
How can I avoid being hacked?

@Odierno851

Posted in: #Hacking #Phishing #Security

I have a website built on Joomla/PHP and it was going well until I found a RewriteCond directive in my .htaccess file to a website with porn content.

RewriteEngine On
RewriteCond %{HTTP_ACCEPT} "text/vnd.wap.wml|application/vnd.wap.xhtml+xml" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "android|BlackBerry|htc|iPad|iPhone|iPod|kindle|lg|midp|mmp|mobile|mot|nokia|o2|opera mini|J2ME" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "palm|pocket|psp|sgh|smartphone|sonyericsson|symbian|treo mini|up.browser|up.link|vodafone|wap" [NC]
RewriteCond %{HTTP_USER_AGENT} !Googlebot-Mobile [NC]
RewriteRule ^(.*)$ seokirja.com [L,R=302]

RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|.php|.html|.htm|.feed|.pdf|.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]


The hosting company said that they found some spam attempts against some PHP files. I checked them and found some encrypted code.

I also checked file permissions and PHP functions, but they seem OK.

How can I avoid being the victim of this hacking method?


@Goswami781

Cross-site scripting (XSS) is a type of computer security vulnerability. XSS enables attackers to inject client-side script into webpages viewed by other users. Add this to the .htaccess file in the website main directory.

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>



This header enables the cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. It's unknown if that version honored this header.


Source: www.owasp.org/index.php/List_of_useful_HTTP_headers


@Si4351233

No hacking method has been described; rather, what is described is the result of an unknown method of access that has allowed files on the server filesystem to be changed or added.

The first step is to find out how they got in to change such a low-level file. You need to determine whether:


They were able to gain access to either your cPanel, SSH or SFTP via weak, guessable passwords.
They were able to gain access via hacking a workstation that was used to maintain the website.
Joomla or its plugins have not been kept up to date or have a vulnerability that allows them to get server file write access.
They were able to gain access to Joomla's backend and install a file manager that allows them to modify files on the server.
Other scripts created by you or your website maintainer have serious programming flaws.
Server configurations were lax and allowed other means of injecting files onto the server.


Only after the method used to break in has been determined and fixed can you begin to either cleanse the server of these scripts or, better yet, nuke the server and restore from known good uninfected backups.
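
A defensive check for the kind of injected rule quoted in the question, as an added example that is not part of the original posts: it flags any RewriteRule that issues a redirect only for clients selected by request headers, and ignores Joomla-style internal rewrites. The sample rules and the redirect-target.example host are constructed, and HTTP_REFERER is included as a generalization beyond the two variables in the question.

```python
# Request headers an injected rule keys on to pick which visitors get redirected.
# HTTP_REFERER is an assumption added here; the quoted rules use the other two.
CLIENT_VARS = ("HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_REFERER")

SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_ACCEPT} "text/vnd.wap.wml|application/vnd.wap.xhtml+xml" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "android|iPhone|opera mini" [NC]
RewriteCond %{HTTP_USER_AGENT} !Googlebot-Mobile [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [L,R=302]

RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
"""  # constructed sample, modelled on the rules in the question

def flags_of(tokens):
    """Return the upper-cased flag names from a trailing [A,B=c] token."""
    last = tokens[-1]
    if not (last.startswith("[") and last.endswith("]")):
        return set()
    return {f.split("=")[0].strip().upper() for f in last[1:-1].split(",")}

def find_conditional_redirects(text):
    """Flag RewriteRules that redirect (R flag) only for header-selected clients."""
    findings, pending = [], []  # pending: client variables tested since the last rule
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()    # only the TestString, target and flags are read
        if len(tokens) < 3 or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewritecond":
            # Treat %{HTTP:User-Agent} the same as %{HTTP_USER_AGENT}.
            test = tokens[1].upper().replace("HTTP:", "HTTP_").replace("-", "_")
            pending += [v for v in CLIENT_VARS if "%{" + v + "}" in test]
        elif directive == "rewriterule":
            if pending and flags_of(tokens) & {"R", "REDIRECT"}:
                findings.append({"line": lineno, "target": tokens[2],
                                 "keyed_on": sorted(set(pending))})
            pending = []        # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for hit in find_conditional_redirects(SAMPLE):
        print(hit)
```

Running it over every .htaccess under the web root, and over the same files in known good backups, helps narrow down when the rule first appeared.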
