SpyWare BeWare! ASAP
Topic: URL-Injection  (Read 764 times)
amyrose33 (Newbie, Posts: 2, Date Registered: December 29, 2015, 12:55:05 PM)
« on: December 29, 2015, 01:24:43 PM »

Hi,

I read, "ASAP ensures that quality support and assistance will be freely available."  That's super fabulous, tremendously generous - because I need HELP!!!!!

I am a novice who has been tasked with migrating a site from Joomla 1.0.15 to Joomla 3.x.  I know; I know.  This site belongs to a highly regarded non-profit, which has helped and still helps homeowners who have received inferior (sometimes unlivable) homes from unscrupulous builders / contractors.  I am having trouble migrating the site, but constant hacking assaults keep forcing me to take 2 steps back for every one forward.

Google (Webmaster Tools) has notified me that we are hacked AGAIN.  This time the hack is different.  Google called it "url-injection" (examples below).  In the past, I was always able to find the infected FILES.  I'm not having any luck this time, even though I've researched online for two weeks now.

I read that I can protect the site with htaccess entries such as:
RewriteEngine On
# only GET requests ...
RewriteCond %{REQUEST_METHOD} GET
# ... whose query string begins with "page:" ([NC] = case-insensitive) ...
RewriteCond %{QUERY_STRING} ^page\: [NC]
# ... are answered with 410 Gone ([G]); [L] stops further rule processing
RewriteRule .* - [L,G]

On the flip side, I read that "Using .htaccess files slows down your Apache http server."  And in the first trial (content above) the Google results disappeared for a while, but now they show up again when I do a search for: 'site:****.org pharmacy'

Examples of the hack:  (I'm new to this forum & don't know the policy about links.)
http://www.****.org/?aciclovir-costco-otau&Id=890&aciclovir
http://www.****.org/?alli-ebay-uk-otau&Id=2127&alli

I did (stupidly, but I think my comp did not catch anything) open the two pages above and looked at the source code.  The hackers injected their URL into the 'top of page' link and our PayPal module.  I have removed the 2 PayPal files (php & xml) for the time being.  I plan to update that code with prepared statements (having a little trouble).

How do I find (or debug) all the injected script?  How do I clean it?

With much appreciation,
Amy
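As an added illustration (not code from this thread, from Joomla or from Apache), the Python script below replays the .htaccess rule quoted in the post against constructed Apache access-log lines and reports what the rule would do with each request. It assumes that mod_rewrite compares %{QUERY_STRING} as the raw, still percent-encoded query string, so a query beginning with `page%3A` (the form Google indexed) passes while the decoded `page:` form gets 410 Gone, which is consistent with the 200 OK / 410 Gone results reported later in the thread. The `keyless_query` heuristic is an assumption of this example, not a Joomla or Apache feature; the IPs, hostnames and log lines are placeholders.

```python
"""
Replay of the .htaccess rule quoted in the post against constructed access-log
lines. Added example, not code from the thread or from Joomla/Apache. Assumes
mod_rewrite's %{QUERY_STRING} is the raw, still percent-encoded query string;
the IPs and log lines below are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Same test as the post's RewriteCond: query string beginning with "page:",
# case-insensitive ([NC]). The [G] flag makes Apache answer 410 Gone.
BLOCK_QUERY = re.compile(r"^page:", re.IGNORECASE)

# Apache "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: a decoded "page:" hit, the percent-encoded "page%3A"
# form, one of the pharma links from the post, a normal Joomla request, a POST.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2016:10:01:02 +0000] "GET /?page:buy-online-steinberg-cubase-5&page_id=4353 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.5 - - [03/Jan/2016:10:01:03 +0000] "GET /?page%3Abuy-online-steinberg-cubase-5%26page_id%3D4353 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [03/Jan/2016:10:02:10 +0000] "GET /?aciclovir-costco-otau&Id=890&aciclovir HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2016:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jan/2016:10:03:00 +0000] "POST /?page:anything HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """One dict per well-formed combined-format line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def raw_query(target):
    """Query string as mod_rewrite sees it: everything after '?', not percent-decoded."""
    return urlsplit(target).query


def rule_verdict(method, target):
    """410 if the post's RewriteCond/RewriteRule pair would fire, else None (passes)."""
    if method == "GET" and BLOCK_QUERY.search(raw_query(target)):
        return 410
    return None


def keyless_query(target):
    """Heuristic (assumption of this example): the injected links in the post start
    the query string with a bare token instead of key=value, which Joomla's own
    index.php?option=... URLs never do."""
    first = raw_query(target).split("&", 1)[0]
    return bool(first) and "=" not in first


def apply_rule(log_text):
    """(ip, method, target, verdict) for every request in the log."""
    return [(e["ip"], e["method"], e["target"], rule_verdict(e["method"], e["target"]))
            for e in parse_log(log_text)]


def unblocked_suspects(log_text):
    """Requests the rule lets through although they look like the injected links."""
    return [r for r in apply_rule(log_text) if r[3] is None and keyless_query(r[2])]


if __name__ == "__main__":
    for ip, method, target, verdict in apply_rule(SAMPLE_LOG):
        print(f"{verdict or 'pass':>4}  {method:4} {target}  ({ip})")
    print("not blocked but suspicious:")
    for r in unblocked_suspects(SAMPLE_LOG):
        print("  ", r[2])
```

Run against a real access log, `unblocked_suspects` lists the requests a rule of this shape does not cover: the percent-encoded variant, the `?aciclovir-...&Id=` links from the post (they never begin with `page:`), and non-GET methods. The rule is a stopgap that hides the indexed URLs; it does nothing about the injected files themselves.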
amyrose33 (Newbie, Posts: 2, Date Registered: December 29, 2015, 12:55:05 PM)
« Reply #1 on: January 03, 2016, 11:42:02 AM »

I just discovered that when I remember to use 'Site:' in my Google-pharmacy search, the hacked pages show up, NOT when I forget to use 'Site:'.  It's possible that the hacked pages never did actually disappear.

Upon Deeper Investigation:

Using https://aw-snap.info/file-viewer (with the User Agent set to Googlebot), the first of the pharmacy search results, 'http://****.org/ydhu-watch arjuna online', gives a "404 Not Found" result.

One of the results, 'http://www.****.org/?page%3Abuy-online-steinberg-cubase-5%26page_id%3D4353&usg=AFQjCNHCzTsITLDmMWakqwOrrxPPbyBUWA&bvm=bv.110151844,d.eWE', gives a response of: "200 OK", "Set-Cookie: 864854e11328f635937114a993643a94=-; path=/", and "Content after the </html> tag should be considered suspicious. <!-- 1451837145 -->"

Giving the fully decoded url of 'http://www.****.org/?page:buy-online-steinberg-cubase-5&page_id=4353&usg=AFQjCNHCzTsITLDmMWakqwOrrxPPbyBUWA&bvm=bv.110151844,d.eWE', the result is "410 Gone".

Using that decoded weblink with https://aw-snap.info/base64-decoder/ outputs:
1:  hxxp://****.org/?page:buy-online-steinberg-cubase-5
2:  AFQjCNHCzTsITLDmMWakqwOrrxPPbyBUWA

I still don't know the rules about including one's URL; I did not see any on the forum pages that I visited.  Are one's URLs only for PMs?

With much appreciation,
Amy
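The file viewer's "content after the </html> tag" warning in this post, and the first post's question of how to find all the injected script, can both be turned into checks a site owner runs locally. The Python below is an added example, not the poster's code and not part of Joomla: `trailing_after_html` returns whatever follows the last `</html>` in a saved response body, and `scan_php_source` / `scan_tree` flag PHP files that carry constructs typical of injected code (an `eval` fed by a decoder, a very long base64 literal, and a branch on the `HTTP_USER_AGENT` for Googlebot, which is why such links often only appear when fetching as the crawler). The indicator list is a heuristic assumption of this example, not a complete signature set, and the HTML and PHP samples are constructed.

```python
"""
Defender-side checks for the indicators in the follow-up post: response body
content after the closing </html> tag, and PHP source carrying constructs
typical of injected code. Added example, not the poster's code and not part of
Joomla. The samples are constructed; the indicator list is a heuristic
assumption, not a complete signature set.
"""
import re
import tempfile
from pathlib import Path

HTML_CLOSE = re.compile(r"</\s*html\s*>", re.IGNORECASE)

# Heuristic indicators (assumption of this example): name -> pattern.
PHP_INDICATORS = {
    # eval() fed by a decoding function: the usual obfuscated loader
    "eval_of_decoded_string": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # a very long base64-looking string literal
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # branching on the crawler's user agent (serve the links to Googlebot only)
    "user_agent_cloaking": re.compile(r"HTTP_USER_AGENT.{0,120}googlebot", re.I | re.S),
}


def trailing_after_html(body):
    """Text after the last </html> tag, whitespace stripped; '' means nothing found."""
    last = None
    for last in HTML_CLOSE.finditer(body):
        pass
    return body[last.end():].strip() if last else ""


def scan_php_source(src):
    """Sorted names of the indicators that fire on one PHP source string."""
    return sorted(name for name, pat in PHP_INDICATORS.items() if pat.search(src))


def scan_tree(root):
    """{relative path: indicator names} for every .php file under root that fires."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


# Constructed samples (example.invalid is a placeholder host).
CLEAN_HTML = "<html><head><title>t</title></head><body><p>ok</p></body></html>\n"
INJECTED_HTML = CLEAN_HTML + (
    "<!-- 1451837145 -->\n"
    '<div style="display:none"><a href="http://example.invalid/?page:buy-x">buy x</a></div>\n'
)
CLEAN_PHP = "<?php\ndefined('_JEXEC') or die;\necho 'hello';\n"
INJECTED_PHP = (
    "<?php\n"
    "if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
    "    eval(base64_decode('" + "QUJD" * 60 + "'));\n"
    "}\n"
)


def demo_scan():
    """Write the two PHP samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "clean.php").write_text(CLEAN_PHP)
        (Path(tmp) / "modules").mkdir()
        (Path(tmp) / "modules" / "injected.php").write_text(INJECTED_PHP)
        return scan_tree(tmp)


if __name__ == "__main__":
    print("after </html>:", repr(trailing_after_html(INJECTED_HTML)[:40]))
    for path, hits in demo_scan().items():
        print(path, "->", ", ".join(hits))
```

Point `scan_tree` at a copy of the web root (including the removed PayPal module files) and compare the flagged files against a clean Joomla download of the same version; the `</html>` check is meant for responses saved while fetching with a Googlebot user agent, since a normal browser fetch may not receive the injected trailer at all.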