No administrator access

Posted: Tue Mar 10, 2015 9:21 am
by NFCWill
It seems our site has been hacked, and we no longer have admin access. The index.php file is no longer within the administrator site. I have read what I need to do with regards to deleting all Joomla files and making a copy of the config file. However, excuse my ignorance, but when reinstalling Joomla and new extensions, would this not make me lose all previous work, layouts, and many hours of inputting data?

Again excuse my ignorance, I just need to know what I am letting myself in for before starting. Any help/advice would be greatly appreciated.
Problem Description :: Forum Post Assistant (v1.2.4) : 10th March 2015 wrote:No administrator access
Log/Error Message :: Forum Post Assistant (v1.2.4) : 10th March 2015 wrote:403 Forbidden
Forum Post Assistant (v1.2.4) : 10th March 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.15-Stable (Ember) 06-November-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 11328 (uid: /gid: ) | Group: 2523 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-531.29.2.lve1.3.11.3.el5h.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/northernfootballclub.co.uk/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.36 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32767 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.41-cll-lve (Client:5.5.41) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 8.74 MiB | #of Tables:  261
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.36) | date (5.4.36) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline (5.4.36) | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | session () | standard (5.4.36) | shmop () | SimpleXML (0.1) | mbstring () | tokenizer (0.1) | xml () | cgi-fcgi () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | wddx () | bcmath () | gd () | mysql (1.0) | fileinfo (1.0.5) | sockets () | zip (1.11.0) | xmlwriter (0.1) | snmp (0.1) | pgsql () | json (1.2.1) | exif (1.4 $Id: 637ebf9289b40d157fdf8edcdddeb3d907b28d9b $) | ldap () | sysvmsg () | sysvshm () | soap () | odbc (1.0) | xmlrpc (0.51) | sysvsem () | pspell () | mysqli (0.1) | imap () | dom (20031129) | pdo_sqlite (1.0.1) | Phar (2.0.1) | xmlreader (0.1) | posix () | mcrypt () | PDO_ODBC (1.0.1) | xsl (0.1) | mhash () | ionCube Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: HaniXavi/root/dev/shm/ (777) | test/app/ (777) | test/app/mejdi/ (777) | test/app/mejdi/Snd/ (777) | test/app/mejdi/Snd/rz/ (777) | test/app/mejdi/css/ (777) | test/app/mejdi/img/ (777) | test/app/mejdi/js/ (777) | test/app/mejdi/js/contrib/ (777) | test/app/mejdi/js/languages/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Default (3.0.1) | Default (3.0_Alpha1.2) |
Components :: ADMIN :: com_messages (2.5.0) | RokGallery (2.22) | com_admin (2.5.0) | com_search (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | RokSprocket (2.0.2) | com_cpanel (2.5.0) | Gantry (4.1.12) | com_media (2.5.0) | com_weblinks (2.5.0) | com_finder (2.5.0) | com_content (2.5.0) | com_modules (2.5.0) | com_menus (2.5.0) | RokCandy (2.0.0) | com_flashmagazinedeluxe (3.0.0 (build ) | com_languages (2.5.0) | com_templates (2.5.0) | com_installer (2.5.0) | com_checkin (2.5.0) | com_login (2.5.0) | com_categories (2.5.0) | com_redirect (2.5.0) | com_newsfeeds (2.5.0) | JoomSport (2.9.3) | com_users (2.5.0) | com_plugins (2.5.0) | Community (3.0.1) | Community (3.0.1) | com_cache (2.5.0) | com_joomlaupdate (2.5.0) | com_jckman (5.3) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | JTreeLink (1.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | JoomlaCK Pugin Manager Control (1.0.0 DEVELOP) |

Modules :: SITE :: Community - Dating Search (3.0.1) | mod_articles_latest (2.5.0) | mod_languages (2.5.0) | mod_articles_categories (2.5.0) | Community - Photos Module (3.0.1) | Community - Hello Me (3.0.1) | Community - Active Groups (3.0.1) | Community - Quick Search Modul (3.0.1) | mod_banners (2.5.0) | mod_weblinks (2.5.0) | Community - Latest group posts (3.0.1) | Community - JomSocial Connect (3.0.1) | Community - Photo Comments (3.0.1) | Community - Activity Stream (3.0.1) | mod_articles_category (2.5.0) | mod_breadcrumbs (2.5.0) | RokAjaxSearch (2.0.0) | mod_syndicate (2.5.0) | mod_users_latest (2.5.0) | mod_articles_popular (2.5.0) | Community - Events Module (3.0.1) | RokGallery Module (2.22) | Community - Whos Online (3.0.1) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_wrapper (2.5.0) | mod_menu (2.5.0) | Community - Latest Discussion (3.0.1) | Community - JomSocial Statisti (3.0.1) | mod_related_items (2.5.0) | mod_articles_archive (2.5.0) | mod_random_image (2.5.0) | Community - Videos Module (3.0.1) | Community - Jomsocial Notifica (3.0.1) | mod_login (2.5.0) | Flash Magazine Deluxe - Archiv (3.0.0 (build ) | mod_articles_news (2.5.0) | Community - Groups Module (3.0.1) | Community - Video Comments (3.0.1) | mod_finder (2.5.0) | mod_search (2.5.0) | Community - Members Module (3.0.1) | mod_whosonline (2.5.0) | RokNavMenu (2.0.3) | mod_footer (2.5.0) | mod_stats (2.5.0) | RokSprocket Module (2.0.2) | Community - Top Members (3.0.1) |
Modules :: ADMIN :: mod_quickicon (2.5.0) | mod_latest (2.5.0) | mod_status (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_menu (2.5.0) | mod_toolbar (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_submenu (2.5.0) | mod_version (2.5.0) | mod_title (2.5.0) | JoomlaCK Pugin Manager Control (1.0.0 DEVELOP) |

Plugins :: SITE :: Unknown (-) | Community - My Latest Videos (3.0.1) | Unknown (-) | Community - Events (3.0.1) | Community - Friend's Location (3.0.1) | Community - Latest Photos (3.0.1) | Unknown (-) | Community - Invite (3.0.1) | Unknown (-) | My twitter updates (3.0.1) | Community - Walls (3.0.1) | Kunena Groups (2.0.3) | Unknown (-) | Community - Feeds (3.0.1) | Unknown (-) | Community - My Contacts (3.0.1) | My Forum Menu (2.0.3) | Community - My Tagged Videos (3.0.1) | Unknown (-) | Community - My Articles (3.0.1) | Community - Input Processor (3.0.1) | Community - Wordfilter (3.0.1) | My Forum Posts (2.0.3) | Unknown (-) | Community - My Google Ads (3.0.1) | Community - My kunena updates (3.0.1) | plg_extension_joomla (2.5.0) | User - Jomsocial User (3.0.1) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_system_redirect (2.5.0) | plg_system_p3p (2.5.0) | System - RokSprocket (2.0.2) | plg_system_highlight (2.5.0) | System - RokBox (2.0.4) | plg_system_remember (2.5.0) | System - Jomsocial Redirect (3.0.1) | System - Gantry (4.1.12) | plg_system_sef (2.5.0) | System - RokCandy (2.0.0) | system - EUCookieDirectiveLite (1.0.9) | System - JCK Typography (3.5.0) | System - RokUpdater (1.0.8) | plg_system_languagecode (2.5.0) | Azrul System Mambot For Joomla (3.0.1) | plg_system_cache (2.5.0) | System - RokExtender (2.0.0) | Abivia.net SuperTable Plus Plu (1.8.2) | System - RokCommon (3.1.6) | plg_system_debug (2.5.0) | System - RokBooster (1.1.8) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | System - RokGallery (2.22) | System - JCK Modal (1.0) | plg_system_languagefilter (2.5.0) | Jomsocial Update (3.0.1) | System - Jomsocial Facebook Co (3.0.1) | Flash Magazine Deluxe - Button (3.0.0 (build ) | Button - RokBox (2.0.4) | Button - RokCandy (2.0.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokGallery 
(2.22) | plg_captcha_recaptcha (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | Editor - RokPad (2.1.5) | Editor - JoomlaCK (6.5.3) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (1.0) | Unknown (0.1) | Unknown (0.1) | System - JCK Typography (3.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | Content - RokBox (2.0.4) | Flash Magazine Deluxe - Conten (3.0.0 (build ) | plg_content_szaki_table (1.2) | plg_content_emailcloak (2.5.0) | plg_content_pagenavigation (2.5.0) | Content - RokInjectModule (1.5) | plg_content_joomla (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_vote (2.5.0) | plg_content_finder (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_newsfeeds (2.5.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez_20 (2.5.0) | rt_fracture (1.5) | beez5 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Re: No administrator access

Posted: Tue Mar 10, 2015 9:50 am
by itoctopus
Where did you read that you have to delete all your Joomla files to fix the hack?

In any case, try re-uploading the whole administrator folder to your website (don't delete the current one) and then you should clean your website from the hack and ensure that your website is secured and updated to the latest secure version of Joomla (you are running a very old version of Joomla, which is 2.5.15).

Re: No administrator access

Posted: Tue Mar 10, 2015 10:00 am
by NFCWill
itoctopus wrote:Where did you read that you have to delete all your Joomla files to fix the hack?

In any case, try re-uploading the whole administrator folder to your website (don't delete the current one) and then you should clean your website from the hack and ensure that your website is secured and updated to the latest secure version of Joomla (you are running a very old version of Joomla, which is 2.5.15).
In the sticky it says:
"Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file."

Am I misreading/misunderstanding?

Thank you for the advice, I have the original administrator file at home and will try that tonight.

Re: No administrator access

Posted: Tue Mar 10, 2015 10:30 am
by yoann
You just need to upload all core files (after downloading a fresh copy of the same version as yours) to replace the infected core files.
But if you have deleted your template folder, I hope you've got a backup...
All your content is contained in the database and is not deleted.
If you don't have a backup of your website, try asking your host; maybe he can reinstall a backup of your files.

Re: No administrator access

Posted: Wed Mar 11, 2015 9:58 am
by NFCWill
I have tried uploading just the administrator file, but when I go to the admin login page it shows blank.

Looks like I will have to replace the core folders.

Again, excuse my ignorance, but is there an easy way to back up my template? Is it as easy as copying the template folder and re-uploading?

Also, I use RocketLauncher from RocketTheme. Would it be as easy as deleting all folders and reinstalling, seeing as all content is kept in the database? Would I need to copy the current config file and re-upload it?

Re: No administrator access

Posted: Wed Mar 11, 2015 11:35 am
by mandville
The instructions for deleting and replacing the core files are so that you delete any hidden shell scripts and malware.
Your install is very old.
Some of your extensions are old.
You have 777 folder permissions.
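
The comparison yoann and mandville describe (a fresh copy of the same Joomla version against the live files), together with a check for the 777 directories shown in the FPA report, as an added example that is not part of any post in this thread. The function names and the two-directory layout are assumptions of the example, and `build_demo` creates constructed sample trees rather than real site data.

```shell
#!/bin/sh
# Added example: audit a live docroot against a clean extract of the same release.

# Regular files under $1, as sorted paths relative to $1.
list_files() { ( cd "$1" && find . -type f | sed 's|^\./||' | sort ); }

# Directories that any account on the server can write to (777 and similar).
world_writable_dirs() {   # $1 = site
    ( cd "$1" && find . -type d -perm -0002 | sed 's|^\./||' | sort )
}

# Core files that have disappeared from the site (e.g. administrator/index.php).
missing_core_files() {    # $1 = site, $2 = clean release
    list_files "$2" | while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Core files whose bytes differ from the clean release.
modified_core_files() {   # $1 = site, $2 = clean release
    list_files "$2" | while IFS= read -r f; do
        if [ -f "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then printf '%s\n' "$f"; fi
    done
}

# PHP files that are not part of the release. configuration.php, extensions and
# templates legitimately appear here; everything else needs a manual look.
extra_php_files() {       # $1 = site, $2 = clean release
    list_files "$1" | grep '\.php$' | while IFS= read -r f; do
        if [ ! -e "$2/$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample trees for trying the checks; $1 = empty scratch directory.
build_demo() {
    mkdir -p "$1/clean/administrator" "$1/clean/libraries" \
             "$1/site/libraries" "$1/site/images/up"
    echo '<?php // admin entry point' > "$1/clean/administrator/index.php"
    echo '<?php // loader' > "$1/clean/libraries/loader.php"
    echo '<?php // loader plus an extra line' > "$1/site/libraries/loader.php"
    echo '<?php // site settings' > "$1/site/configuration.php"
    echo '<?php // not shipped with the release' > "$1/site/images/up/x.php"
    chmod -R go-w "$1" && chmod 777 "$1/site/images/up"
}

# Real use: sh audit.sh /path/to/httpdocs /path/to/clean-extract
if [ "$#" -eq 2 ]; then
    for check in world_writable_dirs missing_core_files modified_core_files extra_php_files; do
        echo "== $check"; "$check" "$1" "$2"
    done
fi
```

The checks only read and report, so they can be run on a copy of the site before any files are deleted or replaced.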

Re: No administrator access

Posted: Mon Mar 16, 2015 10:47 am
by NFCWill
mandville wrote:The instructions for deleting and replacing the core files are so that you delete any hidden shell scripts and malware.
Your install is very old.
Some of your extensions are old.
You have 777 folder permissions.
I have done as suggested, but now my website just shows a blank screen. I am quite lost as to what to do next.

The 777 folder permissions are what I believe to be "the hack".