?
Solved

Hacked or not

Posted on 2012-03-14
11
Medium Priority
?
532 Views
Last Modified: 2013-11-13
We have a Joomla website and it appears it may have been hacked. The site URL gets rewritten from

https://www.ourdomain.ie/index.php?option=com_enrolcourses&view=enrolcourses&courseid=4&Itemid=18&countrytabs=0

to

https://www.ourdomain.ie/?option=com_enrolcourses&view=enrolcourses&courseid=4&Itemid=18&countrytabs=0

ntice the index.php is removed. This only happens with the https used in teh URL without https the page displays fine.

The rsult of the above is that our site will not take course enrolments. Mission critical.

Thanks for any guidance as to how I can resolve this.

Ciaran
0
Comment
Question by:Needy11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722628
This doesn't look hacked. Check your .htaccess file and replace with a clean copy from the original joomla files if neccessary. I suspect something's been messed up there.
0
 

Author Comment

by:Needy11
ID: 37722780
I have replaced the .htaccess file by the previous without any success. Also attached here. its odd hte problem only happens with the HTTPS URL , this URL is needed for the e-commerce bit.

ANy other thoughts as to how I would troubleshoot this? Maybe its not a hack problem but its certainly very odd!

Ciaran
htaccess--2-.txt
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722811
When did it last work properly?

I would get in touch with the developers of the Enrol Course component and see if they are aware of any HTTPS issues...

Other than that I'm not sure, Joomla is full of nasty little surprises...
0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 

Author Comment

by:Needy11
ID: 37722874
It was working over the weekend, seems to have just decided to stop. No website changes since. Did you see anything in the .htaccess that would rewrite the index.php part of teh URL or do you think that is a red herring??

Tx
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722876
There are parts in the .htaccess which will re-write the index.php part of the URL.

Can you try renaming .htaccess to htaccess.txt and see what you get?
0
 

Author Comment

by:Needy11
ID: 37722940
I have tried that but with no change.  However t doesn't look like the problem is with the enrolcourses component . Even if I go to the main domain root with https it takes me to an incorrect page.

The domain is https://www.icepe.ie where as drop teh s in teh https s and all seems wekk untill you get to course enrol stuff.

No matter what page I try to hit using https it always displays the same page. The page it displays is the most recent one added to the system i..e has the highest ID???

Odd very odd...

Ciaran
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722953
What WebServer are you using?

I suspect that this may be a server config issue.
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37722967
Are you using the "force SSL" setting?

Check your "configuration.php" file for "var $force_ssl = '1';" If it is set to 1 change to 0
0
 
LVL 3

Accepted Solution

by:
MikeyLLB earned 2000 total points
ID: 37722992
It looks like all requests over SSL are being sent to a wordpress installation, not your joomla. Check your bindings in your webserver and confirm that the joomla website is bound on port 443 and (at least for now, ONLY your joomla website is on 443)
0
 

Author Closing Comment

by:Needy11
ID: 37724433
Thankyou yes this fixed it. Our VPS seemed to have reassigned the SSL IP for our domain. When I hard coded it back in to the .conf file all was fine and fixed.

Very responsive help Mike. Thankyou

Ciaran
0
 
LVL 3

Expert Comment

by:MikeyLLB
ID: 37724435
Looking great now :-)

It's nice when webservers take it upon themselves to decide what happens.
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
A look at what happened in the Verizon cloud breach.
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
Six Sigma Control Plans

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question