#26
Only got this problem so far on my Mambo install on taurus.
My Joomla install still looks OK. Noticed also that my index.php files from the templates were changed on the 6th of Jan, while I haven't been on that side of Mambo for a month or so.
Last edited by tabaqui; 01-09-2006 at 04:01 AM.
#27
Even if your sites are operating OK, I would check the files in your website. They might have injected code into your files that are writable, and they are injecting .htaccess files and redirecting to their ad pages; check your 404 pages also. I'm putting in a support ticket today...
#28
Filled in a support ticket today: HOV-97696-345.
Joomla site is also infected, same as my Coppermine gallery. Now walking through every other site I'm hosting.
#29
Could be a MySQL upgrade. When I transferred over, my MySQL database was a newer version than what was being run on the server I was on. HG had to upgrade the server's MySQL to fix the problem. They might have upgraded your versions of MySQL, causing the sites to show blank pages.
#30
Quote:
The errors I was getting were because the last line on my pages with public write permissions was stripped off, making the code on that page fail. I have the files they injected. They are base64 encoded so you can't see what's coded on them.
#31
I hope we will find a solution fast. Anyway, whether it's a server hack or a PHP conflict, it's still HG's problem, and at this moment I can't see anyone from HG who gives support. If I want to restore my account I have to pay 15 dollars for something that is not my mistake.
I hope someone from HG will respond.
#32
The only response I received from support was that I could back up using their system at $15 per backup, which isn't going to happen. Nothing about what happened or whether there is still a security issue or not.
I've got all but one website up so far. I'll be migrating them to another server soon.
#33
Anybody been able to trace the IP range where this attack originated from? I would like to block them in cpanel.
#34
I would like to know that also. Can someone figure it out? Then I can block him also.
#35
I just dealt with 20 Mambo sites with this problem yesterday and am still finishing them off today. We are on the Mazda server. I have some sites on the Acura server and they seem to be fine.

So, the problem occurs in every directory where you have 777 permissions and every file where you have 777 permissions. What this hacker's script does: in the directory, the script places 3 files, which you can usually tell by the timestamp, but they are not always named the same. Some examples are guest.php, include.php and always .htaccess. It also searches through 777 files and injects some code so that when your Mambo site loads, it calls the other files it has placed on your server. It does this in EVERY world-writable directory and file it can find in your account.

For the majority of Mambo sites, if you enter your mambots/ directory and clear out the files in that folder, it should bring your website up. If you are seeing errors in the PHP code, you have bigger problems and will either have to get Hostgator to restore (usually if you have special components, this will be necessary) or, if you haven't got any special modules, components etc. installed, you can probably do the following:

a) Go to cPanel and download a backup of your home directory **very important**
b) Delete everything EXCEPT your templates/ directory and your configuration.php file
c) Download from mamboforge or the joomla website the exact version of Mambo/Joomla you had installed
d) Rename your templates directory to templates_ and configuration.php to configuration.php_
e) Upload it (some people may not know you can upload the zip / tar.gz file and then use cPanel File Manager to unzip it on the server.. a big time saver)
f) Delete the templates/ directory and configuration.php that the new install of Mambo / Joomla placed there
g) Rename your files back to original (reverse of what you did in step d)

If you had quite a few special modules / components installed, you are better off paying your $15 to Hostgator to have the site restored; if you only have one or two components, try this:

a) Unzip your backup copy on your local machine using WinRAR http://www.rarlab.com/ or something else that can handle .tar.gz format.
b) Go to the components/, administrator/components/ and modules/ directories and upload the files and folders that are related to the modules and components you had installed
c) FTP them to the equivalent directory on your Mambo / Joomla installation on your server.
d) Some of these files may have been corrupted by the hackers, so go and check your website, both in the frontend and the admin area.. check every menu etc.
e) As you receive any error, have a look at what file/component it is referring to and go and download this component again from Mamboforge... Make SURE you get the same version from Mamboforge as what you originally used on the site.
f) Unzip the module/component or whatever on your local machine and upload the file that is causing the error, overwriting the file that is on the server

As for protecting your Mambo / Joomla site for the future.. aah, that is a difficult one. You see, when you FTP or use cPanel File Manager, the correct permissions are granted to your files and folders.. and if the Apache server ran as your user, everything would be fine and dandy.. but it doesn't.. for 'security' reasons, it runs as a user called 'nobody', and this is where our problem is. You see, with Mambo, we have to give 'nobody' permissions to write certain files and directories, but when we do that via FTP, we can't choose the USER or GROUP 'nobody', so we have to give 'EVERYONE' write permissions.

Now, using something like php-shell, a user can get command-line access to the server running as the user 'nobody' also.. then that user can also run scripts and has the same permissions as the Apache server, just as we have seen in the past 2 days, that can search for all the world-writable files and folders and add/modify what it wants, as it pleases.

How can we trace and 'block' this person? It is VERY difficult.. even from Hostgator's position.. this is the reality, folks. All this person needs is to be able to enter 1 person's account.. and each server might have 1000 accounts. IF he enters 1 account.. and uploads the php-shell script (or other varieties thereof), he now has access to do what he wants with our sites. I run some dedicated servers myself.. and it's a ******* of a job to keep these guys out. There are thousands of them and one of you.. There are thousands of potential holes in servers and you don't have control of what people set their passwords to.. so the odds are against you and Hostgator.

Now.. here's the bit that can save your ass. When you are 'finished' developing your Mambo / Joomla website.. go to every folder and change the 777 permissions to 755 permissions.. and every file that has 777 permissions to 644 permissions. Keep track of this.. write it down. Because when you need to upload a new component or template or module, you will need to, 'guess what?' yes, that's right.. reset the permissions to 777 again, and once you are done with your modifications, reset them back to 755/644. You may get 'stuck' with this, because what happens is that when you upload files and folders via Mambo, they now have the same permissions as the Apache user and you may not have access to them. From Mambo 4.5.1 (maybe 4.5.2?) upwards there is a part in the Global Site Configuration dealing with file permissions that can help with this.

Also a great component here: http://mamboforge.net/projects/mamboxplorer/ that can help you deal with these problems because, as I explained.. it executes its permission changes as the 'nobody' user.

So, it's a usability vs. security problem. It's not NECESSARILY Hostgator's fault, although they should have something monitoring scripts that run for longer than XX seconds.. I see the changes to my own Mambo sites occurred over a 2 hour period.. and I am certain the server load would have increased while the scripts were running. Hostgator's techs should be notified when this occurs and be able to respond rapidly.

It's very difficult to trace where this IP address comes from.. because our sites haven't been hacked from the 'frontend' but rather we have been hacked from the backend.. anyway, even if we did block the IP address... they could have done this from another Hostgator server.. ie: connect to Hostgator server A.. then connect to Hostgator server B and start making all the changes... the only 'activity' is seen coming from another Hostgator server.. and what's the use of blocking that?
Last edited by salubrium; 01-09-2006 at 04:49 PM. Reason: Addition
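An added example (not code from the thread, from Mambo/Joomla, or from Hostgator) of the clean-up and re-locking that salubrium's post describes and that #30 touches on: a POSIX sh audit of a web root that lists the world-writable "777" surface the script abused, flags entries changed since a reference time (so dropped guest.php / include.php / .htaccess stand out by timestamp), greps PHP files for runtime base64 decoding, and then resets directories to 755 and files to 644. The demo tree it builds is constructed for illustration; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mambo/Joomla: a defender's
# audit of a web root along the lines salubrium describes above. It lists the
# world-writable ("777") surface the script abused, flags files changed since a
# reference time (dropped guest.php / include.php / .htaccess stand out by
# timestamp), greps for base64-wrapped PHP (#30), and re-locks 755/644.
# Assumes POSIX find(1)/chmod(1); the demo tree below is constructed.

# Every world-writable file or directory below $1 (mode has the o+w bit set).
audit_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) -print
}

count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Entries modified after reference file $2 (create it with: touch -t YYYYMMDDhhmm ref).
modified_since() {
    find "$1" -newer "$2" \( -type f -o -type d \) -print
}

# PHP files that decode base64 at runtime, the wrapper #30 saw on injected files.
find_base64_php() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} +
}

# Re-lock only what is world-writable: directories to 755, files to 644.
harden_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Constructed demo tree mimicking the layout in the thread; prints its path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mambots" "$root/templates"
    printf '<?php echo "clean";\n' > "$root/index.php"
    printf '<?php echo base64_decode("Li4u");\n' > "$root/mambots/include.php"
    printf 'ErrorDocument 404 /mambots/include.php\n' > "$root/mambots/.htaccess"
    chmod 777 "$root/mambots" "$root/mambots/include.php" "$root/mambots/.htaccess"
    chmod 755 "$root/templates"
    chmod 644 "$root/index.php"
    printf '%s\n' "$root"
}
```

Run `audit_world_writable /home/youraccount/public_html` before and after `harden_world_writable` on a real install; the second listing should be empty, and anything `modified_since` reports that you did not change yourself deserves a look.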
#36
Wow... that's a very extensive post, salubrium... thanks!
#37
Shameless plug: If you ever need some Joomla / Mambo work done.. think of me
#38
Most backups from HG won't help, since most sites were hacked on the 6th or 7th if you look at the file dates.
HG's backups are rotated on the weekend, so they only have backups which include the hacked files. Now already 10 hours busy with reinstalling everything on 2 Joomla installs and checking every other site I have. The only problem I have is that in some directories Apache needs write access, so I don't like the setup of Apache in group nobody.
#39
15 minutes ago all my sites went down again...
What happened?
#40
Have you made sure to delete every file before you restored? I had a few files that wouldn't delete, so I manually deleted the contents of each file and moved them to a folder above my root.
I hope mine don't get hacked again; I think I set my permissions correctly. Sorry this has happened to you, Kostas.
#41
This is also happening to Invision Power Board files as well.