Help Finding Hacker's Back Door

Discussion regarding Joomla! 2.5 security issues.

Aderrick
Joomla! Fledgling
Posts: 3
Joined: Tue Nov 04, 2014 6:18 pm

Help Finding Hacker's Back Door

Post by Aderrick » Tue Nov 04, 2014 6:33 pm

I am running Joomla version 2.5. I was originally hacked during the first half of 2013 when I had a very weak user/password. There was a "cleaning" in December of 2013 with the informal help of my host, Rachen at the time. I believe that the original vulnerability was never fully removed because I continue to have my site hacked from time to time even though I keep on top of updates and password security. My current exploitation is little more than an intruder repeatedly leaving a .gif in my image folder following several attempts to find and remove what appears to be the hacker's back door. The file name of the image is zxcvbnm.gif. The image is of some text which reads "hacked by removed". I did notice that after the last intrusion (today 11/4/14 at 5:51am), visitor logs in cPanel were cleaned/gone prior to 6:05am. This is not something I did. Naturally I was looking for a trail. Any help finding the hacker's way in would be appreciated. :)
Problem Description :: Forum Post Assistant (v1.2.4) : 4th November 2014 wrote:
Help Finding Hacker's Back Door
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 4th November 2014 wrote:
[04-Nov-2014 09:29:51 America/Chicago] PHP Fatal error: require_once() [<a href='function.require'>function.require</a>]: Failed opening required '/home/skvxmezg/public_html/includes/defines.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/skvxmezg/public_html/index.php on line 18
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 4th November 2014 wrote:
Revised and strengthened cPanel passwords and Joomla password/username.
Scanned ftp machine for malware.
Visually inspected folder permissions.
Checked for cron jobs.
Disabled anonymous ftp.
Forum Post Assistant (v1.2.4) : 4th November 2014 wrote:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.27-Stable (Ember) 30-September-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (640) | Owner: skvxmezg (uid: 1/gid: 1) | Group: skvxmezg (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-458.6.2.lve1.2.28.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/skvxmezg/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 04th November 2014 09:29:51. | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.6.17 (Client:5.6.17) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 72.10 MiB | #of Tables: 81
Detailed Environment ::
PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.28) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | suhosin (0.9.33) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | timezonedb (2013.8) | imagick (3.0.1) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: com_wrapper (2.5.0) | com_mailto (2.5.0) | WF_FONTSIZESELECT_TITLE (2.4.3) | WF_SEARCHREPLACE_TITLE (2.4.3) | WF_XHTMLXTRAS_TITLE (2.4.3) | WF_DIRECTIONALITY_TITLE (2.4.3) | WF_SPELLCHECKER_TITLE (2.4.3) | WF_STYLESELECT_TITLE (2.4.3) | WF_MEDIA_TITLE (2.4.3) | WF_PRINT_TITLE (2.4.3) | WF_VISUALCHARS_TITLE (2.4.3) | WF_FORMATSELECT_TITLE (2.4.3) | WF_CONTEXTMENU_TITLE (2.4.3) | WF_CLIPBOARD_TITLE (2.4.3) | WF_FONTCOLOR_TITLE (2.4.3) | WF_ARTICLE_TITLE (2.4.3) | WF_PREVIEW_TITLE (2.4.3) | WF_ANCHOR_TITLE (2.4.3) | WF_CHARMAP_TITLE (2.4.3) | WF_INLINEPOPUPS_TITLE (2.4.3) | WF_NONBREAKING_TITLE (2.4.3) | WF_LISTS_TITLE (2.4.3) | WF_TABLE_TITLE (2.4.3) | WF_FONTSELECT_TITLE (2.4.3) | WF_CLEANUP_TITLE (2.4.3) | WF_IMGMANAGER_TITLE (2.4.3) | WF_TEXTCASE_TITLE (2.4.3) | WF_STYLE_TITLE (2.4.3) | WF_VISUALBLOCKS_TITLE (2.4.3) | WF_FULLSCREEN_TITLE (2.4.3) | WF_KITCHENSINK_TITLE (2.4.3) | WF_AUTOSAVE_TITLE (2.4.3) | WF_SOURCE_TITLE (2.4.3) | WF_BROWSER_TITLE (2.4.3) | WF_LINK_TITLE (2.4.3) | WF_LAYER_TITLE (2.4.3) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.3) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.3) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.4.3) | WF_LINK_SEARCH_TITLE (2.4.3) | WF_AGGREGATOR_VINE_TITLE (2.4.3) | WF_AGGREGATOR_VIMEO_TITLE (2.4.3) | WF_AGGREGATOR_[youtube]_TITLE (2.4.3) | WF_POPUPS_WINDOW_TITLE (2.4.3) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.3) |
Components :: ADMIN :: com_content (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | Akeeba (4.0.5) | com_weblinks (2.5.0) | RSForm! (1.4.0 R45) | RokSprocket (2.1.2) | com_banners (2.5.0) | com_redirect (2.5.0) | com_checkin (2.5.0) | com_config (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | RokCandy (2.0.1) | com_modules (2.5.0) | JW_DISQUS (3.2) | com_menus (2.5.0) | com_installer (2.5.0) | com_newsfeeds (2.5.0) | com_languages (2.5.0) | com_finder (2.5.0) | Admintools (2.6.0) | com_search (2.5.0) | com_joomlaupdate (2.5.0) | com_users (2.5.0) | com_media (2.5.0) | com_advancedmodules (4.17.0FREE) | com_admin (2.5.0) | JCE (2.4.3) | Unknown (-) | com_xmap (2.3.2) | Gantry (4.1.26) | com_plugins (2.5.0) | com_cpanel (2.5.0) | com_login (2.5.0) |

Modules :: SITE :: mod_wrapper (2.5.0) | Art Sexy Lightbox (2.0.70) | mod_articles_news (2.5.0) | mod_articles_latest (2.5.0) | mod_stats (2.5.0) | RokNavMenu (2.0.7) | mod_weblinks (2.5.0) | mod_languages (2.5.0) | mod_footer (2.5.0) | mod_articles_popular (2.5.0) | mod_articles_categories (2.5.0) | mod_whosonline (2.5.0) | mod_feed (2.5.0) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | RokSprocket Module (2.1.2) | mod_finder (2.5.0) | mod_users_latest (2.5.0) | mod_menu (2.5.0) | mod_syndicate (2.5.0) | RokTwittie (1.8) | mod_random_image (2.5.0) | mod_breadcrumbs (2.5.0) | RokAjaxSearch (2.0.3) | mod_banners (2.5.0) | mod_related_items (2.5.0) | mod_login (2.5.0) | mod_search (2.5.0) | mod_articles_archive (2.5.0) | RSForm! Pro Module (1.4.0) | Art Sexy Lightbox HTML (1.0.1) |
Modules :: ADMIN :: mod_version (2.5.0) | mod_latest (2.5.0) | mod_feed (2.5.0) | mod_status (2.5.0) | mod_custom (2.5.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_menu (2.5.0) | mod_toolbar (2.5.0) | mod_logged (2.5.0) | mod_quickicon (2.5.0) | mod_popular (2.5.0) | mod_login (2.5.0) | mod_submenu (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | Content - RokSocialButtons (1.5.2) | plg_content_pagenavigation (2.5.0) | plg_content_finder (2.5.0) | DISQUS Comments for Joomla! (b (3.2) | plg_content_pagebreak (2.5.0) | plg_content_emailcloak (2.5.0) | Content - RSForm! Pro (1.4.0) | Art Sexy Lightbox (2.0.69) | plg_content_loadmodule (2.5.0) | Content - RokInjectModule (1.6) | plg_content_joomla (2.5.0) | plg_content_vote (2.5.0) | plg_content_geshi (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_article (2.5.0) | Button - RokCandy (2.0.1) | plg_editors-xtd_image (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | plg_editors_jce (2.4.3) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | System - Admin Tools Update Em (1.0) | System - Admin Tools (2.6.0) | System - Admin Tools Joomla! U (1.0) | System - RokExtender (2.0.0) | System - RSForm! Pro Constant (1.4.0) | PLG_SYS_MOOTABLE (1.0.8) | PLG_SYSTEM_ADVANCEDMODULES (4.17.0FREE) | System - DISQUS Comments for J (3.2) | System - RokCommon (3.1.11) | plg_system_remember (2.5.0) | plg_system_redirect (2.5.0) | System - One Click Action (2.1) | plg_system_highlight (2.5.0) | plg_system_cache (2.5.0) | System - RokBooster (1.1.13) | plg_system_sef (2.5.0) | System - RokCandy (2.0.1) | PLG_SYSTEM_NNFRAMEWORK (14.10.3) | PLG_SYSTEM_AKGEOIP (1.0.1) | System - RokSprocket (2.1.2) | plg_system_p3p (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_debug (2.5.0) | plg_system_log (2.5.0) | plg_system_languagefilter (2.5.0) | System - Gantry (4.1.26) | plg_system_logout (2.5.0) | Xmap - Content Plugin (2.0.4) | Xmap - WebLinks Plugin (2.0.1) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.4.3) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_extension_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) |
Templates Discovered ::
Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | rt_kirigami (1.5) | atomic (2.5.0) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |

sitesrus
Joomla! Ace
Posts: 1469
Joined: Mon Nov 12, 2012 10:48 pm

Re: Help Finding Hacker's Back Door

Post by sitesrus » Tue Nov 04, 2014 9:04 pm

1) Always use SSL
2) Use Cloudflare's free service, put it between your site and clients and it will resolve your DNS
3) Use very strong passwords (number, letter, wild characters, at least length 8+) and something like Password Gorilla on your home PC to store for retrieval (for all accounts, cPanel and Joomla)
4) Possibly invest in security extensions in the JED like
5) Deny access to Joomla administration area using .htaccess and restrict to your IP(s) that you access from, and make sure anything like phpMyAdmin is set up the same if this is public facing
6) Change usernames on cPanel and Joomla to something more than admin or root
7) Disable super user from front end site access/login using ACL; if you want to test something have a separate dummy account with less privileges for that
8) Use vulnerability scanners (even free ones or trial periods) to once over your site and see what type of exploitations there are. You can do both website and network level scanning (and even set up server side scripts to give feedback to the scanner) and get a very informative and exhaustive output of your setup
9) Add a .htaccess to your images folder with this in it "php_flag engine off" no quotes though
10) Make sure all your file (644) and folder permissions are correct (755) and they are owned by the correct user
11) Make sure it's not an inside job like friends or something with a privileged account
12) Don't allow guest/public file uploads and make sure you're restricting .php from being uploaded; monitor logged in users who are uploading items because you can associate files that account uploaded to your server
13) May not be Joomla end, may be server end, so disable all services and block all ports you don't need and again change accounts with default names to something better and use very strong passwords and Password Gorilla for your ssh, ftp, etc. access
14) Make sure Joomla and all third party extensions are up to date and patched for security
15) Check your PHP version and if it's 5.3 or below you should probably upgrade
16) What host are you using? Check their reviews, there's millions of hosts and more secure ones if yours sucks

Soo many things you can do or be compromised by...
I like working with Joomla :). I offer the following professional services: Custom extension development, SEO/marketing, maintenance/support, security and WCAG audits, and will work on websites at a reasonable rate.
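A triage script, added here as an example (not code from any post in this thread), that checks a Joomla tree for what items 9, 10 and 12 above guard against: PHP files, or PHP hiding under an image name, inside upload folders; permissions that deviate from 644/755; and upload folders with no .htaccess turning the PHP engine off. The folder list, the function names and the sample site tree it builds are assumptions constructed for the demo.

```shell
#!/bin/sh
# Triage helpers for a Joomla document root. Paths and the sample tree are
# constructed for this example; point the functions at a real site root to use them:
#   . ./triage.sh && find_php_in_uploads /home/user/public_html
UPLOAD_DIRS="images tmp cache logs"   # folders that should hold data, never code

# PHP files in upload folders, plus non-PHP names whose first bytes are a PHP
# open tag (a script stored under an image name). With "php_flag engine off"
# in the folder's .htaccess Apache serves these as plain text instead of running them.
find_php_in_uploads() {
    root="$1"
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \) -print
        find "$root/$d" -type f ! -name '*.php' \
            -exec sh -c 'head -c 5 "$1" | grep -q "<?php"' _ {} \; -print
    done | sort
}

# Anything that is not the 644 (file) / 755 (folder) baseline the thread recommends.
find_bad_perms() {
    root="$1"
    { find "$root" -type f ! -perm 644 -print
      find "$root" -type d ! -perm 755 -print; } | sort
}

# Upload folders that lack an .htaccess turning the PHP engine off.
find_uploads_without_htaccess() {
    root="$1"
    for d in $UPLOAD_DIRS; do
        [ -d "$root/$d" ] || continue
        grep -qs 'php_flag engine off' "$root/$d/.htaccess" || echo "$root/$d"
    done
}

# Constructed sample tree: a clean core file, a benign gif, a dropped script,
# a script hiding behind a .gif name, a protected images/ and an unprotected tmp/.
build_sample_site() {
    root="$1"
    mkdir -p "$root/images/stories" "$root/tmp" "$root/components"
    printf '<?php // genuine core file\n' > "$root/components/index.php"
    printf 'GIF89a constructed image bytes' > "$root/images/zxcvbnm.gif"
    printf '<?php // constructed stand-in for a dropped script\n' > "$root/images/stories/thumb.php"
    printf '<?php // constructed: PHP stored under an image name\n' > "$root/images/logo.gif"
    printf 'php_flag engine off\n' > "$root/images/.htaccess"
    chmod -R u=rwX,go=rX "$root"          # normalise everything to 644/755 ...
    chmod 777 "$root/tmp"                 # ... then plant two deviations
    chmod 666 "$root/images/stories/thumb.php"
}
```

Run the three finders against a backup copy first: a clean reference install of the same Joomla version lets you diff what they report against known-good files.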

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Help Finding Hacker's Back Door

Post by mandville » Tue Nov 04, 2014 11:28 pm

HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Aderrick
Joomla! Fledgling
Posts: 3
Joined: Tue Nov 04, 2014 6:18 pm

Re: Help Finding Hacker's Back Door

Post by Aderrick » Wed Nov 05, 2014 1:05 pm

I went through these recommendations before posting and did all that I could afford first. The catch 22 is that if I carefully do everything recommended, I am deleting the site and rebuilding from scratch. Is that not correct? I was looking for something less radical before going to that extreme. Perhaps a trusted third party service or well supported security application to "search and destroy" all but the latest exploits? Something like that. Any thoughts?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Help Finding Hacker's Back Door

Post by mandville » Wed Nov 05, 2014 2:49 pm

Aderrick wrote: I went through these recommendations before posting and did all that I could afford first.
sorry? all you could afford?
Aderrick wrote: The catch 22 is that if I carefully do everything recommended, I am deleting the site and rebuilding from scratch. Is that not correct?
http://docs.joomla.org/Security_Checkli ... ter_relief
your content is in the sql database, you have the original extensions etc? you are not rebuilding from scratch. unless you don't cure the hack, then you will be refixing it every so often

Aderrick
Joomla! Fledgling
Posts: 3
Joined: Tue Nov 04, 2014 6:18 pm

Re: Help Finding Hacker's Back Door

Post by Aderrick » Wed Nov 05, 2014 6:10 pm

"Afford" as in "time is money". Either I do it at the cost of other productive time or I pay someone.

I will reread the advice and guidance provided. I was under the impression that the database would be just as suspect and would have to be rebuilt to fully cleanse the site. There are 100's of hours in it. I am overwhelmed. I fully understand that I brought it on myself. Thank you for the input and advice.

