Website was infested with malware – now error 500 after cleaning it up

Forums    Joomla Templates Club    JA Teline V    Website was infested with malware - now error 500 after cleaning it up
Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • iguinee Friend
    May 3, 2016 at 11:51 pm #926224

    Hello,

    I am running Teline V on the latest Joomla! (I hope I managed to keep up!)

    My website has been working fine until towards the end of April when my hosting account was suspended by the provider – due to the account being infested with malware (including Ebola, Malaria, HIV, etc. etc.). The hosting provider cleaned it all up today, for a fee.

    Now, I am seen an error (HTTP ERROR 500) when I try accessing the website.

    The hosting company tried to fix but they said that some vital files have been badly corrupted. They mentioned something like Moses code (please don’t ask me as I don’t have a clue what that means).

    I seriously need some urgent assistance in this matter as the website has now been offline for 5 days.

    These are the different errors coming up:

    PHP Notice: Undefined index: HTTP_REFERER in /home5/xxx/public_html/comet/images.php on line 20
PHP Warning: require_once(/home5/xxx/public_html/includes/defines.php): failed to open stream: No such file or directory in /home5/xxx/public_html/index.php on line 49
PHP Fatal error: require_once(): Failed opening required '/home5/xxx/public_html/includes/defines.php' (include_path='.:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear') in /home5/xxx/public_html/index.php on line 49
PHP Notice: Undefined index: HTTP_REFERER in /home5/xxx/public_html/comet/images.php on line 20
PHP Warning: require_once(/home5/xxx/public_html/includes/defines.php): failed to open stream: No such file or directory in /home5/ufdgtwoz/public_html/index.php on line 49
PHP Fatal error: require_once(): Failed opening required '/home5/xxx/public_html/includes/defines.php' (include_path='.:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear') in /home5/xxx/public_html/index.php on line 49
PHP Notice: Undefined index: HTTP_REFERER in /home5/xxx/public_html/comet/images.php on line 20
PHP Warning: require_once(/home5/xxx/public_html/includes/defines.php): failed to open stream: No such file or directory in /home5/xxx/public_html/index.php on line 49
PHP Fatal error: require_once(): Failed opening required '/home5/xxx/public_html/includes/defines.php' (include_path='.:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear') in /home5/xxx/public_html/index.php on line 49
PHP Notice: Undefined index: HTTP_REFERER in /home5/xxx/public_html/comet/images.php on line 20
PHP Warning: require_once(/home5/xxx/public_html/includes/defines.php): failed to open stream: No such file or directory in /home5/xxx/public_html/index.php on line 49
PHP Fatal error: require_once(): Failed opening required '/home5/xxx/public_html/includes/defines.php' (include_path='.:/usr/php/54/usr/lib64:/usr/php/54/usr/share/pear') in /home5/xxx/public_html/index.php on line 49
    Saguaros Moderator
    May 4, 2016 at 4:21 am #926317

    Hi

    Sad to hear that your site is attacked.

    As I can see that most errors in above message come from core file of Joomla, do you have any backup version before the attack? If not, you can ask your host whether they have automatic backup for your site or not so they can help to restore for you.

    iguinee Friend
    May 4, 2016 at 9:43 pm #926826

    Thank you @saguaros for your reply.

    Unfortunately they do not have a useful backup. Personally, I do not have a backup that is not compromised either.

    Apparently the damage was progressive. That means the backup I have was also compromised as I tried to use it but it could not make it better.

    Saguaros Moderator
    May 5, 2016 at 2:45 am #926861

    It’s hard in this case, please contact your host to find out which files are affected by the malware.

    Backup should be a must when running a site, you can consider to use a better security host.

    iguinee Friend
    May 6, 2016 at 11:23 pm #927748

    I have done some cleanup and site is live. Now the primary issue is that whenever I click on an article, I am redirected to another suspicious website: (firsthoteshop.com)

    Where can I go to clean this up and get the site back to normal?

    timtecsa Friend
    May 7, 2016 at 11:36 am #927854

    When your site is clean you might look at at http://extensions.joomla.org/extension/jhackguard

    We also use Admin Tools Pro on our sites. e.g.here: http://mt5j345.mwinda.org/

    For easy backup take a look at Akeeba Backup Pro too.

