TOPIC: Got hacked via shared server - cannot save admin commands

Got hacked via shared server - cannot save admin commands 1 year 2 weeks ago #44813

  • allfive
  • OSTudent
  • Posts: 39
  • Karma: 0
Hi. Just spent hours and hours trying to debug a hack with redirects to verticalpigeon.com. I've lost control of the admin interface, i.e., I cannot log out and the admin seems publicly available without needing to log in. I can navigate the interface but cannot save any changes. There is a user ID of "0" keeping the page open but un-saveable.

I've cleared the DB of the redirects but cannot find the user ID "0", who I think is causing the trouble, to delete. I see no unusual scripts, I've deleted all users, changed my super admin account to "registered" and created another super user for myself. I changed the DB password.

This is a Joomla 2.5.4 dev site, updated regularly. The attack may have come from an older Joomla site on my server account, but my other Joomla sites on the account don't have this problem after I eliminated nasty scripts in the tmp folder and made all the above changes. The demon there was a shell script: "POST /tmp/_cache_i70btczz.php HTTP/1.1" 200 149. All those are deleted, AFAIK. The script added redirects to the htaccess file and changed its permissions to 444.

I've been all through the files and db for hours trying to find how to eliminate this unusual control. Any hints?

I've also reset the htaccess file to only be viewed by my IP address: pi17.artsouthend.com. If you can see the site, then that would help in determining what level the attack exists on. And if you see the site, add "administrator" to the URL and you should be able to see the admin screen (see attached clip). Logging out does nothing but refresh the page.


FYI, a screenshot of verticalpigeon.com's assessment of my shared server:


I know I've asked a lot of questions. Any help or insight would be greatly appreciated.

Got hacked via shared server - cannot save admin commands 1 year 2 weeks ago #44839

  • edandrea
  • OSTop Dog
  • Posts: 3106
  • Thank you received: 7
  • Karma: 0
Hi Allfive,

When I try to visit your page I get an error message that you have a redirection loop, which means the redirection is endless. Some things you can try:

1. Replace the .htaccess file with a generic one from another installation.
2. Look through all your directories for another htaccess file.
3. Check your cPanel to see if you have any redirections set up on cPanel as well, and if you do, that they are correct.

Check out those, then let us know.

Ed

Got hacked via shared server - cannot save admin commands 11 months 2 weeks ago #47813

  • allfive
  • OSTudent
  • Posts: 39
  • Karma: 0
Ed:
>1. replace the .htaccess file with a generic one from another installation.
>2 Look through all your directories for another htaccess file.
>3. Check your cpanel to see if you have any redirections set u

Hi, Ed. Took me a while to get back to this. Had to move on to other projects. I checked all the above and nothing changes.

I had to set the .htaccess file to:

RewriteEngine On
# Send every visitor except my own address to offline.html
RewriteCond %{REMOTE_HOST} !72\.93\.168\.28
RewriteCond %{REQUEST_URI} !offline\.html
RewriteCond %{REQUEST_URI} !(\.png|\.jpg|\.gif|\.jpeg|\.bmp|\.swf|\.css|\.js)$
RewriteRule (.*) offline.html [R=307,L]
# Block the scanner's user agent (each directive on its own line)
SetEnvIfNoCase User-Agent "verticalpigeon" badBot
Deny from env=badBot

If I didn't do that, anyone going to /administrator would see the backend. There is a super admin there with an ID 0 that I can't find in the db or anywhere to delete. I can access most anything but the buttons to save are gone, so there is no way to change and save things like permissions. Those seem to be set for the "public" to access the backend.

I can let you look around if I knew when you were able to. I don't want to leave the site open like that for very long.

I know when the attack took place so I suppose I could start replacing Joomla folders/files that were changed on that date? Maybe not. <G>

Any advice would be welcome.

Got hacked via shared server - cannot save admin commands 11 months 2 weeks ago #47816

  • Nick
  • Administrator
  • Posts: 16743
  • Thank you received: 373
  • Karma: 55
Hi allfive,

Before you do anything, please be sure to make a backup of your hacked site so that you can test it later if needed.

Then give our brand-new Joomla Security class a try :)
www.ostraining.com/courses/class/joomla-25/security/view/

Especially, give the "Fixing Your Hacked Site" tutorial a try:
www.ostraining.com/courses/session/jooml...ng-your-hacked-site/

Let us know if you have any questions or need any help along the way.

