Virus/malware modifying .htaccess on Joomla CMS we

Posted 2019-05-28 06:20

I have a Joomla 1.0 website running on a shared host to which I don't have shell access (only FTP is available). Recently my website has been marked as a malware site by Google and I noticed that the .htaccess file has been modified with malicious contents. These redirection rules to a website called 'depositpeter.ru' are added to the .htaccess:

ErrorDocument 400 http://depositpeter.ru/mnp/index.php
ErrorDocument 401 http://depositpeter.ru/mnp/index.php ...

If I clean this .htaccess file, it will be modified back with malicious contents a few minutes later.

I suspect that some backdoor PHP and JavaScript has been injected into our codebase which constantly modifies the .htaccess file. However, I have no idea how this malware landed on my site in the first place. I'm pretty sure that no FTP users have uploaded it to my site. A virus scan found that a user-uploaded image has been injected with PHP.ShellExec malware (I'm not sure how this PHP.ShellExec works and whether it is related to the .htaccess virus, though).

My question is: how should I start troubleshooting and cleaning this malware? I'm pretty clueless and have little experience dealing with web malware. Any help is greatly appreciated!

2 answers
孤傲高冷的网名
Post #2 · 2019-05-28 06:24

It might be beyond your power to fix this yourself. But here are some things that you should do.

  • Download any apache/php logs you have - these can point to the security holes being exploited. If you can find the entries, make sure the holes are covered.
  • Remove the image that is indicated as infected.
  • Contact your host - several hosting companies have automated solutions to find and clean up common vulnerabilities. Also, if your site is infected, odds are, other clients on the same server are, too.
    • Conversely, it might be another client on the same server that's causing this problem for you.
  • Add an .htaccess file in the uploads directory that would prevent access to anything other than uploaded images. It might look something like this:

    # Apache 2.2 syntax: deny everything in this directory by default ...
    Order deny,allow
    Deny from all
    # ... then re-allow only files whose names end in an image extension
    <FilesMatch "\.(jpe?g|bmp|png)$">
    Allow from all
    </FilesMatch>

  • If your host hasn't blocked functions that allow php to invoke system commands (you'd be surprised) and you know what to do, you can mimic shell access with a custom php script using system, exec, popen and some other functions. I use a script I made myself: https://github.com/DCoderLT/Misc_Tools/blob/master/sh/sh.php . It's fairly primitive, but got the job done when I needed it to.

Future considerations:

  • Make backups. Your hosting company might provide these going back a certain period of time.
  • Keep an eye on the updates. Subscribe to the Joomla announcements mailing list. Apply these updates as quickly as you can. Popular applications like Joomla and WordPress are a frequent and easy target for script kiddies and automated bots.
  • Make backups.
  • Make sure your hosting company has the server set up properly, so that user A cannot affect user B's files (file permissions, suexec or similar). I don't know how common this is these days, but it used to be a frequent oversight in the past.
  • Make backups.
  • Don't leave write permissions enabled on files and folders that don't need it.
  • Make backups.
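The two indicators the question describes, an uploaded image carrying PHP code and an .htaccess whose ErrorDocument rules send visitors to an external host, can be checked offline on a copy of the site pulled down over FTP. The script below is an added example, not code from the thread or from Joomla; the sample site tree it builds (images, .htaccess contents, the example.com host list) is constructed here for illustration.

```python
"""Offline triage of a site copy downloaded over FTP (added example).

Looks for two indicators: image files that contain a PHP open tag, and
.htaccess files whose ErrorDocument/Redirect/RewriteRule targets point at a
host other than the site's own.
"""
import os
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# A legitimate image never contains a PHP open tag; any occurrence is a red flag.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Directives whose argument may be an absolute URL pointing off-site.
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(ErrorDocument\s+\d{3}|Redirect(Match)?(\s+\d{3})?|RewriteRule\s+\S+)"
    r"\s+(?P<target>https?://\S+)",
    re.IGNORECASE,
)


def image_carries_php(path: Path) -> bool:
    """True if the file contains a PHP open tag anywhere in its bytes."""
    return PHP_TAG.search(path.read_bytes()) is not None


def external_redirects(htaccess: Path, own_hosts: set) -> list:
    """Return the .htaccess lines that redirect to a host not in own_hosts."""
    hits = []
    for line in htaccess.read_text(errors="replace").splitlines():
        m = REDIRECT_DIRECTIVE.match(line)
        if not m:
            continue
        host = re.sub(r"^https?://", "", m.group("target")).split("/")[0].lower()
        if host not in own_hosts:
            hits.append(line.strip())
    return hits


def scan_site(root: Path, own_hosts: set) -> dict:
    """Walk the site copy and collect both kinds of finding (paths relative to root)."""
    findings = {"php_in_image": [], "external_redirect": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() in IMAGE_EXT and image_carries_php(p):
                findings["php_in_image"].append(rel)
            elif name == ".htaccess":
                for line in external_redirects(p, own_hosts):
                    findings["external_redirect"].append(f"{rel}: {line}")
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture (not real data): a clean image, an image with a PHP tag
    appended, a tampered root .htaccess and a clean uploads .htaccess."""
    root = Path(tempfile.mkdtemp(prefix="site-copy-"))
    (root / "images" / "stories").mkdir(parents=True)
    (root / "images" / "stories" / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "images" / "stories" / "photo.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 'injected'; ?>")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "ErrorDocument 400 http://depositpeter.ru/mnp/index.php\n"
        "ErrorDocument 401 http://depositpeter.ru/mnp/index.php\n"
        "ErrorDocument 404 /index.php\n")
    (root / "images" / ".htaccess").write_text("Order deny,allow\nDeny from all\n")
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for kind, items in scan_site(site, {"example.com", "www.example.com"}).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it against the directory where the FTP download landed, with your own hostnames in `own_hosts`; a relative ErrorDocument target such as `/index.php` is ignored, only absolute URLs to foreign hosts are reported. Finding the injected image tells you what to delete; it does not tell you how it got there, which is why the log review in the answer above still matters.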
唯我独甜
Post #3 · 2019-05-28 06:26

What kind of PHP framework/CMS are you running there? The first thing would be to get an update there. The second idea would be to remove the write right on the directories where the PHP shell gets put. The third thing I'd do is to remove the PHP shell (try to find files that don't belong to your CMS/framework).

Good luck.

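"Find files that don't belong to your CMS" is easiest as a comparison between the live copy and a pristine copy of the same release: anything present only in the live tree, or whose hash differs, is either legitimate site content or something an attacker left behind. The script below is an added example, not code from the thread or from Joomla; the two directory trees it builds, the directory names treated as user content, and the file contents are constructed here.

```python
"""Compare a live site copy against a clean install of the same release
(added example). Reports added, missing and modified files, and singles
out scripts that appeared inside upload/cache directories.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level directories expected to differ from a fresh install (user uploads, cache).
# A new file there is normal; a new PHP script there is not.
USER_CONTENT_DIRS = ("images", "cache", "tmp", "media")
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def compare(reference: Path, live: Path) -> dict:
    """Diff the two manifests; all lists are sorted relative paths."""
    ref, cur = manifest(reference), manifest(live)
    added = sorted(set(cur) - set(ref))
    missing = sorted(set(ref) - set(cur))
    modified = sorted(k for k in set(ref) & set(cur) if ref[k] != cur[k])
    scripts_in_user_dirs = [
        k for k in added
        if k.split("/")[0] in USER_CONTENT_DIRS and Path(k).suffix.lower() in SCRIPT_EXT
    ]
    return {"added": added, "missing": missing, "modified": modified,
            "scripts_in_user_dirs": scripts_in_user_dirs}


def build_sample_trees():
    """Constructed fixtures standing in for a clean install and the live copy."""
    base = Path(tempfile.mkdtemp(prefix="cms-compare-"))
    reference, live = base / "reference", base / "live"
    for root in (reference, live):
        (root / "components").mkdir(parents=True)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "configuration.php").write_text("<?php // site settings\n")
        (root / "components" / "com_content.php").write_text("<?php // core component\n")
    # Live copy: a core file altered, an uploaded image (expected) and a script
    # dropped into images/ (not expected).
    (live / "index.php").write_text("<?php // front controller\n// appended line\n")
    (live / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (live / "images" / "x.php").write_text("<?php // should not be here\n")
    return reference, live


if __name__ == "__main__":
    ref, live = build_sample_trees()
    for kind, items in compare(ref, live).items():
        print(f"{kind}: {items}")
```

Point `reference` at an unpacked download of the exact Joomla version you run and `live` at the FTP copy. Expect `configuration.php` and any installed extensions to show up as modified or added on a real site; review those by hand, and treat every entry in `scripts_in_user_dirs` as something to remove and then deny write access to, as the answer suggests.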