| Linux Security Make your Linux box more secure - Learn How |
|
I'm running Joomla on my server and every once in a while I'll notice external pages loading on my webpage. When I look at the source there are iframes attached to the bottom of it that should not be there. I am curious to know how they are getting there and what I should do. Anyone had this problem before? How can I fix it? I've chmod'd my files to 655 but it still happens.
|
|
Try chmod 444; this removes write access from the files and leaves read access there. You'll probably find that one of the pieces of web software you have has a sec hole in it. I would recommend you go to the website of each piece of software and upgrade them to the latest versions. Also, you might find that mods or plugins for various software might be the way in as well.
|
|
||||
|
If you are running an old version of Joomla! I found that the .htaccess file needs to be updated.
Add this to the bottom of the .htaccess file: Code:
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
|
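An added example, not part of the original thread: the five RewriteCond patterns from the post above, run over access-log lines to show which past requests the rules would have blocked. The log entries, IP addresses and the names `matching_rule` and `scan_log` are constructed for illustration; Python's `re` stands in for mod_rewrite's PCRE, and the query string is matched undecoded, as mod_rewrite sees it.

```python
import re

# The five RewriteCond patterns from the post above; True marks the one with [NC].
RULES = [
    ("mosConfig", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False),
    ("base64_encode", r"base64_encode.*\(.*\)", False),
    ("script tag", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("GLOBALS", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("_REQUEST", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]
COMPILED = [(name, re.compile(rx, re.I if nc else 0)) for name, rx, nc in RULES]

# Request line inside an Apache common/combined log entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def matching_rule(query_string):
    """Return the name of the first rule matching the raw query string, else None."""
    for name, rx in COMPILED:
        if rx.search(query_string):
            return name
    return None

def scan_log(lines):
    """Return a list of (client_ip, rule_name, target) for requests the rules would block."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed entry, nothing to test
        # The rules test only %{QUERY_STRING}: the part of the target after "?".
        # A POST body is never inspected by them.
        _, _, query = m.group("target").partition("?")
        rule = matching_rule(query)
        if rule:
            hits.append((line.split(" ", 1)[0], rule, m.group("target")))
    return hits

# Constructed sample entries (documentation IP range, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2008:10:00:05 +0000] "GET /index.php?mosConfig_absolute_path=PLACEHOLDER HTTP/1.1" 200 310',
    '192.0.2.44 - - [01/Jan/2008:10:00:09 +0000] "GET /index.php?GLOBALS[x]=1 HTTP/1.1" 200 310',
    '192.0.2.51 - - [01/Jan/2008:10:01:00 +0000] "GET /index.php?q=%3cSCRIPT%3e HTTP/1.1" 200 310',
    '192.0.2.60 - - [01/Jan/2008:10:02:00 +0000] "POST /index.php HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for ip, rule, target in scan_log(SAMPLE_LOG):
        print(f"{ip}  {rule:<14} {target}")
```

Entries that were logged with status 200 and match a rule are worth following up, since the request reached the application before the rules were in place.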
|
||||
|
Also check this on CodeCall - it may be the reason you are being hacked.
http://forum.codecall.net/software-s...html#post25334