I have a Joomla 1.0 website running on a shared host to which I don't have shell access (only FTP is available). Recently my website has been marked as a malware site by Google and I noticed that the .htaccess file is modified with malicious contents. These redirection rules to a website called 'depositpeter.ru' are added to the .htaccess:
ErrorDocument 400 http://depositpeter.ru/mnp/index.php
ErrorDocument 401 http://depositpeter.ru/mnp/index.php
...
If I clean this .htaccess file, it will be modified back with malicious contents a few minutes later.
I suspect that some backdoor PHP and JavaScript have been injected into our codebase which constantly modifies the .htaccess file. However, I have no idea how this malware landed on my site in the first place. I'm pretty sure that no FTP users have uploaded those to my site. A virus scan found that there is a user-uploaded image injected with PHP.ShellExec malware (I'm not sure how this PHP.ShellExec works and whether it is related to the .htaccess virus, though).
My question is: how should I start troubleshooting and cleaning this malware? I'm pretty clueless and have little experience dealing with web malware. Any help is greatly appreciated!
It might be beyond your power to fix this yourself. But here are some things that you should do.
- Download any apache/php logs you have - these can point to the security holes being exploited. If you can find the entries, make sure the holes are covered.
- Remove the image that is indicated as infected.
- Contact your host - several hosting companies have automated solutions to find and clean up common vulnerabilities. Also, if your site is infected, odds are, other clients on the same server are, too.
- Conversely, it might be another client on the same server that's causing this problem for you.
Add an .htaccess file in the uploads directory that would prevent access to anything other than uploaded images. It might look something like this:
Order deny,allow
Deny from all
<FilesMatch "\.(jpe?g|bmp|png)$">
Allow from all
</FilesMatch>
If your host hasn't blocked functions that allow PHP to invoke system commands (you'd be surprised) and you know what to do, you can mimic shell access with a custom PHP script using system, exec, popen and some other functions. I use a script I made myself: https://github.com/DCoderLT/Misc_Tools/blob/master/sh/sh.php . It's fairly primitive, but got the job done when I needed it to.
Future considerations:
- Make backups. Your hosting company might provide these going back a certain period of time.
- Keep an eye on the updates. Subscribe to the Joomla announcements mailing list. Apply these updates as quickly as you can. Popular applications like Joomla and WordPress are a frequent and easy target for script kiddies and automated bots.
- Make backups.
- Make sure your hosting company has the server set up properly, so that user A cannot affect user B's files (file permissions, suexec or similar). I don't know how common this is these days, but it used to be a frequent oversight in the past.
- Make backups.
- Don't leave write permissions enabled on files and folders that don't need it.
- Make backups.
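As an added example (not part of the answer above), here is a small Python scan you can run locally over an FTP-downloaded copy of the site: it flags image files in the uploads directory that carry embedded PHP tags or shell-execution calls, and lists ErrorDocument directives in .htaccess that hand error pages to an external host, which is the injected pattern from the question. The sample files and .htaccess text are constructed for the demo; the function names are my own.

```python
import re
import tempfile
from pathlib import Path

# Markers of PHP code that has no business inside an uploaded image.
PHP_TAGS = (b"<?php", b"<?=")
PHP_SHELL_FUNCS = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|base64_decode)\s*\(", re.I)
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif", b"BM": "bmp"}
# ErrorDocument pointing at another host: the injected rule shape seen in the question.
EXTERNAL_ERRORDOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(https?://\S+)", re.I | re.M)

# Constructed samples: a clean PNG header, a JPEG header with PHP appended, a mixed .htaccess.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
INFECTED_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* injected */ system($input); ?>"
SAMPLE_HTACCESS = """# legitimate local error page
ErrorDocument 404 /index.php?option=com_content
ErrorDocument 400 http://depositpeter.ru/mnp/index.php
ErrorDocument 401 http://depositpeter.ru/mnp/index.php
"""

def classify_image_bytes(data: bytes) -> dict:
    """Describe a file that claims to be an image: real format, PHP tags, shell functions found."""
    kind = next((name for magic, name in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    funcs = sorted({m.group(1).decode().lower() for m in PHP_SHELL_FUNCS.finditer(data)})
    has_tag = any(tag in data for tag in PHP_TAGS)
    return {"image_type": kind, "php_tag": has_tag, "shell_functions": funcs,
            "suspicious": has_tag or bool(funcs)}

def external_error_documents(htaccess_text: str) -> list:
    """Return (status, url) for every ErrorDocument that redirects an error page off-site."""
    return EXTERNAL_ERRORDOC.findall(htaccess_text)

def scan_uploads(root) -> list:
    """Walk a downloaded copy of the uploads directory; return image paths that carry PHP."""
    exts = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in exts
                  and classify_image_bytes(p.read_bytes())["suspicious"])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for the downloaded uploads folder
        (Path(d) / "photo.png").write_bytes(CLEAN_PNG)
        (Path(d) / "avatar.jpg").write_bytes(INFECTED_JPEG)
        print("images carrying PHP:", scan_uploads(d))
    for code, url in external_error_documents(SAMPLE_HTACCESS):
        print(f"ErrorDocument {code} sends the error page off-site to {url}")
```

Flagged images are candidates to delete and to look up in the access logs by filename, which usually shows how and when they were uploaded and what requested them afterwards.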
What kind of PHP framework/CMS are you running there? The first thing would be to get an update there. The second idea would be to remove the write rights on those directories where the PHP shell gets put. The third thing I'd do is to remove the PHP shell (try to find files that don't belong to your CMS/framework).
good luck