After being hacked recently, I deleted everything and uploaded a backup. I was already running 2.5.8, and after the hack I also password-protected my admin directory. I had an index.html file acting as a holding page.
My .htaccess file had only an allow access to 403.shtml and a block of the previous IP range that had hacked the site last time.
I was hacked again and the hacker changed the index.html file... The logs show they accessed the following files:
/administrator/index.php 11/21/12 9:50 PM (multiple times in same minute)
//templates/beez/index.php 11/21/12 9:51 PM
//templates/rhuk_milkyway/index.php 11/21/12 9:51 PM
//templates/system/index.php 11/21/12 9:51 PM
//templates/beez/index.php 11/21/12 10:20 PM
//templates/rhuk_milkyway/index.php 11/21/12 10:20 PM
//templates/rhuk_milkyway/index.php 11/21/12 10:20 PM
//templates/system/index.php 11/21/12 10:20 PM
//?option=com_user&view=reset&layout=confirm 11/21/12 10:20 PM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4
//?option=com_user&task=confirmreset 11/21/12 10:20 PM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4
I must have missed this site when deleting unused templates. Several of my sites on the same VPS were hacked at the same time, so I had to repeat the steps for each one. I must have missed this one.
My admin dir is password protected... how did they gain access?
What are the final 2 URLs doing and why do only those show a User Agent entry?
How did they edit/replace my index.html if FTP is disabled?
FPA below:
Forum Post Assistant (v1.2.3) : 22nd November 2012
Problem Description :: Hacked even on 2.5.8 with pw protected admin dir
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (644) | Owner: c6ers (uid: 1/gid: 1) | Group: c6ers (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.18-274.7.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/c6ers/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 12M | Max. POST Size: 12M | Max. Input Time: 600 | Max. Execution Time: 300 | Memory Limit: 128M
MySQL Configuration :: Version: 5.1.65-cll (Client:5.1.65) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.23 MiB | #of Tables: 61
Detailed Environment ::
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | SimpleXML (0.1) | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi () | timezonedb () | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions ::
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: com_wrapper (2.5.0) | com_mailto (2.5.0) |
Components :: ADMIN :: com_categories (2.5.0) | com_checkin (2.5.0) | com_newsfeeds (2.5.0) | com_redirect (2.5.0) | com_menus (2.5.0) | com_cache (2.5.0) | com_users (2.5.0) | com_weblinks (2.5.0) | com_plugins (2.5.0) | com_installer (2.5.0) | com_media (2.5.0) | com_banners (2.5.0) | com_login (2.5.0) | com_templates (2.5.0) | com_admin (2.5.0) | com_search (2.5.0) | com_modules (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | com_languages (2.5.0) | com_content (2.5.0) | com_config (2.5.0) | com_joomlaupdate (2.5.0) | com_messages (2.5.0) |
Modules :: SITE :: S5 News Ticker (2.0.0) | mod_whosonline (2.5.0) | mod_related_items (2.5.0) | mod_breadcrumbs (2.5.0) | mod_articles_news (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_categories (2.5.0) | mod_wrapper (2.5.0) | mod_footer (2.5.0) | mod_login (2.5.0) | mod_banners (2.5.0) | mod_feed (2.5.0) | mod_menu (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_articles_popular (2.5.0) | mod_articles_category (2.5.0) | mod_finder (2.5.0) | mod_custom (2.5.0) | mod_random_image (2.5.0) | mod_syndicate (2.5.0) | mod_search (2.5.0) | mod_languages (2.5.0) | mod_articles_archive (2.5.0) | mod_stats (2.5.0) |
Modules :: ADMIN :: mod_version (2.5.0) | mod_submenu (2.5.0) | mod_latest (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_login (2.5.0) | mod_feed (2.5.0) | mod_status (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_custom (2.5.0) | mod_logged (2.5.0) |
Plugins :: SITE :: plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | plg_system_debug (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_cache (2.5.0) | plg_system_remember (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | plg_system_logout (2.5.0) | plg_system_sef (2.5.0) | plg_system_redirect (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_content (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_contacts (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_finder (2.5.0) | plg_content_joomla (2.5.0) | plg_content_geshi (2.5.0) | plg_content_loadmodule (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_categories (2.5.0) | plg_search_content (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_contacts (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) |
Templates Discovered ::
Templates :: SITE :: beez_20 (2.5.0) | atomic (2.5.0) | beez5 (2.5.0) | C6-ERS (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |
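The request sequence quoted in the post, turned into detection logic a site owner can run over their own access log. This is an added example, not the poster's code and not part of Joomla: it parses lines in the simplified layout the post pasted (path, date, time, optional user agent; that layout is an assumption, a real Apache combined log would need a different regex), flags bursts of requests to several different /templates/<name>/index.php files in the same minute, flags requests to the two com_user password-reset URLs, and reports a template burst that is followed shortly by a reset request. The log lines are the ones from the post plus one constructed ordinary page view; the time windows are tunable assumptions. The script only surfaces the pattern for review; whether those reset requests are how access was gained is the question the post asks, not something the script decides.

```python
"""Scan simplified access-log lines for template enumeration followed by
password-reset requests (added example, not from the forum post or Joomla)."""
import re
from datetime import datetime, timedelta

# Sample input: the request lines quoted in the post, plus one constructed
# benign page view so the scanner has something it should NOT flag.
SAMPLE_LOG = """\
/administrator/index.php 11/21/12 9:50 PM
//templates/beez/index.php 11/21/12 9:51 PM
//templates/rhuk_milkyway/index.php 11/21/12 9:51 PM
//templates/system/index.php 11/21/12 9:51 PM
//templates/beez/index.php 11/21/12 10:20 PM
//templates/rhuk_milkyway/index.php 11/21/12 10:20 PM
//templates/system/index.php 11/21/12 10:20 PM
//?option=com_user&view=reset&layout=confirm 11/21/12 10:20 PM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4
//?option=com_user&task=confirmreset 11/21/12 10:20 PM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4
/index.php?option=com_content&view=article&id=1 11/21/12 10:25 PM Mozilla/5.0 (constructed benign hit)
"""

# Assumed layout: "<path> <m/d/yy> <h:mm AM|PM> [<user agent>]"
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)(?:\s+(?P<ua>.*))?$"
)
# Direct hits on a template's index.php; a browser following site links never
# requests these, so several different ones in a row point at enumeration.
TEMPLATE_RE = re.compile(r"^/+templates/(?P<name>[^/]+)/index\.php$")
# The two Joomla password-reset URLs that appear in the post.
RESET_RE = re.compile(r"option=com_user&(?:view=reset|task=confirmreset)")


def parse_log(text):
    """Return (timestamp, path, user_agent) tuples; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M %p")
        entries.append((ts, m["path"], m["ua"] or ""))
    return entries


def missing_user_agent(entries):
    """Paths requested with no User-Agent at all; browsers always send one,
    so these are usually scripted requests."""
    return [path for _, path, ua in entries if not ua]


def template_probes(entries, window=timedelta(minutes=1), min_templates=3):
    """Return (start_time, [template names]) for each burst in which at least
    `min_templates` distinct template index.php files were hit within `window`."""
    hits = []
    for ts, path, _ in entries:
        m = TEMPLATE_RE.match(path)
        if m:
            hits.append((ts, m["name"]))
    bursts = []
    for i, (start, _) in enumerate(hits):
        names = {name for ts, name in hits[i:] if ts - start <= window}
        # Report each burst once: skip starts that fall inside the last reported window.
        if len(names) >= min_templates and (not bursts or start > bursts[-1][0] + window):
            bursts.append((start, sorted(names)))
    return bursts


def reset_requests(entries):
    """All requests to the com_user reset / confirmreset URLs."""
    return [(ts, path, ua) for ts, path, ua in entries if RESET_RE.search(path)]


def correlate(entries, gap=timedelta(minutes=10)):
    """Report template bursts followed within `gap` by a password-reset request:
    the ordering the post's log shows at 10:20 PM."""
    findings = []
    resets = reset_requests(entries)
    for start, names in template_probes(entries):
        followed = [path for ts, path, _ in resets if start <= ts <= start + gap]
        if followed:
            findings.append({"probe_at": start, "templates": names, "reset_paths": followed})
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(f"{len(missing_user_agent(log))} requests without a User-Agent")
    for start, names in template_probes(log):
        print(f"template enumeration at {start}: {', '.join(names)}")
    for f in correlate(log):
        print(f"probe burst at {f['probe_at']} followed by reset request(s): {f['reset_paths']}")
```

Point it at a real log by replacing SAMPLE_LOG and LINE_RE with your server's format; the three detectors are independent, so a quiet site can alert on any reset request at all, while a busy one will want the correlated finding only.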