What to look for in log files?

For all Non-Joomla! security issues. ie 3pd Components etc.

Pmoney
Joomla! Apprentice
Posts: 29
Joined: Tue Sep 05, 2006 6:49 pm

What to look for in log files?

Post by Pmoney » Fri Feb 29, 2008 11:38 pm

My site has been getting hacked repeatedly. I can't figure out how they are getting in. I'm a bit inexperienced in this, but I would like to know what to look for in the log files.

The hacker modified almost all the index.php and index.html files in my Joomla installation, but not in other non-joomla directories. They added an iframe to every page.

I can see when the files were modified and they were all about the same time, but my logs do not show anything out of the ordinary at those times. What do I look for?

Thanks.

Pmoney
Joomla! Apprentice
Posts: 29
Joined: Tue Sep 05, 2006 6:49 pm

Re: What to look for in log files?

Post by Pmoney » Fri Feb 29, 2008 11:58 pm

After looking through some past days where it was attacked, I found a lot of lines in the log that look like this:

79.135.181.122 - - [27/Feb/2008:07:22:23 -0500] "GET /components/com_jcalpro/images/minipics/.info.php?id=head%20-1%20paster.txt%20%3E%3E%20/data/9/0/74/154/563806/user/575230/htdocs/site/administrator/includes/pcl/index.html HTTP/1.1" 200 - "-" "googlebot"

There are several of these lines, all beginning with the jcalpro component and at the end they all have a different index.html listed, and these were the files changed.

Could this be when I was under attack?
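
One way to search an access log for requests shaped like the line quoted above, as an added example that is not part of the original thread. The sample lines are constructed (shortened paths, a placeholder component name, documentation-range addresses), and the directory names and patterns in the regular expressions are assumptions to adapt to your own site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format, modelled on the
# entry quoted in the thread; not taken from the poster's logs.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Feb/2008:07:22:23 -0500] "GET /components/com_example/images/minipics/.info.php?id=head%20-1%20paster.txt%20%3E%3E%20/home/site/htdocs/administrator/index.html HTTP/1.1" 200 - "-" "googlebot"
198.51.100.7 - - [27/Feb/2008:07:22:25 -0500] "GET /components/com_example/images/minipics/.info.php?id=head%20-1%20paster.txt%20%3E%3E%20/home/site/htdocs/index.php HTTP/1.1" 200 - "-" "googlebot"
203.0.113.9 - - [27/Feb/2008:07:23:01 -0500] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2008:07:23:02 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# A script served from an image/upload style directory, or a dot-prefixed script.
ODD_SCRIPT_RE = re.compile(r'/(images|media|tmp|cache)/.*\.php$|/\.[^/]+\.php$', re.I)
# Shell redirection or chaining characters inside a decoded parameter value.
SHELL_META_RE = re.compile(r'>>?|[|;`]|\$\(')
# Absolute path following a redirection: the file the command wrote to.
TARGET_RE = re.compile(r'>>?\s*(/\S+)')

def scan(log_text):
    """Return one finding per suspicious request, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        url = urlsplit(target)
        reasons, written = [], []
        if ODD_SCRIPT_RE.search(url.path):
            reasons.append("script in unexpected location")
        # parse_qsl URL-decodes values, so %3E%3E is seen as '>>'.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_META_RE.search(value):
                reasons.append(f"shell metacharacters in '{name}'")
                written += TARGET_RE.findall(value)
        if reasons:
            findings.append({"ip": ip, "time": when, "path": url.path,
                             "status": status, "reasons": reasons, "written": written})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["reasons"], f["written"])
```

The `written` paths and request times can be compared against the modification times of the changed files to confirm which requests altered them.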

RussW
Joomla! Exemplar
Posts: 9347
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: What to look for in log files?

Post by RussW » Sat Mar 01, 2008 4:13 am

Please review the following FAQs ASAP; you will find a wealth of information related to your issues.

Security & Performance FAQ

It is not recommended to leave your sites publicly available and exploited, as it will only serve to promote the offender's ego and kudos and potentially expose the rest of the server to attack.

The above-mentioned FAQ will provide you with more than enough information to assist you in further securing your sites.

Particular entries of note, and to pay attention to, are:

Joomla! Administrator's Security Checklist

Help! My site's been compromised. Now what?

Vulnerable Extension List


Other useful posts and tools:

Joomla! Tools Suite
How can I check my Joomla! installation's overall security and health?

What does Joomla! have to do with file permissions?

How do I find exploits using the *NIX shell?

Potential Exploit Checking Script

Auto-Change, Admin Password Script

In most cases, your hosts will be more than willing to assist; a compromised site is also a risk to the rest of the server, thus it is in their interest to help you resolve these issues in the most expedient manner.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

FatherShawn
Joomla! Apprentice
Posts: 33
Joined: Thu Dec 07, 2006 4:54 pm
Location: Hamburg, NY

Re: What to look for in log files?

Post by FatherShawn » Sat Mar 01, 2008 12:39 pm

Do the original poster's log entries raise any concerns for the JCal-Pro component as a security risk?
Trinity Episcopal Church of Hamburg, NY - http://www.trinityhamburg.org

Pmoney
Joomla! Apprentice
Posts: 29
Joined: Tue Sep 05, 2006 6:49 pm

Re: What to look for in log files?

Post by Pmoney » Sat Mar 01, 2008 1:45 pm

Version 1.5.3 and register_globals ON (host will not turn off) -> if this is the issue then I will gladly move my website, I just have an agreement with the host that isn't easy to change.

RussW
Joomla! Exemplar
Posts: 9347
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: What to look for in log files?

Post by RussW » Sat Mar 01, 2008 8:42 pm

It is advisable to talk with the JCal project (or any extension, for that matter, that may be being targeted), but also bear in mind that many, many blind probes occur all the time irrespective of any known issues with any software.

PHP register_globals being ON is always a concern; if the host appears not to understand the full implications of their actions, maybe it is time to find a host that does.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

