by nedzad
over 3 years ago

Subject (JS:ScriptIP-INF (TRJ)) is what somehow came to my hosting account. So I have a few Joomla sites, including beta.ba. Can I clean this in any way, and does JS:ScriptIP-INF (TRJ) affect the database too?

Thank you a lot.

by redleg
over 3 years ago

Your site beta.ba is doing a conditional redirect. When the referring page is Google, the requests get redirected to http:// tectiljob . ru /clock/index.php, which is a malicious site. There are many ways to do that on a Joomla site, but I suggest you start by checking any/all .htaccess file(s) for the redirect.

by nedzad
over 3 years ago

What shall I look for in htaccess?

    # @version $Id: htaccess.txt 21101 2011-04-07 15:47:33Z dextercowley $
    # @package Joomla
    # @copyright Copyright (C) 2005 - 2011 Open Source Matters. All rights reserved.
    # @license GNU General Public License version 2 or later; see LICENSE.txt

    # The line just below this section: 'Options +FollowSymLinks' may cause problems
    # with some server configurations. It is required for use of mod_rewrite, but may already
    # be set by your server administrator in a way that disallows changing it in
    # your .htaccess file. If using it causes your server to error out, comment it out (add # to
    # beginning of line), reload your site in your browser and test your sef url's. If they work,
    # it has been set by your server administrator and you do not need it set here.

    ## Can be commented out if causes errors, see notes above.
    Options +FollowSymLinks

    ## Mod_rewrite in use.

    RewriteEngine On

    ## Begin - Rewrite rules to block out some common exploits.
    # If you experience problems on your site block out the operations listed below
    # This attempts to block the most common type of exploit `attempts` to Joomla!
    # Block out any script trying to base64_encode data within the URL.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    # Block out any script that includes a URL.
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a REQUEST variable via URL.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Return 403 Forbidden header and show the content of the root homepage
    RewriteRule .* index.php [F]
    ## End - Rewrite rules to block out some common exploits.

    ## Begin - Custom redirects
    # If you need to redirect some pages, or set a canonical non-www to
    # www redirect (or vice versa), place that code here. Ensure those
    # redirects use the correct RewriteRule syntax and the [R=301,L] flags.
    ## End - Custom redirects

    # Uncomment following line if your webserver's URL
    # is not directly related to physical file paths.
    # Update Your Joomla! Directory (just / for root).
    # RewriteBase /

    ## Begin - Joomla! core SEF Section.
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    # If the requested path and file is not /index.php and the request
    # has not already been internally rewritten to the index.php script
    RewriteCond %{REQUEST_URI} !^/index\.php
    # and the request is for something within the component folder,
    # or for the site root, or for an extensionless URL, or the
    # requested URL ends with one of the listed extensions
    RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
    # and the requested path and file doesn't directly match a physical file
    RewriteCond %{REQUEST_FILENAME} !-f
    # and the requested path and file doesn't directly match a physical folder
    RewriteCond %{REQUEST_FILENAME} !-d
    # internally rewrite the request to the index.php script
    RewriteRule .* index.php [L]
    ## End - Joomla! core SEF Section.

by redleg
over 3 years ago

Check for a line similar to this

    RewriteRule .* http:// tectiljob . ru /clock/index.php

When checking the file be sure to scroll all the way to the end of the file as the hackers will frequently add 100s of blank lines before their malicious code.

If you don't find anything in the .htaccess file you will need to start checking your php files next. The redirect code will likely be obfuscated php code, a line of php code that starts out eval(base64_decode(' then a long string of seemingly random characters. Start by checking the files includes/defines.php and /configuration.php and the homepage index.php. The files index2.php, changelog.php, LICENSES.php, gdform.php, framework.php, and credits.php are also common targets.
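
The checks described in the reply above, as an added Python example that is not part of the original thread: it flags RewriteRule lines in a .htaccess that send visitors to an external host, noting whether a referer condition precedes the rule and whether it sits behind a long run of blank lines, and it lists PHP lines containing eval(base64_decode(. The function names, the BLANK_RUN threshold, the own_hosts parameter and the sample inputs are assumptions constructed for illustration.

```python
import re

RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
PHP_EVAL = re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I)
BLANK_RUN = 20  # assumption: this many consecutive blank lines counts as padding

def scan_htaccess(text, own_hosts=()):
    """Return (line_no, host, referer_conditional, after_blank_padding) per external redirect."""
    findings, blanks, referer_cond, padded = [], 0, False, False
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        padded = padded or blanks >= BLANK_RUN   # sticky once padding was seen
        blanks = 0
        if REFERER_COND.match(line):
            referer_cond = True                  # applies to the next RewriteRule
            continue
        m = RULE.match(line)                     # commented-out rules do not match
        if not m:
            continue
        target = m.group(1)
        if re.match(r'https?://', target, re.I):
            host = re.sub(r'^https?://', '', target, flags=re.I).split('/')[0].lower()
            if host not in own_hosts:            # skip the site's own canonical redirects
                findings.append((n, host, referer_cond, padded))
        referer_cond = False                     # conditions end at their rule
    return findings

def scan_php(text):
    """Return line numbers containing the eval(base64_decode( pattern."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PHP_EVAL.search(line)]

# Constructed sample input: placeholder host, harmless base64 payload.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteRule .* index.php [L]\n"
    + "\n" * 300 +
    "RewriteCond %{HTTP_REFERER} google [NC]\n"
    "RewriteRule .* http://redirect.example/clock/index.php [R=302,L]\n"
)
SAMPLE_PHP = "<?php\neval(base64_decode('Q09OU1RSVUNURUQ='));\n?>\n"

if __name__ == "__main__":
    for hit in scan_htaccess(SAMPLE_HTACCESS):
        print("htaccess line %d -> %s (referer-conditional=%s, after padding=%s)" % hit)
    print("php lines:", scan_php(SAMPLE_PHP))
```

Pass the site's own hostnames in own_hosts so a legitimate www/non-www canonical redirect is not reported.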
