0
Welcome Guest! Login
0 items Join Now

Hacked Joomla Site

Last Post
Search Topic

  • Hacked Joomla Site

    Posted 14 years 2 months ago
    • Hi Forum

      looking for a bit of advise please... today one of my joomla sites was hacked (see image below)- its runin joomla 1.5.22 and all components, plugins and modules are upto date and have been taken from 'reliable' sources. I have not made any change to the site within the last 3 months or so, then all of a sudden, its taken down.

      I was not able to login to the back end as super user so I went via phpmyadmin and chaged the password to give me access, all looked to be fine from the back end. When browsing my FTP i did not notice any starghe files at the root, I noticed some of the folders would not open though- administrator, images, plugins and modules... I contacted my host and they restored the site immediatly, however they tell me they have found suspicious files, which are as follows;

      /home/saffron/public_html/.htaccess: Suspicious(RewriteRule): RewriteRule ^(.*)$ in
      /home/saffron/public_html/tmp/install_4d39d50ef1336/files/elements/plugins/system/nonumberelements/elements/license.php: Suspicious(base64_decode): s=';eval( base64_decode( 'ZXZhbCg
      /home/saffron/public_html/administrator/components/com_virtuemart/html/shop.pdf_output.php: Suspicious(passthru): passthru( "/usr/bi
      /home/saffron/public_html/administrator/components/com_admin/tmpl/sysinfo_phpinfo.php: Suspicious(phpinfo): : sysinfo_phpinfo.php 10381
      /home/saffron/public_html/administrator/components/com_admin/tmpl/navigation.php: Suspicious(phpinfo): <a id="phpinfo">
      /home/saffron/public_html/templates/beez/html/mod_login/default.php: Suspicious(base64_decode): 64_encode(base64_decode($return).
      /home/saffron/public_html/plugins/system/nonumberelements/elements/license.php: Suspicious(base64_decode): s=';eval( base64_decode( 'ZXZhbCg
      /home/saffron/public_html/plugins/editors/jce/tiny_mce/plugins/spellchecker/classes/pspellshell.php: Suspicious(shell_exec): $data = shell_exec($cmd);

      can i get your guys advise please on if you think whats detailed above is cause for concern? My site is up and running again now, but im worried incase it happens again. I thought i had followed all the steps to protect myself, clearly not. Any advise would be greatly appreciated.

      Many Thanks


      This image is hidden for guests.
      Please log in or register to see it.
    #624504
    • prim's Avatar
    • prim
    • Preeminent Rocketeer
    • Posts: 17290
    • Thanks: 217

    Re: Hacked Joomla Site

    Posted 14 years 2 months ago
    • Check if any of the extensions are marked as unsafe on the Joomla Extensions Directory.

      You should also check your permissions.

      Try to ask the hackers how they did it. Many of them are willing to share their technique.
    • Please reply with a direct link to the issue & create a new thread for each new issue.

      A template is only as good as the content that goes into it ;) - DanG
    #624888

  • Re: Hacked Joomla Site

    Posted 14 years 2 months ago
    • Prim, thanks for the advice.. i am currently locked into some very strange chat with my hackers! :oops:
    #625241
    • MrCodexCY's Avatar
    • MrCodexCY
    • Rocketeer
    • Posts: 73
    • Thanks: 0
    • Web Design Specialist

    Re: Hacked Joomla Site

    Posted 14 years 1 month ago
    • strange chat? what do you mean by that mate?
    • Even a broken clock is right twice every day.
    #627294
    • JEM's Avatar
    • JEM
    • Preeminent Rocketeer
    • Posts: 17917
    • Thanks: 4

    Re: Hacked Joomla Site

    Posted 14 years 1 month ago
    • Once you get you site sorted, I recommend taking regular back up so you have something to revert to in this situation.

      One place to look for advice about securing your site is here:

      www.rockettheme.com/forum/index.php?f=15&t=54455&rb_v=viewtopic

      under 'Joomla Security and Configuration'

      Maybe your password wasn't secure enough, maybe you have some extensions that are unsecure?

      Anyway, I got hacked a few months ago, but because I am in the habit of backing up my site before installing any component, version upgrades, adding content, etc., I was able to dump the site after the hack and restore to just the day before, changing the user pass to something that was much stronger (I'd gotten lazy with my passwords...) and doing some other security related maintenance.

      Not a solution, but food for thought...
    • Thanks,
      jim
    #627319

  • Re: Hacked Joomla Site

    Posted 14 years 1 month ago
    • You ask your hackers how they did the hack, how do you start that conversation? I Mean how do you contact them ?

      Thanks
    #629899
    • prim's Avatar
    • prim
    • Preeminent Rocketeer
    • Posts: 17290
    • Thanks: 217

    Re: Hacked Joomla Site

    Posted 14 years 1 month ago
    • Often they will leave a trace, like nickname or group in the code. Some even include an e-mail address.
    • Please reply with a direct link to the issue & create a new thread for each new issue.

      A template is only as good as the content that goes into it ;) - DanG
    #629904

Time to create page: 0.078 seconds