After server was hacked cannot login in admin

Post by corrado444 » Sat Jun 01, 2013 1:26 am

Problem Description :: Forum Post Assistant (v1.2.3) : 31st May 2013 wrote: After server was hacked admin username and password return no longer work
Log/Error Message :: Forum Post Assistant (v1.2.3) : 31st May 2013 wrote: Username and password do not match
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.3) : 31st May 2013 wrote: [31-May-2013 20:07:45] PHP Fatal error: Class 'Cezpdf' not found in /home/hondagb5/public_html/components/com_fireboard/sources/fb_pdf.php on line 88
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 31st May 2013 wrote:



Our server was hacked quite brutally the other day and we found the following issues:

1) About half the sites (some 2.5, some 3.0 and some 1.5 that were waiting for migration) had their username and password changed to "admin" and a common password. In some cases the index.php template file was defaced, but by generating a new password with an MD5 generator we were able at least to get into the site and start fixing it.

2) The other half instead seemed untouched, except that passwords no longer work for any user group. Changing the password in phpMyAdmin to one generated via an MD5 generator doesn't seem to work at all.

In one case, trying to resolve the issue, I imported the jos_user table as well as all the "aero" tables from a backup to a compromised database. It was still impossible to log in or generate a new MD5 password that would work.

Unfortunately, our backups are too old for a simple restore. We will use them if we have to, but some sites have an active community and we would lose a lot of data.

I would like to find out how to get around the access denial. From what I can tell, if I could just get in with a single account I would be able to repair these sites and continue migrating the 1.5 sites to 3.0.

How could they have created this situation?
I looked in the plugins, and the Joomla access plugin is set properly, as is the user access in the user record (it's not set to deny access). I can't see any other setting in the database that would prevent a correct username and password from accessing the site admin (or the front end, for that matter; every user is locked out).

Thank you.

Forum Post Assistant (v1.2.3) : 31st May 2013 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.8-Production/Stable (Wohnaiki) 10-November-2008
Joomla! Configured :: Yes | Writable (644) | Owner: hondagb5 (uid: 1/gid: 1) | Group: hondagb5 (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | FTP Layer: 0 | SSL: N/A | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-308.16.1.el5 | Technology: i686 | Web Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8i DAV/2 mod_bwlimited/1.4 | Encoding: gzip,deflate,sdch | Doc Root: /home/hondagb5/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 31st May 2013 20:07:45. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 200M | Max. POST Size: 200M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.96-community (Client:5.0.96) | Host: --protected-- (--protected--) | Collation: utf8_unicode_ci (Character Set: utf8) | Database Size: 8.99 MiB | #of Tables:  208
Detailed Environment :: wrote:PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | SimpleXML (0.1) | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | ffmpeg (0.6.0-svn) | timezonedb () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Database Information :: wrote:Database _FPA_STATS :: Uptime: 4555027 | Threads: 6 | Questions: 356882514 | Slow queries: 349 | Opens: 4021105 | Flush tables: 1 | Open tables: 1024 | Queries per second avg: 78.349 |
Extensions Discovered :: wrote:Components :: SITE :: MailTo (1.5.0) | User (1.5.0) | default (1.0.0) | Wrapper (1.5.0) | WF_CLIPBOARD_TITLE (2.3.2.4) | WF_CLEANUP_TITLE (2.3.2.4) | WF_BROWSER_TITLE (2.3.2.4) | WF_INLINEPOPUPS_TITLE (2.3.2.4) | WF_FULLSCREEN_TITLE (2.3.2.4) | WF_ANCHOR_TITLE (2.3.2.4) | WF_VISUALBLOCKS_TITLE (2.3.2.4) | WF_LAYER_TITLE (2.3.2.4) | WF_CHARMAP_TITLE (2.3.2.4) | WF_CONTEXTMENU_TITLE (2.3.2.4) | WF_IMGMANAGER_TITLE (2.3.2.4) | WF_TEXTCASE_TITLE (2.3.2.4) | WF_SPELLCHECKER_TITLE (2.3.2.4) | WF_KITCHENSINK_TITLE (2.3.2.4) | WF_MEDIA_TITLE (2.3.2.4) | WF_DIRECTIONALITY_TITLE (2.3.2.4) | WF_SOURCE_TITLE (2.3.2.4) | WF_NONBREAKING_TITLE (2.3.2.4) | WF_PREVIEW_TITLE (2.3.2.4) | WF_PRINT_TITLE (2.3.2.4) | WF_STYLE_TITLE (2.3.2.4) | WF_AUTOSAVE_TITLE (2.3.2.4) | WF_SEARCHREPLACE_TITLE (2.3.2.4) | WF_VISUALCHARS_TITLE (2.3.2.4) | WF_LINK_TITLE (2.3.2.4) | WF_ARTICLE_TITLE (2.3.2.4) | WF_LISTS_TITLE (2.3.2.4) | WF_TABLE_TITLE (2.3.2.4) | WF_XHTMLXTRAS_TITLE (2.3.2.4) | WF_LINKS_JOOMLALINKS_TITLE (2.3.2.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.2.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.2.4) | WF_POPUPS_WINDOW_TITLE (2.3.2.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.2.4) | WF_LINK_SEARCH_TITLE (2.3.2.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.2.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.2.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.2.4) | comprofiler (1.2 RC 2) | CB SOBI2 (1.0.1) | CB Auto Welcome (1.2 RC) | Acajoom CB Plugin (1.0) | CB Mambo Author Tab (1.2) | CB Captcha (1.0.2) | GJ Fireboard (1.1) | CB ProfileBook (1.0) | CB Public Mail (1.0) | Groupjive Tab (1.1) | GJ Fireboard Extended (1.1) | CB Mamblog Tab (1.2) | Yanc Integration (1.2) |
Components :: ADMIN :: Search (1.5.0) | Polls (1.5.0) | joomgallery (1.0 BETA 1 BU) | Plugin Manager (1.5.0) | ReReplacer (2.1.7) | System - ReReplacer (2.1.7) | Installation Manager (1.5.0) | tag ($Id: tag.xml ) | Media Manager (1.5.0) | Mass Mail (1.5.0) | Seyret (0.2.8.1) | Seyret All In One (0.3) | fireboard (1.0.4) | VirtueMart (1.1.2) | Language Manager (1.5.0) | Trash (1.0.0) | RecommendFriends (2.0.1) | Frontpage (1.5.0) | Banners (1.5.0) | ContentSubmit (1.5) | Weblinks (1.5.0) | EventList (1.0 Beta) | Content Page (1.5.0) | Configuration Manager (1.5.0) | Control Panel (1.5.0) | eXtplorer (2.0.0 (final)) | Menus Manager (1.5.0) | Joomap (2.06 Beta2) | Cache Manager (1.5.0) | Contact Items (1.0.0) | Easy Search (0.0.1) | QContacts (1.0.3) | Acajoom (3.0.7) | Acajoom Content Bot (2.0.0) | Module Manager (1.5.0) | Unknown (-) | Unread messages (1.0.0) | Versions (1.0.0) | Memory usage (1.0.0) | Users online (1.0.0) | Free diskspace (1.0.0) | Logout (1.0.0) | Load values (1.0.0) | External Preview (1.0.0) | EasyToolbar2 (2.0.1) | Unknown (-) | JCE (2.3.2.4) | JCE (2.3.2.4) | JCE (1.5.0 Stable) | JCE Admin Control Panel (1.0.0) | Messaging (1.5.0) | Template Manager (1.5.0) | Newsfeeds (1.5.0) | sh404sef (1.0.11_Beta) | comprofiler (1.2 RC 2) | JoomlaPack (1.2) | User Manager (1.5.0) | AdsManager (2.2.2) | SOBI2 (RC 2.9.0) | GroupJive (1.7 v0.29a Gr) |

Modules :: SITE :: Breadcrumbs (1.5.0) | VirtueMart Manufacturers (1.1.0) | SOBI2 Latest Module (1.7) | FB Birthdays (1.0.1) | JWeather (0.2.0) | MiniFrontPage Module for J! 15 (1.2.1) | Google Analytics Tracking Modu (2.1.3) | Footer (1.5.0) | Feed Display (1.5.0) | AdsManager Ads (1.0.7) | Joom Images (1.0.5) | JA Newsflash (1.0.0) | CB Online (1.2 RC 2) | CB Online (1.2 RC 2) | GJ Largest Groups (1.4a) | GJ Largest Groups (1.4a) | VirtueMart All-In-One (1.1.0) | Statistics (1.5.0) | Random Image (1.5.0) | Syndicate (1.5.0) | VirtueMart Login (1.1.0) | AllVideos Reloaded (1.0beta3) | Wrapper (1.0.0) | Who\'s Online (1.0.0) | EventListQ Calendar module (0.7) | NiceFrontPage Module for J15 (1.0.1) | AdsManager Search (1.0.5) | Seyret All In One (0.3) | fetchrss (2.0) | sobi2 Simple Featured Listings (1.0.10) | Menu (1.5.0) | Latest Events (0.9.2) | League Results Table Module (0.2.1) | My Contact (1.0.1) | VirtueMart Product Scroller (1.1.0) | Search (1.0.0) | SOBI2 Menu Module (1.7) | Poll (1.5.0) | VirtueMart Featured Products (1.1.0) | TemplatePlaza Menu (2.0.1) | Archived Content (1.5.0) | VirtueMart Search (1.1.0) | Latest Events Wide (1.0) | Acajoom Module (3.0.1) | AdsManager Menu (1.1.0) | Latest News (1.5.0) | GJ Newest Groups (1.4a) | GJ Newest Groups (1.4a) | Custom HTML (1.5.0) | TP Tab Slide (1.0) | VirtueMart Shopping Cart (1.1.0) | VirtueMart Top Ten Products (1.1.0) | Most Read Content (1.5.0) | VirtueMart Product Categories (1.1.0) | Newsflash (1.5.0) | VirtueMart Latest Products (1.1.0) | Extended Menu 1.5 (1.0.3) | CB Workflows (1.2 RC 2) | CB Workflows (1.2 RC 2) | GJ Latest bulletins (1.4) | GJ Latest bulletins (1.4) | GJ My Groups (1.4a) | GJ My Groups (1.4a) | CB Login (1.2 RC 2) | CB Login (1.2 RC 2) | Login (1.5.0) | Sponsored Links (3.0 ClickSafe) | Related Items (1.0.0) | Sections (1.5.0) | openID for Joomla 1.5 (1.0.0) | Joomla 1.5 Latest News Popup (1.5.0) | VirtueMart Module (1.1.0) | VirtueMart Random Products (1.1.0) | Banner (1.5.0) | JooTabs (1.0) |
Modules :: ADMIN :: Admin Submenu (1.0.0) | Latest News (1.0.0) | Footer (1.0.0) | Feed Display (1.5.0) | Missing Metadata Items (1.0.0) | Quick Icons (1.0.0) | Unread Items (1.0.0) | Items Stats (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | EasyToolbar 2 (2.0.1) | JCE File Browser (2.3.2.4) | Custom HTML (1.5.0) | Title (1.0.0) | Toolbar (1.0.0) | Login Form (1.0.0) | Easy Search Quick Icon (0.0.1) | Admin Menu (1.0.0) | User Status (1.5.0) | Logged in Users (1.0.0) | JCE Admin Control Panel (1.0.0) |

Plugins :: SITE :: System - Cache (1.5) | System - JCE MediaBox (1.1.6) | sh404SEF - system - plugin (Version_1.0.B) | System - Remember Me (1.5) | System - Log (1.5) | System - Title Manager (1.0.1) | System - Smartsite (1.0) | System - SEF (1.5) | System - Legacy (1.5) | System - Debug (1.5) | System - GoogleVerify (1.1) | System - ReReplacer (2.1.7) | System - PositionBan (1.5) | juga 0.2 System Mambot (0.2) | System - Core Design Scriptegr (1.3.1) | System - Add Keywords (0.2) | System - Backlinks (1.5) | ACL - Joomla! Access Control P (1.5) | Authentication - LDAP (1.5) | Authentication - Joomla (1.5) | Authentication - GMail (1.5) | Authentication - OpenID (1.5) | Authentication - Example (1.5) | Acajoom Content Bot (2.0.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Editor - XStandard Lite for Jo (1.0) | Editor - JCE (2.3.2.4) | Editor - TinyMCE 2.1 (2.1.2) | Button - Pagebreak (1.5) | Button - FireboardDiscuss (1.5) | Button - Image (1.0.0) | Seyret Button (1.0) | Button - Readmore (1.5) | Editor Button - Insert Slides (1.0.0) | Search - Content (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Categories (1.5) | Searchbot for Sigsiu Online Bu (1.00) | Search - EventList (0.9.2) | Search - QContacts (1.5) | Search - Sections (1.5) | Search FireBoard (1.2.1) | Search - Contacts (1.5) | Virtuemart Extended Search Plu (1.5) | User - Joomla! (1.5) | User - Example (1.0) | TP Box for J.15 (1.0.1) | Content - Pagebreak (1.5) | ObjectClarity Fireboard Discus (1.0.6c (for F) | Content - AllVideos Reloaded (1.0beta2) | RokAccess for JUGA (1.0) | Content - Page Navigation (1.5) | Content - Core Design Accordio (1.0.0) | inlineACL (1.0) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | Content - XTypo (1.3) | Joomla [youtube] Plugin (1.5.1) | Content - Load Modules (1.5) | SeyretpicPic (1.0) | Content - Vote (1.5) | VirtueMart Product Snapshot (1.1.0) | Content - Email Cloaking (1.5) | Content - Hider (1.50) | Content - SEOMeta (1.0) | MosModule (1.5.1) | mostruncateurls (1.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: hondagb500 (1.0) | SacCityTennis (1.0) | modular_plazza (1.0) | beez (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) | Conticreative (1.0) |
Watch the 10 Minute Joomla! Tips Video Podcast
iTunes: itpc://10minutejoomlatips.blip.tv/rss/itunes
Feedburner: http://feeds.feedburner.com/10MinutesJoomlaTips
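
An offline check for the step described in the post above (setting the `password` column by hand to an MD5 value), as an added example that is not part of the original post or of Joomla's own code. It assumes the stock Joomla! 1.5 stored formats, a bare 32-character MD5 hex digest or `md5(password + salt):salt`, and every sample value in it is constructed.

```python
import hashlib
import hmac
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

def classify(stored):
    """Describe one value taken from the password column of the users table."""
    if stored != stored.strip():
        # A pasted newline or space makes the stored string differ from the digest.
        return "invalid: leading/trailing whitespace"
    parts = stored.split(":")          # digest[:salt]
    digest = parts[0]
    salt = parts[1] if len(parts) > 1 else ""
    if not HEX32.fullmatch(digest):
        # Assumption: the login check compares exact strings, so case matters.
        if HEX32.fullmatch(digest.lower()):
            return "invalid: uppercase hex digest"
        return "invalid: digest is not 32 hex characters"
    return "md5-salted" if salt else "md5-unsalted"

def verify(candidate, stored):
    """True if candidate hashes to the stored value as md5(password + salt)."""
    if classify(stored).startswith("invalid"):
        return False
    parts = stored.split(":")
    salt = parts[1] if len(parts) > 1 else ""
    test = hashlib.md5((candidate + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(test, parts[0])

def sample_rows():
    """Constructed column values: two well-formed, three damaged by hand editing."""
    plain = hashlib.md5(b"Example-Pass1").hexdigest()
    salted = hashlib.md5(b"Example-Pass1" + b"Qm3xT7").hexdigest() + ":Qm3xT7"
    return {
        "salted": salted,
        "unsalted": plain,
        "pasted_newline": plain + "\n",
        "uppercase": plain.upper(),
        "truncated": plain[:30],
    }

if __name__ == "__main__":
    for name, value in sample_rows().items():
        print(name, "|", classify(value), "|", verify("Example-Pass1", value))
```

Under these assumptions, a value that verifies here but is still rejected at login means the cause lies outside the contents of that column.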