Kind regards,
Nick
Follow us on Twitter - twitter.com/OSTraining
Like us on Facebook - facebook.com/ostraining

Got hacked via shared server - cannot save admin commands 11 months 2 days ago #49289

  • allfive
  • OSTudent
  • Posts: 39
  • Karma: 0
Thanks, Nick and Ed. The links were helpful and led me to the conclusion that I deleted some core files needed by Joomla when cleaning out the malicious code. The backups I had were subsequent to the hack so I'll have to start with a fresh Joomla installation and will try to integrate the modified template from the hacked site (Gantry basic). If you have any links or general advice, I'd welcome them; otherwise I'll proceed and find out how much I know or have learned. <G>

best

don

Got hacked via shared server - cannot save admin commands 11 months 2 days ago #49305

  • Nick
  • Administrator
  • Posts: 16743
  • Thank you received: 373
  • Karma: 55
Hi Don,

Do you have access to the Joomla Backend? If so, you can use the following tutorial to reset all your Joomla core files:
www.ostraining.com/blog/joomla/how-to-up...min-tools-extension/

If not, let me know what version you're using and I can give you directions how to upload the files manually.

Kind regards,
Nick

Got hacked via shared server - cannot save admin commands 11 months 1 day ago #49421

  • allfive
  • OSTudent
  • Posts: 39
  • Karma: 0
Nick:
>Do you have access to the Joomla Backend? If so, you can use the following tutorial to reset all your Joomla core files:
>www.ostraining.com/blog/joomla/how-to-up...min-tools-extension/

Ah, that was a great idea, Nick. I reinstalled the core files and the latest Joomla version via Admin Tools. At first I got locked out of the admin area, then Joomla Admin Tools sent me an update notification with an auto log-in link. I used that and managed to get in the backend. I created a new user in the Super User group because the existing super user had problems saving changes to the db.

My only question is how can I change the SuperAdmin ID to the new user I created?

Admin Tools Pro and Akeeba Pro are well worth the money.

Thanks much!

don

Got hacked via shared server - cannot save admin commands 11 months 1 day ago #49470

  • tessa
  • Moderator
  • Posts: 3948
  • Thank you received: 134
  • Karma: 9
Hi Allfive,
>My only question is how can I change the SuperAdmin ID to the new user I created?

Are you trying to put a specific id to your new user? If so, that is not possible since each row is unique to an id. However, you can regenerate your superadmin id with Admin Tools then change your username/password in the user manager after it is recreated.
Warm Regards,

Tessa Mero




Got hacked via shared server - cannot save admin commands 11 months 2 hours ago #49623

  • Nick
  • Administrator
  • Posts: 16743
  • Thank you received: 373
  • Karma: 55
Hi Don,

You're welcome!

Did you get the Admin ID issue sorted?

By the way, another way that you can do it is User Manager :)

Kind regards,
Nick

Got hacked via shared server - cannot save admin commands 11 months 1 hour ago #49632

  • allfive
  • OSTudent
  • Posts: 39
  • Karma: 0
Thanks, Tess and Nick.

Didn't get the Admin ID solved, but I'm in the site fine and my user ID is not the default Joomla Super User ID. Admin Tools won't let me change to their default ID for Super Admin, but it is already a value different than the default Joomla ID, which I suppose is somewhere in the 60's? Anyhow, I'm the only user and I might have deleted all users earlier (the one that had ATools default Super Admin ID, and also deleted the Super Admin ID that AdminTools encrypts and keeps as a placeholder for the default Joomla Super ID).

Interestingly, the DB shows only one user with my ID, but there is no value for the Admin Tools Pro ID, even though the component won't let me change to that.

Perhaps this is a VERY geeky question for Admin Tools Pro?

As long as I don't have the default Joomla Super Admin ID, I should be OK? Am I right in assuming the 2.5.x versions don't have a single Super Admin, just Super Users?

Thanks.

Got hacked via shared server - cannot save admin commands 11 months 37 minutes ago #49640

  • edandrea
  • OSTop Dog
  • Posts: 3106
  • Thank you received: 7
  • Karma: 0
The default Joomla admin ID is 42. In the newest upgrade, Joomla allows you to change that or will pick a random number.

You are correct about one thing, though, the geeks at Akeeba will know much more about this than we do. I must say that collectively we constitute a lot of brain power, but those guys know their business ;)

You can check your user ID numbers in the database using phpMyAdmin and actually change them there as well if you need to. I don't know for sure if you can change the number 42, however.

Check with the guys at Akeeba and see what they say.

Cheers,
Ed

Got hacked via shared server - cannot save admin commands 10 months 4 weeks ago #49652

  • allfive
  • OSTudent
  • Posts: 39
  • Karma: 0
Ed:
>The default joomla admin id is 42.

I think I'm good, then. I'm not a 42.
>In the newest upgrade, joomla is allowing you to change that or will pick a random number.

That is cool.
>Check with the guys at Akeeba and see what they say.

Yes, they would definitely know what happens when the script looks for ID 42 to change and finds no ID with that number. I definitely agree you are not expected to know how those details are managed. :-)

Many thanks. You've all been very helpful.

Got hacked via shared server - cannot save admin commands 10 months 4 weeks ago #49655

  • Nick
  • Administrator
  • Posts: 16743
  • Thank you received: 373
  • Karma: 55
Hi Don,

You're very welcome! We're glad we could be of help! :)

Kind regards,
Nick

Powered by Kunena Forum


Copyright 2013 Open Source Training, LLC. All rights reserved.