The Joomla! Forum ™



Posted: Sun Mar 30, 2008 9:26 pm
Joomla! Enthusiast

Joined: Wed Sep 27, 2006 1:05 am
Posts: 132
Location: Nanaimo,BC
I have read the items that came up about a hacked site. It has been determined by tech support for my server that the site has been hacked. Now I am trying to figure out how to get my site back.

A tagger apparently managed to install another Joomla on top of my Joomla and replace .htaccess with another that redirected all the links to their tag page. It appears my rather large database is still all there. My admin password has been changed and I am unable to access the admin area.

I need help in getting my site back. I have sent an email to security at Joomla dot org and am awaiting a response.

If anyone that is rather knowledgeable about Joomla is willing to help I would really appreciate it. I know just enough about Joomla to be dangerous.

What I know about the hacker. They left a download link back to an audio file on darkhack.us. That domain is listed as Turkish. If anyone is willing to take some time with me to restore this site, I will call you if you are willing to send me a contact phone number in the US or Canada.

_________________
Toma

http://www.SalmonTrollingLures.com


Posted: Mon Mar 31, 2008 4:40 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
If you believe your original rather large database is intact and has not been hacked, then here is what I would do to start.

Remove all traces of Joomla files or installations (not the database) on your domain.

Check the cgi directory and make sure there are no strange (not put there by you or something you installed) files there.

In your domain's site administration screens (usually cPanel), check the cron button and make sure there are no automated cron jobs you did not put there. If there are, remove the file(s) it calls and then delete the cron job. Ask your host tech support if you need help.

Once you are reasonably sure there are no automated scripts or any traces of Joomla files left:

In your domain's control panel, set up a new database, database user, and password for your new install of Joomla to use.
Make the user name/password different from the old database. If you can, use at least 12 characters for the database user password.
Use a combination of alphanumeric and symbols for the password.
Install the most recent full install of Joomla. Currently, this is either 1.0.15 for the 1.0 series, or 1.5.2 for the 1.5 series.

Once the install is complete and working ok, you have some choices about how to get your data back.

1.) You can add the new database user name/password to your old database using the domain's database administration button. Usually on this page there is an option to add an existing user to an existing database.

Open the configuration.php for the new Joomla install in a text editor and make the change to the database name to reflect what the old name was and save it back to where you downloaded it from. The database user name/password will stay the same if you added the database user correctly in the above step.

The new install of Joomla should now be able to use the old database and you should be able to login using the old username and password.

Once logged in as administrator of Joomla, make a super admin user with the user/password combo you used when installing the new Joomla install.

Verify the new super administrator user account works properly and then delete the old super admin user from Joomla.

This should get you a new Joomla install using your old database and do so without having to do a Joomla super admin password recover.

*******************************************

2.) You can use phpMyAdmin to export the database tables and data from your old database and import them into your new database. This method will break the Joomla admin user/password, which you will then have to use the link given to you in another post to fix or recover the password.

******************************************
General:
Review the security FAQs and make sure your directory and file permissions are correct. Make sure you're using the latest versions of 3rd party extensions.
Enable and use the htaccess file included in Joomla. While it has some SEO commands in it, the main purpose is for security from common exploits.
I suggest you also change any FTP passwords and change the domain password.
Make sure updates to Joomla and any extensions you use are applied when they are issued.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
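
Added example, not part of the original thread or of Joomla itself: a Python audit of two file-level checks raised above, an .htaccess whose rules send visitors to another site (what the first post describes) and the directory and file permissions PhilD says to verify. The function names, the `own_hosts` parameter, and the sample tree with `tagger.example` and `www.example.org` are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Apache directives that can send a visitor to an absolute URL.
REDIRECT_RE = re.compile(
    r"^\s*(?:Redirect\w*|RewriteRule|ErrorDocument)\b.*?https?://([^/\s\"':]+)", re.I)

def audit_webroot(root, own_hosts):
    """Return (kind, path, detail) findings for everything below root."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits say nothing about the target
            # World-writable: any account on a shared host can alter it.
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", path, oct(stat.S_IMODE(mode))))
            if name != ".htaccess" or not stat.S_ISREG(mode):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = REDIRECT_RE.match(line)
                    # Skip "%{HTTP_HOST}"-style targets and the site's own hosts.
                    if m and m.group(1)[0] != "%" and m.group(1).lower() not in own:
                        findings.append(("external-redirect", path,
                                         f"line {lineno}: {line.strip()}"))
    return findings

def build_sample(root):
    """Constructed tree: one hostile .htaccess rule and one 0777 directory."""
    htaccess = os.path.join(root, ".htaccess")
    with open(htaccess, "w", encoding="utf-8") as fh:
        fh.write("RewriteRule ^(.*)$ index.php [L]\n"
                 "RewriteRule ^(.*)$ http://tagger.example/tag.html [R=302,L]\n"
                 "Redirect /old http://www.example.org/new\n")
    os.chmod(htaccess, 0o644)
    os.mkdir(os.path.join(root, "cache"))
    os.chmod(os.path.join(root, "cache"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_webroot(tmp, ["www.example.org"]):
            print(*finding, sep=" | ")
```

Point `audit_webroot` at the real document root with the site's own host names in `own_hosts`; the findings are leads to review by hand, not a verdict on whether the tree is clean.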


Posted: Tue Feb 01, 2011 12:21 am
Joomla! Apprentice

Joined: Mon Jan 31, 2011 1:47 pm
Posts: 6
Phil D,

This post has been very useful. Thanks.


Posted: Thu Apr 28, 2011 4:33 pm
Joomla! Apprentice

Joined: Fri Jan 28, 2011 4:36 pm
Posts: 14
I did this fix and it did not work for me! I got hacked, uploaded the correct index.php file, but I can not log in as an admin. I am locked out of my site. PLEASE HELP!


Posted: Wed May 04, 2011 5:44 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
screaming wrote:
I did this fix and it did not work for me! I got hacked, uploaded the correct index.php file, but I can not log in as an admin. I am locked out of my site. PLEASE HELP!

viewtopic.php?f=621&t=582854 is a place to look and follow the link to security checklist 7

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Tue Sep 27, 2011 3:45 pm
Joomla! Fledgling

Joined: Tue Sep 27, 2011 3:36 pm
Posts: 1
I got hacked and this is what I have done restoring the site.

Hacker was: <removed>.

First, download and install phpMyAdmin onto your server.
MySQL login credentials can be found in your configuration.php in your Joomla folder.

First, find the user which was changed from admin to moro or any other name via phpMyAdmin in the jos_users table, or whatever prefix you use for your Joomla tables;
edit the "moro" back to "admin".

Then reset the password via SQL, still in phpMyAdmin in the SQL view.
Instructions on how to reset are found here:
http://kb.siteground.com/article/How_to ... sword.html

Then, last but not least, the hacker changes your template index.php, so upload the index.php of your template back onto the server.
file location: <joomla-base-dir>/templates/<your-template>/index.php

I hope this is somewhat comprehensive otherwise shoot me an email.

Cheers

Cedric


Last edited by mandville on Tue Sep 27, 2011 9:07 pm, edited 2 times in total.
removed hacker kudos,


Posted: Tue Sep 27, 2011 9:12 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
cperrot wrote:
I got hacked and this is what I have done restoring the site.
Hacker was: <removed>.
first download and install phpMyAdmin onto your server.
mysql login credentials can be found in your configuration.php in your joomla folder.....

The instructions you provided were and are covered in the links highlighted by PhilD and myself.
They also involve steps that are not suitable for unfamiliar people.
Due to the age of this topic and the lack of details, it will now be locked.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