    Tim

    Waleed Sharo Friend
    May 7, 2016 at 12:12 pm #927875

    It seems there is a hard redirect rule hidden somewhere in .htaccess or index.php or other php file, can you post the content of your .htaccess file so we can see?

    iguinee Friend
    May 7, 2016 at 2:36 pm #927930

    ` text/plain htaccess.txt ASCII English text

    @package Joomla

    @copyright Copyright (C) 2005 – 2016 Open Source Matters. All rights reserved.

    @license GNU General Public License version 2 or later; see LICENSE.txt

    READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!

    #

    The line just below this section: ‘Options +FollowSymLinks’ may cause problems

    with some server configurations. It is required for use of mod_rewrite, but may already

    be set by your server administrator in a way that disallows changing it in

    your .htaccess file. If using it causes your server to error out, comment it out (add # to

    beginning of line), reload your site in your browser and test your sef url’s. If they work,

    it has been set by your server administrator and you do not need it set here.

    No directory listings

    IndexIgnore *

    Can be commented out if causes errors, see notes above.

    Options +FollowSymlinks Options -Indexes

    Mod_rewrite in use.

    RewriteEngine On

    Begin – Rewrite rules to block out some common exploits.

    If you experience problems on your site block out the operations listed below

    This attempts to block the most common type of exploit attempts to Joomla!

    #

    Block out any script trying to base64_encode data within the URL.

    RewriteCond %{QUERY_STRING} base64encode[^(]([^)]_) [OR]

    Block out any script that includes a tag in URL.

    RewriteCond %{QUERY_STRING} (<|%3C)([^s]s)+cript.(>|%3E) [NC,OR]

    Block out any script trying to set a PHP GLOBALS variable via URL.

    RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]

    Block out any script trying to modify a _REQUEST variable via URL.

    RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})

    Return 403 Forbidden header and show the content of the root homepage

    RewriteRule .* index.php [F] #

    End – Rewrite rules to block out some common exploits.

    Begin – Custom redirects

    #

    If you need to redirect some pages, or set a canonical non-www to

    www redirect (or vice versa), place that code here. Ensure those

    redirects use the correct RewriteRule syntax and the [R=301,L] flags.

    #

    End – Custom redirects

    Uncomment following line if your webserver’s URL

    is not directly related to physical file paths.

    Update Your Joomla! Directory (just / for root).

    RewriteBase /

    Begin – Joomla! core SEF Section.

    RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    If the requested path and file is not /index.php and the request

    has not already been internally rewritten to the index.php script

    RewriteCond %{REQUEST_URI} !^/index.php

    and the requested path and file doesn’t directly match a physical file

    RewriteCond %{REQUEST_FILENAME} !-f

    and the requested path and file doesn’t directly match a physical folder

    RewriteCond %{REQUEST_FILENAME} !-d

    internally rewrite the request to the index.php script

    RewriteRule .* index.php [L] #

    End – Joomla! core SEF Section.`

    iguinee Friend
    May 7, 2016 at 2:38 pm #927931

    This is the index.php

    
text/x-generic index.php 
PHP script text
<?php
/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

/**
 * Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
 */
define('JOOMLA_MINIMUM_PHP', '5.3.10');

if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
{
    die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
}

// Saves the start time and memory usage.
$startTime = microtime(1);
$startMem  = memory_get_usage();

/**
 * Constant that is checked in included files to prevent direct access.
 * define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
 */
define('_JEXEC', 1);

if (file_exists(__DIR__ . '/defines.php'))
{
    include_once __DIR__ . '/defines.php';
}

if (!defined('_JDEFINES'))
{
    define('JPATH_BASE', __DIR__);
    require_once JPATH_BASE . '/includes/defines.php';
}

require_once JPATH_BASE . '/includes/framework.php';

// Set profiler start time and memory usage and mark afterLoad in the profiler.
JDEBUG ? $_PROFILER->setStart($startTime, $startMem)->mark('afterLoad') : null;

// Instantiate the application.
$app = JFactory::getApplication('site');

// Execute the application.
$app->execute();
    Waleed Sharo Friend
    May 7, 2016 at 2:58 pm #927934

    Your .htaccess and index.php seems normal, I suspect there is a routing redirect somewhere in the php files, it maybe hard coded using base64 encode, you can contact me on my Skype (can be found on my profile page).

  • Author
    Posts
Viewing 10 posts - 1 through 10 (of 10 total)

This topic contains 9 replies, has 4 voices, and was last updated by  Waleed Sharo 8 years, 6 months ago.

We moved to new unified forum. Please post all new support queries in our New Forum

Important Notice :

New Unified Portal is live

Must Read

Jump to forum

Categories