Hacked - 1.5.23, Got me good this time

Discussion regarding Joomla! 1.5 security issues.

Post by bikervalley » Tue Oct 11, 2011 1:33 am

OK, I got hacked. Seems they got into my templates. I deleted and replaced them and the site was back up. Problem is if I click a read more button, it goes to a blank page.

I checked the database and it's there. I am no MySQL wizard by any means.

I uploaded a fresh version of 1.5.23 and still get the blank page. I didn't delete everything prior to this. Just overwrote.

All suggestions are welcome!

Thanks!
Tim

PS: I found the hack files if anyone wants to look at them.


Post by mandville » Tue Oct 11, 2011 2:25 am

Painting over the cracks is no good.


[ ] Run the forum post assistant and security tool Instructions available here

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
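
The permission, .htaccess and crontab checks from the checklist above, as an added shell example that is not part of the original post or of any Joomla tooling. The function names and the two-argument usage are assumptions made for illustration; the reference file is the htaccess.txt from a fresh Joomla download.

```shell
#!/bin/sh
# Added example: read-only audit of a Joomla docroot after a cleanup.
# Usage (assumed): sh audit.sh /path/to/docroot /path/to/fresh/htaccess.txt

# Print every file or directory that is group- or world-writable, i.e. more
# permissive than the 644 (files) / 755 (directories) the checklist recommends.
# A stricter mode such as 444 on configuration.php is not reported.
audit_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) -print | sort
}

# Print the lines of the live .htaccess that do not occur in the reference
# copy. The reference must come from a fresh download, never from the
# docroot being audited, because that copy may have been altered too.
audit_htaccess() {
    live="$1/.htaccess"
    [ -f "$live" ] || { echo "no .htaccess in $1"; return 0; }
    # -F fixed strings, -x whole-line match, -v keep only unmatched lines.
    # grep exits 1 when nothing differs, which is the good case here.
    grep -Fxv -f "$2" "$live" || true
}

# Show the current user's crontab so unexpected jobs stand out.
audit_cron() {
    crontab -l 2>/dev/null || echo "no crontab for $(id -un)"
}

# Run all three checks only when both paths are supplied.
if [ "$#" -eq 2 ]; then
    echo "== group/world-writable paths =="
    audit_perms "$1"
    echo "== .htaccess lines not in the stock file =="
    audit_htaccess "$1" "$2"
    echo "== crontab =="
    audit_cron
fi
```

Lines you added yourself to .htaccess (for example an uncommented RewriteBase) also show up in the second check; anything you do not recognise is what needs a closer look.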


Post by bikervalley » Tue Oct 11, 2011 3:07 pm

Hi Mandville,

Here is the output from the security script. I am also scanning now with Spybot Search & Destroy.

JTS-post Problem Description wrote: Site hacked. Pages blank.
JTS-post Actions Taken To Resolve wrote: Will have to delete all files and re-install
JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.5.23 Stable [ senu takaa ama baji ] 04-March-2011 18:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-338.19.1.el5.lve0.8.36 ( x86_64) | Web Server: Apache | PHP Version: 5.2.17
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 60 seconds | File Uploads: Enabled
MySQL Version: 5.0.92-community ( Localhost via UNIX socket )
JTS-post Extended Information wrote:SEF: Disabled (without ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: cgi-fcgi | MySQLi: Yes | Max. Memory: 64M | Max. Upload Size: 20M | Max. Post Size: 20M | Max. Input Time: 90 | Zend Version: 2.2.0
Disabled Functions: posix_getpwuid,posix_getpwnam,exec,shell_exec
MySQL Client: 5.0.92 ( latin1 )


Thanks - Tim


Post by bikervalley » Tue Oct 11, 2011 5:07 pm

OK. I got the site working but...no articles or anything else are coming up. The database username and pass are working, the database is there. Still the site is blank.

I did not install sample data since everything for the site is in the database.

Not sure what to do next.

Thanks again,
Tim


Post by mandville » Tue Oct 11, 2011 8:39 pm

bikervalley wrote: PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)


this is also worrying

check the error log for the reasons why you aren't getting output.


Post by bikervalley » Wed Oct 12, 2011 3:29 pm

I found the hacker deleted everything in the database. Users, articles, etc. Fortunately I had a SQL backup and am restoring the tables, one at a time. I also found old backups for vulnerable extensions and I'm deleting those too in case there's a back door somehow.

I'm getting output now and the users are back.

I'll ask the host about PHP/suExec too. Just wondering, what does it do? When I contact them, I can sound like I know what I'm talking about. Thanks! :)

