Joomla! Discussion Forums
Posted: Thu Nov 05, 2009 4:08 pm
Joomla! Apprentice
Joined: Sun May 04, 2008 3:40 pm
Posts: 27
OK, the first time (a month ago) I considered it my fault because I was still on Joomla V1.15.2. I was just hit again by the same person (or group) using the same method.

1) My Joomla super-admin ID was replaced by a different ID. Both times the new ID was 'stone' and the email address was 'dm1@windowslive.com'
2) The first hack replaced the public_html/templates/rhuk_milkyway/index.php file to put up his own page
3) This time it was the /public_html/index.php file which was altered

Fortunately they are not doing severe damage, just whacking my home page, but this has to stop.

After the first hack I fixed my site, upgraded to the most current Joomla code and re-read the security checklist. With rare exception I had pretty well already changed all folder permissions to 755 and individual files to 644. The index.php file which was replaced was 644.

I had a minimal .htaccess file before, but after the first hack I replaced it with the suggested one in the security doc.

The sad implication is that once your site is picked for fun they return periodically to do it again.

So, how is someone replacing my super-admin ID in the first place? That would appear to be the first step to then being able to manipulate any part of the site thereafter? I am truly open to suggestion here. Please give me your thoughts.

Ken

Posted: Thu Nov 05, 2009 5:39 pm
Joomla! Explorer
Joined: Wed Aug 05, 2009 1:42 pm
Posts: 481
Greetings Ken:

Being hacked or even the target of a hack is never fun.

First off, please consider working with your hosting provider support team. Hopefully they have a server security administrator on staff who can work with you to make sure everything is clean to start.

Then check how they have AND keep the server your site is on hardened. Also ask if they have mod_security setup as that can help.

Back to the current hacking, are you using complex (12 to 16 wide) passwords that contain no phrases?

Have you checked all machines with access for virus, trojans, spyware, and malware?

Have you reviewed in the Joomla user management area who has super admin access? Admin access?

Thank you.

_________________
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.

Posted: Thu Nov 05, 2009 5:50 pm
Joomla! Intern
Joined: Fri Sep 28, 2007 8:40 pm
Posts: 95
Obviously something bad has been planted into your website and you haven't realised it yet!
That's why you keep getting hacked again and again.
There is a backdoor in your site.

Posted: Thu Nov 05, 2009 6:22 pm
Joomla! Apprentice
Joined: Sun May 04, 2008 3:40 pm
Posts: 27
panosgr wrote:
Obviously something bad has been planted into your website and you haven't realised it yet!
That's why you keep getting hacked again and again.
There is a backdoor in your site.

I think you are correct and I shudder at having to reinstall everything along with my content. I am searching for tools/queries to help me discover whatever was planted.

Ken

Posted: Thu Nov 05, 2009 6:31 pm
Joomla! Apprentice
Joined: Sun May 04, 2008 3:40 pm
Posts: 27
dynamicnet wrote:
Greetings Ken:
First off, please consider working with your hosting provider support team. Hopefully they have a server security administrator on staff who can work with you to make sure everything is clean to start.

Then check how they have AND keep the server your site is on hardened. Also ask if they have mod_security setup as that can help.

Back to the current hacking, are you using complex (12 to 16 wide) passwords that contain no phrases?

Have you checked all machines with access for virus, trojans, spyware, and malware?

Have you reviewed in the Joomla user management area who has super admin access? Admin access?

Thank you.

Peter,

Thank you for your thoughtful and helpful reply. I can answer YES to all of your questions, but have not contacted my hosting provider yet. My assumption has been that they will not help with support of my Joomla implementation. I'll give it a shot though.

I am the ONLY super-admin on my site. Although there are quite a few registered users, a manager-level user, and a half-dozen authors.

How frustrating. I believe I do know the IP of the person who did this (in Europe), and have blocked the entire range for that host from my site. Not sure if that will really help though.

Ken

Posted: Thu Nov 05, 2009 6:34 pm
Joomla! Intern
Joined: Fri Sep 28, 2007 8:40 pm
Posts: 95
I don't think that this will help!
It is easy to bypass this with a simple anonymous proxy.

Posted: Thu Nov 05, 2009 6:49 pm
Joomla! Apprentice
Joined: Sun May 04, 2008 3:40 pm
Posts: 27
True. It was a move out of frustration.

Posted: Thu Nov 05, 2009 6:52 pm
Joomla! Intern
Joined: Fri Sep 28, 2007 8:40 pm
Posts: 95
Yes, I know what you've been through.

Posted: Fri Nov 06, 2009 2:30 am
Joomla! Apprentice
Joined: Sun May 04, 2008 3:40 pm
Posts: 27
I think I found the file which was planted on my site. I went through folder by folder comparing side-by-side to another Joomla site and it jumped out at me.

It is a replacement of the index.php file in the templates folder of a template I was not using. The index.php contains an eval(gzinflate(base64_decode( followed by uuencode-looking text. Clearly this expands into an executable when invoked.

If anyone in the Joomla Security development team would like this file let me know how to pass it to you and I will do so. I will not post it here.

I searched around and do not see anything else out of place. Hopefully this is the end of it. I will remain as vigilant as possible though.

Ken

Posted: Sat Nov 07, 2009 12:35 am
Joomla! Intern
Joined: Fri Sep 28, 2007 8:40 pm
Posts: 95
Yes, definitely this is it.

Posted: Sat Nov 07, 2009 1:33 am
Joomla! Guru
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 727
Location: Wisconsin USA
What you have is a typical iframe hack. There are plenty of postings here on the forums about these.
Typically what may happen is that the computer you use to FTP to your website is infected with malware (not all malware is easily detected by your antivirus program). This malware steals your FTP credentials from your FTP program, sending the credentials to the hacker.

Another way is by a security flaw in a 3rd party extension, failure to keep the Joomla core updated, or both.

Even server settings, server software (or lack of), or file/directory permission settings may be the issue.

At any rate, however they got in, you probably found one backdoor; there may be others hidden in JavaScript files or code, or hidden in what appear to be photos or images. There are techniques that can really hide the code, and the code may change somewhat each time.

I know it is a real hassle, but with somewhere around 3000 files to check line by line, I would really think about removing all your files in public_html Joomla, and any subdirectories (for forums etc.), and replacing everything with known good files. Also check the Vulnerable Extensions List Oct - Joomla! Documentation at http://docs.joomla.org/Vulnerable_Extensions_List_oct to see if any versions of extensions you use are on the list. If it is a later version of one on the list it is probably OK to use, but check with the developer for confirmation.

_________________
Phil
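The two defender steps discussed above, Ken's side-by-side comparison against a clean Joomla copy and Phil's advice to replace everything with known good files and to look for code hidden in JavaScript or image files, can be automated. The script below is an added example, not code from this thread or from the Joomla project: it hashes a known-good tree, reports every file in the live webroot that is missing from it or differs, flags PHP tags inside non-PHP files and the eval(gzinflate(base64_decode( chain Ken found, and statically unwraps that chain with zlib instead of executing it. The template directory name "beez" and the planted payload are constructed sample data.

```python
import base64, hashlib, re, tempfile, zlib
from pathlib import Path

# Obfuscation chains typical of planted PHP backdoors; the first is the exact
# eval(gzinflate(base64_decode( pattern found in the unused template's index.php.
MARKERS = [re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I),
           re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)]
NON_PHP = {".js", ".css", ".jpg", ".jpeg", ".png", ".gif"}  # should never hold a PHP tag
LAYER = re.compile(rb"gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def manifest(root):  # relative path -> sha256 for every file under a known-good install
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def unwrap(data, depth=5):  # statically peel gzinflate(base64_decode('..')) layers; nothing is run
    while depth and (m := LAYER.search(data)):
        data = zlib.decompress(base64.b64decode(m.group(1)), -15)  # -15 = raw deflate, as gzinflate
        depth -= 1
    return data

def audit(webroot, good):  # {relpath: [reasons]} for files differing from known-good or carrying markers
    root, report = Path(webroot), {}
    for p in (q for q in root.rglob("*") if q.is_file()):
        rel, data, reasons = p.relative_to(root).as_posix(), p.read_bytes(), []
        if rel not in good:
            reasons.append("not in known-good tree")
        elif good[rel] != sha256_file(p):
            reasons.append("hash differs from known-good copy")
        if p.suffix.lower() in NON_PHP and b"<?php" in data:
            reasons.append("PHP tag inside non-PHP file")
        reasons += [m.pattern.decode() for m in MARKERS if m.search(data)]
        if reasons:
            report[rel] = reasons
    return report

def demo():  # constructed sample: a clean tree and a copy with a planted template index.php
    good, site = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for r in (good, site):
        (r / "templates/beez").mkdir(parents=True)
        (r / "index.php").write_text("<?php echo 'home'; ?>")
        (r / "templates/beez/index.php").write_text("<?php echo 'beez'; ?>")
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate is what PHP's gzinflate() expects
    blob = base64.b64encode(c.compress(b"<?php echo 'planted'; ?>") + c.flush())
    planted = b"<?php eval(gzinflate(base64_decode('" + blob + b"'))); ?>"
    (site / "templates/beez/index.php").write_bytes(planted)
    (site / "logo.jpg").write_bytes(b"\xff\xd8\xff<?php echo 1; ?>")  # PHP hidden in an "image"
    return audit(site, manifest(good)), unwrap(planted)
```

Run audit() against a fresh Joomla download of the same version as the manifest source; anything it reports is what to inspect or replace before restoring the site.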

Posted: Sat Nov 07, 2009 2:29 am
Joomla! Apprentice
Joined: Sun May 04, 2008 3:40 pm
Posts: 27
Thanks Phil. I will do everything you have recommended. I guess my weekend just got busy.

Ken
