SOLVED So, I was hacked. I'd love to hear best practices from this point forward

  • SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago

      So, I just learned one of my sites was hacked. :( I first deleted about a zillion fake advertisement files that they loaded on the host. I've been monitoring their activity over the last 24 hrs to get an idea what they're up to. They are still getting in, periodically placing little .php files with the same code each time out there at the /public_html/ level. Here's an example of these .php files that get posted as a set to this directory with names like "progress.php", "tendency.php", "thank.php", "wife.php", and "woman.php":
      <?php
      // Dropped redirect script: picks one of the attacker's URLs at random
      $target_urls = array (
          'http://dj34ek.net/?a=370951&c=wl_con&s=06YM4',
          'http://2f87up.net/?a=370951&c=wl_con&s=06YM4',
          'http://skbahf.net/?a=370951&c=wl_con&s=06YM4',
      );
      $n = mt_rand(0, count($target_urls) - 1);
      $rand_url = $target_urls[$n];
      ?>
      <!-- and sends the visitor there after two seconds via a meta refresh -->
      <meta http-equiv="refresh" content="2; url=<?php echo $rand_url; ?>">

      They don't affect the appearance of the website generally speaking, but they are clearly using the server as their own to do nefarious things.

      I see they modify the joomla files in some respects, and seem quite sophisticated and knowledgeable about how to hack Joomla. Some of these changes have crippled some of the backend functionality however.

      So, I'd love to hear the following from the experts:

      1. What are the proper steps going forward? I see this out there, but I can't tell if it's up-to-date, or if you folks agree.
      2. I'd love to know what technique is being used to hack it.
      3. What's the best practices to avoid this with an up-to-date Joomla/Rockettheme template?

      Thanks in advance for your responses.
    • Last Edit: 9 years 6 months ago by Stan Sacha.
    • DanG

    Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago
  • Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago
    • Agreed, although we don't use Joomla as often as we used to, no site gets built without Akeeba Admin Tools in place for Joomla or Wordfence for Wordpress.

      It's also worthwhile ensuring your cPanel/Hosting account is suitably secured with a very strong (12 character) random password that you don't write down anywhere (or is secured in a strong password manager).

      After cleaning up a number of client sites that got hacked: immediately reset/change all your cPanel, FTP, admin and email etc. passwords (all of them, everything) to something stronger. Also work with your hosting company to determine which files have been affected or altered, as often an innocuous .php file can be left around or a file has been modified that you don't notice, and this will continue to reinfect the site.

      As always, prevention is better than cure. Wordfence for example continually scans for modified files and sends a warning out to us, most often this is a plugin upgrade, but we get notified immediately and can take action straight away if something is amiss.

      We've also come across a situation where a "subdomain" (and those spam php files) was created on one website by another (but completely separate) user on the same server (some flaw in cpanel as far as I can determine).

    • CMYKreative: Graphic Design, Web Design, Printing, Banner Ads, Branding and more.
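The two practical steps raised so far, spotting the dropped redirect files the original post shows and finding which files have been added or altered, can be combined into one baseline check. This is an added example, not code from the thread or from any of the products mentioned: it hashes a webroot, diffs it against a saved baseline, and flags new or changed PHP files that carry the traits of the quoted dropper (URL array, mt_rand() pick, meta refresh). The sample dropper and webroot are constructed with placeholder values.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Traits of the dropper quoted in the thread: an array of target URLs, a
# random pick with mt_rand(), and a <meta http-equiv="refresh"> redirect.
REDIRECT_PATTERNS = [
    re.compile(r"http-equiv\s*=\s*[\"']refresh[\"']", re.I),
    re.compile(r"\$target_urls\s*=\s*array", re.I),
    re.compile(r"\bmt_rand\s*\(", re.I),
]

# Constructed sample (placeholder host, not the domains from the thread).
CONSTRUCTED_DROPPER = """<?php
$target_urls = array('http://placeholder.invalid/?a=1');
$n = mt_rand(0, count($target_urls) - 1);
?>
<meta http-equiv="refresh" content="2; url=<?php echo $target_urls[$n]; ?>">
"""

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(webroot: Path) -> dict:
    """Map each file's path (relative to webroot) to its SHA-256."""
    return {str(p.relative_to(webroot)): sha256_of(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def looks_like_redirect_dropper(source: str) -> bool:
    """Flag a file only when at least two traits occur together."""
    return sum(1 for pat in REDIRECT_PATTERNS if pat.search(source)) >= 2

def scan(webroot: Path, baseline: dict) -> dict:
    """Diff the webroot against the baseline; inspect new/changed PHP files."""
    current = build_baseline(webroot)
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    removed = sorted(set(baseline) - set(current))
    suspects = [p for p in added + modified if p.lower().endswith(".php")
                and looks_like_redirect_dropper((webroot / p).read_text(errors="ignore"))]
    return {"added": added, "modified": modified, "removed": removed, "suspect_php": suspects}

def demo() -> dict:
    """Constructed webroot: baseline, then a dropped file plus a tampered original."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'site'; ?>")
    baseline = build_baseline(root)
    (root / "wife.php").write_text(CONSTRUCTED_DROPPER)
    (root / "index.php").write_text("<?php echo 'site'; /* tampered */ ?>")
    return scan(root, baseline)
```

Store the baseline off the server (e.g. as JSON) right after a clean deploy; a modified core file shows up under "modified" even when its content matches no signature, which is the case the thread's "file you don't notice" warning is about.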
  • Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago
    • Thanks for the comments, and the links for me to read up on.

      I still haven't heard insight on HOW they are getting in based on the code example I've given. Passwords have changed. Software has been up-to-date. They hide their activities from the view of the website for the most part, so either they have lots of code hidden inside original Joomla code, or they are doing some sort of hack that I don't even know anything about.

      I guess my next plan of action is to recreate an entirely new version of the same website locally, wipe out what's there, and change all the passwords again before I push it to the live server. I'm sure I'll implement some other new security measures as well, such as two factor authentication. Then I'll see if they can get back in.

      What a pain!
  • Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago
    • Your hosting company should be able to assist in tracking down when and how this occurred. Most commonly it's a password that the hackers have gotten hold of somehow, a password that is too simple that their bots can crack easily, or a file or a plugin that's insecure and allows code injection.
    • CMYKreative: Graphic Design, Web Design, Printing, Banner Ads, Branding and more.
    • DanG

    Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago
    • GoForIT wrote:
      Thanks for the comments, and the links for me to read up on.

      I still haven't heard insight on HOW they are getting in based on the code example I've given. Passwords have changed. Software has been up-to-date. They hide their activities from the view of the website for the most part, so either they have lots of code hidden inside original Joomla code, or they are doing some sort of hack that I don't even know anything about.

      I guess my next plan of action is to recreate an entirely new version of the same website locally, wipe out what's there, and change all the passwords again before I push it to the live server. I'm sure I'll implement some other new security measures as well, such as two factor authentication. Then I'll see if they can get back in.

      What a pain!

      If you have any extensions that accept input from a user, such as a contact form, and the extension doesn't adequately protect against script injection then... you're HACKED :(

  • Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 6 months ago
    • Thanks Dan. That's an interesting comment you just made.

      I don't use any form-related input extensions in this website, but the use of them is a very interesting topic that I've often examined. Luckily, most of my clients choose not to go that route, and I haven't been burned yet by it. I have a general policy of NEVER storing sensitive data online for clients, but that's a murky discussion.

      The main question would be... "How does one know if the extension adequately protects you from SQL injections?" Most of us are not qualified to look at the source code and definitively determine that question. Even if we were, we would have to do regression tests to prove that any changes to the extension have not created a new vulnerability. For most of us, it's really a question of faith. :D

      I know this is a loaded question, and one that most would not answer, but is there a list of reliable form extensions?
    • DanG

    Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 5 months ago
    • GoForIT wrote:
      I know this is a loaded question, and one that most would not answer, but is there a list of reliable form extensions?

      For complex forms I use "RSForm!Pro" and for simple Contact Us forms I use "Aikon Easy Form Builder" ;)
  • Re: SOLVED So, I was hacked. I'd love to hear best practices from this point forward

    Posted 9 years 5 months ago