Site was hacked, can't get rid of html file

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
SomeGuyFromCali
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 18, 2016 12:52 am

Site was hacked, can't get rid of html file

Postby SomeGuyFromCali » Mon Jul 18, 2016 12:58 am

One of my older sites got hacked recently. I believe the problem was simply that I left the permissions for the images folder open on accident.

They created an HTML file that loads when you go to the example URL
http://www.______.com/images/installs/c ... urale.html

I deleted the installs folder completely but the URL still loads when I go there. How do I completely remove the link to this page?


Also, how do I completely disable user registration? There were many new users in the user list that I did not create which I have now deleted.

User avatar
sozzled
Joomla! Guru
Joomla! Guru
Posts: 685
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: Site was hacked, can't get rid of html file

Postby sozzled » Mon Jul 18, 2016 1:11 am

When you're fighting these kinds of fires, it's always a good idea to learn from the professional firefighters:

1) Contain the blaze—stop it from spreading;

2) Rescue the victims

3) Put out the fire and fire-proof the environment so that it doesn't happen again. In other words, J! 2.5 is vulnerable and at risk from being attacked; better to migrate your site the latest version of J! 3.x instead of trying to "protect" it with outdated software.

SomeGuyFromCali wrote:One of my older sites got hacked recently. I believe the problem was simply that I left the permissions for the images folder open on accident.
The Forum Post Assistant will help you locate folders that have elevated privileges

SomeGuyFromCali wrote:I deleted the installs folder completely but the URL still loads when I go there. How do I completely remove the link to this page?
It is probable that the link was injected from another file on your site (very likely in the template default.php, but that's just a guess).

SomeGuyFromCali wrote:Also, how do I completely disable user registration? There were many new users in the user list that I did not create which I have now deleted.
See https://docs.joomla.org/Disabling_user_registration
@sozzled2904 - http://www.kuneze.com/blog
If you think I'm wrong then say "I think you're wrong." If you say "You're wrong!", how do you know?

SomeGuyFromCali
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 18, 2016 12:52 am

Re: Site was hacked, can't get rid of html file

Postby SomeGuyFromCali » Mon Jul 18, 2016 2:02 am

sozzled wrote:When you're fighting these kinds of fires, it's always a good idea to learn from the professional firefighters:

1) Contain the blaze—stop it from spreading;

2) Rescue the victims

3) Put out the fire and fire-proof the environment so that it doesn't happen again. In other words, J! 2.5 is vulnerable and at risk from being attacked; better to migrate your site the latest version of J! 3.x instead of trying to "protect" it with outdated software.

SomeGuyFromCali wrote:One of my older sites got hacked recently. I believe the problem was simply that I left the permissions for the images folder open on accident.
The Forum Post Assistant will help you locate folders that have elevated privileges

SomeGuyFromCali wrote:I deleted the installs folder completely but the URL still loads when I go there. How do I completely remove the link to this page?
It is probable that the link was injected from another file on your site (very likely in the template default.php, but that's just a guess).

SomeGuyFromCali wrote:Also, how do I completely disable user registration? There were many new users in the user list that I did not create which I have now deleted.
See https://docs.joomla.org/Disabling_user_registration


Thank you, I am going to assume they exploited the older version or an older plugin. I have taken the site offline and am manually moving all of the content over article at a time to be certain none of the compromised code get's moved over with it.


Return to “Security in Joomla! 2.5”

Who is online

Users browsing this forum: No registered users and 8 guests