Site hacked. Need to redirect pages. 301 or something else?

         

cmendla

3:15 pm on Nov 26, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We have a situation where a site was hacked. The hackers placed a file that creates pages such as /example

The site is running Joomla 1.5 so it has security holes you could drive an aircraft carrier through. They are in the process of a redesign but that isn't happening quickly enough. My immediate goal is to stop this hack.

Right now they are showing in the search engines for the products the hackers are pushing, i.e. if you search for sitename example, you see them listed in Google pointing to www.example.com/example.

My thought was to do a 301 redirect of www.example.com/example for each item to www.example.com.

However, I would think that would be bad for SEO. What would be the best way to do this? I'm going to do some research to see if there is something like a 404 redirect or some way to 301 without 'endorsing' the link.

thanks

chris

lucy24

9:14 pm on Nov 26, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Seems like any action at all would be counterproductive, because it implies that you're taking responsibility for the URLs. A mass redirect to the front page is never the best idea. If you don't already have a nice human-readable 404 page, make one.

Now, technically you could rewrite certain requests to a special page that returns a numerical 404 response while physically going on to show the content of yet another page. But that's "technically" in the broad sense of "almost all things are possible".

bwnbwn

9:25 pm on Nov 26, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If the site is hacked and you can't fix it or clean it up now, your best bet would be to take it down and put a coming soon page up.
Kill all the URLs, otherwise you're going to have a poisoned domain if the hackers so choose to have the user land on a really bad download.

cmendla

9:28 pm on Nov 26, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Lucy - The main problem is that the site is running on Joomla 1.5. IOW, it has holes you could drive an aircraft carrier through. They are in the process of migrating to a new platform.

I did some more research and it seems that a Redirect 410 in the htaccess might work. 410 says that the resource is gone, it won't be coming back and please purge it from your indexes if you are a search engine.

That way, what should happen is (1) the hackers will be wasting their time trying to create the pages as before. (2) the search engines should drop the hack-created pages from their indexes ... in a perfect world....

cmendla

1:17 am on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Bwnbwn - For them, taking the site down for 2 months isn't an option with the holiday season coming. I do agree about the risk. The 410 will work, but only for known pages, i.e. /example; if they change that to /red-example then I'd have to add that to the htaccess.

My suggestion was that they take the site down and replace it with a Joomla 2.5 bare-bones site.

We'll see how things pan out.

chris

lucy24

1:40 am on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



but only for known pages ie. /example if they change that to /red-example then I'd have to add that to the htaccess

I don't understand why you need to. If there's an outside link to a nonexistent page, then surely that's on them.

:: trying to work out real-life analogy involving best course of action if you move into an apartment formerly occupied by crack dealers ::

cmendla

2:26 am on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Lucy - They planted a PHP file that generated pages on the site such as www.example.com/example. Those pages showed in the SERPs. If people came to the page, the link there would take them to a malware site.

Apparently the site owner's server and installation are compromised. When I found the PHP file, I deleted the contents but left the file there. I changed the permissions to 000. Less than 3 hours later the file was back working with permissions of 755. I don't have control over the server and hosting. All I can do is fix what I can.

So, when the site has /example1 /example2 etc those are REAL pages on the site. Given the ease with which the site was hacked and rehacked, I had to find a way to foul them up.

I killed their php app a bit more subtly this time.. I just went in and tweaked the code a bit. I did notice in the logs that they apparently request their pages. I suppose that if they don't see their pages, they attempt to replant the hijacker.

Well now their site can generate the pages all they want. When Google or anyone else comes looking for the pages, they get a 'this page is GONE forever' message. That is just a stopgap but it appears to have derailed them for now.

bwnbwn

3:18 pm on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ok cmendla for the next 2 months you can deal with it. I will tell you the domain is going to be filtered and probably a manual action will take place.
Google and Bing will not allow your site to resolve much longer in their serps and frankly I would prefer the domain to be nuked because from what you have said it is a dangerous site.

This is the problem with the web: a site is hacked, rehacked, and spreading crap to unsuspecting possible customers. The owner doesn't have the guts to take the site off cuz it will be a problem for him, so let's leave this crap up until we can fix it 2 months down the road and screw all those that got infected.

Take the crap offline; this is what the website is. I am sorry to be blunt but the facts speak for themselves.

You will be hacked again; they have you in their crosshairs and it will happen again if it hasn't already. They probably have more control of the server than you do.

cmendla

3:44 pm on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



All I can do with the client is to advise and guide, which I've done.

Given that, I can walk away or I can secure it as best as I can. The point here is that the 410 redirect seems to be successful. Their script can create the pages all it wants.. htaccess is preventing those pages from existing.

I checked Webmaster Tools and there is no indication of malware according to Google WMT. I have seen WMT miss malware before. With the pages now gone, that should prevent any malware penalties.

The next step will be to look at incoming links they might have laid and start dealing with that. Any of their incoming links will be pointing to a page that no one can see.

If anyone else has a similar situation, I would suggest adding 410 redirects. Even if you are running Joomla 3.2 with security extensions, you could still get hacked. It happens to billion dollar companies regularly.
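An added example, not part of the thread: one way to confirm from the access log that the planted URLs really are answered with 410, and to see which clients keep requesting them. It assumes Apache's "combined" log format; the log lines and IP addresses are constructed, and `audit` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, paths taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [27/Nov/2013:02:01:00 +0000] "GET /example HTTP/1.1" 410 312 "-" "Googlebot/2.1"',
    '203.0.113.7 - - [27/Nov/2013:02:05:10 +0000] "GET /example HTTP/1.1" 410 312 "-" "curl/7.30"',
    '203.0.113.7 - - [27/Nov/2013:02:05:11 +0000] "GET /red-example HTTP/1.1" 200 5120 "-" "curl/7.30"',
    '203.0.113.7 - - [27/Nov/2013:05:05:12 +0000] "GET /example?x=1 HTTP/1.1" 410 312 "-" "curl/7.30"',
    '198.51.100.4 - - [27/Nov/2013:02:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def audit(lines, spam_paths):
    """Return (spam paths answered with a non-410 status, requests per client)."""
    leaking = defaultdict(set)
    clients = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path not in spam_paths:
            continue
        clients[m.group("ip")] += 1
        if m.group("status") != "410":
            leaking[path].add(m.group("status"))
    return dict(leaking), clients

if __name__ == "__main__":
    leaking, clients = audit(SAMPLE, {"/example", "/red-example"})
    print("still served:", leaking)
    print("requests per client:", clients.most_common())
```

A path that appears under "still served" is one the .htaccess rules do not cover yet, which is the /red-example case raised earlier in the thread.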

bwnbwn

4:04 pm on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



cmendla fair enough you are doing what you can.

Interesting you said "I would suggest adding 410 redirects. Even if you are running Joomla 3.2 with security extensions, you could still get hacked. It happens to billion dollar companies regularly."

Don't post it in here but can you send me how the hack happened and where you think the same hack can happen in 3.2. I am working with a site right now and this I would love to know.

Probably already been here to do some research; JIC, here is a good checklist to go through.

http://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced

[edited by: bwnbwn at 4:35 pm (utc) on Nov 27, 2013]

cmendla

4:29 pm on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



bwnbwn - I'll send you a link but google joomla 3.1 site hacked. There are a surprising number of posts at the Joomla site and other forums.

My language wasn't precise though..

Billion dollar companies get hacked
Joomla 3.x sites get hacked

were two separate thoughts

I did not mean that as billion dollar companies running Joomla 3.x get hacked.

bwnbwn

8:09 pm on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks cmendla, I got it. Seems there is no one that can make a connection on where it is coming from or how they got in. The threads I read and I looked at others are all different with different levels of access. The link I posted in my above thread is a good one to help find access entry points. I will be using that link to help see if the website I am working with has holes.
I already know there was a hack on the website I am working with, but it wasn't Joomla code, it was custom coding on their part. It wasn't a true hack server side but an injection within the custom code through a bad JavaScript.

JD_Toims

8:40 pm on Nov 27, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think I'd be inclined to lock the place down in cmendla's situation, meaning:

Turn off any/all commenting.
Back the entire site up.
Change the DB user/password.
Change all admin passwords.
Get that done and then delete entire admin section of Joomla from the server.
Delete the "hacker's" file(s) from the server.
Chmod everything to 644 or 744 depending on the server settings.

And then see if they can still get in and write files or not.

-- Yes, I understand this would make any additions/edits to the site difficult, but if they're wanting to "make it through the holidays unscathed", it's one of the best ways I can think of and if "admin needs to happen" the admin section could be uploaded for that, then deleted again.

-- If the hackers can still get in, then I'd scrape the site and save it as HTML pages (might need to save those as .php to keep the URLs the same, even though they don't need to be parsed), delete Joomla and the mod_rewrite that comes along with it, upload the static HTML version of the site and edit the .htaccess to *not* parse .php if I had to use .php extensions to keep the URLs the same -- I'd do the same thing with permissions -- Basically, I'd convert the whole thing to static HTML rather than having someone else be able to do "who knows what you haven't found or noticed yet" to the site.

-- If they could still get in after the preceding, then a new host with the static pages from the site would be the next step.
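An added example, not part of the thread: a baseline-and-compare check for the web root that answers "see if they can still get in and write files or not", and that would have flagged the file cmendla described coming back with permissions 755. The file names and the scenario in `demo()` are constructed; `snapshot` and `diff` are hypothetical helper names.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each file under root to (permission bits, SHA-256 of its contents)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # unreadable, e.g. mode 000 when not root
            state[os.path.relpath(path, root)] = (mode, digest)
    return state

def diff(baseline, current):
    """Return sorted (path, change) findings between two snapshots."""
    findings = [(p, "deleted") for p in baseline if p not in current]
    for path, (mode, digest) in current.items():
        if path not in baseline:
            findings.append((path, "new file, mode %03o" % mode))
            continue
        old_mode, old_digest = baseline[path]
        if digest != old_digest:
            findings.append((path, "content changed"))
        if mode != old_mode:
            findings.append((path, "mode %03o -> %03o" % (old_mode, mode)))
    return sorted(findings)

def demo():
    """Constructed scenario: an emptied, mode-000 file is restored and a new file planted."""
    with tempfile.TemporaryDirectory() as root:
        stub, extra = os.path.join(root, "gen.php"), os.path.join(root, "new.php")
        open(stub, "w").close()          # hypothetical name; contents deleted
        os.chmod(stub, 0o000)
        baseline = snapshot(root)
        os.chmod(stub, 0o755)            # the file comes back executable
        for path in (stub, extra):
            with open(path, "w") as fh:
                fh.write("<?php /* constructed sample */ ?>")
        os.chmod(extra, 0o644)
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server account cannot write, and take it only after the lockdown steps are finished, so that later findings reflect new writes rather than the cleanup itself.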