Joomla Front Page Hacked

[jas19500504]

Hi All

I hope someone can help me here.

On my joomla website, 1.5, I have some articles that I display on the front page.
Recently a new article appeared which I did not add.
I checked Front Page Manger and the article was not there.

The content was some Russian Search box and content.

Can someone advise on where I can find where this hacked content is.
It ends up on my home page but do not know how it got there or where it comes from.
I need to delete it urgently

Thanks

[ranwilli]

please read:

http://docs.joomla.org/Security_Checkli ... or_defaced

[jas19500504]

Read it but I am just a newbie

Has anyone else had similar issue that could perhaps help me

[ranwilli]

Well, the answer I gave you should have spelled out pretty completely what you need to do...

Is your host using cpanel for your interface? (The software you hook up to to manage your website)

[jas19500504]

Yes, CPanel and I can also FTP to site

[ranwilli]

Then here is your next step:

Using the htaccess method (cpanel)

You can limit access to certain resources of your website by password protecting the directories they are in.

To password protect directory with CPanel Hosting Control Panel:-

Login into your CPanel and click on Password Protect Directories

Once you click on Password Protect Directories, you will see a list of directories

Click on the directory that you wish to password protect

Fill in a Username and Password at the bottom of the page, and click Add / modify authorized user

Once user created successfully, just click “Go Back”

Now, Check the Directory requires a password to access via the web

Fill in Protected Resource Name, actually this is just the message that will show in the login window then, Highlight the user you just created from the Active Users list and click on Save button below the Protected Resource Name

To ensure you directory has been password protected, launch your browser and visit the folder, if browser prompts you to login, your directory has been protected by password!

[jas19500504]

I am not sure why I need to password protect everything

The illegal content is on my front page which the public has access to.
Since the content is already there, I do not understand what password protection will do.

Am I missing something

[ranwilli]

The idea is to get the site OFFLINE so that you can repair the hacks. DO it, or don't do it. It's up to you in the end, but the security checklist has been carefully crafted with the security and safety of your site and your visitors in mind and has been used successfully by a LOT of people.

[jas19500504]

You repair though based on knowing where to look.

That's my problem, I do not know where to start

[ranwilli]

I just told you where to start, but if you won't take the site offline, the 2nd step is:

Run the forum post assistant and security tool The simple Instructions are available here. More detailed instructions are included in the download package. You will need to unzip this package and upload the fpa-en.php file to your server Joomla root The FPA is also available in a tar.gz package for those who desire or need a unix style package. The fpa-en.php file from the package will need to be uploaded to your server Joomla root.

[jas19500504]

I uploaded the fpa-en.php file and ran it.

There was definitely tons of information which is a bit greek to me.

What is supposed to happen

[ranwilli]

did you read the instructions?

[jas19500504]

The following is is my web info per the FPA

Front Page Hacked

[15-Mar-2013 17:06:10 America/New_York] PHP Warning: Parameter 1 to plgContentLoginToRead::onAfterDisplayTitle() expected to be a reference, value given in /home/schemb82/public_html/libraries/joomla/event/event.php on line 67

Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: schemb82 (uid: 1/gid: 1) | Group: schemb82 (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-379.14.1.lve1.1.9.9.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: | Doc Root: /home/schemb82/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.22 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 30711 | Log Errors To: error_log | Last Known Error: 15th March 2013 17:06:10. | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: /home/schemb82/public_html:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.68-cll (Client:5.1.68) | Host: --protected-- (--protected--) | Collation: latin1_general_ci (Character Set: latin1) | Database Size: 36.62 MiB | #of Tables: 165

PHP Extensions :: Core (5.3.22) | date (5.3.22) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | posix () | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | standard (5.3.22) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | apache2handler () | trader (0.3.0) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_authn_file | mod_authn_default | mod_authz_host | mod_authz_groupfile | mod_authz_user | mod_authz_default | mod_auth_basic | mod_include | mod_filter | mod_deflate | mod_log_config | mod_logio | mod_env | mod_expires | mod_headers | mod_unique_id | mod_setenvif | mod_version | mod_ssl | prefork | http_core | mod_mime | mod_status | mod_autoindex | mod_asis | mod_info | mod_suexec | mod_cgi | mod_negotiation | mod_dir | mod_actions | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_hostinglimits | mod_bwlimited | mod_ruid2 | mod_proctitle | mod_php5 | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (766) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: JTS2/css/modules/ (777) | modules/mod_fuofb/assets/ (777) | modules/mod_sestimer_site/images/ (777) | modules/mod_showip/images/ (777) | tmp/install_4df4530806481/ (777) | tmp/install_4df4530806481/__MACOSX/ (777) | tmp/install_4df4530806481/resetpassword/administrator/components/com_resetpassword/views/ (777) | tmp/install_4df4530806481/resetpassword/components/ (777) | tmp/install_4df4530806481/resetpassword/components/com_resetpassword/views/ (777) | whois5/ (777) |

