Site hacked - v2.5.8 w/ PW protected Admin dir

Discussion regarding Joomla! 2.5 security issues.

Faldinio
Joomla! Enthusiast
Posts: 112
Joined: Mon Mar 14, 2011 10:15 am
Location: UK

Post by Faldinio » Thu Nov 22, 2012 12:40 am

Hi,

After being hacked recently, I deleted everything and uploaded a backup. Already running 2.5.8 and after the hack I also password protected my admin directory. I had an index.html file acting as a holding page.
My .htaccess file had only an allow access to 403.shtml and a block of the previous IP range that had hacked the site last time.

I was hacked again and the hacker changed the index.html file... logs show they accessed the following files:

/administrator/index.php 11/21/12 9:50 PM (multiple times in same minute)
//templates/beez/index.php 11/21/12 9:51 PM
//templates/rhuk_milkyway/index.php 11/21/12 9:51 PM
//templates/system/index.php 11/21/12 9:51 PM
//templates/beez/index.php 11/21/12 10:20 PM
//templates/rhuk_milkyway/index.php 11/21/12 10:20 PM
//templates/rhuk_milkyway/index.php 11/21/12 10:20 PM
//templates/system/index.php 11/21/12 10:20 PM
//?option=com_user&view=reset&layout=confirm 11/21/12 10:20 PM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4
//?option=com_user&task=confirmreset 11/21/12 10:20 PM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4

I must have missed this site when deleting unused templates. Several of my sites on the same VPS were hacked at the same time so I had to repeat the steps for each one. I must have missed this one.

My admin dir is password protected...how did they gain access?
What are the final 2 URLs doing and why do only those show a User Agent entry?
How did they edit/replace my index.html if FTP is disabled?

FPA below:
Forum Post Assistant (v1.2.3) : 22nd November 2012
Problem Description :: Hacked even on 2.5.8 with pw protected admin dir
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (644) | Owner: c6ers (uid: 1/gid: 1) | Group: c6ers (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-274.7.1.el5 | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/c6ers/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 12M | Max. POST Size: 12M | Max. Input Time: 600 | Max. Execution Time: 300 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.65-cll (Client:5.1.65) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.23 MiB | #of Tables:  61
Detailed Environment ::
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mysql (1.0) | SimpleXML (0.1) | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi () | timezonedb () | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: com_wrapper (2.5.0) | com_mailto (2.5.0) |
Components :: ADMIN :: com_categories (2.5.0) | com_checkin (2.5.0) | com_newsfeeds (2.5.0) | com_redirect (2.5.0) | com_menus (2.5.0) | com_cache (2.5.0) | com_users (2.5.0) | com_weblinks (2.5.0) | com_plugins (2.5.0) | com_installer (2.5.0) | com_media (2.5.0) | com_banners (2.5.0) | com_login (2.5.0) | com_templates (2.5.0) | com_admin (2.5.0) | com_search (2.5.0) | com_modules (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | com_languages (2.5.0) | com_content (2.5.0) | com_config (2.5.0) | com_joomlaupdate (2.5.0) | com_messages (2.5.0) |

Modules :: SITE :: S5 News Ticker (2.0.0) | mod_whosonline (2.5.0) | mod_related_items (2.5.0) | mod_breadcrumbs (2.5.0) | mod_articles_news (2.5.0) | mod_articles_latest (2.5.0) | mod_articles_categories (2.5.0) | mod_wrapper (2.5.0) | mod_footer (2.5.0) | mod_login (2.5.0) | mod_banners (2.5.0) | mod_feed (2.5.0) | mod_menu (2.5.0) | mod_users_latest (2.5.0) | mod_weblinks (2.5.0) | mod_articles_popular (2.5.0) | mod_articles_category (2.5.0) | mod_finder (2.5.0) | mod_custom (2.5.0) | mod_random_image (2.5.0) | mod_syndicate (2.5.0) | mod_search (2.5.0) | mod_languages (2.5.0) | mod_articles_archive (2.5.0) | mod_stats (2.5.0) |
Modules :: ADMIN :: mod_version (2.5.0) | mod_submenu (2.5.0) | mod_latest (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) | mod_login (2.5.0) | mod_feed (2.5.0) | mod_status (2.5.0) | mod_menu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) | mod_custom (2.5.0) | mod_logged (2.5.0) |

Plugins :: SITE :: plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | plg_system_debug (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_cache (2.5.0) | plg_system_remember (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | plg_system_logout (2.5.0) | plg_system_sef (2.5.0) | plg_system_redirect (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_content (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_contacts (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_finder (2.5.0) | plg_content_joomla (2.5.0) | plg_content_geshi (2.5.0) | plg_content_loadmodule (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_categories (2.5.0) | plg_search_content (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_contacts (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) |
Templates Discovered ::
Templates :: SITE :: beez_20 (2.5.0) | atomic (2.5.0) | beez5 (2.5.0) | C6-ERS (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |
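The log extract above is the main evidence available, and two of the questions it raises (what the com_user requests did, and whether the password-protected admin directory held) can only be answered from the raw access log, which records the status code the server returned for every request. The script below is an added example, not part of the original post: it parses Apache combined-format lines, flags the patterns visible in the extract (com_user reset/confirmreset requests, direct hits on templates/*/index.php, paths beginning with a doubled slash) plus bursts of /administrator/index.php hits from one address inside a minute, and reports the status each flagged request got. The embedded log lines are constructed from the paths in the post; the addresses, timestamps, sizes and status codes are invented, and the burst threshold of three hits per minute is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample in Apache "combined" log format. The request paths are
# the ones listed in the post; addresses, timestamps, status codes and sizes
# are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2012:21:50:12 +0000] "GET /administrator/index.php HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - - [21/Nov/2012:21:50:14 +0000] "GET /administrator/index.php HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - - [21/Nov/2012:21:50:19 +0000] "GET /administrator/index.php HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - - [21/Nov/2012:21:51:02 +0000] "GET //templates/beez/index.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [21/Nov/2012:21:51:03 +0000] "GET //templates/rhuk_milkyway/index.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [21/Nov/2012:21:51:03 +0000] "GET //templates/system/index.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [21/Nov/2012:22:20:41 +0000] "GET //?option=com_user&view=reset&layout=confirm HTTP/1.1" 404 4120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4"
203.0.113.7 - - [21/Nov/2012:22:20:43 +0000] "POST //?option=com_user&task=confirmreset HTTP/1.1" 404 4120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/2008111317 Firefox/3.0.4"
198.51.100.9 - - [21/Nov/2012:22:21:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

ADMIN_BURST_THRESHOLD = 3  # hits per source IP per minute; arbitrary choice for the example


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse.

    The path is kept exactly as requested (no slash normalisation) so that the
    doubled leading slash seen in the post survives as an indicator."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec.pop("target").partition("?")
    rec["path"] = path
    rec["query"] = parse_qs(query)
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"].split(" ")[0].rsplit(":", 1)[0]  # e.g. 21/Nov/2012:21:50
    return rec


def classify(rec):
    """Tag a parsed request with the indicator patterns taken from the post."""
    tags = []
    q = rec["query"]
    if q.get("option") == ["com_user"] and (
        "confirmreset" in q.get("task", []) or "reset" in q.get("view", [])
    ):
        tags.append("com_user_reset")
    if re.fullmatch(r"/+templates/[^/]+/index\.php", rec["path"]):
        tags.append("template_index_probe")
    if rec["path"].startswith("//"):
        tags.append("double_slash_path")
    return tags


def triage(log_text):
    """Return (findings, per_ip, admin_bursts) for a block of log text.

    findings: flagged requests, each with the status the server returned.
    per_ip: the same findings grouped by source address.
    admin_bursts: {(ip, minute): count} where /administrator/index.php was hit
    at least ADMIN_BURST_THRESHOLD times within one minute."""
    findings, per_ip = [], defaultdict(list)
    admin_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if re.fullmatch(r"/+administrator/index\.php", rec["path"]):
            admin_hits[(rec["ip"], rec["minute"])] += 1
        tags = classify(rec)
        if tags:
            finding = {
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "path": rec["path"], "query": rec["query"], "status": rec["status"],
                "served": rec["status"] < 400,  # answered, as opposed to refused with 4xx/5xx
                "ua": rec["ua"], "tags": tags,
            }
            findings.append(finding)
            per_ip[rec["ip"]].append(finding)
    bursts = {k: n for k, n in admin_hits.items() if n >= ADMIN_BURST_THRESHOLD}
    return findings, dict(per_ip), bursts


if __name__ == "__main__":
    found, by_ip, bursts = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["method"], f["path"], f["status"], ",".join(f["tags"]))
    for (ip, minute), n in bursts.items():
        print(f"{n} admin login hits from {ip} in minute {minute}")
```

Run it over the real file with `triage(open(path).read())`. The status column is what Webdongle later asks for: a 4xx against the com_user requests is consistent with them being a failed attempt on a 2.5 site, while a 401 on every /administrator/index.php hit shows the directory password was never passed. Note what the log cannot show: none of these lines explains how the attacker gained write access to index.html, so a triage that flags only failed requests does not clear the site.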

Webdongle
Joomla! Master
Posts: 44067
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Thu Nov 22, 2012 2:13 am

Faldinio wrote:...
After being hacked recently, I deleted everything and uploaded a backup. Already running 2.5.8 and after the hack I also password protected my admin directory. I had an index.html file acting as a holding page....
Your backup may have contained compromised files. (Often the site is hacked months before the hack is activated.)
Your computer may have a Trojan.

Please see http://forum.joomla.org/viewtopic.php?f=621&t=582854 for other actions (that you have not mentioned) to take.


Addendum
What is the URL?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Post by Faldinio » Thu Nov 22, 2012 8:15 am

Site was uploaded on 15/11, hacked the first time on 18/11, so the backup was basically the first, clean install.
I ran malwarebytes, tdskiller, avira and hitman pro on my PC the same day I was hacked (the first time) and found nothing.
I never use anonymous FTP.
Only 1 third party extension used, from a paid source and not on the vulnerable extensions list.

URL: http://www.c6ers .co.uk
Last edited by mandville on Thu Nov 22, 2012 8:28 am, edited 1 time in total.
Reason: broke links for security reasons,

Post by Webdongle » Thu Nov 22, 2012 1:28 pm

Faldinio wrote:Site was uploaded on 15/11 hacked the first time on 18/11, so the backup was basically the first, clean install.....
Translation for USA users 15/11 = 15th November and 18/11 = 18th November

A backup is not a clean install. Where was the site created? Was it originally on another server? Is there anything else on the server?

Have you checked the server logs to see if anything stands out?

Has anyone else got edit/upload etc. rights to the site?

Post by Faldinio » Thu Nov 22, 2012 1:38 pm

It was on my local machine, had never been on any other server. My machine is clean as per previous posts. When the site was hacked I deleted everything and uploaded the site again from my local machine.

Nobody else has FTP/cpanel/CMS access.
The only logs I see that stand out are on the posts above. I'm not sure what accessing "www.mysite.co.uk//?option=com_user&view ... ut=confirm" or "www.mysite.co.uk/?option=com_user&task=confirmreset" does to the site, but it was the last thing that was done by the hacker. The strange thing is on the second hack, they didn't change the admin username/password either. And yes, I did change all passwords after the first hack.

Post by Webdongle » Thu Nov 22, 2012 2:00 pm

And the other sites (that you created) which are on the same IP address are unaffected?

Post by Faldinio » Thu Nov 22, 2012 2:08 pm

Yes. I have around half a dozen on the same VPS. After 4 got hacked, I took steps to protect them after rolling them back to a good backup. The only thing I did different with this one was forget to delete the unused pre-installed templates. The logs show the hacker accessing the pre-installed templates, but then I have no idea how they swapped my index.html for a different one. I had an index.html acting as a pseudo holding page as the site is still being developed. They changed it. I know you can edit the index.php of the template via admin backend but I wasn't aware you could edit other files in public_html via Joomla.

Post by Webdongle » Thu Nov 22, 2012 4:10 pm

Faldinio wrote:Yes. I have around half a dozen on the same VPS. After 4 got hacked, I took steps to protect them after rolling them back to a good backup. ...
As stated before in this thread (and by PhilD in other threads) a hack can be present months before it is noticed. Therefore using backups can just put the hack back on the server.

Faldinio wrote:... The only thing I did different with this one was forget to delete the unused pre-installed templates. The logs show the hacker accessing the pre-installed templates, but then I have no idea how they swapped my index.html for a different one...
The question is: did the hacker gain access through those Templates, or alter them after gaining access?

Methinks the files were altered after the hacker gained access. Once access is gained then any file can be altered. A hacker has the same control over the files as you have.

You say the pre-installed templates are unused ... therefore you are using 3rd party extensions. Templates are extensions but you won't find them in the VEL because the VEL only lists vulnerable extensions that had been listed in the Joomla extension directory.

Where did you download the Templates from? There are some well known Template sites that are renowned for supplying hacked Templates.

Post by Faldinio » Mon Nov 26, 2012 12:06 pm

The templates I am talking about are the ones that come pre-installed with Joomla. Beez5, Beez20 and Atomic.

Post by Webdongle » Mon Nov 26, 2012 12:29 pm

But you said you deleted those pre-installed Templates. If you deleted those, how do you view your site unless you downloaded and installed a 3rd party Template?

The FPA says you have a 'C6-ERS' Template ... where did you download that from?

Post by Faldinio » Mon Nov 26, 2012 12:32 pm

I create my own templates.

Post by Webdongle » Mon Nov 26, 2012 12:59 pm

From scratch or by modifying an existing Template?

Post by Faldinio » Mon Nov 26, 2012 1:02 pm

I create individual templates from scratch.

Post by Webdongle » Mon Nov 26, 2012 1:23 pm

Including the one for your site and all the JavaScript?
What about images? Where do you get those from?

Post by Faldinio » Mon Nov 26, 2012 1:30 pm

My own site isn't built on Joomla.
The images are usually stock images from reputable websites such as iStock Photo. I normally write any JavaScript myself, and in cases where I don't, I get code from reputable sources and I know exactly what the scripts do.

SusanLooms45
Joomla! Apprentice
Posts: 5
Joined: Tue Nov 20, 2012 2:35 pm
Location: Harrow, London

Post by SusanLooms45 » Mon Nov 26, 2012 1:52 pm

I was just going to move over to Joomla as I thought it would be less vulnerable than WP. What happened to Faldinio is now scaring me.

Post by Webdongle » Mon Nov 26, 2012 2:58 pm

Been doing some research. The code in your logs was used to hack sites prior to 1.5.6 ... several years ago. It worked independently of the default site Template. Unless you have (or had) an old hacked 1.5 site, then that was a failed hack attempt. What were the header codes returned for it?

If you want to PM me the site logs then I can have a look.

Post by Faldinio » Mon Nov 26, 2012 3:11 pm

I have never used 1.5.x
I started using Joomla at 1.7 and moved to 2.5 shortly after it was released. I have never had a published site on anything less than 2.5.x

Gah... I think I may have deleted the raw logs when I purged everything from the server after the 2nd hack.

Post by Webdongle » Mon Nov 26, 2012 4:28 pm

Faldinio wrote:I have never used 1.5.x
....
Then that access record was just a failed attempt ... script kiddies will try various hacks on a site to see if any work. Once on your site they can edit, delete or add any file they like. Finding the point of entry of the original hack will be difficult without the site logs. It will also be difficult to tell how long the hack was on the site before the hacker activated it. The hacker who hacked your site is very busy ... there are a lot of sites (including yours) that he posted on a hackers' wall of fame.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Post by mandville » Mon Nov 26, 2012 4:32 pm

Faldinio wrote:My .htaccess file had only an allow access to 403.shtml and a block of the previous IP range that had hacked the site last time.
so you weren't using the default hta?
Faldinio wrote:I started using Joomla at 1.7 and moved to 2.5 shortly after it was released. I have never had a published site on anything less than 2.5.x
Where was your 1.7 placed then? What version was it when you went to 2.5?
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by Faldinio » Mon Nov 26, 2012 4:40 pm

No, I was using my own .htaccess.
I never used 1.7 on any live site, I played with it locally whilst learning Joomla and binned it when 2.5 came out. I started on 2.5.1 but the site in this post was always on 2.5.8.

Post by Webdongle » Mon Nov 26, 2012 4:53 pm

Faldinio wrote:No I was using my own .htaccess
...
The Joomla htaccess is designed to prevent many common exploits that some servers are vulnerable to.

But even if the htaccess was the hole ... your backups may still contain a hacked file.

