
Hey world - hopefully this helps other hosts out there. We just learned of a spam hack that took place. Although the holes aren't completely patched, I have a good temporary workaround until we can do more research.  This hack is brand new and involves Joomla sites and a file called writedoor2.php.

Here are some files you'll see in every Joomla installation if you are vulnerable:

/home/USERNAME/public_html/modules/footer_t.php
/home/USERNAME/public_html/modules/defaults.php
/home/USERNAME/public_html/modules/mod_mainmenu/extra/
     extra/feed3.php  extra/index.php  extra/mi.php  extra/writedoor2.php

The easy files to find are writedoor2.php, mi.php and footer_t.php.

These files combine to insert code at the top of your site with links to hidden menu items on YOUR site that are full of spam link html files.  The link will probably be at the top of the page, visible with a view-source.

If you don't want to restore hundreds of sites from backups on a whim, I came up with a very basic workaround.

Be sure you understand ROOT access and the console.  Do NOT break your server and complain on forums.  If you want my help you can call our office and ask for Troy.

Step 1.

# locate footer_t.php

You will get an output showing all the paths this file is in.  Copy this entire output to notepad.

Step 2.

# mkdir /root/hackfix
# touch /root/hackfix/defaults.php
# touch /root/hackfix/footer_t.php

Hopefully these files will have only read permissions by default, so the hackers can't write over them. They are blank, so including them in your sites will have no effect.

Step 3.

In notepad, do a replace: take the string /home/ and replace ALL with:

/bin/cp /root/hackfix/* /home/

and replace /footer_t.php with /

Step 4.

Paste the first line into your console and make sure that site is 'patched' - if it worked, paste in the whole file.

This is a workaround.

Hopefully someone with scripting skills can comment on a version of this process that is like one Linux command.
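
A scripted form of steps 1 to 4, added here as an example and not the author's own script: it uses find instead of locate, blanks footer_t.php and defaults.php in place wherever footer_t.php is found under a modules directory, and keeps a copy of each original first. The function name, its arguments and the evidence directory are assumptions.

```shell
#!/bin/sh
# Added example: scripted form of steps 1-4. The function name, its arguments
# and the evidence directory are assumptions, not part of the original post.

blank_dropped_files() {
    home_root=${1:-/home}                  # tree to search
    mode=${2:-report}                      # "report" lists, "fix" blanks
    evidence=${3:-/root/hackfix/evidence}  # originals are copied here first
    list=$(mktemp) || return 1
    # find walks the live filesystem; the locate database can be stale
    find "$home_root" -type f -path '*/modules/footer_t.php' > "$list"
    n=0
    while IFS= read -r hit; do
        dir=$(dirname "$hit")
        for name in footer_t.php defaults.php; do
            target=$dir/$name
            # only regular files; never write through a symlink
            if [ ! -f "$target" ] || [ -L "$target" ]; then
                continue
            fi
            n=$((n + 1))
            if [ "$mode" != fix ]; then
                echo "would blank: $target"
                continue
            fi
            mkdir -p "$evidence"
            # keep the original for analysis, path flattened into a file name
            cp -p "$target" "$evidence/$(printf '%s' "$target" | tr '/' '_')"
            : > "$target"                  # truncate in place
            chmod 0444 "$target"
            echo "blanked: $target"
        done
    done < "$list"
    rm -f "$list"
    echo "total: $n"
}

# Usage (as root): blank_dropped_files /home report, then rerun with "fix".
```

The blanked files keep their original owner, so mode 0444 does not stop that account from rewriting them; like the manual steps, this is a stopgap.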
