SpyWare BeWare!

Security & Privacy => The Wild Wild Web => Topic started by: amyrose33 on December 29, 2015, 01:24:43 PM

Title: URL-Injection
Post by: amyrose33 on December 29, 2015, 01:24:43 PM

I read, "ASAP ensures that quality support and assistance will be freely available"  That's super fabulous, tremendously generous - because I need HELP!!!!!

I am a novice who has been tasked with migrating a site from Joomla 1.0.15 to Joomla 3.x.  I know; I know.  This site belongs to a highly regarded non-profit, who has and does help homeowners who have received inferior (sometimes unlivable homes) from unscrupulous builders / contractors.  I am having trouble migrating the site, but constant hacking assaults keep forcing me to take 2 steps back for every one forward. 

Google (Webmaster Tools) has notified me that we are hacked AGAIN.  This time the hack is different.  Google called it, url-injection (examples below).  In the past, I was always able to find the infected FILES.  I'm not having any luck this time, even though I've researched online for two weeks, now.

I read that I can protect the site with htaccess entries such as:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^page\: [NC]
RewriteRule .* - [L,G]

On the flip side, I read that "Using .htaccess files slows down your Apache http server."  AND in the first trial (content above) the Google results disappeared for a while, but now they show up again when I do a search for: 'site:****.org pharmacy'

Examples of hack:  (I'm new to this forum & don't know the policy about links.)
http://www.****.org/?aciclovir-costco-otau&Id=890&aciclovir
http://www.****.org/?alli-ebay-uk-otau&Id=2127&alli

I did (stupidly, but I think my comp did not catch anything) open the two pages above, and looked at the source-code.  The hackers injected their url into the 'top of page' link and our PayPal module.  I have removed the 2 PayPal files (php & xml) for the time being.  I plan to update that code with prepared statements (having a little trouble).

How do I find (or debug) all the injected script?  How do I clean it?

With much appreciation,

Title: Re: URL-Injection
Post by: amyrose33 on January 03, 2016, 11:42:02 AM
I just discovered that when I remember to use 'Site:' in my Google-pharmacy search, the hacked pages show up, NOT when I forget to use 'Site:'.  It's possible that the hacked pages never did actually disappear.

Upon Deeper Investigation:

Using https://aw-snap.info/file-viewer (with User Agent, Googlebot), the first of the pharmacy search results, 'http://****.org/ydhu-watch arjuna online' gives a "404 Not Found" result.

One of the results, 'http://www.****.org/?page%3Abuy-online-steinberg-cubase-5%26page_id%3D4353&usg=AFQjCNHCzTsITLDmMWakqwOrrxPPbyBUWA&bvm=bv.110151844,d.eWE' gives a response of: "200 OK", "Set-Cookie: 864854e11328f635937114a993643a94=-; path=/", and "Content after the </html> tag should be considered suspicious. <!-- 1451837145 --> "

Giving the fully decoded url of 'http://www.****.org/?page:buy-online-steinberg-cubase-5&page_id=4353&usg=AFQjCNHCzTsITLDmMWakqwOrrxPPbyBUWA&bvm=bv.110151844,d.eWE', the result is "410 Gone".

Using that decoded weblink with https://aw-snap.info/base64-decoder/ outputs:
1:  hxxp://****.org/?page:buy-online-steinberg-cubase-5

I still don't know the rules about including one's url; I did not see any on the forum pages that I visited.  Are one's urls only for PM's?

With much appreciation,
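The two posts above ask how to find the injected content and note the aw-snap hint that anything after the closing </html> tag is suspicious. The following is an added example, not code from this thread, from Joomla or from aw-snap: a small offline Python scanner that walks a webroot and flags (1) non-blank content after </html>, (2) obfuscated or request-driven PHP such as eval(base64_decode(...)), and (3) the spam terms that appeared in the quoted Google results, plus a helper that mirrors the posted RewriteCond so the rule can be checked against a query string. The indicator patterns, the function names, the example.invalid link, the inert base64 string and the sample webroot it builds in a temporary directory are all constructed for the demo and would need tuning for a real site.

```python
r"""Added example (not from the thread): an offline scanner for a Joomla/PHP
webroot that flags the indicators the thread points at, plus a helper that
mirrors the posted .htaccess RewriteCond. All paths, keywords and sample
files below are constructed for the demo."""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators of injected PHP. This list is an assumption for the demo,
# not something the thread specifies; tune it to the site being cleaned.
OBFUSCATION_PATTERNS = [
    # eval(base64_decode(...)) and friends: classic obfuscated dropper
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # preg_replace with the /e modifier executes the replacement as PHP
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
    # $_GET['x'](...) style variable function calls driven by the request
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
]
# Spam terms taken from the Google results quoted in the thread.
SPAM_KEYWORDS = re.compile(r"\b(pharmacy|aciclovir|alli|cubase)\b", re.I)
# aw-snap's hint: anything non-blank after the closing </html> tag is suspicious.
TRAILING_AFTER_HTML = re.compile(r"</html>\s*(\S.*)$", re.I | re.S)
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".xml"}


@dataclass
class Finding:
    path: str
    reason: str
    snippet: str


def matches_htaccess_rule(query_string):
    r"""Mirror of the posted rule: RewriteCond %{QUERY_STRING} ^page\: [NC]."""
    return re.match(r"page:", query_string, re.I) is not None


def scan_file(path):
    """Return Findings for one file (empty list if it looks clean)."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    m = TRAILING_AFTER_HTML.search(text)
    if m:
        findings.append(Finding(path, "content after </html>", m.group(1)[:80]))
    for pat in OBFUSCATION_PATTERNS:
        m = pat.search(text)
        if m:
            findings.append(Finding(path, "obfuscated/dynamic PHP", m.group(0)[:80]))
    m = SPAM_KEYWORDS.search(text)
    if m:
        findings.append(Finding(path, "spam keyword", m.group(0)))
    return findings


def scan_webroot(root):
    """Walk the webroot and collect Findings for every scannable file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_webroot():
    """Constructed mini-webroot: one clean page, two tampered files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "templates"))
    os.makedirs(os.path.join(root, "modules", "mod_paypal"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>\n")
    with open(os.path.join(root, "templates", "index.php"), "w") as fh:
        # Spam link appended after </html>, where a casual look at the page misses it
        fh.write("<html><body>site</body></html>\n"
                 '<!-- 1451837145 --><a href="http://example.invalid/?aciclovir">aciclovir</a>\n')
    with open(os.path.join(root, "modules", "mod_paypal", "mod_paypal.php"), "w") as fh:
        # Obfuscated payload dropped into the PayPal module (constructed and inert)
        fh.write('<?php\n// donate module\neval(base64_decode("aGVsbG8="));\n')
    return root


def demo():
    """Scan the constructed webroot; return sorted (relative path, reason) pairs."""
    root = build_sample_webroot()
    return sorted({(os.path.relpath(f.path, root).replace(os.sep, "/"), f.reason)
                   for f in scan_webroot(root)})


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{rel_path}: {reason}")
```

Run against a real webroot with scan_webroot("/path/to/site"); the trailing-content check is the most reliable of the three, since a legitimate Joomla template ends at </html>, while the keyword and obfuscation patterns are heuristics that will need false-positive review (some extensions ship legitimately base64-encoded assets). Files the scanner flags are candidates to diff against a clean copy of the same Joomla version before deciding what to remove.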