
Site Hacked. Please advices

    • Franck

    Site Hacked. Please advices

    Posted 14 years 3 months ago
    • Hello,

      My site is using solar sentinel template 1.5.4 and it was hacked for the second time. I'm using Joomla 1.5.22 and third-party extensions.
      The first attack, a few months ago, was an SQL injection in the main menu. Malicious code was constantly injected into the menu through an iframe, causing the download of a trojan for IE users. The only solution I found was to remove the main menu from my site and create an alternative menu in the right position. Unfortunately, I was not able to fix the security hole allowing the hacker to inject the code in the main menu.

      The second attack started some days ago. Avast anti-virus was detecting malware from this site: fayoboseno1.cz.cc
      I was thinking that this attack was due once more to an SQL injection, but I finally found the malicious code just before the </body> tag.
      If you think that is useful, I can paste the code in this thread...

      The index.php file of solar sentinel template was with CHMOD 664. The solar sentinel folder and the template folder were with CHMOD 775.
      FTP was not accessed by another person, just me (this information was provided by my hosting company).
      The backend password is strong, so I really don't think that someone can recover the password by brute force.

      I'm going to check third-party extensions for security issues and update them if needed. However, I would like some advice about security.
      Do you think it's necessary to change the solar sentinel template for a new one? Some files of the template may be corrupted now by the hacker?
      Do you know some good extensions I can install that check if files were modified?
      I was using SecureLive extension but I had to enable it because it was blocking too many people and I was receiving a lot of complaints from visitors.

      Thanks for your help and advice.
    • prim

    Re: Site Hacked. Please advices

    Posted 14 years 3 months ago
    • "The index.php file of solar sentinel template was with CHMOD 664. The solar sentinel folder and the template folder were with CHMOD 775."

      Normally they should be 644 (files) and 755 (folders)

      As for insecure extensions, you might want to look here: docs.joomla.org/Vulnerable_Extensions_List

      "Do you think it's necessary to change the solar sentinel template for a new one? Some files of the template may be corrupted now by the hacker?
      Do you know some good extensions I can install that check if files were modified?"

      I don't think it's the template's fault so changing that won't help. You need to Google for a file/folder comparison program that runs on your own computer. UltraCompare (comes with UEStudio) is a nice tool for Windows.
    • Please reply with a direct link to the issue & create a new thread for each new issue.

      A template is only as good as the content that goes into it ;) - DanG
    • Franck

    Re: Site Hacked. Please advices

    Posted 14 years 3 months ago
    • Thanks a lot Prim for your advice.
      In my previous message I was wrong about CHMOD. Folders are indeed 755 and files 644. Today the hacker injected the malicious code in index.php (just before </body> tag) and also in t_styleloader.php before any other code...

      I'm checking extensions for vulnerabilities but have not found anything wrong until now :cry:
    • Yves

    Re: Site Hacked. Please advices

    Posted 14 years 3 months ago
    • Read Brian's post: Help my Joomla web site has been hacked!!
      maybe you were exploited yesterday, ready to be hacked tomorrow
      For this I would recommend using a "grep" tool, especially if you have a lot of new files, to search through the files to ensure that they do not contain strings like gzinflate and base64.
    • Yves
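
The checks suggested in the replies above (644/755 permissions, comparing the site against a known-good copy, and searching for gzinflate and base64) can be combined in one script run on a downloaded copy of the site. This is an added example, not code from any poster; the function names, directory layout and sample files are constructed assumptions.

```python
import os, re, tempfile
from pathlib import Path

SUSPICIOUS = re.compile(rb"gzinflate|base64", re.IGNORECASE)  # strings named in the thread

def audit(live_root, backup_root):
    """Compare a downloaded site copy with a known-good backup (both pathlib.Path)."""
    out = {k: [] for k in ("added", "modified", "missing", "suspicious", "writable")}
    for path in sorted(p for p in live_root.rglob("*") if not p.is_symlink()):
        rel = path.relative_to(live_root).as_posix()
        mode = path.stat().st_mode & 0o777
        if mode & 0o022:  # group/world write bit set: 664/775 rather than 644/755
            out["writable"].append((rel, oct(mode)))
        if not path.is_file():
            continue
        ref, data = backup_root / rel, path.read_bytes()
        if not ref.is_file():
            out["added"].append(rel)
        elif ref.read_bytes() != data:
            out["modified"].append(rel)
        for lineno, line in enumerate(data.splitlines(), 1):
            if SUSPICIOUS.search(line):
                out["suspicious"].append((rel, lineno))
    for ref in sorted(backup_root.rglob("*")):
        rel = ref.relative_to(backup_root).as_posix()
        if ref.is_file() and not (live_root / rel).exists():
            out["missing"].append(rel)
    return out

def demo():
    """Audit a constructed live/backup pair (sample data, not from the thread)."""
    clean = b"<?php echo 'ok'; ?>\n</body>\n"
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live", "tpl"), Path(tmp, "backup", "tpl")
        for d in (live, backup):
            d.mkdir(parents=True)
            (d / "index.php").write_bytes(clean)
            (d / "style.css").write_bytes(b"body{}\n")
        (backup / "removed.php").write_bytes(clean)
        # Constructed tampering: inert marker line, a new file, a 664 file
        (live / "index.php").write_bytes(b"<?php /* gzinflate(base64_decode(...)) */ ?>\n" + clean)
        (live / "x.php").write_bytes(b"<?php // new file ?>\n")
        for p in Path(tmp).rglob("*"):  # pin modes so the result ignores umask
            os.chmod(p, 0o755 if p.is_dir() else 0o644)
        os.chmod(live / "style.css", 0o664)
        return audit(live.parent, backup.parent)

if __name__ == "__main__":
    print(demo())
```

Legitimate PHP code also calls base64 functions, so a hit matters most when the same file is also listed under added or modified. The permission check is only meaningful on a POSIX filesystem that preserved the server's modes.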
  • Re: Site Hacked. Please advices

    Posted 14 years 3 months ago
    • Franck, I was reading your post and it's so bad that you are in this situation.

      Thanks for sharing this experience with us. I want to share with you this post in our forum. It could be a good idea to read it when you have time.

      www.rockettheme.com/forum/index.php?f=30...otect&rb_v=viewtopic

      I hope that you can resolve your problem. And about the questions that you ask, I think it's not good to remove the template. You have to look for where the cracker is injecting the malicious code on your website.

      Another thing that you could do is try to protect your Joomla site with .htaccess, if your hosting server allows it.
    • "The smart woman is not one that have a big knowledge, but rather the woman with little knowledge do so much."

      How to get a help quicker:
      www.rockettheme.com/forum/index.php?f=15..._v=viewtopic#p773136
    • Franck

    Re: Site Hacked. Please advices

    Posted 14 years 3 months ago
    • Hello all,

      Thanks so much for your support. I decided to redirect visitors to the blog of my site temporarily (302 redirect). I deleted the main site and am starting now to rebuild it in a subfolder from a backup made in November, 2009. I will rebuild the database from an old backup too and will replace the content and categories tables with the most recent that I have. When the restore is done, I will remove most of the third-party extensions that are not absolutely necessary and update those I have to use.

      I think that the hacker has installed a script in some subfolder that gives him high rights on the main site, probably thanks to a backdoor.

      The blog on wp and two subfolders with joomla and solar sentinel too are not affected.

      I hope to be able to have the main site live until Monday and will work on the protection intensively. It's really a bad thing what is happening and I have to work hard to satisfy my customers and pay my bills. I have read all your posts and some of your advice is really useful.

      Happy new year to you all and I wish the worst year for this hacker!
    • Franck

    Re: Site Hacked. Please advices

    Posted 14 years 3 months ago
    • I just reinstalled the main site. I used a backup from November, updated joomla (it was an old version on backup) and uninstalled a lot of components, modules and plugins. The website is a lot more basic at this time.
      Tried to install crawlprotect script that was working on the subdomain where I was working but can't have it working on the root folder. Tried to reinstall it but the database is not installed (?)

      Well, hope that the site will not be hacked again in the next hours/days! I will keep you updated and will try to find the best solution to protect the site.