Components :: SITE :: Default (1.5.10) | User (1.5.0) | MailTo (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: RD_RSS (1.0.0) | RD_RSS (1.0.0) | RD_RSS (1.0.0) | Reset Password (0.1) | Reset Password (0.1) | Saxum IPLogger (2.1) | Automatic_Menu (2.0) | System - Jumi Router (2.0.3) | Jumi (2.0.3) | Jumi (2.0.3) | Jumi (2.0.3) | Plugin Manager (1.5.0) | J!Position (1.0.2) | Messaging (1.5.0) | ijoomla_rss (3.0.7) | English language iJoomla RSS F (0.0.01) | Menus Manager (1.5.0) | Module Manager (1.5.0) | Installation Manager (1.5.0) | JCrawler (1.6 Beta) | easysql (1.27) | Content Page (1.5.0) | Polls (1.5.0) | sh404sef (1.0.19_Beta) | Contact Items (1.0.0) | Media Manager (1.5.0) | Populate (1.5.1) | Joomap (2.06 Beta2) | PUdba (1.0.0) | Rquotes (1.5) | Media RSS (1.0.0) | RokDownloads (1.0.2) | My RSS Reader (0.7.2) | Mass Mail (1.5.0) | RokDownloads Bundle (1.0.2) | Content Plugin (1.0.2) | Xmap (1.2) | ccquery (0.1.0) | Horoscopo (1.2) | Template Manager (1.5.0) | Configuration Manager (1.5.0) | Banners (1.5.0) | Cache Manager (1.5.0) | Control Panel (1.5.0) | SEF Translate (1.0.0 Free) | Trash (1.0.0) | Newsfeeds (1.5.0) | DOCman (1.5.10.ru) | Latest logged downlods - admin (1.5) | Latest added documents - admin (1.5) | DOCman - Standard Buttons (1.5.9) | dmtestplugin (1.5) | Search - DOCman (1.5.1.stable) | DOCman - DOCLink (1.5.9) | DOCman Latest Downloads (1.5) | DOCman Lister (1.5) | Unapproved Documents - admin m (1.5) | DOCman Most Downloaded (1.5) | Most downloaded documents - ad (1.5) | Latest news from www.joomlatoo (1.5) | DOCman Category (1.5) | Frontpage (1.5.0) | Art [removed] (1.2.0) | Search (1.5.0) | User Manager (1.5.0) | Language Manager (1.5.0) | BCA-RSS-Syndicator (1.5.2.3) | SimpleLists (1.5.1.5) | Akeeba (3.4.3) | SaxumNumerology (1.2) | Mobile Joomla! (1.0 RC6) | removeme (1.5) | JCE (1.5.1) | Weblinks (1.5.0) | Mayancal (1.0) | SectionEx (1.5.0.13.e) | UserInfo (v1.0.0 - 2008) |

