The British Caving Association

 Post subject: Website hacked?
PostPosted: Sun 28 Oct 2012 16:12 
Site Admin

Joined: Thu 29 Dec 2005 23:22
Posts: 290
Location: Axbridge, Somerset, UK
Mike wrote:
Our HCCW site (hccw.org.uk) has developed a very annoying fault which I've not managed to fix. If you go to it at http://hccw.org.uk everything works fine, but if you use http://www.hccw.org.uk it redirects to a Russian search engine, http://ya.ru. The problem seems to be browser and OS dependent. It happens consistently with IE9 (both 32-bit and 64-bit) on Win 7, and sometimes with Firefox and Chrome on Win 7. It doesn't happen with Firefox on Ubuntu 12.04. Needless to say, most of the links to the site and the search engines come up with the non-working URL and most of the users are using IE, so I'm getting lots of complaints.

I've checked the DNS entries for http://www.hccw.org.uk and it's fine. The highlandmoos.org.uk and dyo.org.uk sites are also unaffected. What I have found is that something seems to have changed the .htaccess file, possibly a malicious hack. I don't really understand the htaccess file but what had been there was a fairly complicated affair created by Joomla! to protect the site from tampering. This seems to have been replaced by something that looks like it's intending to redirect references to search engines into ya.ru. I've tried to swap this back to the original by renaming files, leaving the incorrect version there as 'oldhtaccess' in my public_html directory. However, this hasn't fixed it (yet). I'm not sure if the Apache instance needs to be re-started to notice that the .htaccess file has changed or whether I'm off on completely the wrong tack.

Is it possible for me to re-start my Apache instance? Any ideas on how to fix this would be gratefully received as I'm getting lots of complaints from users.

_________________
Dave Cooke
BCA Web Services, National Cave Registry Co-ordinator, CSCC Treasurer


 Post subject: Re: Website hacked?
PostPosted: Sun 28 Oct 2012 16:21 
Hi Mike,

Yes, you've been hacked. Be prepared for a tough time dealing with the little git!

Yes, the .htaccess file is relevant. Currently I'm not getting the symptoms since it looks like you have restored the .htaccess file. I've set its permissions to 644 rather than 777, which is safer.

The .htaccess file is re-read every time there is a request, so no need to restart Apache. Might be worth clearing the cache on your browser.

However that is unlikely to be the whole story. There is probably a vulnerability in your Joomla. Is it up to date?

I searched for recently added files. There are a few that look odd. I'll email you them separately.

It is worth considering how your hacker got in. Check your Joomla is as secure as possible. Are there any other parts of your site that might be insecure? Change your passwords.

_________________
Dave Cooke
BCA Web Services, National Cave Registry Co-ordinator, CSCC Treasurer
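
The checks this reply describes (redirect rules in .htaccess, 777 permissions, recently added files), as an added example that is not part of the original post or the site's own tooling. The function names, the constructed sample .htaccess and the 30-day window are assumptions.

```python
import os, re, stat, sys, time

# Constructed sample of a tampered .htaccess (referrer-conditioned off-site
# redirect, as the thread describes); it is not the file from the affected site.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://ya.ru/ [R=302,L]
RewriteRule ^index\\.html$ /index.php [L]
"""

def external_redirects(text, own_hosts):
    """Return (line_no, host, referer_conditioned) for rules that send visitors off-site."""
    findings, referer_cond = [], False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.match(r"RewriteCond\s+%\{HTTP_REFERER\}", s, re.I):
            referer_cond = True
        elif re.match(r"(RewriteRule|Redirect\w*)\s", s, re.I):
            m = re.search(r"https?://([^/\s:\]]+)", s, re.I)
            host = m.group(1).lower() if m else ""
            # Targets built from %{HTTP_HOST} stay on the requesting site.
            if host and not host.startswith("%") and host not in own_hosts:
                findings.append((n, host, referer_cond))
            referer_cond = False  # conditions apply only to the next RewriteRule
    return findings

def audit_webroot(root, days=30, now=None):
    """Return (world_writable_paths, files_modified_within_days) under root."""
    now = time.time() if now is None else now
    writable, recent = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about the target
            if st.st_mode & stat.S_IWOTH:
                writable.append(path)  # e.g. mode 777 where 644 would do
            if stat.S_ISREG(st.st_mode) and now - st.st_mtime < days * 86400:
                recent.append(path)
    return sorted(writable), sorted(recent)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(audit_webroot(root))
    print(external_redirects(SAMPLE_HTACCESS, {"hccw.org.uk", "www.hccw.org.uk"}))
```

Modification times can be reset by whoever wrote the files, so an empty "recent" list does not clear a site; comparing against a known-good copy of the CMS is the stronger check.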


 Post subject: Re: Website hacked?
PostPosted: Sun 28 Oct 2012 16:39 
Googling 'djeu84m' (found in the hacking .php), first link gives some useful info.

See http://forum.joomla.org/viewtopic.php?f=432&t=746279&view=previous

_________________
Dave Cooke
BCA Web Services, National Cave Registry Co-ordinator, CSCC Treasurer


 Post subject: Re: Website hacked?
PostPosted: Sat 30 Mar 2013 22:29 

Joined: Wed 27 Mar 2013 20:44
Posts: 1
Hi, I have had a similar issue where my site is being redirected to the same Russian search engine. I have never been hacked before, and I am not quite sure how to go about getting my site back online. I would really like to know how you were able to solve this issue? Would it help if I change my website hosting? Any help would be greatly appreciated as I am growing very frustrated. Thanks!


Last edited by Cris D on Sun 07 Apr 2013 17:32, edited 1 time in total.

 Post subject: Re: Website hacked?
PostPosted: Mon 01 Apr 2013 11:18 
Hi Cris,

Sorry, I can't directly help you since your site is not hosted on our server.

However, the steps you need to take are the ones I mentioned in my post above.

Yes, that did resolve the problem but to some extent it depends how persistent your hacker is. No system is invulnerable, all you can do is make it so hard to hack it's not worth the effort.

Best of luck.

_________________
Dave Cooke
BCA Web Services, National Cave Registry Co-ordinator, CSCC Treasurer

