The Joomla! Forum ™



PostPosted: Fri May 04, 2012 3:15 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Hi,
My website has been hacked.
As a result, my homepage and my admin password were changed.

I temporarily restored the website, only by replacing the index.php with a backed-up one. The site works. I reset the passwords in phpMyAdmin.

I'd like an expert opinion on:
1. What to do next. Should I replace the files with an old backup, or is it not necessary?
2. How can I figure out how they hacked my site?
Someone told me it could be an unsafe component, but I think it was because of a virus I had on a PC I used to manage my Joomla site; I'm not sure. Does anyone know how they usually do this kind of hack?
3. Is there a way to know for how long the website has been hacked?

Thank you very much


PostPosted: Fri May 04, 2012 7:09 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
What you have done so far is a waste of time.
Follow this checklist and concentrate on checklist 7 - safe route to recovery:

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

2. nope - you should be able to know what you have installed on your site
3. no (see item 2)

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


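The checklist above is a procedure a site owner works through by hand. As an added example that is not part of this thread and not a Joomla project script, here is a small POSIX shell script covering the file-permission, .htaccess, cron and stray-PHP items of checklist 7. It assumes the site root is passed as the first argument and that the stock htaccess.txt shipped with the same Joomla release is still in that root, so the live .htaccess can be diffed against it; the 644/755 targets are the ones mandville gives.

```shell
#!/bin/sh
# Added example for checklist 7 above (permissions, .htaccess, cron, stray
# PHP files). Not a Joomla project script; written for this thread.
# Assumptions: the site root is $1; the stock htaccess.txt from the same
# Joomla release is still in that root. Needs only POSIX find, diff, grep.

# Anything world-writable (777, 666, ...): the checklist says never 777.
find_world_writable() {
    find "${1%/}" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Everything that is not the ideal 755 (directories) / 644 (files), so the
# exceptions can be reviewed one by one instead of blindly chmod'ed.
find_nonstandard_modes() {
    root=${1%/}
    {
        find "$root" -type d ! -perm 755 2>/dev/null
        find "$root" -type f ! -perm 644 2>/dev/null
    } | sort
}

# Lines present in the live .htaccess but not in the stock htaccess.txt show
# up with a leading '+'. diff exits 1 when files differ, so that status is
# accepted; anything else (missing file) is a real error.
htaccess_diff() {
    root=${1%/}
    diff -u "$root/htaccess.txt" "$root/.htaccess" || [ $? -eq 1 ]
}

# PHP files under trees that should only hold uploads or temporary files.
# (cache/ and logs/ are skipped: Joomla writes its own *.php files there.)
find_php_in_upload_dirs() {
    root=${1%/}
    for d in images media tmp; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -name '*.php' 2>/dev/null
    done | sort
}

# Usage: sh audit_joomla.sh /home/account/public_html
if [ "$#" -gt 0 ]; then
    echo "== world-writable ==";       find_world_writable "$1"
    echo "== not 755/644 ==";          find_nonstandard_modes "$1"
    echo "== .htaccess vs stock ==";   htaccess_diff "$1"
    echo "== php in upload dirs ==";   find_php_in_upload_dirs "$1"
    echo "== crontab ==";              crontab -l 2>/dev/null || echo "(no crontab or not permitted)"
fi
```

Run it from a shell on the host (cPanel terminal or SSH) before deleting anything and keep the output: the world-writable list and the .htaccess diff are things to fix, while the not-755/644 list is for review rather than a blanket chmod.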
PostPosted: Fri May 04, 2012 11:09 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Thank you Mandville: about point 1, OK, it's pretty clear; I already read the same in another of your posts.

About points 2 and 3: my question was a little different; I'm trying to explain it better. I have my website on a shared hosting plan.
At first I thought that there was a problem on the server that affected my website too.
The company that rents me the hosting plan told me that these kinds of hacks are frequently due to one of the following things:

- a Joomla add-on recently installed
- a weak password and username
- a virus on an infected PC

I can exclude number 1 because I didn't install anything dangerous (nothing included in the vulnerable extension list you showed me is installed on my site, and furthermore I didn't install anything new in the last month, and the website was hacked yesterday). And number 2 because my password was pretty strong.

Number 3 could be possible; I don't know what kind of virus, but I guessed it could be some kind of spyware that could have stolen my admin password while I was managing my website from an infected PC.
What's your opinion about this? Could a virus on an infected PC in some way cause a hack of my site?
Is what the hosting company is saying possible?


PostPosted: Fri May 04, 2012 11:37 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Mandville: I ran the Forum Post Assistant / FPA. I'm sending you the code via PM; hope you don't mind, but I'm afraid it may contain personal data.
Thank you if you could give it a look.


PostPosted: Fri May 04, 2012 11:44 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
rosponius wrote:
via pm hope you don't mind

PM deleted without being read, as per signature

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri May 04, 2012 11:54 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
I investigated further and found, inside the logs folder, a file named jcontroller.log.php with this code:
Code:
#<?php die('Forbidden.'); ?>
#Date: 2012-01-16 18:21:52 UTC
#Software: Joomla Platform 11.2.0 Stable+Modified [ A NAME ] 27-Jul-2011 00:00 GMT


The name between brackets is the same as the hacker's. Is this just a coincidence?


Last edited by rosponius on Sat May 05, 2012 12:21 am, edited 1 time in total.

PostPosted: Sat May 05, 2012 12:06 am 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
mandville wrote:
rosponius wrote:
via pm hope you don't mind

PM deleted without being read asper signature


All... right. It was not a "requested help" PM; it was just that I can't understand the codes well and I was afraid it could contain some personal data. Anyway, it seems it doesn't, so I'm adding the code here.
The code from the FPA, I mean:

Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.1) : 4th May 2012 wrote:
[16-Mar-2012 13:24:44 UTC] PHP Fatal error: Call to a member function checkAnswer() on a non-object in /home/tariwine/public_html/libraries/cms/form/rule/captcha.php on line 47
Forum Post Assistant (v1.2.1) : 4th May 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.4-Stable (Ember) 2-April-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: "*******" (uid: 688/gid: 685) | Group: "********" (gid: 685) | Valid For: 2.5 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/tariwine/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.10 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 16th March 2012 13:24:44. | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.61-cll (Client:5.1.61) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.04 MiB | #of _FPA_TABLE: 201
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.10) | date (5.3.10) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.10) | Phar (2.0.1) | posix () | pspell () | Reflection ($Revision: 321634 $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 321634 2012-01-01 13:15:04Z felipe $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | cgi-fcgi () | timezonedb () | suhosin (0.9.33) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: Kunena Forum - German (Germany (1.7.2) | Kunena Forum - English (1.7.2) | com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_plugins (2.5.0) | com_weblinks (2.5.0) | com_admin (2.5.0) | com_menus (2.5.0) | com_languages (2.5.0) | COM_FSF (1.9.1.1302) | com_xmap (2.2) | com_config (2.5.0) | com_joomlaupdate (2.5.0) | com_content (2.5.0) | com_cache (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | com_modules (2.5.0) | hwdVideoShare ([ Romm ]) | FAQ Book (1.5.2) | com_installer (2.5.0) | COM_DBREPLACER (2.0.1FREE) | com_redirect (2.5.0) | plg_system_kunena (-) | plg_system_kunena (-) | plg_system_kunena (1.7.2) | System - Kunena (1.7.2) | Kunena language pack (@kunenaversio) | com_kunena (1.7.2) | Kunena Forum - German (Germany (1.7.2) | Kunena Forum - English (1.7.2) | com_login (2.5.0) | com_users (2.5.0) | jshopping (3.5.0) | com_messages (2.5.0) | com_newsfeeds (2.5.0) | com_finder (2.5.0) | com_media (2.5.0) | com_banners (2.5.0) | com_search (2.5.0) | K2 (2.5.4) | com_templates (2.5.0) | com_cpanel (2.5.0) |

Modules :: SITE :: mod_articles_categories (2.5.0) | K2 Content (2.5.4) | Jshopping Cart (3.0.1) | mod_articles_latest (2.5.0) | mod_search (2.5.0) | IceCarousel Module (1.7.2) | Lof JoomShop SlidingCaption Mo (1.0) | mod_users_latest (2.5.0) | mod_loginregister (2.5) | mod_menu (2.5.0) | Jshopping Last Products (3.0.1) | mod_banners (2.5.0) | mod_wrapper (2.5.0) | Jshopping Search (3.1.2) | Social Login (1.3) | K2 User (2.5.4) | mod_whosonline (2.5.0) | mod_footer (2.5.0) | Freestyle FAQs: Category Listi (1.9.1.1302) | Social Share Buttons (1.1) | K2 Users (2.5.4) | mod_related_items (2.5.0) | BT Login (1.1) | Jshopping Login (3.0.4) | Jshopping Filters (3.3.0) | mod_weblinks (2.5.0) | mod_custom (2.5.0) | mod_random_image (2.5.0) | mod_stats (2.5.0) | K2 Comments (2.5.4) | mod_articles_category (2.5.0) | Jshopping Cart Ext. (3.0.2) | mod_breadcrumbs (2.5.0) | mod_feed (2.5.0) | K2 Tools (2.5.4) | mod_articles_news (2.5.0) | Google Site Search (1.7.0) | mod_syndicate (2.5.0) | Cassrina Slideshow Bar CSB3 (1.6.0) | Latest articles with thumbnail (1.5.0) | mod_articles_popular (2.5.0) | mod_articles_archive (2.5.0) | RokAjaxSearch (1.1) | Jshopping Categories (3.0.1) | mod_languages (2.5.0) | Cassrina Slideshow Flo Alpha T (1.5.4) | mod_finder (2.5.0) | PixSearchNG (0.1.6) | K2 Login (2.5.4) | mod_login (2.5.0) |
Modules :: ADMIN :: mod_version (2.5.0) | mod_multilangstatus (2.5.0) | K2 Stats (admin) (2.5.4) | mod_popular (2.5.0) | mod_menu (2.5.0) | mod_title (2.5.0) | K2 Quick Icons (admin) (2.5.4) | mod_custom (2.5.0) | mod_latest (2.5.0) | mod_status (2.5.0) | mod_feed (2.5.0) | mod_logged (2.5.0) | mod_toolbar (2.5.0) | mod_submenu (2.5.0) | mod_quickicon (2.5.0) | mod_login (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | PLG_CONTENT_JOSTAG (2.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | plg_content_pagenavigation (2.5.0) | Content - Migur AJAX Search (1.0.1) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | English Language ([ Romm ]) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - SobiPro Plugin (2.0.1) | Xmap - Content Plugin (2.0.3) | Xmap - Joomshopping 3.x.x Plug (2.0.0) | Remote Video ([ Romm ]) | Google ([ Romm ]) | Youtube ([ Romm ]) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - K2 (2.5.4) | plg_user_joomla (2.5.0) | plg_editors_tinymce (3.4.9) | plg_editors_codemirror (1.0) | plg_system_debug (2.5.0) | plg_system_sef (2.5.0) | plg_system_cdscriptegrator (2.1.6) | plg_system_languagefilter (2.5.0) | plg_system_log (2.5.0) | plg_system_p3p (2.5.0) | plg_system_logout (2.5.0) | plg_system_kunena (1.7.2) | plg_system_languagecode (2.5.0) | plg_system_highlight (2.5.0) | plg_system_redirect (2.5.0) | System - Canonicalization (2.5.0) | Finch - Canonical URLs (1.0.0) | System - Title Manager (2.0) | PLG_SYSTEM_METAGENERATOR (2.0.3) | PLG_SYSTEM_NNFRAMEWORK (12.4.2) | System - K2 (2.5.4) | System - Percha Google Analyti (0.1) | plg_system_remember (2.5.0) | plg_system_cache (2.5.0) | System - SEOSimple (2.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | JoomShopping Plugin Resize Pic (3.2.3) | JW FLV (Version 4) Player ([ Romm ]) | Flow Player ([ Romm ]) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | Search - FW Gallery (1.1.0) | plg_search_newsfeeds (2.5.0) | plg_search_phocagallery 
(3.0.1) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | Search - K2 (2.5.4) | plg_search_weblinks (2.5.0) | Search - JoomShopping (3.0.0.1) | Search - Freestyle FAQs (1.9.1.1302) | Search - SobiPro (1.5.3) | plg_extension_joomla (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) |
Templates Discovered :: wrote:
Templates :: SITE :: atomic (2.5.0) | beez_20 (2.5.0) | beez5 (2.5.0) | Untitled (1.0) | joomla green template no mod r (1.0) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |



Thanks


PostPosted: Sat May 05, 2012 1:22 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
rosponius wrote:
... I was afraid it could contain some personal data anyway it seems it doesn't so I'm adding the code here.
The code from FPA I mean:
...

What difference would it make if it contained personal data ? After all you followed the other instructions yes ? The instructions that included deleting all the files and changing the personal data.

And the server data will be known to the hacker anyway.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat May 05, 2012 2:01 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Webdongle wrote:
rosponius wrote:
...

What difference would it make if it contained personal data ?


I didn't explain myself well (English is not my mother tongue). What I meant was simply that I didn't want to post any personal data by mistake. Actually, in the FPA there was the name of my login, and now I've hidden it with asterisks.

But anyway, did anyone find anything odd in the data I posted?
In the meantime I scanned my website with an antivirus and it said my website was clean, but two websites hosted on my shared server are infected. Is this possible?
Also, I forgot this and it's relevant: I have another Joomla website on another server; I manage it from the same PCs and it has never been touched by a hacker.


Quote:
The instructions that included deleting all the files and changing the personal data.


I have not done it yet, I was asking if it would be safe to use the backups on my pc or not. Would those be more or less safe than the one that can be restored by the server company?


PostPosted: Sat May 05, 2012 2:21 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
rosponius wrote:
...

I didn't explain myself well (English is not my mother tongue). What I meant was simply that I didn't want to post any personal data by mistake. Actually, in the FPA there was the name of my login, and now I've hidden it with asterisks.
... I manage it from the same pcs and has not been touched by a hacker ever.
...

Your site has been hacked therefore the hacker knows that login.
Your site has been hacked therefore you will have changed your login
Your site has been hacked therefore you will have deleted everything

Therefore putting the information for all to see does not matter because
  1. That information is already known to the hacker
    and
  2. That information is no use to anyone because you have changed it. At least you should have done.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat May 05, 2012 2:56 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Webdongle wrote:
...
Your site has been hacked therefore you will have deleted everything

Sorry, do you mean:

I should delete everything
or
the hacker deleted everything
?
Apparently the site has only been defaced.

I can delete everything, but I need to restore the database and files.
Now I can reinstall a clean copy of Joomla as suggested, but I need to re-upload my files.
Do you think it's safe to use my saved backups for both the database and files?
Should I reinstall all the extensions too, or just restore them through backup?
Thank you


PostPosted: Sat May 05, 2012 3:12 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
rosponius wrote:
...
Sorry do you mean:

I should delete everything
or
the hacker deleted everything
?
Site has been apparently only defaced.
...

I mean that if you followed the instructions posted by mandville "Delete all files in your Joomla installation" .... then you will have deleted everything. That includes any files the hacker may have placed on the server. (from mandville's post) "Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories"

You can save your configuration.php file but you need to check it.

You don't have a clean backup ? Then you have to replace the Joomla and extension folders/files manually. Then when you have done that you will have files that match your database and no extra hacking files.

Don't forget to check your computer and all the other things in the list.

_________________
http://weblinksonline.co.uk/joomla-faq.html


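For Webdongle's point that configuration.php can be kept but must be checked, here is an added example (not Joomla's code and not from this thread) that checks a Joomla 2.5 configuration.php in three passes: every line must have one of the shapes the file is supposed to contain; no PHP function name that has no business in a settings file may appear; and the settings most worth reading by eye (live_site, log_path, tmp_path, the offline flag and message, the database type, host and prefix) are printed for comparison with what you set yourself. The file layout assumed is the one Joomla 2.5 writes: `<?php`, `class JConfig {`, one `public $name = value;` per line, and a closing `}`.

```shell
#!/bin/sh
# Added example for "you can save your configuration.php file but you need
# to check it". Not part of Joomla; written for this thread. Assumes the
# Joomla 2.5 layout of configuration.php: an opening <?php tag,
# "class JConfig {", one "public $name = value;" per line, a closing brace,
# and nothing else.

# Every line must be blank, the PHP open tag, the class line, the closing
# brace, or a single "public $name = ...;" property.
CONFIG_LINE_RE='^[[:space:]]*$|^<[?]php[[:space:]]*$|^class JConfig[[:space:]]*[{][[:space:]]*$|^[[:space:]]*[}][[:space:]]*$|^[[:space:]]*public \$[A-Za-z_][A-Za-z0-9_]* = .*;[[:space:]]*$'

# Function names that have no place in a settings file; any hit is printed.
CODE_RE='(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|system|exec|shell_exec|passthru|popen|proc_open|create_function|preg_replace|include|include_once|require|require_once)[[:space:]]*\('

# Prints (with line numbers) every line that does not fit the expected shape.
# Returns 0 if nothing was printed, 1 if something was, 2 if the file could
# not be read. Written so it also behaves under "set -e".
check_config_shape() {
    rc=0
    grep -nvE "$CONFIG_LINE_RE" "$1" || rc=$?
    case $rc in 0) return 1 ;; 1) return 0 ;; *) return 2 ;; esac
}

# Same contract, for the function-name list above.
check_config_for_code() {
    rc=0
    grep -nE "$CODE_RE" "$1" || rc=$?
    case $rc in 0) return 1 ;; 1) return 0 ;; *) return 2 ;; esac
}

# The settings worth reading by eye even when both checks pass: a changed
# live_site, log_path or tmp_path, or an offline message you did not write,
# is how a defacement or a relocated log/tmp directory shows up here.
show_config_settings() {
    grep -E '^[[:space:]]*public \$(live_site|log_path|tmp_path|offline|offline_message|dbtype|host|dbprefix) ' "$1" || [ $? -eq 1 ]
}

# Usage: sh check_config.sh /home/account/public_html/configuration.php
if [ "$#" -gt 0 ]; then
    check_config_shape "$1"    && echo "shape: OK" || echo "shape: review the lines above"
    check_config_for_code "$1" && echo "code: OK"  || echo "code: review the lines above"
    show_config_settings "$1"
fi
```

The shape check alone is not enough: a line such as `public $live_site = ''; eval(...);` still ends in a semicolon and passes it, which is why the function-name pass runs as well. A clean result from both still says nothing about whether the values are right, so compare the printed settings with what you configured yourself.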
PostPosted: Sat May 05, 2012 3:27 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Quote:
You don't have a clean backup ?
Don't forget to check your computer and all the other things in the list.


That's the point: I don't know if my backups are clean; I don't know if the attack came from an infected file on my PC. I checked with more than one antivirus and nothing was found, but how can I be sure?


PostPosted: Sat May 05, 2012 6:34 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
rosponius wrote:
Quote:
... I don't know if my backups are clean, I don't know if the attack came from an infected file on my PC. I checked with more than one antivirus and nothing was found but how can I be sure?

If you don't know if your backup is clean you can do one of 2 things.
Either delete all the folders/files from the server and restore a backup from a month or so back. If it was not clean and your site gets reinfected then delete all the folders/files again and replace manually.
or
Delete all the folders/files and replace manually first time.

You can never be 100% sure your PC is clean but if you scan it with every antivirus/anti malware you can ... then you can be as sure as you can be. If you find nothing on your PC then the chances are it got on your site through a vulnerable extension. If that is the case then deleting the folders/files, replacing them with clean ones ... and checking your extensions are up to date and not on the VEL ... that should sort things.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat May 05, 2012 7:03 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Webdongle wrote:
rosponius wrote:
Quote:
... I don't know if my backups are clean, I don't know if the attack came from an infected file on my PC. I checked with more than one antivirus and nothing was found but how can I be sure?

If you don't know if your backup is clean you can do one of 2 things.
Either delete all the folders/files from the server and restore a backup from a month or so back. If it was not clean and your site gets reinfected then delete all the folders/files again and replace manually.
or
Delete all the folders/files and replace manually first time.

You can never be 100% sure your PC is clean but if you scan it with every antivirus/anti malware you can ... then you can be as sure as you can be. If you find nothing on your PC then the chances are it got on your site through a vulnerable extension. If that is the case then deleting the folders/files, replacing them with clean ones ... and checking your extensions are up to date and not on the VEL ... that should sort things.


Thank you Webdongle, you have been clear.
I'll proceed as you suggest; anyway, I'm trying to investigate further.
I agree, not 100% sure, but likely it was not a virus in the end.

I double-checked the VEL too, but I don't have any vulnerable extension installed on that website.

What else could it be? Something in the template? An unlisted vulnerable extension?

And I have a doubt (maybe a silly one):
I have useful backups dated 10 days ago on both the server and my PC (they are rar-packed). Do you think they could be infected in some way, although they were saved before the attack and have never been unpacked?


PostPosted: Sat May 05, 2012 8:34 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
There are a lot of free Templates with malicious code and hacked images.
There are many ways a site can be infected. And the results don't show for several months. How long has your site been 2.5.4 ? was it upgraded from an earlier version ?

Do you allow people to upload images ? Does anyone else have ftp access ? if so what about their computer ?

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat May 05, 2012 9:16 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
My template was designed with Artisteer by a friend. I have then modified the CSS and PHP from time to time when needed.
Originally the website was made with Joomla 1.7; I upgraded to 2.5 almost as soon as it came out, then updated again to 2.5.4. To do these updates I've always used the auto-installation feature inside the host's cPanel.

I do NOT allow people to upload images.

I only have FTP access, but a couple of times I had to use another PC (just one) and it seems not to be infected. Furthermore, I have the password saved in that PC's FTP software also for another Joomla website that I manage, and that site hasn't been affected by the hacker.
While on the PC I use for the hacked website, in the FTP software there was only the password for the hacked website, not the other website; that makes me think of some malware stealing my password on this PC and then self-destroying. Possible?


PostPosted: Sun May 06, 2012 12:57 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
If malware gets on a PC before the antivirus knows that malware is in the wild .... then the malware can prevent updates of the antivirus from seeing it. One reason to scan with more than one program.

Malware can also hide in 'system restore', so even if it's deleted it reinstalls itself. Turn system restore off and disconnect from the internet and hit the computer with everything you can ... is sometimes the only way to eradicate some malware.

But it sounds doubtful that your PC is infected. Is it shared Hosting ? Perhaps Google the name of your Host with hacked ? There are many sites hacked from the server.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sun May 06, 2012 2:52 am 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Webdongle wrote:
If malware gets on a PC before the antivirus knows that malware is in the wild .... then the malware can prevent updates of the antivirus from seeing it. One reason to scan with more than one program.

Malware can also hide in 'system restore', so even if it's deleted it reinstalls itself. Turn system restore off and disconnect from the internet and hit the computer with everything you can ... is sometimes the only way to eradicate some malware.

But it sounds doubtful that your PC is infected. Is it shared Hosting ? Perhaps Google the name of your Host with hacked ? There are many sites hacked from the server.


Thank you very much for these tips.
I have checked with 2 different antivirus programs and with two anti-malware programs.
Now I'm going to format my PC and use an Ubuntu live system for website management, to be sure.
My worries are about a possible contamination of my backups.

About the server: yes, it's shared hosting.
I investigated further and found out that on my shared hosting there are two infected websites.
I have spent all day emailing with the guys that work for my host provider.
Of course they say it's not their fault.... and then, although other websites may be infected, mine should be safe because they run SU_PHP on their servers, so one client's scripts can't affect another client's site or scripts, according to them.
Unfortunately I can't be sure about that, and I can't be sure about my PC or my website's vulnerability either.

Anyway, I found out when the attack happened and from where. Then I re-read the Joomla security checklists. In checklist part 6 there is this tip: "List recently modified files: Before making any changes to your site, generate a list of recently modified files. Here's a php script that will list the files for you. Remove this script as soon as you have your list and don't publish a link to it!"

There is no link to the mentioned PHP script anymore. Do you or anyone else know of a script that can do that job as suggested there?

Thanks again for your advice, very helpful


PostPosted: Sun May 06, 2012 4:53 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
I'm going to step in a bit here and hopefully clear a few things up and make sure all readers understand certain points. The exchange I am referencing is quoted below.

Contrary to a recent statement that could be interpreted a number of ways, it does make a difference if the FPA were to disclose such personal information to the forum in the form of user names and passwords. That would be irresponsible on our part. We will as forum moderators also not publicly ask for such information to be disclosed. Never disclose this information to regular forum users who ask. We have no control over what information you disclose if you have agreed by other methods to allow a regular forum user to help clean and repair your site.

rosponius wrote:
... I was afraid it could contain some personal data anyway it seems it doesn't so I'm adding the code here.
The code from FPA I mean:

webdongle wrote:
What difference would it make if it contained personal data ?

The FPA does not display any personal information such as the database user name and password, or provide them in the generated data that is to be posted in the forums. That information is not needed by us in the public forum areas to help diagnose the issues you're having with your site.

The FPA script results do display some path information and some server information that could be considered sensitive with the default information privacy radio check box, but this information is helpful for certain diagnoses and is why it is included. The FPA user can always select the Strict radio check box before generating the post information, and then the additional information that could be considered sensitive would not be included in the post.

The FPA script does have to look at certain information in the configuration.php file in order to gain access to certain data that is needed to help diagnose issues with your site. Because of this necessary access, the FPA script does have the potential to allow the possibility of a hacker accessing the script to gain information about your site such as the data the configuration.php file contains. The FPA script should not be left on your website after you have used it to make the forum posting.

This is why I have added the security notice and the link to automatically remove the script from your site to the latest version of the FPA script. You should also close the browser tab or window that the FPA results are displayed in after removal of the FPA script.


@rosponius

If you have a modified template and you do not have a known clean copy to replace it with when you do the cleaning, then I would suggest that you inspect each of the modified files (files like index.php, the css file(s), and any added logo or image files) closely for unauthorized modifications. Then you can replace the template with a freshly downloaded clean copy and replace the necessary files with your modified ones to get your template structure back.

Since the database and the information it contains do not get replaced when cleaning your site, be sure to check for any added names that may be super-admins or otherwise have access to the administrator in the Joomla database. If any are found, or you are unsure of certain users, then delete them.

Be sure to follow what mandville posted in her checklist and pay special attention to the checklist 7 where it says to use multiple malware scanners on any computer that accesses your website. No program will detect 100% of malware so it is best to use a good mainstream antivirus program and also periodically use something like malwarebytes anti-malware scanner.

Yes sites can be hacked across accounts on shared hosting. It depends on a number of factors but could be a cause. The host is not going to admit this to you or anyone else as it is not in their best interest financial wise to do so.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Sun May 06, 2012 6:52 am 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Hi PhilD,

thanks for the note.
Of course I was sure you didn't need or ask for passwords.
To clarify further, can you please explain to me the section where the FPA writes about owner and group?

Quote:
so it is best to use a good mainstream antivirus program and also periodically use something like malwarebytes


That's exactly what I did!

Quote:
I would suggest that you inspect each of the modified files (files like index.php, the css file(s), and any added logo or image files) closely for unauthorized modifications.

This may be a silly question, but: how do I know which are the modified files? And: any clue on the script that I talked about in the previous post and that was mentioned in Joomla security checklist #6?

Quote:
Yes sites can be hacked across accounts on shared hosting. It depends on a number of factors but could be a cause. The host is not going to admit this to you or anyone else as it is not in their best interest financial wise to do so.


I guess there's nothing I can do here nor find evidence if that happened in my case or is there a way?


PostPosted: Sun May 06, 2012 5:01 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
The script I am looking for was suggested here: http://docs.joomla.org/Security_and_Per ... ow_what.3F

Point #3 "List recently modified files: Before making any changes to your site, generate a list of recently modified files. Here's a php script that will list the files for you. Remove this script as soon as you have your list and don't publish a link to it!"

But there's no link anymore, where can I find that or a similar script?


PostPosted: Sun May 06, 2012 10:51 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
To directly answer the question, I don't know what 'script' the doc was talking about.

While there is much good reading on the official Joomla wiki about security etc., not all of it is up to date or may be missing something such as what you found. You should be following the checklist mandville posted and I will explain why in a minute. I have posted essentially the same thing here at the bottom of this post for convenience.

First. Security is an always changing target. As such, the documentation has to change along with the times. Yes, there is much other documentation with pointers and suggestions to follow that can be found on the Joomla wiki as well as elsewhere (much of which is essentially copied from the official Joomla wiki docs). The quality of this documentation as it relates to security varies from up to date and maintained, to extremely out of date or wrong.

The security moderators and a select few other very knowledgeable people have created documentation specifically dealing with site hacks, how to efficiently recover from the hacks and how to prevent site hacks from reoccurring. The information is a collection of current best practices and procedures and is what we generally use day to day to clean, fix, and prevent hacked sites. The information provided is generally under the control of the security moderators and a select few other forum members and is kept up to date with the latest recommended security practices and security information. This documentation essentially consists of three main things:

1. the FPA script. This script is to provide both the script user and the helpful people on the security forum with detailed information about the site in question. The script can save hours of work and many times we can use the posted results to point to an area of the site to focus on first.

2. The security checklist 7. This wiki document contains the essential requirements to clean, repair, and help prevent the hacking from reoccurring. The document also contains some helpful one line scripts; one of which will detect if any file changes on a site for any reason, and by anyone.

3. The VEL or Vulnerable Extensions List is a listing of extensions and the version(s) for Joomla that were found to be insecure and could result in a hacker using them to enter and hack your site. Mandville does an excellent job of keeping the listing up to date and this list is always changing. Used together with the FPA you can quickly determine if an extension version you're using is on the listing. Any extension version you are using that is found out of date or appears on the list should be updated using the latest release from the developer. If there is no later release, then the extension should be uninstalled from the site.

That covers the three main documents and sources of information. There is one more under control of the security moderators and that is the "Before You Post" forum sticky viewtopic.php?f=621&t=582854 is for the 2.5 forum. The security mods and others will many times point to this checklist or provide a copy within an answer. The "Before you post" sticky also contains some additional pointers that may be missed when reading the checklist 7. While what is sometimes posted varies somewhat (both between security mods and the forum sticky) the essential information to follow is always contained within what is posted. This is what I am posting below.

PhilD wrote:

It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when the site became hacked. This can make a difference as to how we approach your individual situation.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 and 755 and 444 for the configuration.php file.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with 1.0.x, J1.6.x, J1.7.x, 2.5.x versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
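The "list recently modified files" script that the wiki page no longer links (asked about a few posts up) and the file-change detection PhilD mentions under item 2 of his list are both illustrated by the following shell example. It is an added example, my own and not the wiki's, the FPA's or the forum's code. It assumes GNU coreutils on the hosting shell (find, sha256sum, comm, cut) and a web root path that you supply; the paths in the usage comments are examples only.

```shell
#!/bin/sh
# Added example: list recently modified files under a Joomla web root and keep
# a checksum baseline so that any later file change shows up. Not from the
# Joomla wiki, the FPA or this thread; assumes GNU find/sha256sum/comm.

# list_recent ROOT DAYS
# Print every regular file under ROOT modified in the last DAYS days, with
# mode, owner and timestamp, newest first. Run this BEFORE touching anything,
# so the attacker's files are still distinguishable by date.
list_recent() {
    root=$1
    days=$2
    find "$root" -type f -mtime "-$days" -exec ls -lt {} +
}

# make_baseline ROOT OUT
# Record the SHA-256 of every file under ROOT into OUT, one "hash  ./path"
# line per file, sorted. Take this snapshot right after the clean rebuild and
# keep OUT outside the web root so an intruder cannot rewrite it.
make_baseline() {
    root=$1
    out=$2
    ( cd "$root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$out"
}

# check_baseline ROOT BASELINE
# Compare the tree with BASELINE. Prints one line per added or modified file
# and one "DELETED path" line per removed file, then returns 1; prints nothing
# and returns 0 when the tree still matches the baseline.
check_baseline() {
    root=$1
    base=$2
    now=$(mktemp)
    make_baseline "$root" "$now"
    # lines only in the current snapshot: files that are new or changed
    changed=$(LC_ALL=C comm -13 "$base" "$now")
    # lines only in the baseline: old hashes of changed files (path still
    # exists, skipped) or files that were removed (reported). The path starts
    # at column 67 of sha256sum output (64 hex digits plus two spaces).
    deleted=$(LC_ALL=C comm -23 "$base" "$now" | cut -c67- |
              while read -r p; do [ -e "$root/$p" ] || echo "DELETED $p"; done)
    rm -f "$now"
    if [ -n "$changed" ] || [ -n "$deleted" ]; then
        [ -n "$changed" ] && printf '%s\n' "$changed"
        [ -n "$deleted" ] && printf '%s\n' "$deleted"
        return 1
    fi
    return 0
}

# Usage on a real site (paths are examples, not the project's):
#   list_recent /var/www/site 7
#   make_baseline /var/www/site /home/me/site.sha256
#   check_baseline /var/www/site /home/me/site.sha256   # e.g. daily from cron
```

Running check_baseline from cron and mailing its output gives the "detect if any file changes on a site for any reason, and by anyone" behaviour the checklist describes; because the baseline lives outside the web root, a dropped backdoor in a template directory shows up as an added line the next time the job runs.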


PostPosted: Sun May 06, 2012 11:10 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
I just found the infected file on my website, NOT on my pc.
It is an infected php file put somehow in the beez2.0 template (which I'm not using, but it is installed).
It is infected with the backdoor php/WebShell.A.1.


PostPosted: Sun May 06, 2012 11:27 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
rosponius wrote:
I just found the infected file on my website NOT on my pc....

Perhaps more accurate to say ... You found part of the pay load that was left by a hacker after they entered via a different exploit.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sun May 06, 2012 11:39 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Webdongle wrote:
rosponius wrote:
I just found the infected file on my website NOT on my pc....

Perhaps more accurate to say ... You found part of the pay load that was left by a hacker after they entered via a different exploit.



Meaning, in non-technical language? :)
Possible origin?
With "part" do you mean something else could still affect my site?


PostPosted: Sun May 06, 2012 11:43 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
"To further clarify can you please explain me what is the section where FPA write about owner and group? "

If the owner and group as listed within the FPA are different, then this can mean that there could be file and directory permission issues that will result in the site being hacked. Here is more information on file and directory permissions
http://www.joomlatutorials.com/joomla-t ... ation.html
and
http://www.joomlatutorials.com/joomla-t ... uexec.html

Both were excellently written by RussW and explain ownership and permissions very well.

"This maybe a silly question but: How do I know which are the modified files?"

I was referring to how you could keep your template modifications and still clean the site properly. "My template was designed with artisteer by a friend. I then have modified from time to time the css and php when needed."


"I guess there's nothing I can do here nor find evidence if that happened in my case or is there a way?" There are certain issues that shared servers can present. Any server can be hacked and some hosts are better at preventing hacks across customer accounts than others. Most issues result in the inability to fully control how multiple accounts are administered. Sometimes this results in server hacks. Also, cheap (as in hosting) does not necessarily mean bad and expensive does not necessarily mean good, though it has been my experience that you tend to get what you pay for. This http://www.webhostingtalk.com/ is a good site to do research on hosts. Another way to tell a reasonably good host is to find out what large sites (such as Joomla) are hosted on. There must be some good reasons why they were selected.


Addendum:
The beez template is a favorite place to stick hack files because that directory is a core directory and is likely always there. Now the thing is you need to find the extension or other insecurity that is allowing the hack to occur and to follow the security checklist 7 delete all files and replace with fresh ones. I posted my "before you post" checklist above which will give advice and links to everything needed to fix the site.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
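PhilD's owner/group explanation above and the permission line in the checklist (644 for files, 755 for directories, 444 for configuration.php, never 777) can be checked and applied with the following shell example. It is an added example, my own and not the FPA's or the Joomla project's code. It assumes a Linux host where you have shell access to the web root and a root path you supply; the paths in the usage comments are examples only.

```shell
#!/bin/sh
# Added example: audit and repair permissions and ownership under a Joomla
# web root using the checklist values (644 files, 755 directories, 444
# configuration.php, nothing world-writable). Not the FPA's or Joomla's own
# code; assumes a Linux host with find, chmod, ls and awk.

# list_world_writable ROOT
# Print every file or directory under ROOT that any account on the server can
# write to (the o+w bit, the dangerous part of 777/666). On shared hosting
# these are exactly the places another customer's compromised account could
# drop a file into.
list_world_writable() {
    find "$1" -perm -002 -print
}

# list_wrong_owner ROOT
# Print every path under ROOT not owned by the same user as ROOT itself. This
# is the same mismatch the FPA reports as differing owner/group: files owned
# by the web server user rather than your account are usually files a script
# wrote, not files you uploaded over FTP, so review each one.
list_wrong_owner() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    find "$1" ! -user "$owner" -print
}

# apply_checklist_perms ROOT
# Set 755 on directories and 644 on files, then 444 on configuration.php.
# Run this on the freshly rebuilt tree, after reviewing the two lists above.
apply_checklist_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
}

# check_config_readonly ROOT
# Return 0 only if ROOT/configuration.php exists with mode exactly 444.
check_config_readonly() {
    find "$1" -maxdepth 1 -name configuration.php -perm 444 | grep -q .
}

# Usage on a real site (paths are examples, not the project's):
#   list_world_writable /var/www/site    # expect no output
#   list_wrong_owner /var/www/site       # anything here was not written by you
#   apply_checklist_perms /var/www/site  # after the clean rebuild
#   check_config_readonly /var/www/site && echo "configuration.php is 444"
```

Review the two lists before running apply_checklist_perms: on a host where PHP runs as your own user (suexec/suPHP, as in the two articles PhilD links) nothing under the web root should be owned by anyone else, while on a host where PHP runs as a shared server user the directories Joomla must write to (cache, tmp, logs) may legitimately need group write, and that is a decision to make per host rather than one the script can take for you.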


PostPosted: Sun May 06, 2012 11:56 pm 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
Thank you both Phil and Webdongle for the help and tips.

Quote:
This http://www.webhostingtalk.com/ is a good site to do research on hosts on.


That's what I did when I chose my hosting.

Quote:
Another way to tell a reasonably good host is to find out what large sites (such as Joomla) are hosted on. There must be some good reasons why they were selected.


The hosting I chose is right among those (I can't post the name of the company, but it's positively reviewed by Joomla users. Furthermore, it is recommended to be used with Joomla).

Quote:
follow the security checklist 7 delete all files and replace with fresh ones


That's what I was going to do before finding the payload.

Quote:
Now the thing is you need to find the extension or other insecurity that is allowing the hack to occur


Not an easy job to figure out the reason for the hack.
Sorry to insist on this point, but with my latest information and with what I have reported above, what is the most likely cause of the hacking?
Malware from my pc, other hosted website contaminating mine, weak extension, weak template?

Thank you for your time and patience


PostPosted: Mon May 07, 2012 12:27 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
Can be from any one of those listed. Check all of the extensions used against the VEL, follow the checklist 7 I can't really be more specific without actually being on the site and even then, the actual root cause may not be known.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Mon May 07, 2012 12:59 am 
Joomla! Intern

Joined: Sat Sep 03, 2011 2:14 pm
Posts: 78
PhilD wrote:
Can be from any one of those listed. Check all of the extensions used against the VEL, follow the checklist 7 I can't really be more specific without actually being on the site and even then, the actual root cause may not be known.


Thank you for all the suggestions. One of the last questions... then I'll stop bothering you people... :)
I read the security checklist 7 and I'm going to follow it before restoring the website. Now I'm just doing some more research and reading more about security, and I found out that there is some vulnerability scanner software to check a website for vulnerabilities. Is that software useful to get an idea of which part of my Joomla site could be vulnerable, or is it useless?

Once I have restored the site, would the security extensions in the JED be somehow helpful in protecting the website?

