Joomla!
http://forum.joomla.org/

Hacked for 3rd time!
http://forum.joomla.org/viewtopic.php?f=267&t=133911
Page 1 of 1

Author:  joomlakat [ Tue Jan 23, 2007 12:17 am ]
Post subject:  Hacked for 3rd time!

Last night I got hacked again.  And not only the site that has been hacked in the past, but also my other 3 sites.  They did it differently than in the past and I don't think I will even be able to recover them.

I have read everything I could about security issues on this forum and have taken all precautions, I thought.  Any ideas on how this keeps happening?

Author:  niemothk [ Tue Jan 23, 2007 12:55 am ]
Post subject:  Re: Hacked for 3rd time!

katers wrote:
Last night I got hacked again.  And not only the site that has been hacked in the past, but also my other 3 sites.  They did it differently than in the past and I don't think I will even be able to recover them.

I have read everything I could about security issues on this forum and have taken all precautions, I thought.  Any ideas on how this keeps happening?


yes.

Author:  joomlakat [ Tue Jan 23, 2007 12:57 am ]
Post subject:  Re: Hacked for 3rd time!

Do you want to share?

Author:  zimv20 [ Tue Jan 23, 2007 1:18 am ]
Post subject:  Re: Hacked for 3rd time!

katers wrote:
Do you want to share?

if you expect any non-sarcastic help, you might want to share complete details of your situation, including versions of everything installed, exactly what went wrong, what kind of hosting you have (including details and version of that stuff), and exactly what you've read and tried.

otherwise -- how can anyone really help you?

Author:  joomlakat [ Tue Jan 23, 2007 1:29 am ]
Post subject:  Re: Hacked for 3rd time!

Yes a non-sarcastic reply would be appreciated.  I have had a bad enough day.

I cannot get access to anything to tell you exact versions, except to say that everything, joomla, mosets tree, noah's classified's were the latest versions as of 2 weeks ago.

I also don't know what you mean by what kind of hosting I have.  I know the basics of putting together a site, but do not know the terminology for most of it.

Kathy

Author:  jefe [ Tue Jan 23, 2007 1:57 am ]
Post subject:  Re: Hacked for 3rd time!

Hi Katers,

Well since you don't know what type of hosting...I'm going to guess shared hosting.  8)

First of all I hope you do regular backups.  Do you still have FTP access?  Do you still have admin access?  If so, change the passwords to both immediately, if you haven't already.  For future reference I would strongly encourage you to use .htaccess for your administrator folder if you are not already. 

I am curious are all three sites hosted by the same company?  Also, were the sites defaced, files changed, password changed?  If this is shared hosting, you could very easily have your host chown & chmod all your files to fix the access issue, unless of course they have been deleted.  Also your host should be able to give you their version info, i.e.

Platform (Linux distribution & kernel version)
WebServer (Apache, Lighttpd, & version)
PHP Version
MySQL Version  <-is this local or remote sql server

May be good idea to ask your host if other users have been experiencing similar problems...if they are willing to admit...;)

It could be your host, I've seen countless careless web hosts, surprising from some of the larger ones.  We know you're stressed, but people are much more able, and willing to help when you give us the resources to help you.

Also, it would be very helpful if you could find out all the components installed, even if you have to get your host to do a directory listing of the following:

/somefolder/yourfolder/yoursite/components

That will at least let the community know what components that are/were installed in your site.

Look forward to hearing back.  :pop

Author:  joomlakat [ Tue Jan 23, 2007 2:18 am ]
Post subject:  Re: Hacked for 3rd time!

I checked again and I now have access to cpanel and admin.  I got this response from my host earlier today

It looks like something to do with joomla and smf hacking. I've checked other clients using phpbb, smf forum and invision boards and their sites are fine. So that eliminates the database problem. They probably tracked your sites doing a whois search and found my site also. This client's site is on your server and it works fine, that's why I say they're hacking again. The backups I have are only database backups not full sites.

Platform (Linux distribution & kernel version)=

WHM 10.8.0 cPanel 10.9.0-C117
CentOS 4.4

Kernel version 2.6.9-42.0.3.ELsmp

WebServer (Apache, Lighttpd, & version)=

Apache version 1.3.37 (Unix)

PHP Version =

PHP version 4.4.4 including php5 support

MySQL Version  <-is this local or remote sql server =

MySQL version 4.1.21-standard-log

Thank you

Author:  jefe [ Tue Jan 23, 2007 2:53 am ]
Post subject:  Re: Hacked for 3rd time!

Hmmm, sounds like a typical host answer, do you do any type of logging, or can you get a hold of any logs from your host?  Also, it sounds like you are not doing regular backups, I'm uploading a couple scripts you may want to look at if your hosts will allow cronjobs.  The SQL one only requires four variables, username/password, host & email, it has been around for a while and is a very thorough SQL db archiver.  The other one I wrote for my own sites, but used it when I still had shared hosting.  The only real variable to update is the EXCLUDED variable, the two there already are the backup directory, and for my sites I kept my cache outside of the web root.  The file backup script takes one variable at runtime, full.  i.e., ./file_backup.sh full.  If you leave this off it will perform an incremental backup and a latest "patch" backup.

I'll wait to hear back on what info you get from your host, but those may be useful in the future.  If my site were completely wiped out, I could have backups from that morning up and running in a few minutes.

Just thought that might be helpful for the future.  :)

Author:  joomlakat [ Tue Jan 23, 2007 2:56 am ]
Post subject:  Re: Hacked for 3rd time!

Thank you, I appreciate it. 

My host is trying to put the sites up for me, but he is not too familiar with Joomla so it is hard to say if they can be saved.

Author:  joomlakat [ Tue Jan 23, 2007 3:25 am ]
Post subject:  Re: Hacked for 3rd time!

jefe wrote:

I am curious are all three sites hosted by the same company?  Also, were the sites defaced, files changed, password changed? 

Also, it would be very helpful if you could find out all the components installed, even if you have to get your host to do a directory listing of the following:


All the sites are hosted by the same place.  All have different url's.  passwords were not changed during the hackings.

Components from one site are as follows (this site was just done last week, so everything was newly uploaded)

RSGallery
Linx
Art Banner
Xe-GuestWall V1

Other site...
Art banners
Joomla Explorer
Noah's Classified
Moset's Tree
Virtue Mart

The third site is a smf forum and the fourth site is one I had just started and nothing had been added to it yet.

Author:  alamgir99 [ Tue Jan 23, 2007 3:49 am ]
Post subject:  Re: Hacked for 3rd time!

The weakest thing about Joomla is its simplicity in making a site. We can do that in 15 minutes without knowing anything! This makes everyone a webmaster.

Truth is  hosting a site or two and maintaining them requires skill and knowledge on a number of things.

Katers: if you don't know what type of hosting you are on, then I doubt you have read the security FAQs in the stickies. The only thing that can help you know how the attack came in is the "Raw access log". See if you can get that from cPanel.


alamgir
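
A first pass over a raw access log, as an added example that is not part of the thread: it summarises one day of an Apache combined-format log per client IP (request count, POST count, Joomla components requested). The function names, the sample log lines, the IP addresses and com_example are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Sample data below is constructed.

# Write a small constructed access log (Apache combined format) to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [22/Jan/2007:21:14:03 +0000] "GET /index.php?option=com_content&Itemid=5 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Jan/2007:23:41:10 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [22/Jan/2007:23:41:12 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [22/Jan/2007:23:42:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 2048 "-" "-"
192.0.2.10 - - [23/Jan/2007:08:00:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/4.0"
EOF
}

# Per client IP for one day: total requests, POSTs, and distinct option=com_* values.
summarise_day() {   # usage: summarise_day <logfile> <dd/Mon/yyyy>
    awk -v day="$2" '
    {
        # $4 = "[dd/Mon/yyyy:hh:mm:ss", $6 = opening quote + method, $7 = URL
        if (index($4, "[" day ":") != 1) next
        ip = $1; method = substr($6, 2); url = $7
        total[ip]++
        if (method == "POST") posts[ip]++
        if (match(url, /option=com_[A-Za-z0-9_]+/)) {
            c = substr(url, RSTART + 7, RLENGTH - 7)
            if (!((ip, c) in seen)) { seen[ip, c] = 1; comps[ip] = comps[ip] " " c }
        }
    }
    END {
        for (ip in total) {
            c = comps[ip]; sub(/^ /, "", c); if (c == "") c = "-"
            printf "%s requests=%d posts=%d components=%s\n", ip, total[ip], posts[ip] + 0, c
        }
    }' "$1" | sort
}
```

Run it for the day of the incident and the day before, then read the full log lines for any address whose POST count or component list stands out.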

Author:  joomlakat [ Tue Jan 23, 2007 3:58 am ]
Post subject:  Re: Hacked for 3rd time!

I got the raw access files and downloaded them, but can't open them.  I will see what I can do.

Author:  alamgir99 [ Tue Jan 23, 2007 4:26 am ]
Post subject:  Re: Hacked for 3rd time!

You can't open them because it has probably got an extension of .com (same as your domain). Rename it to .txt and open it in WordPad (Notepad can't open a big file).

alam

Author:  joomlakat [ Tue Jan 23, 2007 4:48 am ]
Post subject:  Re: Hacked for 3rd time!

This doesn't look like what you want, but this is what it says.

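#!/bin/bash
# Site file backup using GNU tar incremental snapshots (.snar files).
#   ./file_backup.sh full   new full backup; the previous set is archived under old/
#   ./file_backup.sh        incremental backup plus a "latest patch" backup

BCK=site_backups/file/
ORIGINAL=site_backups/file/snapshot.snar
COPY=site_backups/file/increment.snar
PATCH=site_backups/file/patch.snar
DATE=$(date +%Y%m%d)
# Left out of every archive: the cache and the backup directory itself.
EXCLUDED=(--exclude=cache --exclude=site_backups)

# Abort if the home directory is missing, so the rm commands never run elsewhere.
cd /hsphere/local/home/staph777 || exit 1

if [ "$1" = "full" ]
then
    echo "PERFORMING FULL BACKUP:  ${DATE}"
    rm -f "${BCK}"*.snar
    # Archive the previous backup set into old/ before clearing it.
    mkdir -p "${BCK}old"
    tar pczf "${BCK}old/${DATE}.tar.gz" --exclude="${BCK}old" "${BCK}"
    rm -f "${BCK}"*
    rm -fR "${BCK}increment"
    mkdir "${BCK}increment"
    # Level-0 archive; tar records the file state in snapshot.snar.
    tar pczf "${BCK}base_${DATE}.tar.gz" -g "${ORIGINAL}" "${EXCLUDED[@]}" ./
else
    echo "PERFORMING INCREMENTAL BACKUP:  ${DATE}"
    # Work on a copy of the snapshot so the level-0 state stays untouched.
    if [ ! -e "${COPY}" ]
    then
        cp -f "${ORIGINAL}" "${COPY}"
    fi
    tar pczf "${BCK}increment/increment_${DATE}.tar.gz" -g "${COPY}" "${EXCLUDED[@]}" ./

    echo "PERFORMING LATEST PATCH BACKUP:  ${DATE}"
    # Fresh copy each run: this archive holds everything changed since the full backup.
    cp -f "${ORIGINAL}" "${PATCH}"
    rm -f "${BCK}"latest_*
    tar pczf "${BCK}latest_${DATE}.tar.gz" -g "${PATCH}" "${EXCLUDED[@]}" ./
fi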

Author:  alamgir99 [ Tue Jan 23, 2007 5:03 am ]
Post subject:  Re: Hacked for 3rd time!

It's a shell script that was used to back up your site!

Not access log.

I'd honestly suggest you hire or get someone with good knowledge.

al

Author:  jefe [ Tue Jan 23, 2007 5:12 am ]
Post subject:  Re: Hacked for 3rd time!

That is the script I uploaded a few posts ago for you...maybe you just got them mixed up?  Will wait to hear back... :)

Author:  alamgir99 [ Tue Jan 23, 2007 5:14 am ]
Post subject:  Re: Hacked for 3rd time!

What do I say :D

al

Author:  joomlakat [ Tue Jan 23, 2007 5:21 am ]
Post subject:  Re: Hacked for 3rd time!

Oh good grief, I am losing my mind!

Ok, I renamed the right file and opened it in word, however it is in some kind of code.

And I wish I could hire someone, but sunk all my money into doing these sites.  Grrr

Author:  zimv20 [ Tue Jan 23, 2007 5:25 am ]
Post subject:  Re: Hacked for 3rd time!

katers wrote:
I wish I could hire someone, but sunk all my money into doing these sites.  Grrr

ahhh, trial by fire.

read, search, read, search, read, search....

that's how i learned.

Author:  jefe [ Tue Jan 23, 2007 5:37 am ]
Post subject:  Re: Hacked for 3rd time!

Yes by fire, sometimes by nuclear fallout, sometimes worse... 8)  Katers, could you just upload what you have...and M$ editors handle page breaks and new line characters differently, probably Word not knowing the encoding so making it look like garbage.  ;)

Author:  joomlakat [ Tue Jan 23, 2007 5:46 am ]
Post subject:  Re: Hacked for 3rd time!

It is not letting me upload it.  I will have to have someone do it for me tomorrow.

Author:  niemothk [ Tue Jan 23, 2007 12:18 pm ]
Post subject:  Re: Hacked for 3rd time!

katers wrote:
Thank you, I appreciate it. 

My host is trying to put the sites up for me, but he is not too familiar with Joomla so it is hard to say if they can be saved.


I apologize for my sarcastic answer earlier :(
It is frustrating to see the cries for help that aren't helpful. Still, it's a natural outburst on your part and I should have been more understanding.


anyway...

1st plan of action.

Don't plan on "saving anything"

Your jos_components and jos_modules tables should show what you have installed, even if you can't get to the physical directories to list them directly.
You should blow them away anyway, totally clean, and check for CRON processes that may have been set up.

Since they had access to your server, and by extension, access to YOU (the risk of a browser-injected Trojan or virus, while currently somewhat small, is serious enough to require you to do a full virus/rootkit scan of your PC, change passwords, etc.)
You may want to (and depending on your state, be forced to) report this to your users and have them take precautions as well.

Wipe everything clean.
put in an HTACCESS file that restricts access to your server while you reinstall
Do a full base RE install of Joomla 1.012
install your components and modules (after checking the 3rd party security advisories )
Do a LOCK DOWN of your permissions.

selectively restore in phpMyAdmin your joomla content and info ( start a new thread for how to and PM one of us who responded here so we dont miss it)

list if you could, the name of your host, the exact version of SMF you were using and those of the mods/add ons as well.

Moderators: would it be too hard to do a mod that forces first time posters in this particular board to read a sticky or fill out a trouble form that evokes information that would be useful in getting the help going (and advises against posting info that would not? i.e. diatribes against the hacker,etc?)
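
The clean-up steps listed in the post above (restrict access with .htaccess, lock down permissions, check for cron jobs), sketched as an added example that is not part of the thread. The function names, web root argument and admin IP are placeholders, and the 755/644/444 modes are an assumed baseline rather than values given by the poster.

```bash
#!/bin/bash
# Added example, not part of the thread. Web root and admin IP are placeholders;
# 755/644/444 are an assumed baseline, not values from the thread.

# Step 1: admit only one address while the site is rebuilt.
# mod_access syntax, as used by the Apache 1.3.37 host reported in the thread;
# Apache 2.4 would need "Require ip" instead.
write_maintenance_htaccess() {   # usage: <webroot> <admin-ip>
    cat > "$1/.htaccess" <<EOF
Order deny,allow
Deny from all
Allow from $2
EOF
}

# Step 2: after reinstalling, reset modes so nothing is group- or world-writable.
lock_down_permissions() {        # usage: <webroot>
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/configuration.php" ]; then
        chmod 444 "$1/configuration.php"
    fi
}

# Step 3: verify. find_writable should print nothing on a locked-down tree;
# find_recent_php lists PHP files changed in the last N days for review.
find_writable() {                # usage: <webroot>
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}
find_recent_php() {              # usage: <webroot> [days]
    find "$1" -type f -name '*.php' -mtime "-${2:-14}" -print
}

# Step 4: list scheduled jobs for the current account so unknown entries stand out.
list_cron_jobs() {
    crontab -l 2>/dev/null || echo "no crontab for $(id -un)"
}
```

Components that need write access to specific directories will have to be granted it individually after the lock-down.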

Author:  joomlakat [ Tue Jan 23, 2007 1:42 pm ]
Post subject:  Re: Hacked for 3rd time!

I will start now, thanks.

All times are UTC