
Hacked a few hours after launch

    • breeze
    • Hero Rocketeer
    • Posts: 365
    • Thanks: 0

    Hacked a few hours after launch

    Posted 14 years 7 months ago
    • Ugghh.... What's the likelihood of being hacked within hours of launch? See attached screenshot images. A line was added to the index.php file.

      This site was a beast to complete and included some custom integrations that I really don't want to have to revisit. After cleaning this mess up and QUICKLY making my first backup of this new site, what are the 1st steps I should take to secure the site? How do I know how they wrote over the site files or whether they wrote to any other files? It's running the latest version of Joomla (1.5.20) and the latest versions of all the extensions:
      JEvents
      DT Donate
      DT Register
      Workplace
      AcyMailing
      Jobs Pro
      AEC
      JUGA
      Stalker
      Sexy Bookmarks
      Akeeba (Joompack)
    • Roeland_A!
    • Preeminent Rocketeer
    • Posts: 10193
    • Thanks: 71

    Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • I had a look with Google for the script, maybe this is a starting point. Change all your passwords ASAP.
    • *Karma comes in many forms, my personal favourite is the random saucepan from the sky* J.Spencer 17-02-2009
  • Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • Make sure you check the vulnerable extension list out and make sure you are running the most up-to-date extensions (when they are listed as being fixed). Here's the link: docs.joomla.org/Vulnerable_Extensions_List

      I also googled the script, here's what I found: blog.unmaskparasites.com/2010/06/17/malw...d-subdomains-part-2/

      Like Roeland said, start by changing EVERY password you have. You'll need to check every file for the code and replace everything as needed and try to find how they got in. I've used raw access logs in the past for this.
    • breeze
    • Hero Rocketeer
    • Posts: 365
    • Thanks: 0

    Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • Yeah. I don't know. Soon after scrubbing the code from over 200 files, the site was hit again... worse. This time it got over 700 files. I've just scrubbed the site again and gotten a clean backup saved locally. I'm not sure why this is happening. The Joomla installation is the latest version with the latest security patches. All the extensions with the exception of Joompack/Akeeba are the latest available and none of the extensions appear on the vulnerable extensions list at docs.joomla.org/Vulnerable_Extensions_List

      Since the second attack, I've changed the FTP password (the old password was seemingly complex too) as well as the Joomla global admin username and password. The site is hosted on Media Temple's grid server and they insist that their servers are safe. Any other suggestions would be enthusiastically executed and greatly appreciated.
    • Ben Lee
    • Elite Rocketeer
    • Posts: 4193
    • Thanks: 42

    Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • Be sure to change the password for your hosting account and FTP info. If they have that, they'll get in no matter what you do with Joomla.

      Also, if you can, use SFTP and not FTP. That's FTP with a Secure connection like SSL uses.

      You can try a re-install using a new database with a new database name and password.
    • Roeland_A!
    • Preeminent Rocketeer
    • Posts: 10193
    • Thanks: 71

    Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • You probably have some trojan on your local machine, so ALL passwords have been compromised.
      So, first make sure that your local machines are completely clean.
    • *Karma comes in many forms, my personal favourite is the random saucepan from the sky* J.Spencer 17-02-2009
    • breeze
    • Hero Rocketeer
    • Posts: 365
    • Thanks: 0

    Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • I'll need to find some Mac-compatible app to scan my system. My partner develops from his PC on occasion so we'll definitely scan that. Again, thanks to everyone for the insight and advice.

      Everything was successfully scrubbed a second time, browsers upgraded, passwords changed, Joomla username changed, accessing via SFTP now, purchased and installed OSE Security Suite, have automated scheduled backups now, and no longer taking site security for granted. Because it's a new site and a new client, I was particularly frustrated. I think we are making good progress now though.
    • Roeland_A!
    • Preeminent Rocketeer
    • Posts: 10193
    • Thanks: 71

    Re: Hacked a few hours after launch

    Posted 14 years 7 months ago
    • If you didn't start off scanning your local machines, then you may have to start from scratch again. If one of your local machines has been compromised, you may find that someone is continually taking your passwords.
    • *Karma comes in many forms, my personal favourite is the random saucepan from the sky* J.Spencer 17-02-2009
