Joomla! Discussion Forums



It is currently Mon Nov 23, 2009 9:13 pm (All times are UTC )

 


Posted: Sun Nov 08, 2009 1:21 am 
Joomla! Enthusiast

Joined: Tue Dec 13, 2005 10:57 am
Posts: 181
Location: Los Angeles
My site has just recently been hacked on pair.com.

When I try to access:
http://www.mysite.com/jtspost_en.php
I end up with a blank page.

I spoke to tech support, and they responded by:
"This file has the same ownership and permissions as your index.php, which executes and produces the hacker's front page. That the jtspost_en.php is not producing the proper output that you'd expect is not because you can't execute it, but because, due to whatever the hacker did, it's unable to find the data it expects in order to produce a page. There is nothing wrong with the server environment."

I am on Joomla 1.5.14.
I have replaced the index.php in the root as well as the template/index.php file.
Anyone have any ideas?

_________________
http://www.iChoson.com
-------------------------------------------
Joomla 1.5.13


Posted: Sun Nov 08, 2009 2:08 am 
Joomla! Enthusiast

Joined: Tue Dec 13, 2005 10:57 am
Posts: 181
Location: Los Angeles
This is from my host:

By searching for some of the text from the altered frontpage shown by the index.php for this site, it looks like the file /includes/defines.php was defaced. However, judging by the fact this file was last altered on Oct. 22 at 4:11am EST, I would examine any file with that timestamp, which unfortunately appears to be a great many files in your Joomla installation. That defines.php file, however, would be where I would start, because it contains the data that brings up that defaced front page.

I'm guessing, without an intimate knowledge of the code involved in Joomla, that this defines.php file probably also should contain data that would be accessed by other PHP scripts, including but not limited to jtspost_en.php. When these files look for defined variables, they look to the defines.php file, is my assumption, which only contains the hacker's page, and no longer contains definitions for Joomla. This could very well cause the blank page you're seeing.

_________________
http://www.iChoson.com
-------------------------------------------
Joomla 1.5.13
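
The host's suggestion above (examine every file that shares the timestamp of /includes/defines.php), as an added example that is not part of the original posts: the function lists each file whose modification time falls within a window of the reference file's and records a SHA-256 for comparison against a clean copy of the same release. The names `files_modified_near` and `build_sample_tree`, the 60-second window and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def files_modified_near(root, reference, window_seconds=60):
    """Return (relative_path, mtime_utc_iso, sha256) for every file under root
    whose mtime is within window_seconds of the reference file's mtime."""
    ref_mtime = os.stat(os.path.join(root, reference)).st_mtime
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the web root
            st = os.stat(path)
            if abs(st.st_mtime - ref_mtime) <= window_seconds:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                stamp = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, stamp, digest))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample tree: two files share one mtime cluster, one does not."""
    defaced = datetime(2009, 10, 22, 9, 11, tzinfo=timezone.utc).timestamp()
    older = datetime(2009, 7, 30, 12, 0, tzinfo=timezone.utc).timestamp()
    layout = {
        "includes/defines.php": defaced,
        "templates/demo/index.php": defaced + 20,
        "configuration.php": older,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.utime(path, (mtime, mtime))  # set the constructed timestamp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, stamp, digest in files_modified_near(tmp, "includes/defines.php"):
            print(stamp, digest[:16], rel)
```

Modification times can be reset by whoever altered the files, so the output is a starting list for review; files that do not match the hashes of a clean copy of the same Joomla release are the ones to replace.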


Posted: Tue Nov 10, 2009 1:45 pm 
Joomla! Explorer

Joined: Wed Aug 05, 2009 1:42 pm
Posts: 476
Greetings:

After cleaning up, do upgrade to 1.5.15.

From our own experience, Joomla often gets hacked due to any of the following being true:

* Vulnerable add-ons are being used.

* http://docs.joomla.org/Category:Security_Checklist was not followed.

* Joomla version is not the latest; upgrades should be done within one business day of the release (same day of the release if able).

* The server is not secured or was secured but never kept secured (there is no such thing as a one time server hardening).

* mod_security from http://www.modsecurity.org/ is not being used.

* FTP and Joomla admin/super admin passwords are less than 12 wide and/or contain phrases.

* FTPeS or FTPS is not being used; just regular FTP.

* FTP passwords are stored on the computer.

* Passwords are not changed often.

* Machines with FTP, admin, or super admin access are not scanned on a regular basis (daily is best, weekly is next to best) for viruses, trojans, spyware, malware, etc.

* No one reviews the Joomla user manager area on a regular basis (daily or weekly) for who is an admin and who is a super admin.

* Site and server logs are not reviewed on a regular basis to see who might be trying to break in and how.

Thank you.

_________________
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995

