Spymeta!
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Spymeta!
My site http://www.hgam.dk has been hacked by Spymeta!
I can't remove it and the only way I can stop it from being the only thing to see on the site is by deleting my index.php! It is not some kind of meta link in the index but something else.. I don't know what
Please help me!
Regards
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: Spymeta!
simply replace the index.php file with a NEW index.php file from a clean install of Joomla!.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
Does not help! I have tried that as a first! Any other ideas?
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1403
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: Spymeta!
This looks like a server hack.
index.php
index2.php
/administrator/index.php
are all hacked.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
I guess so.. but I'm not that much into all this - but how do I remove it? Is it my domain host?
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
I have a fresh copy of Joomla 1.0.10 on the site.. and I have re-copied new files on the site as well.. Just to remove the potential hacks on index etc.!
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1403
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: Spymeta!
To remove a hack you first have to totally understand what it has done and how it originated.
If you do not have that knowledge then you have to employ someone else (with that experience) to do that for you.
It is impossible for this forum to give you an accurate solution without the full information.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
Okay - thanks for the help.
But there is nothing to see! Everything seems normal on the ftp. Nothing new has happened there! That's why I can't understand it. My Joomla is a new copy and no files are changed from its original.. Can hackers simply change the start page without touching my files or editing them?
If they have changed my files, that means if I remove the whole site - then it will disappear?
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: Spymeta!
have a look at tmp folder
maybe they have left there their hacking scripts, and run them time by time
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
albi wrote:
have a look at tmp folder
maybe they have left there their hacking scripts, and run them time by time

tmp folder? where? on my ftp?
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
To give some info to you:
What version of Joomla do you have?
I had 1.0.9 when I was hacked - I have updated now since I still have control over my ftp.
What version of PHP/MySQL/Apache do you have?
The newest
What kind of hosting do you have?
Unoeuro
Do you have access to the access logs of the server?
I have asked Unoeuro for a copy
Which third party extensions do you have installed? (Components, modules, plugins/mambots)
I have: ExtCalender, akocomment, docman, facileforms, joomlaboard, performs.
Which informations do you have from your provider? Did they send you something in addition?
Nope nothing nej.
Do you have a backup?
I have a complete copy of the system.
Have you checked the folder permissions?
Yes
Have you really been hacked?
Yes!
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: Spymeta!
Quote: I have: ExtCalender, akocomment, docman, facileforms, joomlaboard, performs.

They used this vulnerability that Extcalendar have to hack you
http://forum.joomla.org/index.php/topic ... #msg389163
I removed this component and till now everything is OK
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: Spymeta!
Laus0028 wrote:
albi wrote: have a look at tmp folder
maybe they have left there their hacking scripts, and run them time by time
tmp folder? where? on my ftp?

Ask hosting provider to have a look at this folder.
My hosting provider looked at this folder and found 2 files
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
-
- Joomla! Apprentice
- Posts: 9
- Joined: Mon Jul 10, 2006 5:15 pm
Re: Spymeta!
Thanks guys.. you have really been a help.. Unoeuro is on the job and i hope the files in the tmp can get rid of it all...
Thanks
Regards
-
- Joomla! Fledgling
- Posts: 1
- Joined: Wed Sep 14, 2005 9:07 am
Re: Spymeta!
We had the same attack only the index.php was defaced. I had a joomla 1.0.9 version.
I downloaded the access log and we saw that they used a perl script to gain access to the site.
this is what I found in the access logs
***************
we are currently looking for more clues, hope this will help others a bit in the search for clues!
--- EDITED ---
Access log info removed for security reasons. thanks,
Last edited by duvien on Mon Jul 10, 2006 10:29 pm, edited 1 time in total.
-
- Joomla! Intern
- Posts: 52
- Joined: Sun Apr 23, 2006 8:20 pm
Re: Spymeta!
Also got hacked ... Currently I'm transferring a backup ... But there is no solution for the extcalendar security problem?!
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: Spymeta!
The original developer has apparently abandoned ExtCalendar BUT a new version is on its way
If you are comfortable with editing the files, you can go into each file that ExtCalendar has placed on your site and add this code to the top of each one.
Code:
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
This goes directly under the
Code:
<?php
at the top of each file.
This line protects ExtCalendar against most of the latest exploits.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
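A way to check which files still lack the guard line from the post above, as an added example that is not part of the original thread or of ExtCalendar: it walks a directory and lists every .php file whose first statement after `<?php` is not the `_VALID_MOS` check. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# The guard from the post above; it only helps if it is the first statement.
GUARD = re.compile(r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*or\s+die\b""", re.I)
# Whitespace and PHP comments that may legitimately precede the guard.
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)


def has_leading_guard(source: str) -> bool:
    """True if the first statement after the opening tag is the _VALID_MOS check."""
    m = re.match(r"\s*<\?php\b", source, re.I)
    if not m:
        return False  # does not open with <?php, so the guard cannot run first
    pos = SKIP.match(source, m.end()).end()
    return GUARD.match(source, pos) is not None


def unguarded_php_files(root: str) -> list:
    """Relative paths (forward slashes) of .php files lacking the leading guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    if not has_leading_guard(fh.read()):
                        rel = os.path.relpath(path, root)
                        missing.append(rel.replace(os.sep, "/"))
    return sorted(missing)


def demo() -> list:
    """Run the audit over a constructed tree (not ExtCalendar's real files)."""
    samples = {
        "guarded.php": "<?php\n// Don't allow direct linking\n"
                       "defined( '_VALID_MOS' ) or die( 'Direct Access' );\n",
        "open.php": "<?php\necho 'calendar';\n",
        # Guard present but after other code: still reachable directly.
        "lib/late.php": "<?php\ninclude 'x.php';\ndefined('_VALID_MOS') or die('no');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return unguarded_php_files(root)
```

Point `unguarded_php_files` at a downloaded copy of the component's folder; any file it lists can still be requested directly by URL.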
-
- Joomla! Intern
- Posts: 52
- Joined: Sun Apr 23, 2006 8:20 pm
Re: Spymeta!
Thank you for your fast reply. I've already found that solution in a German Joomla forum (joomlaos.de) ... but again, thank you for your fast reply.
-
- Joomla! Apprentice
- Posts: 48
- Joined: Thu Dec 01, 2005 4:59 am
- Contact:
Re: Spymeta!
I just got hacked as well. They left the index.php file alone and changed the configuration.php instead. I was running joomla 1.0.8 and extcalendar.
-
- Joomla! Virtuoso
- Posts: 3173
- Joined: Sun Apr 16, 2006 12:20 am
- Location: 127.0.0.1
Re: Spymeta!
Goosemoose wrote: I just got hacked as well. They left the index.php file alone and changed the configuration.php instead. I was running joomla 1.0.8 and extcalendar.

1. upgrade to 1.0.10
2. extcalendar has some security holes (http://forum.joomla.org/index.php/topic,75390.0.html)
3. you might want to try this: http://forum.joomla.org/index.php/topic,75376.0.html
4. if you know the general IP range of where the hacker came from, you might want to temporarily block that IP range for a few days
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess
-
- Joomla! Apprentice
- Posts: 22
- Joined: Fri Feb 10, 2006 3:43 pm
Re: Spymeta!
PhilTaylor-Prazgod wrote:
This looks like a server hack.
index.php
index2.php
/administrator/index.php
are all hacked.

I also suggest you look to see if the hacker has dropped in an index.html in the administrator folder.
Open it up in your text editor and you might possibly see this:
HACKED By SPYMETA
body {scrollbar-base-color: #000000; scrollbar-arrow-color: #00ff00; scrollbar-3dlight-color: #ffffff; scrollbar-highlight-color: #000000; scrollbar-shadow-color: #000000; scrollbar-darkshadow-color: #000000; background-color: #000000;
}
SPYMETA WAS HERE !
Take it from me check everything - I was hacked too!
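One way to "check everything", as an added example that is not part of the original thread: hash a downloaded copy of the live site against an unpacked clean copy of the same Joomla! release and list files that were added, are missing, or were modified. The function names, file bodies and the `tmp/leftover.pl` name are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_to_clean(live: Path, clean: Path) -> dict:
    """Classify the live files against a clean copy of the same release."""
    live_h, clean_h = tree_hashes(live), tree_hashes(clean)
    return {
        "added": sorted(set(live_h) - set(clean_h)),
        "missing": sorted(set(clean_h) - set(live_h)),
        "modified": sorted(f for f in live_h.keys() & clean_h.keys()
                           if live_h[f] != clean_h[f]),
    }


def demo_compare() -> dict:
    """Constructed trees; the bodies are placeholders, not real Joomla! code."""
    clean = {"index.php": "<?php /* stock */",
             "index2.php": "<?php /* stock2 */",
             "administrator/index.php": "<?php /* admin */"}
    live = dict(clean)
    live["index2.php"] = "<html>defaced</html>"          # overwritten file
    live["administrator/index.html"] = "<html>x</html>"  # dropped-in file
    live["tmp/leftover.pl"] = "#!/usr/bin/perl"          # script left in tmp
    del live["index.php"]                                # deleted by the owner
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((Path(a), live), (Path(b), clean)):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        return compare_to_clean(Path(a), Path(b))
```

configuration.php is created at install time, so it always shows up as added; read it by hand instead of relying on the hash comparison.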
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: Spymeta!
igeoffi wrote: 4. if you know the general IP range of where the hacker came from, you might want to temporarily block that IP range for a few days

Blocking IP's is not a good idea unless you do it at the time attempts are being made ostensibly from a certain IP.
Hackers do not usually stay on the same IP for very long at all. They may not even be on that IP (IP spoofing is not uncommon) and blocking a "general range" can have unintended consequences. In the last few weeks I have had to deal with site admins that have inadvertently blocked their own IP, and others that have accidentally denied access to their entire customer base (they thought they were blocking one entire country and instead blocked their own). IP blocking has its uses, but these rarely extend beyond the time of an actual attack.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
- theDagda
- Joomla! Fledgling
- Posts: 2
- Joined: Fri Mar 03, 2006 1:37 am
- Location: Naas, Ireland
Re: Spymeta!
One of my sites was also hacked yesterday. Thanks to everyone's advice in these forums I got it sorted out pretty quickly.
Thanks everyone!
Think I was lucky though, it only got at my configuration.php from what we can tell. But it also cleared the .htaccess.
Running 1.010 with ExtCalander
Just wanted to say thanks again folks!
Respect
Last edited by theDagda on Wed Jul 26, 2006 4:36 pm, edited 1 time in total.
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: Spymeta!
theDagda wrote: Running 1.010 with ExtCalander

Make sure you are running the latest security update for ExtCalendar. The old version had more problems for security than just the ability to directly access the files.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
- theDagda
- Joomla! Fledgling
- Posts: 2
- Joined: Fri Mar 03, 2006 1:37 am
- Location: Naas, Ireland
Re: Spymeta!
Quote: Make sure you are running the latest security update for ExtCalendar...

Thanks Elpie,
I've removed ExtCalendar altogether. I can't risk the site getting hacked again too soon, so I decided to use something else. Testing out 'Events' now, seems like a decent alternative for me.
Thanks again mate