Spymeta!

Discussion regarding Joomla! security issues.

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 5:19 pm

My site http://www.hgam.dk has been hacked by Spymeta!

I can't remove it, and the only way I can stop it from being the only thing to see on the site is by deleting my index.php! It is not some kind of meta link in the index but something else... I don't know what :-\

Please help me!

Regards

nathandiehl
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: Spymeta!

Post by nathandiehl » Mon Jul 10, 2006 5:21 pm

Simply replace the index.php file with a NEW index.php file from a clean install of Joomla!.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 5:23 pm

Does not help! I have tried that first! Any other ideas?

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1403
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: Spymeta!

Post by PhilTaylor-Prazgod » Mon Jul 10, 2006 5:25 pm

This looks like a server hack.

index.php
index2.php
/administrator/index.php

are all hacked.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 5:26 pm

I guess so... but I'm not that much into all this. But how do I remove it? Is it my domain host?

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 5:29 pm

I have a fresh copy of Joomla 1.0.10 on the site... and I have re-copied new files to the site as well, just to remove the potential hacks on index etc.!

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1403
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: Spymeta!

Post by PhilTaylor-Prazgod » Mon Jul 10, 2006 5:29 pm

To remove a hack you first have to totally understand what it has done and how it originated.

If you do not have that knowledge then you have to employ someone else (with that experience) to do that for you.

It is impossible for this forum to give you an accurate solution without the full information
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 5:34 pm

Okay - thanks for the help.

But there is nothing to see! Everything seems normal on the FTP. Nothing new has happened there! That's why I can't understand it. My Joomla is a new copy and no files are changed from the original... Can hackers simply change the start page without touching my files or editing them?

If they have changed my files, does that mean that if I remove the whole site, it will disappear?

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Re: Spymeta!

Post by albi » Mon Jul 10, 2006 5:43 pm

Have a look at the tmp folder.

Maybe they have left their hacking scripts there and run them from time to time.
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 5:52 pm

albi wrote: Have a look at the tmp folder.

Maybe they have left their hacking scripts there and run them from time to time.

tmp folder? Where? On my FTP?

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 6:01 pm

To give some info to you:

What version of Joomla do you have?
I had 1.0.9 when I was hacked. I have updated now since I still have control over my FTP.

What version of PHP/MySQL/Apache do you have?
The newest.

What kind of hosting do you have?
Unoeuro.

Do you have access to the access logs of the server?
I have asked Unoeuro for a copy.

Which third-party extensions do you have installed? (Components, modules, plugins/mambots)
I have: ExtCalendar, akocomment, docman, facileforms, joomlaboard, performs.

Which information do you have from your provider? Did they send you something in addition?
Nope, nothing, no.

Do you have a backup?
I have a complete copy of the system.

Have you checked the folder permissions?
Yes.

Have you really been hacked?
Yes!

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Re: Spymeta!

Post by albi » Mon Jul 10, 2006 6:04 pm

Laus0028 wrote: I have: ExtCalendar, akocomment, docman, facileforms, joomlaboard, performs.
They used this vulnerability that ExtCalendar has to hack you:

http://forum.joomla.org/index.php/topic ... #msg389163

I removed this component and till now everything is OK
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

albi
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Re: Spymeta!

Post by albi » Mon Jul 10, 2006 6:05 pm

Laus0028 wrote:
albi wrote: Have a look at the tmp folder.

Maybe they have left their hacking scripts there and run them from time to time.

tmp folder? Where? On my FTP?
Ask your hosting provider to have a look at this folder.
My hosting provider looked at this folder and found 2 files.
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

Laus0028
Joomla! Apprentice
Posts: 9
Joined: Mon Jul 10, 2006 5:15 pm

Re: Spymeta!

Post by Laus0028 » Mon Jul 10, 2006 6:11 pm

Thanks guys... you have really been a help. Unoeuro is on the job and I hope the files in the tmp folder can get rid of it all...

Thanks

Regards

CaptKiwi
Joomla! Fledgling
Posts: 1
Joined: Wed Sep 14, 2005 9:07 am

Re: Spymeta!

Post by CaptKiwi » Mon Jul 10, 2006 10:10 pm

We had the same attack, only the index.php was defaced. I had a Joomla 1.0.9 version.

I downloaded the access log and we saw that they used a Perl script to gain access to the site.

This is what I found in the access logs:
***************

We are currently looking for more clues; hope this will help others a bit in the search for clues!

--- EDITED ---

Access log info removed for security reasons. thanks,
Last edited by duvien on Mon Jul 10, 2006 10:29 pm, edited 1 time in total.
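As an added example for this thread (not the poster's log, which was removed above), the following Python script scans Apache combined-format access log lines for two things a Joomla 1.0.x admin can actually look for: requests that hit a component's .php file directly instead of going through index.php (the direct-access problem discussed later in this thread), and clients identifying as libwww-perl, the default User-Agent of Perl's LWP library. The log lines are constructed with RFC 5737 documentation addresses; the component file name, the list of entry points and the assumption that the host logs in combined format are mine.

```python
"""Flag access-log lines that request Joomla 1.0.x component files directly
(bypassing index.php) or come from a Perl HTTP client.
Added example for this forum thread; SAMPLE_LOG is constructed, not real."""
import re
from typing import Dict, List, Optional

# Apache "combined" format. Assumption: the host writes this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A visitor is meant to reach Joomla 1.0.x only through these scripts.
ENTRY_POINTS = {"/index.php", "/index2.php", "/administrator/index.php",
                "/administrator/index2.php", "/administrator/index3.php"}
# A .php file requested directly under one of these directories is suspicious;
# images/CSS under the same directories are normal and are not flagged.
COMPONENT_DIRS = ("/components/", "/modules/", "/mambots/",
                  "/administrator/components/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_direct_component_request(path: str) -> bool:
    """True when a .php file under a component/module directory is requested
    directly rather than through one of Joomla's entry points."""
    path_only = path.split("?", 1)[0]          # drop the query string
    return (path_only.endswith(".php")
            and path_only.startswith(COMPONENT_DIRS)
            and path_only not in ENTRY_POINTS)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                           # not a log line in this format
        reasons = []
        if is_direct_component_request(rec["path"]):
            reasons.append("direct request to component file")
        if "libwww-perl" in rec["ua"].lower():
            reasons.append("libwww-perl client")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "ua": rec["ua"], "reasons": reasons})
    return findings


# Constructed sample: documentation IPs, illustrative file names.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2006:17:02:11 +0200] "GET /index.php?option=com_extcalendar HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2006:17:04:45 +0200] "GET /components/com_extcalendar/extcalendar.php HTTP/1.1" 200 312 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [10/Jul/2006:17:04:46 +0200] "GET /components/com_extcalendar/extcalendar.php?x=1 HTTP/1.0" 200 312 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jul/2006:17:05:02 +0200] "GET /components/com_extcalendar/images/cal.gif HTTP/1.1" 200 912 "http://www.example.com/" "Mozilla/5.0"',
    'garbage that is not an access log line',
]

if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for f in scan(lines):
        print(f"{f['ip']} {f['ts']} {f['path']} [{f['ua']}] -> {', '.join(f['reasons'])}")
```

Feed it the real log with `python scan_log.py < access_log`. The User-Agent check is only a hint, since a client can send any string; the direct-request check is the more useful of the two, because a visitor following the site's own links only ever reaches component code through index.php.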

xpla
Joomla! Intern
Posts: 52
Joined: Sun Apr 23, 2006 8:20 pm

Re: Spymeta!

Post by xpla » Wed Jul 12, 2006 12:55 pm

Also got hacked... Currently I'm transferring a backup... But there is no solution for the ExtCalendar security problem?!

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: Spymeta!

Post by Elpie » Wed Jul 12, 2006 1:23 pm

The original developer has apparently abandoned ExtCalendar BUT a new version is on its way ;)
If you are comfortable with editing the files, you can go into each file that ExtCalendar has placed on your site and add this code to the top of each one.

    // Don't allow direct linking
    defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

This goes directly under the

    <?php

at the top of each file.

This line protects ExtCalendar against most of the latest exploits.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
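To apply Elpie's fix to every file at once rather than by hand, here is an added Python helper (not Joomla's or ExtCalendar's code) that inserts the `_VALID_MOS` guard directly under the first `<?php` tag of each .php file that does not already carry one, and reports files it could not handle. The directory and file names in demo() are constructed; run it against a copy of your ExtCalendar directory and diff the result before replacing the live files.

```python
"""Add Joomla 1.0.x's direct-access guard to every .php file under a directory.
Added example for this forum thread; the guard text is the one quoted above,
the directory layout in demo() is constructed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

GUARD_COMMENT = "// Don't allow direct linking"
GUARD = "defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );"

# Tolerates any spacing/quoting so already-protected files are left alone.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*or\s*die""")
OPEN_TAG_RE = re.compile(r"<\?php\b")


def has_guard(source: str) -> bool:
    return GUARD_RE.search(source) is not None


def add_guard(source: str) -> str:
    """Return source with the guard inserted directly under the first <?php tag.
    Idempotent: a guarded file is returned unchanged."""
    if has_guard(source):
        return source
    m = OPEN_TAG_RE.search(source)
    if m is None:
        raise ValueError("no <?php opening tag; file cannot be guarded this way")
    return source[:m.end()] + "\n" + GUARD_COMMENT + "\n" + GUARD + source[m.end():]


def patch_tree(root: Path, dry_run: bool = False) -> Dict[str, List[str]]:
    """Guard every *.php under root. Reports which files were patched, were
    already guarded, or were skipped because they have no <?php tag."""
    result: Dict[str, List[str]] = {"patched": [], "already_guarded": [], "skipped": []}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        # latin-1 round-trips arbitrary bytes, so non-UTF-8 files are not damaged
        source = path.read_bytes().decode("latin-1")
        if has_guard(source):
            result["already_guarded"].append(rel)
            continue
        try:
            patched = add_guard(source)
        except ValueError:
            result["skipped"].append(rel)
            continue
        if not dry_run:
            path.write_bytes(patched.encode("latin-1"))
        result["patched"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed component copy: one unguarded, one guarded, one non-PHP file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "com_extcalendar"          # hypothetical copy of the component
        root.mkdir()
        (root / "extcalendar.php").write_text("<?php\n\n$x = 1;\n")
        (root / "guarded.php").write_text("<?php\ndefined('_VALID_MOS') or die('no');\n")
        (root / "template.php").write_text("<html>no php tag</html>\n")
        result = patch_tree(root)
        result["sample"] = (root / "extcalendar.php").read_text().splitlines()[:3]
        return result


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(patch_tree(target, dry_run="--dry-run" in sys.argv) if target else demo())
```

The guard only stops a file from running when it is requested directly; as Elpie notes later in the thread, the old ExtCalendar had other problems, so treat this as a stopgap until the component is updated or removed.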

xpla
Joomla! Intern
Posts: 52
Joined: Sun Apr 23, 2006 8:20 pm

Re: Spymeta!

Post by xpla » Wed Jul 12, 2006 1:26 pm

Thank you for your fast reply :) I've already found that solution in a German Joomla forum (joomlaos.de)... but again, thank you for your fast reply.

Goosemoose
Joomla! Apprentice
Posts: 48
Joined: Thu Dec 01, 2005 4:59 am
Contact:

Re: Spymeta!

Post by Goosemoose » Wed Jul 12, 2006 11:41 pm

I just got hacked as well. They left the index.php file alone and changed the configuration.php instead. I was running joomla 1.0.8 and extcalendar.
Goosemoose Pet Portals: http://www.GooseMoose.com
Home Inspector Pro Home Inspection Software

Geoff
Joomla! Virtuoso
Posts: 3173
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: Spymeta!

Post by Geoff » Thu Jul 13, 2006 9:38 pm

Goosemoose wrote: I just got hacked as well. They left the index.php file alone and changed the configuration.php instead. I was running joomla 1.0.8 and extcalendar.
1. upgrade to 1.0.10
2. extcalendar has some security holes (http://forum.joomla.org/index.php/topic,75390.0.html)
3. you might want to try this: http://forum.joomla.org/index.php/topic,75376.0.html
4. if you know the general IP range of where the hacker came from, you might want to temporarily block that IP range for a few days
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

welby
Joomla! Apprentice
Posts: 22
Joined: Fri Feb 10, 2006 3:43 pm

Re: Spymeta!

Post by welby » Thu Jul 13, 2006 10:08 pm

PhilTaylor-Prazgod wrote: This looks like a server hack.

index.php
index2.php
/administrator/index.php

are all hacked.

I also suggest you look to see if the hacker has dropped an index.html into the administrator folder.
Open it up in your text editor and you might possibly see this:

HACKED By SPYMETA

body {scrollbar-base-color: #000000; scrollbar-arrow-color: #00ff00; scrollbar-3dlight-color: #ffffff; scrollbar-highlight-color: #000000; scrollbar-shadow-color: #000000; scrollbar-darkshadow-color: #000000; background-color: #000000;
}

SPYMETA WAS HERE !

Take it from me, check everything - I was hacked too!
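welby's advice to check everything is easier to follow with a file-by-file comparison against a clean Joomla install of the same version. The Python below is an added example, not Joomla code: it hashes both trees, reports files that are modified, added or missing, sets configuration.php and .htaccess aside for manual review (they legitimately differ from the distribution, and theDagda's post shows .htaccess can be wiped, so compare those with your own backup), and greps the suspicious files for the SPYMETA string quoted in this thread. The clean/live trees in demo() are constructed; tmp/dropped.php stands in for the scripts albi suggested looking for in tmp.

```python
"""Compare a live Joomla tree with a clean install of the same version.
Added example for this forum thread, not Joomla code. Paths, file names and
contents in demo() are constructed for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Files that differ from a clean install by design; compare these with your
# own backup rather than with the distribution.
EXPECTED_LOCAL = {"configuration.php", ".htaccess"}
MARKER = b"SPYMETA"   # defacement string quoted in the thread


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> Dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean: Path, live: Path) -> Dict[str, List[str]]:
    """Classify every path seen in either tree."""
    clean_h, live_h = tree_hashes(clean), tree_hashes(live)
    report: Dict[str, List[str]] = {"modified": [], "added": [], "missing": [],
                                    "review_manually": []}
    for rel in sorted(set(clean_h) | set(live_h)):
        if rel in EXPECTED_LOCAL:
            report["review_manually"].append(rel)
        elif rel not in live_h:
            report["missing"].append(rel)        # deleted on the live site
        elif rel not in clean_h:
            report["added"].append(rel)          # not shipped by Joomla
        elif clean_h[rel] != live_h[rel]:
            report["modified"].append(rel)
    return report


def find_marker(live: Path, rel_paths: List[str], marker: bytes = MARKER) -> List[str]:
    """Subset of rel_paths (which must exist under live) containing marker."""
    return sorted(rel for rel in rel_paths if marker in (live / rel).read_bytes())


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> Dict[str, List[str]]:
    """Constructed clean/live pair mirroring the files named in this thread."""
    with tempfile.TemporaryDirectory() as d:
        clean, live = Path(d) / "clean", Path(d) / "live"
        for root in (clean, live):
            _write(root / "index2.php", "<?php // unchanged entry point\n")
            _write(root / "administrator/index.php", "<?php // unchanged admin entry\n")
        _write(clean / "index.php", "<?php // clean front-end entry\n")
        _write(clean / "htaccess.txt", "# shipped with Joomla, deleted on live\n")
        _write(live / "index.php", "<html>HACKED By SPYMETA</html>\n")        # defaced
        _write(live / "administrator/index.html", "SPYMETA WAS HERE !\n")    # dropped
        _write(live / "tmp/dropped.php", "<?php // placeholder for an attacker script\n")
        _write(live / "configuration.php", "<?php // site config, exists only live\n")
        report = compare_trees(clean, live)
        report["marker_hits"] = find_marker(
            live, report["modified"] + report["added"] + report["review_manually"])
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real check, point compare_trees at an unpacked Joomla 1.0.10 archive and a download of the live webroot; anything under "added" that is not one of your own extensions deserves a look, and the "missing" list catches the cleared files the defacement itself does not show.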

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: Spymeta!

Post by Elpie » Thu Jul 13, 2006 11:16 pm

igeoffi wrote: 4. if you know the general IP range of where the hacker came from, you might want to temporarily block that IP range for a few days
Blocking IPs is not a good idea unless you do it at the time attempts are being made ostensibly from a certain IP.
Hackers do not usually stay on the same IP for very long at all. They may not even be on that IP (IP spoofing is not uncommon) and blocking a "general range" can have unintended consequences. In the last few weeks I have had to deal with site admins that have inadvertently blocked their own IP, and others that have accidentally denied access to their entire customer base (they thought they were blocking one entire country and instead blocked their own). IP blocking has its uses, but these rarely extend beyond the time of an actual attack.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
theDagda
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Fri Mar 03, 2006 1:37 am
Location: Naas, Ireland

Re: Spymeta!

Post by theDagda » Wed Jul 26, 2006 4:26 pm

One of my sites was also hacked yesterday. Thanks to everyone's advice in these forums I got it sorted out pretty quickly.
Thanks everyone!
Think I was lucky though, it only got at my configuration.php from what we can tell. But it also cleared the .htaccess.

Running 1.0.10 with ExtCalendar

Just wanted to say thanks again folks!

Respect
Last edited by theDagda on Wed Jul 26, 2006 4:36 pm, edited 1 time in total.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: Spymeta!

Post by Elpie » Thu Jul 27, 2006 4:11 am

theDagda wrote: Running 1.0.10 with ExtCalendar
Make sure you are running the latest security update for ExtCalendar. The old version had more problems for security than just the ability to directly access the files.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
theDagda
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Fri Mar 03, 2006 1:37 am
Location: Naas, Ireland

Re: Spymeta!

Post by theDagda » Thu Jul 27, 2006 4:21 am

Make sure you are running the latest security update for ExtCalendar...
Thanks Elpie,

I've removed ExtCalendar altogether. I can't risk the site getting hacked again too soon, so I decided to use something else. Testing out 'Events' now, seems like a decent alternative for me.

Thanks again mate

