
Joomla> Repair c99madshell hacked site

Jun 07, 2011
Written by Scott Rowley

This post covers removing the c99madshell hack that can get into some Joomla 1.5 sites. Most of this content comes from an original article on News Blog. I was only able to find one portion of this myself before finding their article; kudos and thanks go to them.

If you see the following Joomla error on most Joomla pages, including the admin section:

File Not Found: The requested URL was not found on this server

or if you see a list of spam links, then your installation has likely been compromised. There is a security bug in Joomla 1.5 that allows an attacker to reset your admin password.

You should take the following steps to get rid of the error message and secure your Joomla:


1. Back up your files and SQL database to an external location.
2. Delete the three files containing the c99madshell backdoor script:

/plugins/content/articles.php
/plugins/content/articles.xml
/plugins/content/articles_joomla.php


3. Change the owner of the /plugins/content/ folder to any user other than the apache user and set its permissions to 555.
Note: This next one I need clarification on, as response.php has multiple ob_start entries within it and I don’t know which one to comment out and how much of the code following it needs to be commented out along with it. I will edit this post if the original poster gets back to me.
4. Open the /libraries/joomla/environment/response.php file and, at line 197, comment out the PHP code starting with ob_start.
5. Change the owner of the /libraries/joomla/environment/response.php file to any user other than the apache user and set its permissions to 644.
6. Delete the /libraries/joomla/cache/button.gif file and create an empty one in its place.
7. Change the owner of the /libraries/joomla/cache/button.gif file to any user other than the apache user and set its permissions to 644.
8. Check whether /topnews/ and /hotnews/ exist. Delete these folders unless you installed them.
9. Set disable_functions in /etc/php.ini to:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source


10. In the /components/com_user/models/reset.php file, change line 116 from

$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));


to

$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = \''.$db->Quote($token).'\'');


The error message or spam should now be gone, the backdoor script removed, and the Joomla security hole patched.
If you have done everything right, you should now also be able to remove the button.gif mentioned earlier, and it should no longer be regenerated.
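
To confirm the cleanup took effect, the following read-only check looks for the artifacts named in steps 2 through 8. It is an added example, not part of the original article; the function name audit_joomla, the output labels, and the default web server account "apache" are assumptions.

```sh
#!/bin/sh
# Added example: read-only check for the artifacts named in steps 2-8.
# Prints one finding per line and changes nothing on disk.
audit_joomla() {
    root=${1%/}
    web_user=${2:-apache}   # assumption: account the web server runs as
    gif=libraries/joomla/cache/button.gif

    # Step 2: the three backdoor files must be gone.
    for f in articles.php articles.xml articles_joomla.php; do
        if [ -e "$root/plugins/content/$f" ]; then
            echo "BACKDOOR plugins/content/$f"
        fi
    done

    # Step 8: folders to delete unless you installed them yourself.
    for d in topnews hotnews; do
        if [ -d "$root/$d" ]; then echo "UNEXPECTED_DIR $d"; fi
    done

    # Step 6: button.gif, if present, should be an empty placeholder.
    if [ -s "$root/$gif" ]; then echo "NONEMPTY $gif"; fi

    # Steps 3, 5, 7: not owned by the web user, and mode as given.
    for spec in "plugins/content:dr-xr-xr-x" \
                "libraries/joomla/environment/response.php:-rw-r--r--" \
                "$gif:-rw-r--r--"; do
        path=${spec%%:*}
        want=${spec##*:}
        if [ ! -e "$root/$path" ]; then continue; fi
        # First 10 characters of the ls mode string, then the owner name.
        info=$(ls -ld "$root/$path" | awk '{print substr($1, 1, 10), $3}')
        mode=${info% *}
        owner=${info#* }
        if [ "$owner" = "$web_user" ]; then echo "WEB_OWNED $path"; fi
        if [ "$mode" != "$want" ]; then echo "MODE $path is $mode, want $want"; fi
    done
    return 0
}

# Usage: sh audit.sh /path/to/joomla [web_user]
if [ "$#" -gt 0 ]; then audit_joomla "$@"; fi
```

No output means none of the listed artifacts remain; running it again a day later also shows whether button.gif or the articles files have been regenerated.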