Modules :: SITE :: mmSlideShow - Free (1.0.3 - Free) | Password Generator (0.9) | Custom HTML (1.5.0) | Weather Forecaster (1.0.3) | JoomlaPoetry - Horoscope (1.0) | Custom Code (1.0) | Euro Exchange Rate Converter (1.5.0) | Sections (1.5.0) | Ephemeris for Joomla (1.1) | Random Image (1.5.0) | Newsflash (1.5.0) | ulti Clocks (2.0.9) | Special HTML (1.2) | Sourcerer! Module (1.0.0) | Your Ip is (1.0) | Latest News (1.5.0) | Header (1.0 RC6) | Compago Blank Module (1.1) | PHP Module (1.0.0.Beta) | Rquotes (1.5-rc3) | JV Yahoo Weather (1.5.2.2) | Login Register (1.5.3) | Custom HTML advanced (JTricks. (1.0) | Show IP (1.4) | Google Translate (1.5.0) | Related Items (1.0.0) | Wrapper (1.0.0) | Most Read Content (1.5.0) | Extended Menu (1.0.6 (build ) | TP Metric Conversion (1.5.0) | JooFox Content Header (0.1) | Rokdownloads Latest Downloads (1.0.2) | Flexi Custom Code (1.0) | TP Metric Conversion Temperatu (1.5.0) | Syndicate (1.5.0) | DOCman Latest Downloads (1.5) | World Time (1.0) | BNR Simple Login (1.0.0) | Counts up (2.0.0) | MiniFrontPage Module for J! 15 (1.2.2) | MagpieRSS (1.5.0beta) | Sifi Converter (1.1) | Mayan Calendar Module (1.0) | RokDownloads Most Downloaded (1.0.2) | Banner (1.5.0) | AutGen menu (2.0) | jPageTranslator (1.0.2) | Live Currency Cross Rates (1.5.2) | Who is Online (1.0.0) | Who\'s Online (1.0.0) | DOCman Lister (1.5) | JSL No Script (1.0.0) | Jumi (2.0.3) | Registered user Counter (1.0) | Search (1.0.0) | New User Registration (1.55) | Browser Expose! Module (1.0) | Weather (1.0.3) | Tarot Reader (1.0) | JComments Latest (2.5.6) | Horoscope by Question Kit (1.0.1) | Breadcrumbs Super Plus (1.5.1) | DOCman Most Downloaded (1.5) | QCategories (1.0.1) | Footer (1.5.0) | GD - GEO IP Tools (1.0.1) | Time Zone Clock (3.9.4) | Login (1.5.0) | Smug Translate (1.0) | Moon Phase (1.0) | Mobile Menu (1.0 RC6) | MultiTrans (15v72) | Statistics (1.5.0) | Archived Content (1.5.0) | Go Mylo Countdown (1.5.4) | Art Clock (2.1.0) | Simple Currency Rates (1.5.1) | Markup Chooser (1.0 RC6) | Poll (1.5.0) | Place Here (1.5.0) | News Scan Ticker (1.0.0) | Unit Converter (1.5.0) | Feed Display (1.5.0) | Breadcrumbs Advanced (1.5.0) | yr.no Weather (0.9) | Modulo Horoscopo (1.1) | Who's Online - NOT (2.0.0) | Find Us on Facebook (1.1.3) | TP Metric Conversion Volume (1.5.0) | Jquery Translator (1.0) | Session Meter Site (1.2) | Breadcrumbs (1.5.0) | Google Weather (1.0) | Member Statistics (1.0.0) | Menu (1.5.0) | PWD-GEN J! J1.6 (1.6-1) | BCA RSS Syndicator (1.5.7.3) | Easy Script (1.5.0) | DOCman Category (1.5) | Weather Widget by TickWidget (1.1) | Media RSS (1.0.0) | Solar System Viewer (1.0) | Rokdownloads Recently Updated (1.0.2) | DWho's Online (1.7.0) | UserInfo (v1.0.0 - 2008) |
Modules :: ADMIN :: Custom HTML (1.5.0) | Latest News (1.0.0) | Latest logged downlods - admin (1.5) | Logged in Users (1.0.0) | Online Users (1.0.0) | Latest added documents - admin (1.5) | Popular Items (1.0.0) | Quick Icons (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Admin Menu (1.0.0) | Unapproved Documents - admin m (1.5) | Footer (1.0.0) | Login Form (1.0.0) | Items Stats (1.0.0) | Most downloaded documents - ad (1.5) | Unread Items (1.0.0) | Latest news from www.joomlatoo (1.5) | Missing Metadata Items (1.0.0) | Feed Display (1.5.0) | Akeeba Backup Notification Mod (3.4.3) | Recent Activity (1.1) | Toolbar (1.0.0) | Mobile Joomla! CPanel Icon (1.0 RC6) | Welcome! Admin (1.0.0) | JooFox Content Analyzer (0.1) | Session Meter (1.3) |

