My site has been getting hacked repeatedly. I can't figure out how they are getting in. I'm a bit unexperienced in this but I would like to know what to look for in the log files.
The hacker modified almost all the index.php and index.html files in my Joomla installation, but not in other non-joomla directories. They added an iframe to every page.
I can see when the files were modified and they were all about the same time, but my logs do not show anything out of the ordinary at those times, what do I look for?
Thanks.
What to look for in log files?
Moderator: General Support Moderators
Forum rules
-
- Joomla! Apprentice
- Posts: 29
- Joined: Tue Sep 05, 2006 6:49 pm
-
- Joomla! Apprentice
- Posts: 29
- Joined: Tue Sep 05, 2006 6:49 pm
Re: What to look for in log files?
After looking through some past days where it was attacked, I found a lot of lines in the log that look like this
There are several of these lines, all beginning with the jcalpro component and at the end they all have a different index.html listed, and these were the files changed.
Could this be when I was under attack?
Code: Select all
79.135.181.122 - - [27/Feb/2008:07:22:23 -0500] "GET /components/com_jcalpro/images/minipics/.info.php?id=head%20-1%20paster.txt%20%3E%3E%20/data/9/0/74/154/563806/user/575230/htdocs/site/administrator/includes/pcl/index.html HTTP/1.1" 200 - "-" "googlebot"
Could this be when I was under attack?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: What to look for in log files?
Please review the following FAQ's ASAP, you will find a wealth of information related to your issues.
Security & Performance FAQ
It is not recommended to leave your sites publicly available and exploited, as it will only serve to promote the offenders ego and kudos and potentially expose the rest of the server to attack.
The above mentioned FAQ will provide with more than enough information to assist you in further securing your sites.
Particular entries of note and to pay attention to, are;
Joomla! Administrator's Security Checklist
Help! My site's been compromised. Now what?
Vulnerable Extension List
Other useful posts and tools;
Joomla! Tools Suite
How can I check my Joomla! installation's overall security and health?
What does Joomla! have to do with file permissions?
How do I find exploits using the *NIX shell?
Potential Exploit Checking Script
Auto-Change, Admin Password Script
[hr]
In most cases, your hosts will be more than willing to assist, a compromised site is also a risk to the rest of the server, thus it is in their interest to help you resolve these issues in the most expediant manner.
Security & Performance FAQ
It is not recommended to leave your sites publicly available and exploited, as it will only serve to promote the offenders ego and kudos and potentially expose the rest of the server to attack.
The above mentioned FAQ will provide with more than enough information to assist you in further securing your sites.
Particular entries of note and to pay attention to, are;
Joomla! Administrator's Security Checklist
Help! My site's been compromised. Now what?
Vulnerable Extension List
Other useful posts and tools;
Joomla! Tools Suite
How can I check my Joomla! installation's overall security and health?
What does Joomla! have to do with file permissions?
How do I find exploits using the *NIX shell?
Potential Exploit Checking Script
Auto-Change, Admin Password Script
[hr]
In most cases, your hosts will be more than willing to assist, a compromised site is also a risk to the rest of the server, thus it is in their interest to help you resolve these issues in the most expediant manner.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- FatherShawn
- Joomla! Apprentice
- Posts: 33
- Joined: Thu Dec 07, 2006 4:54 pm
- Location: Hamburg, NY
- Contact:
Re: What to look for in log files?
Do the original poster's log entries raise any concerns for the JCal-Pro component as a security risk?
Trinity Episcopal Church of Hamburg, NY - http://www.trinityhamburg.org
-
- Joomla! Apprentice
- Posts: 29
- Joined: Tue Sep 05, 2006 6:49 pm
Re: What to look for in log files?
Version 1.5.3 and register_globals ON (host will not turn off) -> if this is the issue then I will gladly move my website, I just have an agreement with the host that isn't easy to change.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: What to look for in log files?
It is adviseable to talk with the JCal project (or any extension for that matter that may be, being targeted)n but also bear in mind that many many blind probes occur all the time irrespective of any known issues with any software.
PHP register_globals being ON, is always a concern, if the host appears not to understand the full implications of their actions, maybe it is time to find a host that does.
PHP register_globals being ON, is always a concern, if the host appears not to understand the full implications of their actions, maybe it is time to find a host that does.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/