The Joomla! Forum ™



Posted: Sat Aug 11, 2012 1:24 am
Joomla! Guru

Joined: Sun Feb 14, 2010 9:12 pm
Posts: 579
Hello,
A couple months ago I was hacked. First time they just replaced my index page, second time they removed every single file off my server. Finally got things up and running again.

Yesterday I saw a warning msg on my website: warning: the website you are visiting appears to contain malware -- etc etc.

So I went to the Google Webmaster Tools and it really IS all Greek. I did a few things that I could understand, but then I sent a RE-review of my site to Google. Of course I don't expect to hear from them.

So how do I get rid of the message? I DID find a mention of a specific LINK on my site that may contain the malware. So I decided to go into the ADMIN and remove that specific article. Problem is, can't even get into my admin because of the warning. I can click on "ignore the warning" and continue, but it only brings me back to the login page. SO I have absolutely no way of getting into my admin to try and find the file to which they are referring.

Any suggestions as to how I can get into my admin? Or how I can locate the article? Where are the articles kept in Joomla if I were to go on my server?

Sure at a loss as to how to handle this situation. Meanwhile, my site is just down.

Thanks for any suggestions or help. Oh, and I've googled the warning trying to find other people who have gotten rid of it, but I'm not finding anything. So I decided to come to the Joomla forum. Didn't want to bug anyone until I'd at least done a little research on my own.


Posted: Sat Aug 11, 2012 3:35 pm
Joomla! Intern

Joined: Wed Jan 03, 2007 3:16 am
Posts: 74
Location: Boston, MA USA
You are probably going to have to start your site over. My guess is you don't have backups? And if you do they don't go back the two months to before you were hacked? You need to get into your cPanel and access the database with PHPMyAdmin. You can change the password by following these instructions:

http://docs.joomla.org/How_you_reset_an ... assword%3F

The only thing I would feel safe recovering is the text from articles and the images. Other than that it will probably take as much time to start over as to repair.

_________________
Joomla! Day Boston 2014 | http://www.joomladayboston.com | March ??, 2014
Next Generation Solutions | http://www.nxgnsol.com


Posted: Sat Aug 11, 2012 9:55 pm
Joomla! Guru

Joined: Sun Feb 14, 2010 9:12 pm
Posts: 579
No, I DO have backups. I backup quite often in fact. I even download the entire site to my computer (when it's in good working order). I back up on my server with my host and I then download that back up to my computer from the server.

Okay, so something I don't understand. You say to go to my php to change the password. I was able to get on the ADMIN again because I deleted all the HTACCESS files that supposedly were causing the problem -- I don't understand why because it was Lunar Pages that put those on there to help prevent the hack attacks. But then I got the WARNING for malware from Google and when I researched it, everything pointed to the htaccess files. Hmmmm . . .

Okay, so back to the password. When I was able to get into the admin online, I changed the password. But if it happens again, you're saying I can go to my cPanel on my host and change the password through PHPmyadmin??

Another question: You say the only safe thing recovering is text from articles and images. How would I recover those? Where are they located on the server? Is it all within the database? I have browsed and browsed and googled and googled trying to find where the articles in Joomla are actually kept. I've not come up with a definitive answer as to how I would retrieve the articles and images (well, the images are pretty easy as they are in a folder on the server -- I can see those). But where are the articles? If I could retrieve those, I think I'd just replace the entire site, maybe even with the newest version of Joomla, because even though I've updated my old version to 1.5.26, it no longer HAS any security updates. So I'm stuck with what I have unless I update to 2.6 (I think is the latest version?).

Thanks for any suggestions! I appreciate your help!


Posted: Sat Aug 11, 2012 10:31 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11634
Location: The Girly Side of Joomla in Sussex
ok - let's try and make some sense of this
Quote:
A couple months ago I was hacked. First time they just replaced my index page, second time they removed every single file off my server. Finally got things up and running again.
but what did you do to recover the site. if you only replaced the index files then you didn't cure the hack.
Quote:
Any suggestions as to how I can get into my admin? Or how I can locate the article? Where are the articles kept in Joomla if I were to go on my server?
articles are kept in the database, or mysql or phpmyadmin.
Quote:
I deleted all the HTACCESS files that supposedly were causing the problem
that is normally a different type of attack. viewtopic.php?f=621&t=707099

Quote:
PHPmyadmin
or called mysql, you can access the article directly, edit or just delete it.

Quote:
Where are they located on the server? Is it all within the database?
articles are in the database, images are normally in the folder structure

go through this and concentrate on checklist 7 safe route to recovery


[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the security Checklist 7 link below.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
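
The permission and .htaccess items of the checklist above can be checked from a shell on the host. This is an added example, not part of the thread or of Joomla's own tooling; it assumes a POSIX shell and a stock `htaccess.txt` taken from a freshly downloaded Joomla package, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checklist checks for modes and .htaccess.

# Report modes that differ from the checklist: 755 for directories, 644 for
# files, 444 also accepted for the root configuration.php. World-writable
# entries (which covers 777) are flagged separately.
audit_perms() {
  ap_root=${1%/}
  find "$ap_root" -type d ! -perm 755 | sed 's/^/DIR-MODE /'
  find "$ap_root" -type f ! -perm 644 \
    ! \( -path "$ap_root/configuration.php" -perm 444 \) | sed 's/^/FILE-MODE /'
  find "$ap_root" \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD-WRITABLE /'
}

# List .htaccess files below the site root so each one can be reviewed.
stray_htaccess() {
  sh_root=${1%/}
  find "$sh_root" -type f -name .htaccess ! -path "$sh_root/.htaccess"
}

# Print directives in the live .htaccess ($1) that the stock htaccess.txt ($2)
# does not contain; comments and blank lines are ignored, CRs stripped.
htaccess_extra_lines() {
  awk '{ sub(/\r$/, "") }
       FILENAME == ARGV[1] { stock[$0] = 1; next }
       !/^[ \t]*(#|$)/ && !($0 in stock)' "$2" "$1"
}

# Constructed sample tree (hypothetical, not the poster's site) to try the checks on.
make_sample() {
  ms=$(mktemp -d) || return 1
  mkdir -p "$ms/site/images" "$ms/site/tmp"
  printf '# stock\nRewriteEngine On\n' > "$ms/htaccess.txt"
  printf '# stock\nRewriteEngine On\nRedirect 302 / http://example.invalid/\n' \
    > "$ms/site/.htaccess"
  : > "$ms/site/configuration.php"; : > "$ms/site/images/.htaccess"
  chmod 755 "$ms/site" "$ms/site/images"; chmod 777 "$ms/site/tmp"
  chmod 644 "$ms/site/.htaccess"; chmod 444 "$ms/site/configuration.php"
  chmod 666 "$ms/site/images/.htaccess"
  echo "$ms"
}

# Usage: sh audit.sh /path/to/site /path/to/fresh/htaccess.txt
if [ "$#" -eq 2 ]; then
  audit_perms "$1"; stray_htaccess "$1"
  if [ -f "$1/.htaccess" ]; then htaccess_extra_lines "$1/.htaccess" "$2"; fi
fi
```

Every line of output is something to review by hand, not proof of compromise: a host may legitimately add its own directives or extra .htaccess files.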


Posted: Sun Aug 12, 2012 1:31 am
Joomla! Guru

Joined: Sun Feb 14, 2010 9:12 pm
Posts: 579
Quote:
but what did you do to recover the site. if you only replaced the index files then you didn't cure the hack.


First time I just replaced the index file. Second time, because they removed every last folder on the server, I just reuploaded the files and changed all the passwords.

Quote:
articles are kept in the database, or mysql or phpmyadmin.


Really? But are they in a format that is readable by the "amateur" eye SMILE ?? I've been on my phpMyAdmin, but didn't see anything that looked familiar like an article.

Code:
that is normally a different type of attack. viewtopic.php?f=621&t=707099

Okay, I'm going to look at this too, because after everything was uploaded and running smoothly again, then is when the Malware Warning was put on my site. That is when I couldn't get back in the admin. That is when I deleted the htaccess file because all the Google webmaster tools were pointing to one (1) article AND the htaccess files. Because I couldn't get to the article, I decided to delete the htaccess files.

Another question -- I know, I have too many for one post -- is there a reason for an htaccess file? Lunar Pages put it on my site for security reasons. Doesn't that file weaken the security because a hacker can just upload an htaccess file to override mine? So what is the point of the htaccess files?

I'm confused. You said that I can access the article directly through PHPmyadmin, or mysql, then your next quote said articles are in the database. So the articles are on the phpmyadmin within the database? and they will be easily located? I'll take a look again. I didn't see anything that looked like articles.

Thank you for all the detailed information. I will go through the check list and see how I do. Thank you again.


Posted: Sun Aug 12, 2012 4:23 am
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
Phpmyadmin is the graphical interface for working with databases.
If you do not understand what it is or how to use it, then please do not mess around with it as you can do serious damage to the database.

Backups are not how to recover a site from hacks as you have seen. You need to follow what mandville posted and follow checklist 7

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Mon Aug 13, 2012 5:04 am
Joomla! Guru

Joined: Sun Feb 14, 2010 9:12 pm
Posts: 579
I created the databases in my phpMyAdmin, and understand a little about databases; however I try NOT to mess around with them intentionally! SMILE The reason I used the backup for recovering the site was because Lunar Pages had me do that. I had a backup that was BEFORE the hack, and they were moving files from one server to the other and didn't even have as many of my files as I did. So I was following as per their instructions.

I have been on the Google Webmaster tools and have located a couple files in question, and deleted them. There were some issues with the htaccess files. I've yet to figure out what, because Lunar Pages put those on my Joomla websites, but from what Google is saying, the htaccess files were hacked! I removed all of those temporarily.

I don't really know what the purpose is for an htaccess file. It was supposedly supposed to help prevent malware and hacks, but obviously, it failed! :-[ So for now, they've been removed.

I've requested a new scan from Google, as per their instructions, but so far I've heard nothing from them.

I am definitely going to go through the checklist. That is a great list and extremely helpful in outlining some things I need to do.

Thank you again!!

