Another hacked site..

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

CodiBear
Joomla! Fledgling
Posts: 1
Joined: Tue Sep 16, 2014 11:23 am

Another hacked site..

Post by CodiBear » Tue Sep 16, 2014 11:32 am

I don't know if I am doing this properly, but below is the output from forum post assistant.

My site has been hacked; the attack replaces my index.php file. I have a backup of the file but every time I replace it the attacker modifies it. I really don't know what to do. The site is Joomla! 1.5, but I have no idea how to go about updating it as I did not create it.
I do have admin access to the back end, not that that seems to help me much.

If anyone can see any obvious problems other than an outdated Joomla! install I would love to hear from them.
Thanks in advance.
Problem Description :: Forum Post Assistant (v1.2.4) : 16th September 2014 wrote:My index.php file keeps being replaced. I have a backup but the file is overwritten by someone. While they do not do any real damage it is very annoying. I have checked the file and folder permissions and they seem ok. I hope someone can help me.
Log/Error Message :: Forum Post Assistant (v1.2.4) : 16th September 2014 wrote:Just the 'new' front page, informing me I have been hacked.
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 16th September 2014 wrote:Confirm file permissions, reset passwords.
Forum Post Assistant (v1.2.4) : 16th September 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (440) | Owner: ashleysc (uid: 1/gid: 1) | Group: ashleysc (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-531.17.1.lve1.2.60.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate | Doc Root: /home/ashleysc/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.37-cll (Client:5.5.37) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 1.15 MiB | #of Tables:  48
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | posix () | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | standard (5.3.28) | imap () | SimpleXML (0.1) | soap () | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | suhosin (0.9.33) | Phar (2.0.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | timezonedb (2014.2) | SQLite (2.0-dev) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: User (1.5.0) | MailTo (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: Module Manager (1.5.0) | Trash (1.0.0) | User Manager (1.5.0) | Installation Manager (1.5.0) | Mass Mail (1.5.0) | Newsfeeds (1.5.0) | PhocaDownload (1.3.3) | Messaging (1.5.0) | Plugin Manager (1.5.0) | Menus Manager (1.5.0) | Banners (1.5.0) | Content Page (1.5.0) | Frontpage (1.5.0) | Polls (1.5.0) | GCalendar (2.1.2) | Weblinks (1.5.0) | JCE (1.5.7.1) | Media Manager (1.5.0) | Cache Manager (1.5.0) | Control Panel (1.5.0) | Language Manager (1.5.0) | Configuration Manager (1.5.0) | Template Manager (1.5.0) | Search (1.5.0) | Contact Items (1.0.0) | PhocaMaps (1.1.0) |

Modules :: SITE :: Latest News (1.5.0) | JA Bulletin (1.0) | JA Twitter Update (1.0.0) | Poll (1.5.0) | Phoca Download Tree Module (1.3.5) | Footer (1.5.0) | Banner (1.5.0) | Archived Content (1.5.0) | Feed Display (1.5.0) | Phoca Download Section Menu Mo (1.3.5) | GCalendar Overview (2.1.2) | Random Image (1.5.0) | Twitter Feed (1.0.0a) | Login (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Syndicate (1.5.0) | JA Slideshow2 (1.0.0) | JA Content Slider 1.2 (1.0.4) | Who\'s Online (1.0.0) | JA Tabs (1.5.0) | GCalendar Upcoming Events (2.1.2) | Sections (1.5.0) | Search (1.0.0) | JA News 1.3.1 (1.3.1) | Statistics (1.5.0) | Custom HTML (1.5.0) | Breadcrumbs (1.5.0) | Wrapper (1.0.0) | Menu (1.5.0) | Related Items (1.0.0) |
Modules :: ADMIN :: User Status (1.5.0) | Admin Menu (1.0.0) | Latest News (1.0.0) | Popular Items (1.0.0) | Online Users (1.0.0) | Logged in Users (1.0.0) | Footer (1.0.0) | Feed Display (1.5.0) | Toolbar (1.0.0) | Title (1.0.0) | Login Form (1.0.0) | Unread Items (1.0.0) | Items Stats (1.0.0) | Custom HTML (1.5.0) | Admin Submenu (1.0.0) | Quick Icons (1.0.0) |

Plugins :: SITE :: Search - Content (1.5) | Search - GCalendar (2.1.2) | Search - Sections (1.5) | Search - Newsfeeds (1.5) | Search - Weblinks (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | User - Example (1.0) | User - Joomla! (1.5) | System - Backlinks (1.5) | System - Legacy (1.5) | System - Log (1.5) | System - Remember Me (1.5) | System - Cache (1.5) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Debug (1.5) | Content - Example (1.0) | JA Tabs for Joomla! 1.5 (1.0) | Phoca Maps Plugin (1.1.0) | Content - Code Highlighter (Ge (1.5) | Content - Email Cloaking (1.5) | Content - Vote (1.5) | Content - Load Modules (1.5) | Content - Page Navigation (1.5) | Content - Pagebreak (1.5) | Button - Readmore (1.5) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Authentication - Example (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Editor - JCE 1.5.7.1 (1.5.7.1) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) | Advanced Code Editor (1.5.7.1) | Media Object support (1.5.7.1) | Paste (1.5.7.1) | File Browser (1.5.7.1) | Paste (1.5.7.1) | Advanced Link (1.5.7.1) | Joomla! Links for Advanced Lin (1.2.1) | Image Manager (1.5.7.1) | JCE SPELLCHECKER TITLE (1.5.7.1) |
Templates Discovered :: wrote:Templates :: SITE :: JA_Lead (1.0) | rhuk_milkyway (1.0.2) | beez (1.0.0) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) |

toivo
Joomla! Master
Posts: 17435
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Another hacked site..

Post by toivo » Tue Sep 16, 2014 1:02 pm

http://forum.joomla.org/viewtopic.php?f=432&t=475313

Your site has a very old version of JCE editor. There are published exploits how to upload files to take over a site like yours, running a vulnerable version of JCE: https://www.joomlacontenteditor.net/new ... s-security
CodiBear wrote: The site is Joomla! 1.5, but I have no idea how to go about updating it as I did not create it.
There is plenty of documentation and both free and paid tools available for migrating a Joomla 1.5 site to a supported version, and also consultants who could do it for you.
Toivo Talikka, Global Moderator

pe7er
Joomla! Master
Posts: 24982
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Another hacked site..

Post by pe7er » Tue Sep 16, 2014 6:49 pm

Besides the outdated & vulnerable JCE version as toivo pointed out,
you should not forget to install the 1.5.26 security patch:
http://joomlacode.org/gf/project/joomla ... m_id=31626
And make sure that you update all 3rd party extensions to their latest 1.5 versions.

Furthermore, crackers tend to leave backdoor scripts in your site that they might use after you've patched the current vulnerabilities.
To really clean your website use the checklist: http://docs.joomla.org/Security_Checkli ... or_defaced
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
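
An added example, not part of any post in this thread and not Joomla project code, for the cleanup step described above: it compares index.php with a known-good backup, lists PHP files inside folders assumed to hold only data, and lists PHP files modified since a cutoff. The folder names in `DATA_DIRS` and the function names are assumptions made for this example.

```python
import hashlib
import os
import time

# Assumption: these Joomla folders hold uploads/scratch data, so executable
# PHP inside them is suspicious (they appear in the FPA folder list above).
DATA_DIRS = ("images", "tmp", "logs")
PHP_EXT = (".php", ".php3", ".php5", ".phtml")


def sha256_of(path):
    """Return the SHA-256 hex digest of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(doc_root, known_good_index, modified_since):
    """Collect findings: altered index.php, PHP in data dirs, recent PHP edits."""
    findings = []
    index = os.path.join(doc_root, "index.php")
    if not os.path.isfile(index) or sha256_of(index) != sha256_of(known_good_index):
        findings.append(("index-differs-from-backup", "index.php"))
    for dirpath, _dirs, files in os.walk(doc_root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, doc_root).replace(os.sep, "/")
            if rel.split("/")[0] in DATA_DIRS:
                findings.append(("php-in-data-dir", rel))
            elif os.path.getmtime(full) >= modified_since:
                findings.append(("recently-modified", rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <doc_root> <backup index.php> [days, default 30]
    root, backup = sys.argv[1], sys.argv[2]
    days = float(sys.argv[3]) if len(sys.argv) > 3 else 30
    for kind, rel in triage(root, backup, time.time() - days * 86400):
        print(f"{kind:28} {rel}")
```

Keep the backup copy of index.php outside the document root so it cannot be overwritten along with the live file. Every flagged path is a lead to review by hand, not proof of a backdoor.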

crusonweb
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 07, 2014 10:47 pm
Location: Albany, NY

Re: Another hacked site..

Post by crusonweb » Tue Sep 16, 2014 8:53 pm

And to add to the above suggestions, change all of your passwords, both back end and administrator control panel.

