config file gets hacked

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Dougj
Joomla! Enthusiast
Posts: 136
Joined: Fri Mar 06, 2009 1:11 am

config file gets hacked

Post by Dougj » Thu Oct 13, 2011 7:32 pm

Not getting a clear picture from the other posts if this is common or not or how to fix it.

I have one site on the same server as multiple other 1.5.22 Joomla sites that keeps getting hacked. Settings seem to be the same across all systems but this site is political in nature and may actually be targeted.

Every so often we end up with a line of scrambled code, several hundred characters long and embedded within php tags, at the very top of the configuration.php file.

When that code is placed, AT TIMES and only with some antivirus apps running the home page load will be redirected to some other advertising page. Seems the common thread is this site

sweepstakesandcontestsnow.com


My question is how do they get this code in my config file???

Also noticed another weird thing that may or may not be linked. The "Whos Online" module always shows a number of guests that is much higher than what site stats show.

Any suggestions or help is appreciated as we have gone thru all the settings and permissions but find nothing outstanding.

Doug

creativesights
Joomla! Guru
Posts: 642
Joined: Tue Jan 13, 2009 11:50 pm
Location: San Diego, California, USA

Re: config file gets hacked

Post by creativesights » Thu Oct 13, 2011 8:07 pm

Once your site has been hacked, it's very likely the hackers have left backdoor access files within the installation, despite you repairing the obvious hack attack.

There are several extensions that should be able to seek out malicious files hiding deep within the installation, but the safest bet is to reinstall a clean Joomla! installation.

Until your site has been cleaned, the attacks will most likely continue.
Andrew Crossan
CreativeSights
Professional Custom Website Design & Development in San Diego
https://www.creativesights.com

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: config file gets hacked

Post by mandville » Thu Oct 13, 2011 8:21 pm

I hate to point to this topic http://forum.joomla.org/viewtopic.php?f ... 1#p1988191 and copy and paste but


[ ] Run the forum post assistant and security tool Instructions available here

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
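
A read-only audit for two items raised in this thread: the very long line at the top of configuration.php described in the first post, and the 777 permissions the checklist warns against. This is an added example, not code from any poster or from the Joomla! project; the 200-character cut-off, the three-line window and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

LONG_LINE = 200  # assumed cut-off for "several hundred characters" on one line
HEAD_LINES = 3   # assumed window: the injection described sits at the very top

def audit_path(path):
    """Return findings for one file or directory (empty list = nothing flagged)."""
    findings = []
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    if mode & stat.S_IWOTH:  # any world-writable mode: 777, 666, 757, ...
        findings.append("world-writable mode %03o" % mode)
    if os.path.isfile(path) and path.lower().endswith(".php"):
        with open(path, "r", encoding="latin-1") as fh:  # latin-1 never fails to decode
            for lineno, line in zip(range(1, HEAD_LINES + 1), fh):
                if len(line) >= LONG_LINE:
                    findings.append("line %d is %d chars long" % (lineno, len(line)))
    return findings

def audit_tree(root):
    """Walk a site root; return {relative path: findings} for flagged entries."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # Symlinks are skipped: their own mode bits say nothing about the target.
            found = [] if os.path.islink(path) else audit_path(path)
            if found:
                report[os.path.relpath(path, root)] = found
    return report

def demo():
    """Build a constructed sample tree (harmless filler, no real payload) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        os.chmod(os.path.join(root, "cache"), 0o777)  # the mode the checklist forbids
        samples = {
            "configuration.php": "<?php /*" + "A" * 300 + "*/ ?>\n<?php\nclass JConfig {}\n",
            "index.php": "<?php\ndefine('_JEXEC', 1);\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o644)  # the mode the checklist calls ideal
        return audit_tree(root)

if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        print(rel, "->", "; ".join(found))
```

To audit a real site, call `audit_tree()` on the installation directory. A flagged file is a prompt for manual review, and an empty report does not show the site is clean.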

