The Joomla! Forum ™



PostPosted: Wed May 23, 2012 7:26 am 
Joomla! Enthusiast

Joined: Wed Aug 17, 2011 5:23 am
Posts: 188
hosting company dotnet-host.com HACKED..

It is so unfortunate that probably the cheapest hosting company I found so far became the latest victim of hacking. All customers' websites were replaced with their logo, but the hackers actually just added files; in my account, no files have been deleted, which is good news. All users have to do is clean the 9 files that they added to every directory (as in every folder). Sounds like forever, so I developed a little script here that can clean the Joomla installation in less than a minute. Please read the script carefully; not all situations are alike.

Code:
<?php
class unhack
{
    public $filesToDelete = array();
    public $stat = array();

    // $stat uses the keys returned by the PHP stat() function
    // refer to http://us2.php.net/manual/en/function.stat.php
    public function __construct($filesToDelete = array(), $stat = array())
    {
        // assign arguments to properties
        if (is_array($filesToDelete) && !empty($filesToDelete)) {
            $this->filesToDelete = $filesToDelete;
        }
        if (is_array($stat) && !empty($stat)) {
            $this->stat = $stat;
        }
    }

    // method to clean the directory using the properties
    public function clean($dir)
    {
        // do nothing unless both the size and the mtime to match were supplied
        if (!isset($this->stat['size'], $this->stat['mtime'])) {
            return;
        }

        // display the directory name
        echo '<p>Directory name: ' . htmlspecialchars($dir) . '</p>';

        // get a listing of all files in the directory supplied in the function argument
        $allFiles = scandir($dir);
        if ($allFiles === false) {
            return; // directory could not be read
        }

        // go through all the entries in the array
        foreach ($allFiles as $entry) {
            // skip '.' and '..'
            if ($entry == '.' || $entry == '..') {
                continue;
            }
            $path = $dir . '/' . $entry;

            // is_dir() replaces the earlier "name contains no dot" test, which misread
            // a folder with a dot in its name as a file and a file without an
            // extension as a folder
            if (is_dir($path)) {
                // recurse into real subdirectories, but do not follow symlinks
                if (!is_link($path)) {
                    $this->clean($path);
                }
            } elseif (in_array($entry, $this->filesToDelete)) {
                // double check against the $stat values
                $statFile = stat($path);

                if ($statFile !== false
                    && $this->stat['size'] == $statFile['size']
                    && $this->stat['mtime'] == $statFile['mtime']) {
                    // to display the hacked files use echo,
                    // echo 'hacked ';

                    // to delete the hacked files use unlink
                    unlink($path);
                }
            }
        }
    }
}

// manually list the file names you need to delete
$filesToDelete = array('default.asp','default.cfm','default.htm','default.php','default.html','index.asp','index.cfm','index.htm','index.php');

// these are the stats of the hacker files; they could be different for each user, so do the needful:
// run the PHP stat function on one of the added files to verify that they are the same
$stat = array('size' => 5606, 'mtime' => 1335650153);

// instantiate the class
$un = new unhack($filesToDelete, $stat);

// call the clean up function
$un->clean(getcwd());
?>


WARNING: this is only tested on my single test site running Joomla 1.7 and Joomla 2.5.
Please do all the needful research before running this script because not all situations are alike; please contact me if you need help.

STEPS:
1.) Logon to the PANEL
panel.dotnet-host.com

2.) Create a backup of all files, databases, and everything (THIS STEP IS OF THE UTMOST IMPORTANCE)

3.) Create a new file like [unhack.php] on the root directory and paste the code above

4.) Open the php file using a browser, like: [yoursite.com/unhack.php]


PostPosted: Wed May 23, 2012 8:17 am 
Joomla! Master

Joined: Wed Aug 17, 2005 10:27 pm
Posts: 14709
Location: Kent, England
[Mod note: Moved from General Forum to Security Forum.] Follow the advice in the first few stickies on this forum.


PostPosted: Wed May 23, 2012 9:16 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11629
Location: The Girly Side of Joomla in Sussex
Normally we would remove all URLs in topic posts.
Several questions and comments:
1. Why did you not have a backup before this?
2. Why back up a hacked site to manually clean it?
3. The script (you should put the warning in 150px at the start of the topic) is likely to remove more than just the "hacked" files.
4. Why are you running a 1.7 site? It's out of date / end of life.
5. Have you read http://www.webhostingtalk.com/showthread.php?t=1150820?
6. Have you read the stickies in the security forum?

Now here is our method of resolving a hacked site:


[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the security Checklist 7 link below.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
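
A read-only pass over two points raised in this thread, the 644/755 permission rule and confirming which files were injected before anything is deleted, as an added example that is not part of any post above. The function names, the use of `sha256sum`, and comparing against one known injected sample file are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: nothing is changed or deleted.
# Usage (paths are placeholders):
#   audit_perms  /path/to/site
#   list_dropped /path/to/site /path/to/site/one-known-injected-file

# Print every entry under $1 whose mode is looser than the checklist allows:
# files beyond 644 and directories beyond 755 (777 is caught by both tests).
audit_perms() {
    find "$1" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
        -o -perm -0002 -o -perm -0001 \) -print | sed 's/^/FILE-LOOSE /'
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print |
        sed 's/^/DIR-LOOSE /'
}

# List files under $1 that are byte-identical to $2, a known injected sample.
# Size is compared first (cheap), then SHA-256, so a legitimate index.php that
# only shares the name or the size with the sample is never listed.
list_dropped() {
    root=$1
    sample=$2
    size=$(wc -c < "$sample" | tr -d ' ')
    want=$(sha256sum < "$sample" | cut -d' ' -f1)
    find "$root" -type f -size "${size}c" -print | while IFS= read -r f; do
        got=$(sha256sum < "$f" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            printf 'DROPPED %s\n' "$f"
        fi
    done
}
```

Review the `DROPPED` list by hand before deleting anything; file names containing newlines are not handled by the read loop.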

