The Joomla! Forum ™



Posted: Wed Mar 28, 2012 1:57 pm
Joomla! Enthusiast

Joined: Mon Oct 06, 2008 9:07 am
Posts: 146
My site host (2M Host) automated notifications told me the site is using too much disc and so as usual I planned to go in and clear my expired cache and do any other admin tasks. I know I need to upgrade from J 1.5.22 to most recent version so that's also on my to-do list.

This time, when I tried to log in as normal, using my usual username and p/w, all I get is a blank page :o So I tried page refresh, still the same. Tried using another browser (originally Firefox, now tried Chrome also), still no joy. Now I start to wonder if the site has been hacked?

I ask myself "What has changed?" I know that 2M host upgraded to PHP 5.3.10 on 15th March. 2M host tech support (Thanks Ramy :) ) just flagged up the possible OPENID/PHP 5.3.10 incompatibility. This might be another possibility.

Site is running on linux, using apache 2.2.11, mysql 5.0.95. My hosting access to cPanel is fine, it's only the Joomla back end that I can't get into.

Does this look like it's been hacked? Or does the OPENID/PHP 5.3.10 possibility make more sense?

Perhaps the following error message (which appears many times in the error log) supports this possibility:
"PHP Deprecated: Function ereg() is deprecated in /home/myusername/public_html/administrator/components/com_xmap/extensions/com_content.php on line 330"

I'm not aware of using OPENID in the site, and now I can't get in to take a look. I also can't uninstall it unless I can get into the backend (or is there another way?).

Thanks in anticipation of any ideas or approaches you might be able to suggest.

Perhaps the Mods could consider whether this post might be better placed in another section? When I first posted it, my question was purely about a possible hack, but now it's been edited to reflect two evolving options, maybe other views are needed.


Posted: Fri Mar 30, 2012 10:12 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
Well it is not proven one way or the other yet if you were hacked.

I do not believe openid is enabled by default and that shouldn't prevent the login screen from displaying. I also do not think there are any issues with Joomla and php 5.3.10.

Now, I think your site has been hacked just based upon what you have written. This is why:

1.) Your Joomla version is way out of date. Current version is 1.5.26.
2.) Your issues appeared around the time frame multiple hosts and thousands of PHP sites were hit with a hack.
3.) Xmap is on the VEL list and since your site is out of date, it (and maybe other extensions) are probably also out of date and vulnerable to hacking.
http://docs.joomla.org/Vulnerable_Extensions_List#xmap


You need to follow what is provided below in order to properly recover your site.
When fixing your site, use the 1.5.26 version of Joomla. Do not use the 2.5.xx version as it is not compatible with what you currently have. So don't create further issues to fix. Security Checklist 7 also contains the link to the doc page for restoring your super-admin user and password, though this is not your real issue at this point.


[ ] Run the Forum Post Assistant / FPA. Instructions are available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the Security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous FTP enabled.

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
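
The checklist in the post above calls for comparing the live site with stock files, checking permissions and reviewing .htaccess. As an added example (not part of the thread and not Joomla tooling), these POSIX shell functions run those checks against a fresh, unpacked copy of the same release; the function names, directory arguments and the constructed sample tree are assumptions.

```shell
# Added example, not from the thread: compare a live Joomla tree with a fresh,
# unpacked copy of the same release. All names and paths here are assumptions.

# Anything writable by every account on the server (777, 666, ...).
world_writable() {
  find "$1" ! -type l -perm -0002 | LC_ALL=C sort
}

# Relative paths of regular files under $1, sorted for comm(1).
list_files() {
  (cd "$1" && find . -type f | LC_ALL=C sort)
}

# Files on the live site ($1) that the fresh package ($2) does not ship.
# configuration.php, .htaccess and uploads are expected; review the rest.
extra_files() {
  live=$(mktemp); stock=$(mktemp)
  list_files "$1" > "$live"; list_files "$2" > "$stock"
  LC_ALL=C comm -23 "$live" "$stock"
  rm -f "$live" "$stock"
}

# Stock files whose content on the live site no longer matches the package.
changed_files() {
  list_files "$2" | while IFS= read -r f; do
    [ -f "$1/$f" ] || continue
    cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
  done
}

# Lines in the live .htaccess that the stock file (htaccess.txt) lacks.
htaccess_additions() {
  diff "$2/htaccess.txt" "$1/.htaccess" | sed -n 's/^> //p'
}

# Constructed sample trees so the functions can be tried offline.
make_demo() {
  umask 022; d=$(mktemp -d); mkdir -p "$d/fresh" "$d/live/images"
  echo '<?php // stock index' > "$d/fresh/index.php"
  echo 'RewriteEngine On' > "$d/fresh/htaccess.txt"
  cp -R "$d/fresh/." "$d/live/"
  cp "$d/live/htaccess.txt" "$d/live/.htaccess"
  echo 'Redirect /old http://placeholder.invalid/' >> "$d/live/.htaccess"
  echo '<?php // constructed: edited copy' > "$d/live/index.php"
  echo '<?php // constructed: not in package' > "$d/live/images/x.php"
  chmod 777 "$d/live/images"
  echo "$d"
}
```

Against a real site the two arguments would be the document root and a directory holding the unpacked full package of the installed release; a PHP file reported by `extra_files` under an upload or image directory deserves the first look.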


Posted: Fri Mar 30, 2012 10:32 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
To follow on from PhilD's post;
General comment: in the time it took you to write the first post and say you didn't have time to update, you could have (if you had admintools installed) updated your site. Average update time is 13 seconds.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Fri Apr 27, 2012 6:31 am
Joomla! Enthusiast

Joined: Mon Oct 06, 2008 9:07 am
Posts: 146
PhilD
Thanks for taking the time to write that very helpful procedure and I'm working on that.
After this problem occurred, I also decided that I should improve my technical knowledge and so I engaged on a course to (start to) learn about PHP and JavaScript. I'm now doing that as well, hopefully it will help me to be more effective and efficient in administering my site.
No excuses, but I have to fit this around some conflicting work and personal priorities so I appreciate your kind patience.
Permissions continue to be set at 755.
In ftp (cPanel) I don't see anything which says "anonymous ftp". Could it be called anything else? There is "DirectFTP" but I haven't launched that.
I'm working on updating to 1.5.26 currently, see below.

mandville
Thanks for the encouragement.
The attached screen shot is the current situation at my host. I've always made my updates by fantastico and perhaps I became a little dependent on it. When it wasn't updated I asked my host admin to make the updates. They're still working on it. I wonder if there is any possible technical (or commercial) reason why they haven't done this? (we're communicating and they say they're on it, but no action yet).


Posted: Sat Apr 28, 2012 4:13 pm
Joomla! Enthusiast

Joined: Mon Oct 06, 2008 9:07 am
Posts: 146
Here is the latest comment from the hosting provider, after I asked AGAIN for Fantastico to be updated to provide a link to 1.5.26:

"Hi,
Our servers receive daily updates for fantastico, the latest release will appear in your account once we get it.
Please let me know if you need further help."
(Saturday 28th of April 2012 09:35:37)

Can anyone see any reason why Fantastico shouldn't have been updated with the latest Joomla version? Is it perhaps a licensing issue?

I'd like to advise the hosting provider that J1.5.26 has been out for a while now. How do I find out the release date?

Thanks for any advice.


Posted: Sat Apr 28, 2012 4:52 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
Fantastico does their own updates (as do other auto installs) and simply pushes the updated installs out to your host. The Fantastico timetable is beyond the control of your host.

Generally it is much better to do your own install of Joomla and then you can update as soon as a release is made if you wish. It will also remove all the extra garbage that Fantastico needs when it installed your Joomla site.

Make a backup first before starting anything.
Then you can usually save a copy of the configuration.php file, write down what extensions you are using, what templates you are using, and overwrite your current install with a fresh copy of the full install package of 1.5.26 minus the installation directory, and then update any extensions that are out of date. If you modified and used the default templates then copy back the CSS and any other alterations you made such as the logo file. This procedure won't necessarily completely remove any hack files though.

Since you were hacked you can also just save a copy of the configuration.php file, save any extension data and setup info that you may need, along with any template modifications you may have made and delete everything except the configuration.php file associated with the Joomla install and replace it with the fresh 1.5.26 full install copy (minus the install directory). Reinstall your extensions, templates etc. and any additional files needed that were saved. This will best clean your site and also get you away from the fantastico install scripts allowing you to install any updates as soon as they come out.

Also consider going to Joomla 2.5 platform as it has a one click Joomla core update available that will do the update work for you in a few seconds. As more extensions take advantage of the capabilities in 2.5 they too will become one click updates allowing one to completely update their Joomla install quickly and easily.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Sat Apr 28, 2012 5:09 pm
Joomla! Enthusiast

Joined: Mon Oct 06, 2008 9:07 am
Posts: 146
Thanks Phil.

I guess a backup of my current site would include hacked files and so do you think it might be best to go back to an earlier backup, before the hacks?

I'll need to figure out a procedure before deleting the site (having never done a manual load of Joomla before - don't laugh too much :-[ ). It's my first site but now getting over 600 unique visits per day, which may not be huge but I still want to keep my readers happy. Still, I guess it's all good learning experience, although not one I would have chosen.

Your point Re 2.5 makes good sense. As long as my generic template, articles and blogs (a few hundred) remain compatible with 2.5.


Posted: Sat Apr 28, 2012 5:11 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
Note: cPanel are slowly removing Fantastico from installs.
They now seem to be going with Installatron (which to my mind is better in some ways).
It will email account holders if an update to scripts is released and a reseller account can batch update all installs on its servers in one go while making a backup.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Sat Apr 28, 2012 5:25 pm
Joomla! Enthusiast

Joined: Mon Oct 06, 2008 9:07 am
Posts: 146
Thanks mandville.

