Joomla 1.5 [* spam *] Issue, can't access administrator

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Joomla 1.5 [* spam *] Hack, can't access administrator

Post by arfharwinder » Wed Oct 17, 2012 3:47 pm

Hi,

Site having 1.5.26 Joomla showing [* spam *] hack error.

Whenever I click any link, it redirects to [* spam *] hack. You can check by yourself: [Mod Note: Don't post links to infected sites on this forum]

So please provide me the best solution, and some recommended me to upgrade to the latest version 2.5, but dunno how to do it exactly as I don't have access to administrator because whenever I enter it, it redirects to the same [* spam *] url.

So help me how can I upgrade to 2.5 via FTP.

I would be thankful to all of you.

redknite
Joomla! Apprentice
Posts: 37
Joined: Sun Oct 25, 2009 8:53 am

Re: Joomla 1.5 [* spam *] Hack, can't access administrator

Post by redknite » Wed Oct 17, 2012 6:15 pm

Upload with FTP.

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Re: Joomla 1.5 [* spam *] Hack, can't access administrator

Post by arfharwinder » Thu Oct 18, 2012 7:28 am

How can I upload via FTP? I mean direct 1.5.26 to 2.5?

humvee
Joomla! Master
Posts: 14704
Joined: Wed Aug 17, 2005 10:27 pm
Location: Kent, England

Re: Joomla 1.5 [* spam *] Hack, can't access administrator

Post by humvee » Thu Oct 18, 2012 7:48 am

[Mod note: Moved from 3.0 Upgrade Forum to 1.5 Security Forum;]

Read and follow the detailed advice in this topic http://forum.joomla.org/viewtopic.php?f=621&t=582854. Provide the reports to your thread at the points requested when the security experts will be able to assist you further with any additional issues.

Before you even attempt to migrate to 2.5 you must eradicate the crack issue.
Once this is done and your site is clean, then make a backup of it - and learn to back up on a regular basis in the future.
Then test the migration to 2.5.x on a localhost testing server before doing the same on the live site or indeed copying the successful migration from the localhost to the remote host to replace the current site and database. Note that is replace not overwrite.
But deal with the current issue first

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.5 [* spam *] Hack, can't access administrator

Post by mandville » Thu Oct 18, 2012 8:24 am

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the Security Checklist 7.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
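
Added example, not part of mandville's post: a shell check of the permission items in the checklist above (nothing 777, files 644, directories 755, configuration.php 444). The function names, output tags and the sample tree are constructed for illustration; the 705 directory mirrors the folder modes shown in the FPA report posted in this thread.

```shell
#!/bin/sh
# audit_perms ROOT -> one "TAG path" line per item that deviates from the
# checklist values. Uses only POSIX find tests (-perm, -type, -path).
audit_perms() {
    root=${1%/}
    # Writable by "other" (777, 666, 757 ...): the case the checklist forbids.
    find "$root" \( -type f -o -type d \) -perm -002 -print |
        sed 's/^/WORLD-WRITABLE /'
    # Directories that are not exactly 755 (705 from the FPA report lands here).
    find "$root" -type d ! -perm 755 ! -perm -002 -print |
        sed 's/^/DIR-NOT-755 /'
    # Regular files that are not exactly 644; configuration.php handled below.
    find "$root" -type f ! -path "$root/configuration.php" \
        ! -perm 644 ! -perm -002 -print | sed 's/^/FILE-NOT-644 /'
    # configuration.php may be 444 (read only) or the normal 644.
    cfg=$root/configuration.php
    if [ -f "$cfg" ]; then
        find "$cfg" ! -perm 444 ! -perm 644 ! -perm -002 -print |
            sed 's/^/CONFIG-MODE /'
    fi
}

# Constructed sample tree (not a real site) with a mix of good and bad modes.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/components" "$t/images" "$t/tmp"
    : > "$t/index.php"
    : > "$t/configuration.php"
    : > "$t/components/ok.php"
    : > "$t/components/helper.php"
    : > "$t/tmp/upload.php"
    chmod 755 "$t" "$t/components"
    chmod 705 "$t/images"                  # as in the FPA folder list
    chmod 777 "$t/tmp"
    chmod 644 "$t/index.php" "$t/components/ok.php"
    chmod 664 "$t/components/helper.php"   # group-writable
    chmod 666 "$t/tmp/upload.php"
    chmod 444 "$t/configuration.php"
    echo "$t"
}

sample=$(make_sample_tree)
audit_perms "$sample"
rm -rf "$sample"
```

Run it against a copy of the document root pulled down over FTP, or directly on the host if shell access is available; an empty result means every item matches the checklist values.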

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Joomla 1.5 [* spam *] Issue, can't access administrator

Post by arfharwinder » Sun Oct 21, 2012 11:13 am

Whenever I click from homepage, it redirects to canada pharmacy [* spam *] page under the same site URL.
Problem Description :: Forum Post Assistant (v1.2.3) : 21st October 2012 wrote:Canada pharmacy [* spam *] hack on whole site
Log/Error Message :: Forum Post Assistant (v1.2.3) : 21st October 2012 wrote:Any link from homepahe redirect to [* spam *] page
Log/Error Message :: Forum Post Assistant (v1.2.3) : 21st October 2012 wrote:Redirect under my site to canada pharmacy content
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 21st October 2012 wrote:I tried by scanning all files for malware, but unfortunately failed to resolve.
Forum Post Assistant (v1.2.3) : 21st October 2012 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Writable (705) | Owner: 7520258 (uid: /gid: ) | Group: 100450 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-279.2.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /var/chroot/home/content/58/7520258/html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 8M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 128M

MySQL Configuration :: Version: 5.0.92-log (Client:5.5.19) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 35.54 MiB | #of Tables:  119
Detailed Environment :: wrote:PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | apc (3.1.9) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | SPL (0.2) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | Reflection (0.1) | standard (5.2.17) | mysqli (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (705) | components/ (705) | modules/ (705) | plugins/ (705) | language/ (705) | templates/ (705) | cache/ (705) | logs/ (705) | tmp/ (705) | administrator/components/ (705) | administrator/modules/ (705) | administrator/language/ (705) | administrator/templates/ (705) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database _FPA_STATS :: Uptime: 864610 | Threads: 8 | Questions: 125165724 | Slow queries: 0 | Opens: 10935 | Flush tables: 1 | Open tables: 9360 | Queries per second avg: 144.766 |
Extensions Discovered :: wrote:Components :: SITE :: MailTo (1.5.0) | User (1.5.0) | default (1.0.0) | Wrapper (1.5.0) |
Components :: ADMIN :: XCloner-BackupandRestore (3.0.4) | Akeeba (3.2.3) | Weblinks (1.5.0) | VirtueMart (1.1.4) | User Manager (1.5.0) | Trash (1.0.0) | Template Manager (1.5.0) | sh404sef (1.5.9.434) | sh404sef similar urls plugin (1.5.9.434) | Search (1.5.0) | Polls (1.5.0) | Plugin Manager (1.5.0) | Newsfeeds (1.5.0) | mtwMigrator (0.2.1) | Module Manager (1.5.0) | Messaging (1.5.0) | Menus Manager (1.5.0) | Media Manager (1.5.0) | Mass Mail (1.5.0) | Language Manager (1.5.0) | JCE (1.5.7) | Installation Manager (1.5.0) | Frontpage (1.5.0) | FacileForms (1.7.0 Stable ) | eXtplorer (2.1.0b5) | em_header (1.00.9) | Control Panel (1.5.0) | Content Page (1.5.0) | Contact Items (1.0.0) | Configuration Manager (1.5.0) | Cache Manager (1.5.0) | Banners (1.5.0) | Secured (1.5.0) | xmlrss1 (1.0) | Migrator (1.5) | J!Update (1.5.1) |

Modules :: SITE :: Archived Content (1.5.0) | Banner (1.5.0) | Breadcrumbs (1.5.0) | Custom HTML (1.5.0) | EMSlideShow (1.0.15) | BreezingForms (1.7.0 Stable) | Feed Display (1.5.0) | Footer (1.5.0) | Latest News (1.5.0) | Login (1.5.0) | Menu (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | DJ Image Tabber (1.1.4 stable) | Poll (1.5.0) | VirtueMart Product Categories (1.1.0) | Random Image (1.5.0) | Related Items (1.0.0) | Search (1.0.0) | Sections (1.5.0) | Statistics (1.5.0) | Syndicate (1.5.0) | VirtueMart Shopping Cart (1.1.0) | VirtueMart Search (1.1.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) | YOOaccordion (1.5.10) | YOOdrawer (1.5.9) | YOOlogin (1.5.12) | YOOlogin (1.5.12) | WDBanners (1.0) |
Modules :: ADMIN :: Akeeba Backup Notification Mod (3.2.3) | Unread Items (1.0.0) | Toolbar (1.0.0) | Title (1.0.0) | Admin Submenu (1.0.0) | User Status (1.5.0) | Items Stats (1.0.0) | Quick Icons (1.0.0) | Popular Items (1.0.0) | Online Users (1.0.0) | Admin Menu (1.0.0) | Login Form (1.0.0) | Logged in Users (1.0.0) | Latest News (1.0.0) | JCE Admin Control Panel (1.0.0) | Footer (1.0.0) | Feed Display (1.5.0) | Custom HTML (1.5.0) |

Plugins :: SITE :: Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | BreezingForms (1.7.0 Stable) | Content - Email Cloaking (1.5) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | Content - Load Modules (1.5) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Content - Vote (1.5) | Editor - JCE 1.5.5 (1.5.5) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | SpellChecker (2.0.0) | Paste (1.5.5) | Media Manager (1.5.4) | Object Support (1.5.1) | Image Manager (1.5.2) | Paste (1.5.0) | File Browser (1.5.0 Stable) | Advanced Link (1.5.1) | Joomla! Links for Advanced Lin (1.2.1) | Advanced Code Editor (1.5.5) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) | sh404sef similar urls plugin (1.5.9.434) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | Em Slideshow Plugin (1.0.15) | System - JCE Utilities 2.2.4 (2.2.4) | System - Legacy (1.5) | System - Log (1.5) | Media Object (1.5.0) | MMFuncs (1.0) | System - Remember Me (1.5) | System - SEF (1.5) | sh404SEF - system - plugin (1.5.9.434) | Akeeba Backup Lazy Scheduling (3.2.3) | System - Mootools Upgrade (1.5) | System - Ban IP Address (-) | User - Example (1.0) | User - Joomla! (1.5) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez (1.0.0) | JA_Purity (1.2.0) | madeyourweb (1.3) | rhuk_milkyway (1.0.2) | yoo_beyond (1.5.15) | yt_beyond (1.0.3) |
Templates :: ADMIN :: Khepri (1.0) |

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by pe7er » Sun Oct 21, 2012 12:26 pm

I suppose that your website has been hacked,
and that the crackers uploaded an .htaccess file with redirects to your website.
Use FTP to disable such .htaccess files (rename to htaccess.old)

Please upgrade JCE (1.5.7) to the latest version because that version has a security flaw.
A safe JCE version has been available since April/May 2012...
And upgrade all 3rd party extensions...
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
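
Added example, not part of pe7er's post: one way to find the `.htaccess` files described above and list the directives that a clean reference copy does not contain, marking the ones that redirect visitors. The function names, the pattern list, the reference file and the `example.invalid` host are constructed for illustration; in practice the reference would be the htaccess file shipped in a freshly downloaded Joomla package.

```shell
#!/bin/sh
# Strip comments and blank lines and collapse whitespace so lines compare equal.
norm() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e '/^#/d' -e '/^$/d' "$1"
}

# htaccess_extra STOCK FILE -> directives in FILE that STOCK does not contain.
htaccess_extra() {
    ref=$(mktemp)
    norm "$1" > "$ref"
    norm "$2" | grep -Fvx -f "$ref" || true   # "no extras" is not an error
    rm -f "$ref"
}

# scan_htaccess STOCK ROOT -> "REDIRECT file: line" or "EXTRA file: line"
# for every .htaccess under ROOT, including ones dropped into subfolders.
scan_htaccess() {
    find "$2" -type f -name .htaccess | while IFS= read -r f; do
        htaccess_extra "$1" "$f" | while IFS= read -r line; do
            if printf '%s\n' "$line" | grep -Eiq \
                '^Redirect(Match)? |^(RewriteRule|ErrorDocument) .*https?://|^RewriteCond .*HTTP_(REFERER|USER_AGENT)'; then
                echo "REDIRECT $f: $line"
            else
                echo "EXTRA $f: $line"
            fi
        done
    done
}

# Constructed sample: "stock" stands in for the clean reference file; the
# site copies carry added rules of the kind this thread describes.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/site" "$d/site/images"
    cat > "$d/stock" <<'EOF'
# constructed reference
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php [L]
EOF
    cat > "$d/site/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule .* http://pharma.example.invalid/ [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule   .*   index.php [L]
Options -Indexes
EOF
    echo 'RedirectMatch 302 .* http://pharma.example.invalid/' \
        > "$d/site/images/.htaccess"
    echo "$d"
}

sample=$(make_sample)
scan_htaccess "$sample/stock" "$sample/site"
rm -rf "$sample"
```

Lines tagged `EXTRA` are not necessarily hostile; they are simply not in the reference and need a human decision before the file goes back on the server.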

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Re: Joomla 1.5 [* spam *] Hack, can't access administrator

Post by arfharwinder » Sun Oct 21, 2012 7:47 pm

For now, I have upgraded the site to 2.5.7, but it's causing this error now after deleting the installation folder:

Fatal error: Call to a member function get() on a non-object in /home/content/58/7520258/html/libraries/joomla/user/user.php on line 288

I have upgraded via FTP.

Please resolve my issue.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.5 [* spam *] Hack, can't access administrator

Post by mandville » Sun Oct 21, 2012 8:37 pm

I don't think you actually read and/or understood any of the posts by humvee or myself.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by mandville » Sun Oct 21, 2012 8:42 pm

Duplicate topics merged. Do not cross post as it wastes volunteer time and energy.

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by arfharwinder » Sun Oct 21, 2012 9:14 pm

So please provide me a better solution, I dunno what's going wrong.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by mandville » Sun Oct 21, 2012 9:35 pm

arfharwinder wrote: So please provide me a better solution
What better solution do you want than the information you were offered? I even posted the entire checklist for you, with links to how to sort this out yourself very, very simply.

Read and follow the detailed advice in this topic http://forum.joomla.org/viewtopic.php?f=621&t=582854. Provide the reports to your thread at the points requested when the security experts will be able to assist you further with any additional issues.
redknite's post was totally off topic and irrelevant in this situation.

Taking humvee's post bit by bit:
humvee wrote: Before you even attempt to migrate to 2.5 you must eradicate the crack issue.
That is the important part: updating will not cure your current hack.
humvee wrote: Once this is done and your site is clean, then make a backup of it - and learn to back up on a regular basis in the future.
You have several backup extensions. Did you bother using them and restore a clean backup?
humvee wrote: Note that is replace not overwrite.
Overwrite is what redknite told you to do, and it is only painting over cracks.
arfharwinder wrote: I dunno whats going wrong
Well, here is what I can see straight away that is wrong:
* incorrect folder permissions
* JCE out of date and vulnerable
* cloner out of date and possibly vulnerable
* sh404sef out of date and possibly vulnerable
* BreezingForms etc etc
* yt_beyond - popular on malicious file sharing sites.

Now, after the time I have spent removing your duplicate posts and merging the topic because you were not happy with the advice you were given in one place, it sums up to:
you were hacked because your site is an easy target because you haven't kept it up to date.
Pay attention to these topics
http://forum.joomla.org/viewtopic.php?f=621&t=582854
http://docs.joomla.org/Security_Checklist_7
http://docs.joomla.org/Vulnerable_Extensions_List
http://docs.joomla.org/Top_10_Stupidest ... tor_Tricks

If there is ANYTHING in there you do not understand then feel free to post it in this topic. Once your site is secure then before even considering moving to a version of joomla that is
Joomla 3.0 is a Short Term Release and it is only recommended for more experienced users and developers. Joomla 2.5 is still the recommended version for most users. It focuses on stability and will be supported into 2014. Read more about it in the official Joomla 3.0 http://www.joomla.org/announcements/rel ... eased.html news or http://community.joomla.org/blogs/commu ... 0-faq.html FAQs.

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by arfharwinder » Mon Oct 22, 2012 10:29 am

Thanks everyone for your support.

I have fixed my site and for now did as mentioned in mandville's first comment.

Changed passwords, file permissions, extensions, anonymous ftp, everything.

Just let me know now what further steps should I use to keep it secure in future.

And what's the stable way to update, I mean direct update to 2.5.7 or firstly to any other version.

Thanks again. :)

Sean Clement
Joomla! Explorer
Posts: 349
Joined: Fri Oct 13, 2006 8:24 am

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by Sean Clement » Wed Oct 24, 2012 1:34 pm

arfharwinder wrote: Just let me know now what further steps should I use to keep it secure in future.
Make sure the core and all of your extensions are kept up-to-date.
arfharwinder wrote: And what's the stable way to update, I mean direct update to 2.5.7 or firstly to any other version.
When you are on the J!2.5 branch you should have two 'update modules' located within the main admin area - these will let you know when there is an update (with regards to the 'Third party plugin', these only show if the extension has an 'update server' set). You will then simply click on the respective update 'button' - this will take you to the 'update screen', in which you can update either the core or third party extensions.
Sean Clement
Joomla! Extension Developer - Joomla! Security Experts
https://www.orangehatstudios.com/ - https://www.design-stripe.co.uk/services/web-design/

arfharwinder
Joomla! Apprentice
Posts: 10
Joined: Wed Oct 17, 2012 11:59 am

Re: Joomla 1.5 [* spam *] Issue, can't access administrator

Post by arfharwinder » Wed Oct 24, 2012 2:10 pm

A Big Thanks and what do you recommend for a 1.5.26 version, I mean upgrade from 1.5.26 to which version of 2.5.x?

Thanks.

