.htaccess File Being Rewritten Every 30 Minutes on Joomla

We have worked with weird Joomla problems before, but this problem took the concept of weirdness to a whole new level! Here’s what was happening:

  1. The .htaccess file is hacked (hacking the .htaccess file is common and is easily remediable) and is redirecting traffic to the website when using Google Chrome to google.com, while traffic from both Mozilla Firefox and Internet Explorer was redirecting to a virus infected website.
  2. We upload a clean version of the .htaccess file and the site works fine.

  3. After 30 minutes, the .htaccess file is automatically changed to the hacked version.

  4. Repeat the above forever. (or at least until we knew the real reason of the problem)

Our first guess at the problem was that the permissions on the .htaccess were wrong, and so we set to them to 444 (which are the normal permissions on such critical files – if someone wants to change the .htaccess file then he’ll need to do it manually). This hasn’t worked, and the problem still existed.

We then called the hosting company to ask them if they have any tools that log file changes (e.g. which process/file is making a change to a file, which user is doing that change, and when is that change taking place). They said that they don’t maintain such logs.

We then wondered, what about the web logs? And so we checked them to see if there were any weird calls in these logs, and there were. In fact, we saw requests every 30 minutes from a specific IP (starting with the number 5) which was calling a file called .cache_*.php (located under images/banners), where * is usually a combination of 6 characters. That file was actually a duplicate of the file administrator/includes/toolbar.php with one difference: at the end of that file there was a very long preg_replace command, which was the actual hack! We deleted that file, and everything went OK – for a while!

A few hours later, the problem re-appeared, and the file .cache_*.php was restored. The thing is, there was another file, with a very innocent name, called script.php (located under the root of the website), which was being called if the .cache_*.php file was deleted. So, in other words, a program on the hacker’s end was doing the following:

  • Calling images/banners/.cache_*.php every 30 minutes and rewriting the .htaccess file to redirect to a malware site.
  • If it doesn’t find the .cache_*.php after approximately 10 retries, it was calling the file script.php, which will recreate the .cache_*.php, and then it will run the code in the .cache_*.php

We have to admit that this was one of the more advanced hacking techniques we have seen – but we did fix it by deleting the two files above and temporarily setting the permissions on the images/banners directory to 555 (r-xr-xr-x). It took us several hours to do that, but we did fix it eventually! And our customer couldn’t be happier as she was able to enjoy her weekend!

So what was the cause of this hack?

Well, the website was running Joomla 1.5.26 – which is now an unsupported version of Joomla since May of 2012 – which means that any vulnerabilities that exist on this version will no longer be addressed by the Joomla team. We have educated our customer about the benefits (especially when it comes to security) of migrating to Joomla 2.5.x as well as the complexity of such migration. We’re happy to say that our customer was convinced and has decided to migrate all her websites to the latest version of Joomla, which means a cleaner Internet for us all!

If your .htaccess file on your Joomla website is being changed every 30 minutes (or every hour), then try to fix it by following the above guide (once you clean your website then it’s recommended that you enhance its security by following our Joomla security tips). If you can’t, then fear not, all you need to do is to contact us and we’ll fix it for you in no time and at a very reasonable rate. We are also the nicest people that anyone can work with!

8 Responses to “.htaccess File Being Rewritten Every 30 Minutes on Joomla”
  1. Comment by Kent — September 1, 2012 @ 9:05 am

    Thanks, I am looking for this solution for few days.

  2. Comment by Fadi — September 2, 2012 @ 12:04 pm

    Hi Kent,

    Good we were able to help. We have noticed that this htaccess hack is very common nowadays (We had 5 cases since we have written this post, and that was a week ago).

  3. Comment by C. H. — September 3, 2012 @ 2:28 am

    I’ve got the same problem. Did a little digging and it appears the culprit on my Joomla 1.5.26 site is an old version of JCE (editor). The exploit will allow auto shell uploading. If the JCE is version 2.0.10 or earlier it’s vulnerable.

    I had a story.php file rather than script.php in my html/images/stories directory. That file had what looked to be a paswd in there. I tried plugging it into the .cache_6chars.php but didn’t ‘log in’. Not sure what the paswd is/was, but I’m uninstalling JCE and upgrading my site (as you suggest) to 2.5.x anyway. Just thought I’d pass this info on. Thanks for the page. It helped me dig deeper.

  4. Comment by Fadi — September 3, 2012 @ 7:49 am

    Hi C.H.,

    Thanks for your feedback – the number of people having this problem is increasing by the day. You’re right about the JCE editor.

    Further input on this issue:

    – Some really hit website have a hacked .htaccess in every top level directory (seems that whoever is hacking the website is too lazy to hit second level directories).

    – Sometimes there’s a malicious file in the root directory called clean.php.

    – The cache.php file located under the images/banners/ can be called something like .lib_*.php where * can be a random combination of characters.

  5. Pingback by Joomla 1.5.26 Is No Longer Secure! | itoctopus — September 3, 2012 @ 8:09 pm

    […] All these websites using Joomla 1.5.26 are being hacked at the moment – one by one, and repeatedly! […]

  6. Comment by jedi — September 10, 2012 @ 7:30 am

    We have the same problem. One file we’ve deleted was images/banners/ .lib_*.php

    But we can’t find the second file at the moment…

  7. Comment by Fadi — September 10, 2012 @ 8:09 am

    Hi Jedi,

    There’s not necessary 2 files. In any case, if you find any of the following files in the root directory of your website or any top level directories then they are most likely inserted by the hacker (and need to be deleted – but please check their contents first):

    web.php, init.php, core.php, engine.php, bootstrap.php, info.php

    Please note that it might be possible that these files look legitimate at first glance – so it’s very important to be thorough.

  8. Pingback by Is Joomla 1.5 Still Supported? | itoctopus — November 17, 2012 @ 1:22 am

    […] 1.5 websites (most of these websites are already upgraded to Joomla 1.5.26). The hacks vary from an .htaccess file that keeps being rewritten every 30 minutes or so (and redirecting to malicious websites), to the googlebot Joomla hack that displays different […]

Leave a comment