2

My website has been hacked again. There are many foreign URLs such as here.

I've checked the database and there is nothing strange in my database. Does anyone know what kind of hack attack is like this?

Then I have to execute all files with exit (); and I quit "on /libraries/import.legacy.php".

If I give exit () under

JLoader :: register ('JRoute', JPATH_PLATFORM. '/joomla/application/route.php');

the result is that my website is still able to walk, but with the strange link.

But if I give exit() in the above

JLoader :: register ('JRoute', JPATH_PLATFORM. '/joomla/application/route.php')

The result is that the website stops.

this my error log

Software: Joomla Platform 12.2.0 Stable [ Neil Armstrong ] 21-September-2012 00:00 GMT

#Fields: datetime   priority    category    message
2014-02-07T09:50:19+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-02-20T02:46:05+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-02-20T19:49:05+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-02-25T14:25:09+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-02T09:51:23+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-03T03:47:15+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-04T09:36:38+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-04T09:36:58+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-05T04:14:22+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-05T12:27:10+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-09T01:17:12+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-11T15:03:30+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.
2014-03-11T15:03:38+00:00   INFO    joomlafailure   Username and password do not match or you do not have an account yet.


i found this.. Resolve..

$word = "b" . "a" . "s" . "e" . "6" . "4" . "_" . "d" . "e" . "c" . "o" . "d" . "e";
$wp1 = "g" . "z" . "u" . "n" . "c" . "o" . "m" . "p" . "r" . "e" . "s" . "s";
eval/**test*/(/**test*/$wp1/**test*/(/**test*/$word('Code)));

Thank you all

  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Jens Erat Mar 11 '15 at 09:15
  • i do restore and i have same result. that link stop if give exit() in the above JLoader :: register ('JRoute', JPATH_PLATFORM. '/joomla/application/route.php'); – Evelyn Raditya Mar 11 '15 at 09:27
  • @JensErat As the question is about a specific type of target (Joomla), I think it should not be closed as a duplicate of the canonical question. – S.L. Barth Mar 11 '15 at 09:29
  • can you explain this problem mr.@S.L.Barth .. I was very confused to explain my problem^,^ thank you – Evelyn Raditya Mar 11 '15 at 10:51
  • I'm voting to close this question as off-topic because there are not enough details to provide an answer. Posting relevant error logs, and/or details on how you determined you were hacked would help. – RoraΖ Mar 11 '15 at 11:20
  • If you think my edit was wrong, you can undo it: click on the "edited ... ago" link. That takes you to the edit history. There you can roll back to a previous version. – S.L. Barth Mar 11 '15 at 11:41
  • I'm not familiar enough with Joomla to help you explain the problem better, I'm afraid. But as @raz says, it might help if you have relevant logs. You can edit them into the question using the "edit" link. – S.L. Barth Mar 11 '15 at 11:43
  • @raz . pls open my link url sir.. link did not come from database. and also the existing content on the website. can you understand sir? – Evelyn Raditya Mar 11 '15 at 11:45

2 Answers2

3

JRoute is the module tasked with dealing with internal urls. The evil code is hooking there to make such urls show their spam page.

You could see what they changed by comparing the files with the official ones from Joomla. In the end, you should replace the compromised Joomla php files with the original ones.

Ángel
  • 18,188
  • 3
  • 26
  • 63
  • i use git. if there are different would be found out. Thank you.. :-) . I am still looking for strange files outside of public_html. like in tmp folder on the root. – Evelyn Raditya Mar 11 '15 at 09:40
  • Maybe the evil code is in the settings file? Perhaps then referencing some other file not tracked by git, but the initial hook should be inside Joomla. Also look at .htaccess files, but doesn't seem the case. – Ángel Mar 11 '15 at 10:05
  • The first injected, the most clean I have ever tasted. the problem, this url is more than 200 who had been my detection. such as mirroring curl or another. but why the result is very clean. only in the content body. LOL. I also had to print all the requests. and the result is nothing strange incoming transfers. K2 plugin only a rather strange ... i will found the evil code :-( – Evelyn Raditya Mar 11 '15 at 10:27
-2

You read like a Markov chain generator, hopefully its just translation software and not a not invasion :)

A modified .htaccess file could be the source of your unwanted URL/content. I would also recommend that you run joomscan on your website to check for known vulnerabilities.

wireghoul
  • 5,755
  • 2
  • 17
  • 26
  • . i will test with joomscan thank you :-) I still redict the page .. and you can not see the page.. sorry:-).. if you want to see I will open it back. – Evelyn Raditya Mar 11 '15 at 22:26