When something doesn’t actually fix anything, one should probably refrain from using the term :wink:


#27

sXi, you’re right. Anyway, a quick update on the situation.
I removed the tmp/joscore.php file and deleted the .htaccess files in the web root and account root. Then I updated Joomla to the latest version, and the account hasn’t been re-infected.

And surely updated ftp/ssh user and db passwords.

For what it’s worth - that’s my solution so far.
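
A defender-side version of the two checks this thread relies on, the Referer test from post #21 and a look through .htaccess files for the injected rules mentioned in posts #24 and #27, as an added Python example that is not from the original thread. The sample .htaccess text, the attacker.example and site.example hosts are constructed placeholders.

```python
# Added example, not from the thread; all domains and sample rules are constructed.
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed .htaccess: one benign rule, then an injected conditional redirect.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^index\\.html$ / [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule .* http://attacker.example/status.php [R=301,L]
"""
SEARCH_ENGINES = re.compile(r"google|bing|yahoo|aol", re.I)

def scan_htaccess(text):
    """Off-site RewriteRule targets guarded by a search-engine Referer condition."""
    hits, referer_cond = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("RewriteCond") and "HTTP_REFERER" in line:
            referer_cond = referer_cond or bool(SEARCH_ENGINES.search(line))
        elif line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) >= 3 else ""
            if referer_cond and target.startswith(("http://", "https://")):
                hits.append(target)
            referer_cond = False  # RewriteConds only guard the next RewriteRule
    return hits

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx; we want the first Location header

def first_location(url, referer=None):
    """Location header of the first response, or None if the site did not redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    try:
        return opener.open(req, timeout=10).headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")  # the unfollowed 3xx lands here

def cloaked_offsite_redirect(site_url, plain_loc, referred_loc):
    """True when only the request carrying a search-engine Referer leaves the site."""
    home = urlsplit(site_url).hostname
    offsite = lambda loc: loc is not None and urlsplit(loc).hostname not in (None, home)
    return offsite(referred_loc) and not offsite(plain_loc)
```

To repeat the wget test from post #21 against your own site, call first_location(site, None) and first_location(site, "http://www.google.com/") and pass both results to cloaked_offsite_redirect(); a True result means the redirect is shown only to search-engine visitors, which is why the site looks fine when you open it directly.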


#28

Very good advice to anyone affected :slight_smile:

Another important thing to check is that any themes and modules we use are not listed as vulnerable (Google will help here).