Joomla Sites Hacked. All index.php and Default.php modified
Posted: Sat Jan 28, 2012 1:35 am
I am running WAMP server on Windows 2003
(Apache 2.058, PHP 5.2.8 and MySQL 5.1.36)
We are hosting Joomla, Contado and other CMS systems, all using PHP/MySQL
On the 16th our server was hacked. We restored, and now on the 27th it was hacked again
We have about 30 websites.
25 of them are Joomla sites from version 1.5.23-1.7
Customers are adding modules and plugins all the time and we have no control over this
What I found out is the following:
All Joomla sites running 1.5.23 up to 1.7 have had all index.php and Default.php files modified, and PHP code has been added to the bottom of all of these files.
The code causes the browser not to read the <jdoc:include ...> statement
Here are some examples:
[removed]
I have checked the Apache log files. No "POST" in the logs
I have checked FTP and there is nothing coming from there
MySQL is OK, not touched
I therefore think they must be using a vulnerability in Joomla or an extension
So here are some questions:
1. Does anyone agree with this?
2. How can I narrow down what's causing the problem?
3. Can anyone use a vulnerability in Joomla or an extension and manage to write to PHP files?
4. Can I make a counter script that deletes the PHP code from all index.php and default.php files?
I am just a little stuck on where to start looking
Any help would be much appreciated
Thanks in advance
Brann
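An added example relating to questions 2 and 4 (not part of the original post): because the appended code itself was removed from the page, this sketch does not match a signature but compares every index.php and Default.php against a known-clean copy, reports which files have extra bytes at the end, and restores them while keeping the altered file as evidence. The function names, the directory layout and the existence of a clean baseline tree (for example the restore made after the first incident) are assumptions.

```python
import shutil
import tempfile
from pathlib import Path

TARGETS = {"index.php", "default.php"}  # file names from the post, compared case-insensitively

def classify(current: bytes, clean: bytes) -> str:
    """Compare a live file with its known-clean copy."""
    if current == clean:
        return "clean"
    # Clean content followed by extra bytes: the pattern the post describes.
    if len(current) > len(clean) and current.startswith(clean.rstrip()):
        return "appended"
    return "modified"

def scan(webroot: Path, baseline: Path) -> dict:
    """Map each target file (path relative to webroot) to its status."""
    results = {}
    for live in webroot.rglob("*"):
        if not live.is_file() or live.name.lower() not in TARGETS:
            continue
        rel = live.relative_to(webroot)
        ref = baseline / rel
        if ref.is_file():
            results[rel.as_posix()] = classify(live.read_bytes(), ref.read_bytes())
        else:
            results[rel.as_posix()] = "no-baseline"  # e.g. a customer-installed template
    return results

def restore(webroot: Path, baseline: Path, rel: str, quarantine: Path) -> None:
    """Keep the altered file as evidence, then put the clean copy back."""
    dest = quarantine / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(webroot / rel, dest)
    shutil.copy2(baseline / rel, webroot / rel)

def demo() -> dict:
    """Constructed sample tree: one untouched file, one with a trailing block."""
    root = Path(tempfile.mkdtemp())
    web, base, quar = root / "web", root / "base", root / "quar"
    page = b'<html><jdoc:include type="component" /></html>\n'
    for top, extra in ((base, b""), (web, b"<?php /* constructed placeholder */ ?>\n")):
        (top / "templates" / "a").mkdir(parents=True)
        (top / "index.php").write_bytes(page)
        (top / "templates" / "a" / "Default.php").write_bytes(page + extra)
    before = scan(web, base)
    for rel in [r for r, s in before.items() if s == "appended"]:
        restore(web, base, rel, quar)
    return {"before": before, "after": scan(web, base)}
```

Files reported as `modified` or `no-baseline` are left untouched for manual review, and the modification times of the quarantined copies give a window for searching the web server logs.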