Hacked

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

mckinney
Joomla! Apprentice
Posts: 29
Joined: Mon Aug 20, 2012 3:20 pm

Hacked

Post by mckinney » Sat Jan 02, 2016 10:27 am

Hi
My website (biztalks.de) has been hacked and since then taken down by my hosting service. I had version 3.4.7 installed. They gave me a list of instructions but I am no expert and have no idea what I have to do. Also, I have no access to the site since they took it offline.
Can someone please help...

Dermot
Last edited by mandville on Sat Jan 02, 2016 1:52 pm, edited 1 time in total.
Reason: topic relocated

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Hacked

Post by Bernard T » Sat Jan 02, 2016 11:11 am

Hi,

Please start with http://forum.joomla.org/viewtopic.php?f=714&t=757645.

Can you share with us what your hosting provider's findings and instructions were? For security reasons please obfuscate mentions of your real website domain.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

mckinney
Joomla! Apprentice
Posts: 29
Joined: Mon Aug 20, 2012 3:20 pm

Re: Hacked

Post by mckinney » Sat Jan 02, 2016 11:53 am

Hi, thanks for the reply.
The host is here in Germany... my German is really bad so here is the Google Translate! My knowledge of technology is even worse than my German, so I am doing this from a completely tech blind status.

The following file has been blocked due to malware / attacks to protect the systems:
webseiten/joomla2.5/joomla2.5/tmp/install_54a2b27ceb208/fof/model/dispatcher/meataphone.php

An audit of your web space we could find faulty scripts another may. These are located in the following directory, which we had also block due to the scripts:
webseiten/joomla2.5/joomla2.5/

We continue to disclose at this moment a file named * infiziert.txt * in the affected directory from which searches through an automated scanning the scripts by us known patterns of malicious code. You can find this file on your web space at the following location:
webseiten/joomla2.5/joomla2.5/infiziert.txt

The scan is however only complete when * 100% * Finish is in the file at the end of what can avail depending on amount of data some time. We would ask you to examine the files listed then immediately to update and remove, where appropriate, and to clean up the malicious code.
Please check also if your scripts contain vulnerabilities and close them as soon as possible in order to minimize the risk of further attacks. Note here that as a rule a large number of vulnerabilities can be closed by installation of updates for the scripts you are using.
In the file * * veraltete_software.txt we provide you with a list of obsolete installations available, which were found in an automatic scan.

Again, the list of scan is not complete and fully, if at the end * 100% * Ready appears.
Please check then the contents of the file and update immediately the outdated software:
webseiten/joomla2.5/joomla2.5/veraltete_software.txt



webseiten/joomla2.5/joomla2.5/tmp/install_54a2b27ceb208/fof/model/dispatcher/meataphone.php

webseiten/joomla2.5/joomla2.5/webseiten/joomla2.5/joomla2.5/infiziert.txt

mckinney
Joomla! Apprentice
Posts: 29
Joined: Mon Aug 20, 2012 3:20 pm

Re: Hacked

Post by mckinney » Sun Jan 03, 2016 9:51 am

I am still totally lost. I read and downloaded the FPA and opened it, but I do not know where my joomla_root/ directory is.

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Hacked

Post by Bernard T » Sun Jan 03, 2016 10:31 am

You will not be able to use the FPA script since your website has been disabled by your hosting provider.
What you could do is ask your hosting provider to enable your website again, but turn on "Folder Password Protection", also known as "htpasswd" or "HTTP Auth". This way you would be able to open your website in a browser only by providing a username and password, and then you can upload and run the FPA script to generate the report.

The Joomla root directory is the first and highest directory containing your Joomla installation. It's the directory where you have the "configuration.php" file. According to the excerpt from your hosting provider's email, it would be "webseiten/joomla2.5/joomla2.5/".

To clean your Joomla properly, follow the steps in the sticky post http://forum.joomla.org/viewtopic.php?f ... 4#p2882538
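Added example, not part of the original thread: a small shell triage for the two points in the reply above, locating the Joomla root as the directory that holds configuration.php and listing PHP files left under its tmp/ directory, which is where the host's flagged file sat. The function names and the sample tree built by make_sample are constructed for illustration, and the extra check for administrator/ and libraries/ is an assumption about a standard Joomla layout.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print every directory under $1 that looks like a Joomla root:
# it holds configuration.php next to administrator/ and libraries/
# (assumed standard layout).
find_joomla_root() {
    find "$1" -type f -name configuration.php 2>/dev/null |
    while IFS= read -r cfg; do
        dir=$(dirname "$cfg")
        if [ -d "$dir/administrator" ] && [ -d "$dir/libraries" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# List PHP files remaining under <root>/tmp for manual review.
# Leftover tmp/install_* trees, like the one in the host's report,
# show up here.
list_tmp_php() {
    [ -d "$1/tmp" ] || return 0
    find "$1/tmp" -type f -name '*.php' | sort
}

# Build a constructed sample web space (empty files only), echo its path.
make_sample() {
    base=$(mktemp -d)
    root="$base/webseiten/joomla2.5/joomla2.5"
    mkdir -p "$root/administrator" "$root/libraries" \
             "$root/tmp/install_54a2b27ceb208/fof/model/dispatcher"
    : > "$root/configuration.php"
    : > "$root/tmp/index.html"
    : > "$root/tmp/install_54a2b27ceb208/fof/model/dispatcher/meataphone.php"
    # Decoy: a configuration.php outside any Joomla installation.
    mkdir -p "$base/webseiten/backup"
    : > "$base/webseiten/backup/configuration.php"
    printf '%s\n' "$base"
}

# Usage: sh triage.sh /path/to/webspace
if [ "$#" -ge 1 ]; then
    find_joomla_root "$1" | while IFS= read -r r; do
        echo "Joomla root: $r"
        list_tmp_php "$r"
    done
fi
```

The listing is read-only; files it reports still need to be compared against a clean package before anything is deleted.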

mckinney
Joomla! Apprentice
Posts: 29
Joined: Mon Aug 20, 2012 3:20 pm

Re: Hacked

Post by mckinney » Mon Jan 04, 2016 9:57 am

I really appreciate your support and your patience... thanks. I do have another silly question!
In the FPA instructions it states:
Delete ALL files in your Joomla installation. This is ONLY the files and directories in the joomla_root/ directory NOT the database!
What exactly have I to do here? I have the Joomla 2.5.6 full package... my question is... what do I delete from this package? (I told you it was a silly question!)

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Hacked

Post by Bernard T » Mon Jan 04, 2016 1:48 pm

mckinney wrote: Delete ALL files in your Joomla installation. This is ONLY the files and directories in the joomla_root/ directory NOT the database!
What exactly have I to do here? I have the Joomla 2.5.6 full package... my question is... what do I delete from this package? (I told you it was a silly question!)
The instructions are talking about the directory on your hosting server which contains the Joomla installation, and not the package archive file.

