Joomla! Discussion Forums



It is currently Mon Nov 23, 2009 9:24 pm (All times are UTC )

 




Posted: Tue Jul 24, 2007 12:27 am
Joomla! Guru

Joined: Thu Aug 18, 2005 1:16 am
Posts: 961
Location: Glendale, CA, USA
Do you get an error message or what?

_________________
http://www.virtuemart-extensions.com


Posted: Tue Jul 24, 2007 12:29 am
Joomla! Intern

Joined: Wed May 02, 2007 7:34 am
Posts: 55
I've just replaced the configuration.php as well with the details in configuration.php-dist and now I get this error:

Code:
Warning: require_once(/index/joomla/install/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/me/public_html/index/includes/joomla.php on line 71

Fatal error: require_once() [function.require]: Failed opening required '/index/joomla/install/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/me/public_html/index/includes/joomla.php on line 71


Last edited by yazeft on Tue Jul 24, 2007 1:25 am, edited 1 time in total.

Posted: Tue Jul 24, 2007 12:37 am
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
Removing those files and installing the Expose patch will not fix your site. That just patches Expose. Depending on what files the hackers modified, you may need to restore a backup. Mainly the index.php and configuration.php, from what others have said.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Tue Jul 24, 2007 12:57 am
Joomla! Intern

Joined: Wed May 02, 2007 7:34 am
Posts: 55
I haven't made any backups before.. :(

I downloaded Joomla again, and I replaced the index.php and configuration.php with the 'default' ones and made the appropriate changes... is this enough?

Also, how do I know which files the hacker has made changes to?


This is the error:


Code:
Warning: require_once(/index/install/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/me/public_html/index/includes/joomla.php on line 71

Fatal error: require_once() [function.require]: Failed opening required '/index/install/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/me/public_html/index/includes/joomla.php on line 71


Posted: Tue Jul 24, 2007 1:03 am
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
Something is clearly wrong.

**On a side note I would highly recommend backing up your site just in case anything happens. I had my SMF Forum hacked once and didn't have a current backup at the time, so I can completely understand the problems.**

If you try replacing the entire "includes" directory with the one from the default Joomla ZIP file, does that work?
Call your hosting provider to see if they may have a backup too  ;) Sometimes they back up the servers.

Lastly, try this:

- Export your MySQL DB
- Back up your current Joomla file structure (verify that it's a good backup)
- Reinstall Joomla
- Restore your DB
- Drag over your custom folders (i.e. Templates, Components, Administrator folders, mambots etc...)

That might work also.

Good Luck,

Josh

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Tue Jul 24, 2007 1:29 am
Joomla! Intern

Joined: Wed May 02, 2007 7:34 am
Posts: 55
I replaced all the .php files in 'includes'

.. still get the same error.. but the file is definitely there!!! araghh...

Would the CHMOD settings make a difference for the dir and files? - currently set at 0644


Posted: Tue Jul 24, 2007 2:33 am
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
As long as the files are 644 and the directories are 755, I don't see any issues. Did you ask your hosting provider about a backup? They must back up their systems.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Wed Jul 25, 2007 12:45 am
Joomla! Enthusiast

Joined: Wed Apr 11, 2007 11:45 pm
Posts: 114
Location: C-Town USA
When did all this happen?
I thought you had a patch for uploadimg.php; now you're saying to just delete that.
So confused.
Does this work with 1.0.13?

_________________
I'm the Real, RealRitzcracker!
Real cause im fo Real
Ritz cause im ritzy
Cracka cause im white


Posted: Wed Jul 25, 2007 6:02 am
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
We did originally patch those files and, after looking further into it, we found that it would be best to entirely remove that function to prevent future attacks on the same files. We are working on a new / better way to upload background images (that's all that file did, has nothing to do with stand photo uploads). Once it is done and stable we will update the package for testing.

Sorry for the trouble.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Wed Jul 25, 2007 8:05 am
Joomla! Fledgling

Joined: Wed Jul 25, 2007 7:48 am
Posts: 1
I was also hacked by a group called "d.o.m Team" (spain 2007). I applied the patch, removed 4 files from the img directory, cleared the cache directory (here a file called function.php was installed), removed a file called index.htm in the root and replaced the index.php in the root, but nothing changed. So I searched again, and I found that my com_content.php had also been changed and all my content in the jos_content table in the database had been overwritten with HTML code for showing the defaced screen. I changed the com_content.php under /administrator/components to the original one and cleared the jos_content table, and the homepage was in the old state (but without the article content). All other things (the images in Expose, a guestbook, perForm Forms, aso.) worked now.

Hans


Posted: Wed Jul 25, 2007 1:44 pm
Joomla! Apprentice

Joined: Wed Jul 25, 2007 1:20 pm
Posts: 15
Here is what I did, but I still have a problem, any ideas please help!!!

1. I removed Expose completely using the uninstall in Joomla
2. Went to JoomlaXplorer and completely removed the expose folder
3. Changed the index.php content to what it should be (it was modified by the hacker); I used an index.php from another site and just copied it
4. The site comes up, but now I have an error at the top of my page (beneath my error is my site):

Warning: Cannot modify header information - headers already sent by (output started at /home/content/A/I/A/AIAE10/html/joomla/index.php:2) in /home/content/A/I/A/AIAE10/html/joomla/includes/joomla.php on line 697

My site is: http://www.aiae.net/joomla

What do I do next???

Thanks,
Laura

_________________
www.RytechSites.com
Attend / Sponsor JoomlaDayNYC!!! Visit www.JoomlaDayNYC.com


Posted: Wed Jul 25, 2007 3:53 pm
Joomla! Apprentice

Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Synchronize your site with a backup to search for modified files, or when you don't have one, synchronize with a standard Joomla installation package. Fixed my site twice in no time with this trick.


Posted: Wed Jul 25, 2007 5:31 pm
Joomla! Enthusiast

Joined: Wed Apr 11, 2007 11:45 pm
Posts: 114
Location: C-Town USA
doctorj wrote:
We did originally patch those files and, after looking further into it, we found that it would be best to entirely remove that function to prevent future attacks on the same files. We are working on a new / better way to upload background images (that's all that file did, has nothing to do with stand photo uploads). Once it is done and stable we will update the package for testing.

Sorry for the trouble.


No problem I was just a little confused.

Thanks for Expose man I love it!

_________________
I'm the Real, RealRitzcracker!
Real cause im fo Real
Ritz cause im ritzy
Cracka cause im white


Posted: Wed Jul 25, 2007 5:53 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
;D

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Sun Jul 29, 2007 7:12 pm
Joomla! Fledgling

Joined: Sun Jul 29, 2007 7:06 pm
Posts: 1
Hello, I paid for your Expose gallery for my commercial website.

You guys should be held responsible for everyone's site your company compromised with a very reckless bug in your Expose gallery.

I've downloaded your patch, uploaded it to my server, and the site still gets hacked. I then completely removed your gallery. But it looks like your gallery punched a lot more holes into my site from what I read from Joomla forums.

Why is this not addressed in the front page of http://www.gotgtek.com? And why are the answers nowhere to be found on the front page?

"Since 1998, we have built a reputation for creating a positive return on investment for our clients." - gtek

I paid for a software that allowed hackers to walk in and out of my site. Your software has ruined the trust of my clients.

If your software was shiny car rims, your rims will have a button that says "press here to steal." It would completely bypass all car security opening all the doors and starting the engine for the car thieves. Everyone would deserve a recall. Those who PAID for this reckless code should be compensated completely.


Posted: Sun Jul 29, 2007 7:31 pm
Joomla! Fledgling

Joined: Thu Jul 19, 2007 11:30 am
Posts: 4
The user implementing third party software is responsible himself.

If it were different Microsoft would have gone bankrupt by now because of all the lawsuits of guys who got hacked because of the never-ending chain of security holes M$ provides us with since years.

You pay for the usage but not for a security warranty.

Sorry dude!

Since I was hacked too, I really feel sorry for you but I don't agree with your statements.  ;)


Posted: Sun Jul 29, 2007 11:10 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
goofiva wrote:
Hello, I paid for your Expose gallery for my commercial website.

You guys should be held responsible for everyone's site your company compromised with a very reckless bug in your Expose gallery.

I've downloaded your patch, uploaded it to my server, and the site still gets hacked. I then completely removed your gallery. But it looks like your gallery punched a lot more holes into my site from what I read from Joomla forums.

Why is this not addressed in the front page of http://www.gotgtek.com? And why are the answers nowhere to be found on the front page?

"Since 1998, we have built a reputation for creating a positive return on investment for our clients." - gtek

I paid for a software that allowed hackers to walk in and out of my site. Your software has ruined the trust of my clients.

If your software was shiny car rims, your rims will have a button that says "press here to steal." It would completely bypass all car security opening all the doors and starting the engine for the car thieves. Everyone would deserve a recall. Those who PAID for this reckless code should be compensated completely.


You really need to understand what you are getting and be a little more professional with your comments. Bruno and myself both work on this software in our free time. Here are a few things you need to take into consideration:

  • This component is a bridge for the main Expose Gallery found at http://www.slooz.com. We have full permission from Ivan to give away this bridge as open source as long as the main Expose gallery (what we call the core) stays fully intact
  • You Paid for the Expose Gallery Rights for commercial Use (as said above, Thank You JoomlaJasper) not for any guarantees that it will never get hacked
  • We (Bruno and Myself) have full time Jobs and do this for **FREE** in our spare time; we only receive about $10 a month in donations. This doesn't even cover my server costs/bandwidth

I mean none of this out of disrespect, but just want you and others to realize the full story before you go accusing us of neglect. Most of this software is written late at night and it is easy to overlook a missing semi-colon or a "valid MOS tag". This is why we always HIGHLY recommend daily backups just in case. This should be a good security practice for anyone using Web Applications.

The reason this was not on my frontpage (gotgtek.com) is because that is mainly for personal things and does not have much to do with Expose. That is why we have an external Demo site (thanks to http://www.modus.ie). They have been very generous in donating space to host our demo site.

If you have any other questions I am here.

-Josh

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Mon Jul 30, 2007 6:58 pm
Joomla! Apprentice

Joined: Tue Apr 03, 2007 10:25 pm
Posts: 12
tomhay wrote:
Hi all,
I have applied the patch, deleted the two .php files, replaced the configuration.php and index.php and now the site is showing this error.

Warning: require_once(W:/www/louise/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71

Fatal error: require_once() [function.require]: Failed opening required 'W:/www/louise/includes/version.php' (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71

I am a bit new to this so any help would be most appreciated.

Tom


I got the same type of message.  So when I used JoomlaXplorer to look around, the expose folder is completely gone from the components section.  I didn't uninstall it.  In fact, it's still in the component menu.  But the whole folder containing it and all the images are gone.  Doubly sad for me is that I don't have a back-up of the site nor a back-up of all the text I typed into it.  I typed it all straight into Expose.

At this point I doubt I'm going to reinstall Expose.  As much as I loved what it did, if it keeps getting hacked into, it's not worth it.  Not right now.


Posted: Mon Jul 30, 2007 7:26 pm
Joomla! Apprentice

Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
The security hole has been fixed in 4.6.1, but as long as you don't remove the files that the hacker added/changed on your server (can be all over the site, but usually they are located in the expose folder), they can access your site at any time, even when using our updated release, or even when removing the expose component completely.
All you need to do is verify your site with the latest clean backup, and all differences will appear. I fixed my site in a few minutes doing so, but since you don't have one this will be difficult...
I would try to reinstall your Joomla site locally (use wamp or so) with clean install packages, then use my ftp-compare trick to get yours back in the state it was before. When finished, keep this copy as backup. You only need to make a safety copy of your database from time to time (there are some components that can do this for you).


Last edited by Tokapi on Mon Jul 30, 2007 8:09 pm, edited 1 time in total.
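
The compare-against-a-clean-copy check described in the post above, as an added example that is not part of the original thread or of the Expose project's code. It assumes a locally unpacked copy of the same Joomla release as the baseline; the helper names, the `DATA_DIR_NAMES` list and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: directories that should hold only images or cache data. Posts in
# this thread report dropped .php files in the gallery img and cache directories.
DATA_DIR_NAMES = {"img", "images", "cache"}
SCRIPT_EXTS = {".php", ".phtml", ".php5"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def compare_trees(clean_root, live_root):
    """Diff the live site against a clean copy of the same release."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    report = {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }
    # Added scripts inside data-only directories deserve the first look.
    report["script_in_data_dir"] = sorted(
        p for p in report["added"]
        if os.path.splitext(p)[1].lower() in SCRIPT_EXTS
        and DATA_DIR_NAMES & set(p.split("/")[:-1]))
    return report

def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def build_demo():
    """Constructed sample trees; file contents are harmless placeholders."""
    base = tempfile.mkdtemp(prefix="site_diff_")
    clean = {"index.php": b"<?php // stock index\n",
             "includes/joomla.php": b"<?php // stock core\n",
             "components/com_expose/expose/img/bg.jpg": b"\xff\xd8 sample"}
    live = dict(clean)
    live["index.php"] = b"<?php // altered index\n"
    live["configuration.php"] = b"<?php // site settings\n"  # expected addition
    live["cache/function.php"] = b"<?php // placeholder\n"
    live["components/com_expose/expose/img/c99.php"] = b"<?php // placeholder\n"
    clean_root, live_root = os.path.join(base, "clean"), os.path.join(base, "live")
    write_tree(clean_root, clean)
    write_tree(live_root, live)
    return clean_root, live_root

if __name__ == "__main__":
    for kind, paths in compare_trees(*build_demo()).items():
        print(f"{kind}: {paths}")
```

The "added" list also contains legitimate site files such as configuration.php, uploaded images and third-party extensions, so each entry needs a look rather than blind deletion. A file comparison does not cover database content, which one post in this thread reports was overwritten as well.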

Posted: Tue Jul 31, 2007 6:23 pm
Joomla! Fledgling

Joined: Tue Mar 27, 2007 12:44 am
Posts: 2
Location: United States
If someone notices a fix at the Expose homepage, please post it here as well so we all are up to date on the latest.

Thanks


Posted: Tue Jul 31, 2007 9:39 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 84
Location: San Francisco, CA, USA
We are working on a new version of the component that will have a small notification area in the check system script. This will help tell you what the latest version of the release is. We will also post security hole fixes there as needed. It's too hard for us to develop a component and remember to update the 20 different forums (including ours, Tokapi and myself) that we belong to. If you have any other ideas we are here to listen.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Mon Aug 13, 2007 4:00 am
Joomla! Enthusiast

Joined: Mon Jul 31, 2006 4:33 pm
Posts: 151
doctorj wrote:
axl_fugazi wrote:
Hi, so my site got hacked as well. Am using Expose. I removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).

But I notice a fix was posted with a link. That link does not work. What else do I have to do to prevent a repeat of this problem?

Thanks - I'm not an experienced web manager so I appreciate any help.


The link is here http://joomlacode.org/gf/download/frsre ... 7.2007.zip it is best to always watch the root here: http://joomlacode.org/gf/project/expose/frs/  , the link changes every time I update the package. My apologies for that.


This link does not work.

~R


Posted: Mon Aug 13, 2007 4:03 pm
Joomla! Apprentice

Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Use 2nd link (http://joomlacode.org/gf/project/expose/frs/) and search in the files for a patch or latest release.


Posted: Fri Aug 17, 2007 6:04 pm
Joomla! Apprentice

Joined: Tue Feb 13, 2007 7:41 pm
Posts: 26
MImpola wrote:
If someone notices a fix at the Expose homepage please post it here as well so we all are up to date on the latest

Thanks


New version of this nice piece of software is out:
http://joomlacode.org/gf/project/expose/frs/

Cheers


Posted: Mon Aug 20, 2007 3:57 pm
Joomla! Enthusiast

Joined: Mon Jul 31, 2006 4:33 pm
Posts: 151
Seems there is still a vulnerability.

I have patched my install, removed dubious files, and my site was hacked again today..
I found two php files in the img directory: r57.php and c99.php

I have taken off this component until it gets sorted.

>:(


Posted: Mon Aug 20, 2007 5:53 pm
Joomla! Apprentice

Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
Did you remove the two files as described in the readme, or just patch it?
Did you check your site for more changed/added files also?


Posted: Tue Aug 21, 2007 5:19 am
Joomla! Enthusiast

Joined: Mon Jul 31, 2006 4:33 pm
Posts: 151
Yeap, did all of that. You mean the uploadimg.php & uploadimage.php
and all of the above and checked all the folders for other suspicious php files...
~R


Posted: Tue Aug 21, 2007 8:06 pm
Joomla! Enthusiast

Joined: Thu Sep 08, 2005 2:04 pm
Posts: 123
Location: Brasil
Well.. I was hacked too, but I don't have Expose stuff here.  ??? I came to this topic through the forum search tool (hacker name).

I'm trying to find "where is the hole" here, what is the component etc...  I will post more info later.


Posted: Tue Aug 21, 2007 8:24 pm
Joomla! Apprentice

Joined: Tue Aug 15, 2006 8:14 am
Posts: 43
I had my expose hacked as well. I did remove the required files and added the patch and still got hacked. Here is the message I received when I went to view my gallery in expose:

hacked by_crab muslým hackers.org

Is there anything else I can do to keep Expose from being hacked, as I have my design portfolio there and it's getting old being hacked now 3 times?

Thanks,

Alyn


Posted: Tue Aug 21, 2007 8:45 pm
Joomla! Apprentice

Joined: Tue Feb 13, 2007 7:41 pm
Posts: 26
I got hacked as well when I had RC4 installed on my site.
I completely removed the component and all maps from the server.

Next I installed the latest version of Expose 4 which is 4.6.1
The version can be found here ...............
http://joomlacode.org/gf/project/expose/frs/

This version has the patch inside and is working for me.

Arkomat

