The Joomla! Forum ™



PostPosted: Tue Apr 24, 2012 7:04 am 
Joomla! Apprentice

Joined: Tue Feb 20, 2007 4:26 am
Posts: 36
Hi - I got a site which got Malwared - I followed all the security procedures I could (shared host, couldn't find mods, plugins, components etc)

Does this look like I got most/all of it?

%%%%%%%%%% was my username

Thanks

Problem Description :: Forum Post Assistant (v1.2.1) : 24th April 2012 wrote:
Actions Taken To Resolve by Forum Post Assistant (v1.2.1) 24th April 2012 wrote:
Upgraded to Joomla 1.5.26.
Added htaccess protection to administrator directory
Changed database table name prefix
Changed default Super Administrator level to registered and blocked
Checked and fixed file and directories permissions
Purged of your tmp & log directory
Changed database collation
Repaired and optimised all database tables & Purge and optimise the sessions table.
Went through 7 step Joomla security checklist
Forum Post Assistant (v1.2.1) : 24th April 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: .- ()
Joomla! Configured :: Yes | Read-Only (444) | Owner: %%%%%%%%%% (uid: 766/gid: 766) | Group: %%%%%%%%%% (gid: 766) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5 | Technology: x86_64 | Web Server: Apache/2.2.11 (Unix) | Encoding: gzip, deflate | Doc Root: /home/%%%%%%%%%%/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.8 | PHP API: cgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 0 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.0.95-community (Client:5.0.95) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 348.17 KiB | #of _FPA_TABLE: 59
Detailed Environment :: wrote:
PHP Extensions :: zip (1.8.11) | xmlwriter (0.1) | libxml () | xmlrpc (0.51) | dom (20031129) | xmlreader (0.1) | xml () | tokenizer (0.1) | session () | pcre () | SimpleXML (0.1) | sockets () | soap () | SPL (0.2) | standard (5.2.8) | Reflection (0.1) | pspell () | posix () | mysqli (0.1) | mysql (1.0) | mime_magic (0.1) | mhash () | mcrypt () | mbstring () | json (1.2.1) | imap () | iconv () | hash (1.0) | gettext () | gd () | ftp () | filter (0.11.0) | exif (1.4 $Id: exif.c,v 1.173.2.5.2.26 2008/08/03 12:11:13 jani Exp $) | date (5.2.8) | curl () | ctype () | calendar () | bz2 () | bcmath () | zlib (1.1) | openssl () | cgi () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: MailTo (1.5.0) | User (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: Admintools (2.2.5) | Akeeba (3.4.3) | Banners (1.5.0) | Cache Manager (1.5.0) | Configuration Manager (1.5.0) | Contact Items (1.0.0) | Content Page (1.5.0) | Control Panel (1.5.0) | Frontpage (1.5.0) | ]iF[TinyMCE (1.0.0) | Installation Manager (1.5.0) | JCE (1.5.7.10) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Media Manager (1.5.0) | Menus Manager (1.5.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Newsfeeds (1.5.0) | Plugin Manager (1.5.0) | Polls (1.5.0) | Search (1.5.0) | Template Manager (1.5.0) | Trash (1.0.0) | User Manager (1.5.0) | Weblinks (1.5.0) | Agora Plugin (1.0.0) | CMS Shop Builder Plugin (1.5.0) | Contacts Plugin (1.0.1) | Content Plugin (1.5.1) | Eventlist Plugin (1.0.0) | Gallery2 Bridge Plugin (1.0.2) | Glossary Plugin (1.5.2) | Hot Property Plugin (1.0.1) | JCALPro Plugin (1.0.0) | JDownloads Plugin (1.5.1) | JEvents Plugin (1.0.3) | JMovies Plugin (1.5.0) | Jomres Plugin (1.0) | JoomDOC Extension (1.0.0) | JoomGallery Plugin (1.5.1) | KnowledgeBase Plugin (1.0.0) | Kunena Plugin (1.0.2) | Mosets Tree Plugin (1.0.1) | MyBlog Plugin (1.5.1) | Rapid Recipe Plugin (1.0.0) | RD-Autos Plugin (1.5.0) | Remository Plugin (1.0.3) | JoomSuite Resources Plugin (1.0.0) | Rokdownloads Plugin (1.0.4) | RSGallery2 Extension (1.0.0) | SectionEx Plugin (1.0.2) | SOBI2 Plugin (1.5.1) | Virtuemart Plugin (1.1.4) | Web Links Plugin (1.5.1) | DOCman Plugin (1.5.0) | lknAnswers Plugin (1.5.0) | Yoflash XMap Plugin (0.0.1) | Zoo Plugin (1.0.4) | AcyMailing Plugin (1.0.0) | Xmap (1.2.14) |

Modules :: SITE :: Archived Content (1.5.0) | Articles Items (1.0.3) | Banner (1.5.0) | Breadcrumbs (1.5.0) | Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.5.0) | Latest News (1.5.0) | Login (1.5.0) | Menu (1.5.0) | MoeDesigns Random Article (0.1.11) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Poll (1.5.0) | Random Image (1.5.0) | Random News with Intro (1.0.0) | Related Items (1.0.0) | Search (1.0.0) | Sections (1.5.0) | Statistics (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) | Extended Menu (1.1.0 (build ) |
Modules :: ADMIN :: Akeeba Backup Notification Mod (3.2.4) | Admin Tools Joomla! Upgrade No (2.2.5) | Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Login Form (1.0.0) | Admin Menu (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Quick Icons (1.0.0) | Items Stats (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | Unread Items (1.0.0) |

Plugins :: SITE :: Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Content - Email Cloaking (1.5) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | Content - Load Modules (1.5) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Content - Vote (1.5) | Advanced Link (1.5.0 Stable) | Joomla! Links for Advanced Lin (1.1.0) | Editor - ]iF[TinyMCE 2.1 (2.1.2) | Advanced Code Editor (1.5.7.10) | Advanced Link (1.5.7.10) | Joomla! Links for Advanced Lin (1.2.1) | File Browser (1.5.7.10) | Paste (1.5.7.10) | Image Manager (1.5.7.10) | Media Object support (1.5.7.10) | Paste (1.5.7.10) | JCE SPELLCHECKER TITLE (1.5.7.10) | Editor - JCE (1.5.7.10) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) | System - Admin Tools (2.2.5) | Akeeba Backup Lazy Scheduling (3.2.4) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Legacy (1.5) | System - Log (1.5) | System - Mootools Upgrade (1.5) | System - Remember Me (1.5) | System - SEF (1.5) | User - Example (1.0) | User - Joomla! (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) |
Templates Discovered :: wrote:
Templates :: SITE :: beez (1.0.0) | if_default (1.0) | if_home (1.0) | ifbrochure_v1.5.1_baseinstall (1.0) | JA_Purity (1.2.0) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: Khepri (1.0) |


PostPosted: Tue Apr 24, 2012 12:33 pm 
Joomla! Apprentice

Joined: Tue Feb 20, 2007 4:26 am
Posts: 36
Hi - I haven't experienced this before, and I thought I had followed all the steps required, and used Forum Post Assistant... did I post wrong information or follow incorrect forum procedure?


PostPosted: Wed Apr 25, 2012 12:06 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
You are the victim of the htaccess hacking making the rounds. There is a thread in both this forum and the 2.5 forum detailing more on it.

You will need to follow the info below. Make sure you follow all of it and make sure there are no insecure or out of date extensions being used.

PhilD wrote:

It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when the site became hacked.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 and 755 and 444 for the configuration.php file.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Wed Apr 25, 2012 2:58 am 
Joomla! Apprentice

Joined: Tue Feb 20, 2007 4:26 am
Posts: 36
Thanks Phil... I just updated the last few extensions and have followed the other points, so fingers crossed.... the only thing I can't do is check other admins' machines, but I have emailed them to check.... and password protected administrator area so they have to ask me for logins... then I can track the person if this is the cause.

I forgot that my htaccess was compromised too - Reading through that thread now


PostPosted: Wed Apr 25, 2012 3:06 am 
Joomla! Apprentice

Joined: Tue Feb 20, 2007 4:26 am
Posts: 36
Is it worth removing unused templates?


PostPosted: Sat Apr 28, 2012 4:30 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
Probably should have done the htaccess first or in conjunction with the other cleaning. Make sure to delete anything within the Joomla /tmp directory. Make sure to delete any htaccess files found to have the added code. It is hidden to the very far right at both top and bottom. Also make sure there is no htaccess file residing outside of your public_html directory. There is generally a hacked one hiding there also. There is no valid reason to have an htaccess file outside of a public_html area so any there are probably hacked ones.

At this point, I would just make sure you find all the htaccess files that are compromised (look in the root of the major directories such as public_html, above the public_html directory, the administrator directory, images directory etc.) and fix or delete them as the case warrants.

I would delete any template you do not use. Especially 3rd party ones. Deleting the default ones is up to you, but I sometimes delete those if I am not using them and I sometimes leave them.

Also uninstall and delete the directories associated with any extension you do not use. Many extensions when uninstalled leave a directory in both the front end and in the administrator directory areas with at least some (if not all) files. These can possibly be used later to hack a site.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
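
The htaccess check described in the post above, written out as an added example (it is not part of the original thread or of any Joomla tool): it walks an account's home directory, flags every .htaccess that sits outside the document root, and flags lines whose text starts only after a long run of whitespace. The function names, the 40-character threshold and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Content that starts only after a long run of spaces/tabs sits off-screen
# in most editors; the threshold of 40 is an assumption, tune as needed.
PADDED = re.compile(r"[ \t]{40,}\S")

def audit_htaccess(account_home, docroot="public_html"):
    """Return {path: [reasons]} for every suspicious .htaccess under account_home."""
    home = os.path.abspath(account_home)
    webroot = os.path.join(home, docroot)
    findings = {}
    for folder, _dirs, files in os.walk(home):
        if ".htaccess" not in files:
            continue
        path = os.path.join(folder, ".htaccess")
        reasons = []
        # An .htaccess above or beside the web root has no valid purpose there.
        if os.path.commonpath([webroot, path]) != webroot:
            reasons.append("outside document root")
        with open(path, "r", errors="replace") as fh:
            for number, line in enumerate(fh, start=1):
                if PADDED.search(line.rstrip("\r\n")):
                    reasons.append(f"line {number}: text pushed far right")
        if reasons:
            findings[path] = reasons
    return findings

def build_sample_account(base):
    """Constructed sample tree: one clean file, one padded, one misplaced."""
    samples = {
        "public_html/.htaccess": "RewriteEngine On\n",
        "public_html/images/.htaccess":
            " " * 300 + "# constructed marker line\nOptions -Indexes\n",
        ".htaccess": "Options -Indexes\n",
    }
    for rel, text in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_account(base)
        for path, reasons in sorted(audit_htaccess(base).items()):
            print(os.path.relpath(path, base), "->", "; ".join(reasons))
```

Every flagged file still needs to be compared by hand against the standard htaccess shipped with Joomla before it is fixed or deleted.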


PostPosted: Fri May 25, 2012 9:53 pm 
Joomla! Intern

Joined: Fri May 25, 2012 10:25 am
Posts: 51
Thank you PhilD, my site got Malwared too and I removed some htaccess that was hidden, and uninstalled all templates that I don't use, and now it's perfect

_________________
A Joomla games website http://www.jeuxgratuitflash.com
http://www.jeuxgratuitflash.com/les-jeux-en-3d.html


PostPosted: Sun Jul 22, 2012 8:22 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11984
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Jarod545 wrote:
Thank you PhilD, my site got Malwared too and I removed some htaccess that was hidden, and uninstalled all templates that I don't use, and now it's perfect
I do not believe it is perfect since you have not followed all steps as outlined to make sure all is clean. You need to follow all steps since you can be assured that you have hidden scripts elsewhere as well.

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Thu Sep 27, 2012 10:29 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
Hankin - please do not hijack topics. Start your own topic.

Topic locked due to no response from original poster - see viewtopic.php?f=432&t=509319

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