Plugins :: SITE :: Docman-Thanks Upload Email Plu (1.0.0) | DOCman - Standard Buttons (1.5.9) | DOCman - Notify (1.5.1) | DOCman - Thumbs (1.5.0) | Docman-Thanks Email Plugin (1.0.0) | System - Admin Forever (0.9.2) | System - kareebu Secure (1.0.1) | System - JRPassphrase (1.55) | System - Modules Anywhere (1.11.7) | System - Saxum IPLogger (1.0) | System - User activity log (1.2) | System - Admin Bar Unlocker (0.9.1) | System - NoNumber! Elements (2.8.3) | System - Jumi Router (2.0.3) | System - CustomHeadTag (1.0.2) | System - Debug (1.5) | System - AdminBar Docker (1.4.7) | System - Sourcerer! (1.0.0) | System - Remember Me (1.5) | Mobile Joomla! (1.0 RC6) | System - Cache (1.5) | System - SEOSimple (1.3) | System - osolCaptcha (1.0.6) | Reset Password (1.0.0) | System - jNoRightClick (1.0) | System - phider (1.0) | System - Mootools Upgrade (1.5) | sh404SEF - system - plugin (Version_1.0.B) | System - SEOGenerator (1.0) | Akeeba Backup Lazy Scheduling (3.3) | System - Backlinks (1.5) | System - Redirect Failed Login (1.51) | System - Auto Purge Cache (1.5.3) | SubmitMailer Pro (2.0) | System - SEF (1.5) | System - Log (1.5) | System - Legacy (1.5) | System - AntiCopy (1.3) | System - JBackup (1.5.3) | Search - DOCman (1.5.1.stable) | Search - Weblinks (1.5) | Search - Categories (1.5) | Search - RokDownloads (1.0.2) | Search - Content (1.5) | Search - Contacts (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - contentseo (1.5) | Editor - JoomlaFCK (2.6.3) | Editor - JCE 1.5.2 (1.5.2) | SpellChecker (2.0.0) | Advanced Code Editor (1.5.0) | Object Support (1.5.1) | Paste (1.5.1) | Advanced Link (1.5.1) | Joomla! Links for Advanced Lin (1.2.0) | File Browser (1.5.0 Stable) | Image Manager (1.5.2) | Paste (1.5.0) | Editor - XStandard Lite for Jo (1.0) | Editor - TinyMCE 3 (3.2.6) | Content - Code Highlighter (Ge (1.5) | Joomla Popin Plugin (1.5.2) | Content - Hider (1.50) | Readmore Link (1.0) | Content - Pagebreak (1.5) | Content - Email Cloaking (1.5) | Content - RokDownloads Link (1.0.2) | JooFox Content Title (0.1) | Content - Example (1.0) | load module into article (1.0.0) | Content - Load Modules (1.5) | Content - fsGeoIP (0.3) | webReader (1.3.0) | UberPageBreak (by JoomlaWorks) (1.0) | Jumi (2.0.3) | Content - Vozme (15j) | Content - Login to Read Full T (1.6) | AllVideos (by JoomlaWorks) (2.5.3) | Mobile Content Switch plugin f (2.0) | Content - Affiliate Link Cloak (3.0) | Content - DropdownTOC (1.3) | DirectPHP (1.55) | rss Feed (2.0) | Content - Page Navigation (1.5) | ToHeader (0.5) | Content - Vote (1.5) | Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Button - Modules Anywhere (1.11.7) | Button - Pagebreak (1.5) | Editor Button - Sourcerer! (1.0.0) | Button - RokDownload Link (1.5.0) | Button - Image (1.0.0) | DOCman - DOCLink (1.5.9) | Readmore 2 (1.0) | Button - Readmore (1.5) | User - Protect Logged in User (1.1) | User - Example (1.0) | User - MailIPAddress (1.0) | User - Joomla! (1.5) | User - Saxum IPLogger (2.0) | User - Login Protector (1.0.3) | Mobile - TeraWURFL (1.0 RC6) | Mobile - Forever (1.0 RC6) | Mobile - Domains (1.0 RC6) | Mobile - Simple (1.0 RC6) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Joomla Remote Plugin (1.0.0) |

Templates :: SITE :: rhuk_milkyway (1.0.2) | mobile_pda (1.0 RC6) | mobile_wap (1.0 RC6) | beez (1.0.0) | mobile_imode (1.0 RC6) | Sunflower (1.0) | mobile_iphone (1.0 RC6) | JA_Purity (1.2.0) |
Templates :: ADMIN :: Khepri (1.0) | Joomatic Admin (0.1) |

Hopefully I did it correctly

[ranwilli]

ok, move on to the next steps

[jas19500504]

I scanned all machines for viruses

Sorry, but I really do not know what to do next but am more than willing to learn

[ranwilli]

http://docs.joomla.org/Vulnerable_Extensions_List

check this list for extensions (and version numbers) you use. refer to the fpa for your installed extensions.

[ranwilli]

Follow the steps above, and start your own thread with your fpa post.

[mandville]

I scanned all machines for viruses

Sorry, but I really do not know what to do next but am more than willing to learn

your folder permissions are also incorrect for secure hosting as you are using apache module
read through
http://docs.joomla.org/Security_Checklist_7

[jas19500504]

Sorry, but this is getting too over whelming for me.

[mandville]

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
Download .tar.gz version or Download the .zip version NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the Security Checklist 7 document.

[jas19500504]

I checked the modules and plugins

I also password protected the folder that contained all the components but still got the hack.
I also password protected the folder that contained all the modules and still got the hack on the front page.

This suggests that it is not an extension problem.

Any suggestions on where else I could look.

[jas19500504]

I have done everything I was instructed to do with the files I had on hand and could not completely solve my problem.

I did find some file in my root labelled 7c32.php which I did not recognized.
When I deleted it, the search box that appeared on my frontpage always was now gone.
This helped a bit.

However, I am still getting some content on front page which is probably russian as it just appears as a bunch of small boxes instead of text.

I had tried new template but content was still there.

Anybody have any situations with the file I had mentioned. I did find that it was indeed a file used by hackers.

[mandville]

please follow what was written here http://forum.joomla.org/viewtopic.php?f ... 7#p3007296
indicate eachstep you take

move on to security checklist 7