Solved

Hacked or not

Posted on 2012-03-14
11
528 Views
Last Modified: 2013-11-13
We have a Joomla website and it appears it may have been hacked. The site URL gets rewritten from

https://www.ourdomain.ie/index.php?option=com_enrolcourses&view=enrolcourses&courseid=4&Itemid=18&countrytabs=0

to

https://www.ourdomain.ie/?option=com_enrolcourses&view=enrolcourses&courseid=4&Itemid=18&countrytabs=0

ntice the index.php is removed. This only happens with the https used in teh URL without https the page displays fine.

The rsult of the above is that our site will not take course enrolments. Mission critical.

Thanks for any guidance as to how I can resolve this.

Ciaran
0
Comment
Question by:Needy11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722628
This doesn't look hacked. Check your .htaccess file and replace with a clean copy from the original joomla files if neccessary. I suspect something's been messed up there.
0
 

Author Comment

by:Needy11
ID: 37722780
I have replaced the .htaccess file by the previous without any success. Also attached here. its odd hte problem only happens with the HTTPS URL , this URL is needed for the e-commerce bit.

ANy other thoughts as to how I would troubleshoot this? Maybe its not a hack problem but its certainly very odd!

Ciaran
htaccess--2-.txt
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722811
When did it last work properly?

I would get in touch with the developers of the Enrol Course component and see if they are aware of any HTTPS issues...

Other than that I'm not sure, Joomla is full of nasty little surprises...
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:Needy11
ID: 37722874
It was working over the weekend, seems to have just decided to stop. No website changes since. Did you see anything in the .htaccess that would rewrite the index.php part of teh URL or do you think that is a red herring??

Tx
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722876
There are parts in the .htaccess which will re-write the index.php part of the URL.

Can you try renaming .htaccess to htaccess.txt and see what you get?
0
 

Author Comment

by:Needy11
ID: 37722940
I have tried that but with no change.  However t doesn't look like the problem is with the enrolcourses component . Even if I go to the main domain root with https it takes me to an incorrect page.

The domain is https://www.icepe.ie where as drop teh s in teh https s and all seems wekk untill you get to course enrol stuff.

No matter what page I try to hit using https it always displays the same page. The page it displays is the most recent one added to the system i..e has the highest ID???

Odd very odd...

Ciaran
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722953
What WebServer are you using?

I suspect that this may be a server config issue.
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722967
Are you using the "force SSL" setting?

Check your "configuration.php" file for "var $force_ssl = '1';" If it is set to 1 change to 0
0
 
LVL 3

Accepted Solution

by:
MikeyLLB earned 500 total points
ID: 37722992
It looks like all requests over SSL are being sent to a wordpress installation, not your joomla. Check your bindings in your webserver and confirm that the joomla website is bound on port 443 and (at least for now, ONLY your joomla website is on 443)
0
 

Author Closing Comment

by:Needy11
ID: 37724433
Thankyou yes this fixed it. Our VPS seemed to have reassigned the SSL IP for our domain. When I hard coded it back in to the .conf file all was fine and fixed.

Very responsive help Mike. Thankyou

Ciaran
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37724435
Looking great now :-)

It's nice when webservers take it upon themselves to decide what happens.
0

Featured Post

SendBlaster Pro 4 - Bulk Email Sending Software

SendBlaster 4 Pro - Best Bulk Emailing Sending Software
Automatic Subscribe / Unsubscribe Processing
Great for Newsletters & Mass Mailings
Optional HTML & Text Composition
Integration with Google Features
Built in Spam Score Checking
Free Professional Templates - Feature Packed!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question