hacked joomla, how to use old backup and add other things from new

Discussion regarding Joomla! 3.x security issues.

Post by CoyoteKG » Thu May 19, 2016 8:27 am

Forum Post Assistant (v1.2.7) : 19th May 2016
Problem Description :: Hacked site
Basic Environment ::
Joomla! Instance :: Joomla! 3.3.6-Stable (Ember) 01-October-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (644) | Owner: ftp2670732 (uid: 1/gid: 1) | Group: site2670732 (gid: 1) | Valid For: 3.3
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 1 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-604.16.2.lve1.3.54.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/.sites/563/site2670732/web | System TMP Writable: Yes

PHP Configuration :: Version: 5.6.20 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: E_ALL & ~E_NOTICE | Log Errors To: /var/log/httpd/php.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /home/.sites/563/site2670732/web:/home/.sites/563/site2670732/tmp:/usr/share/pear | Uploads: 1 | Max. Upload Size: 200M | Max. POST Size: 200M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 75M

MySQL Configuration :: Version: 5.5.49 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 67.23 MiB | #of Tables:  316
Detailed Environment ::
PHP Extensions :: Core (5.6.20) | date (5.6.20) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.6.20) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | mysqli (0.1) | mysql (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.2) | posix () | Reflection ($Id: fbcf7a77ca8e3d4cd7501de8025235b947b8240f $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: f94e075e5a1ebe5108ef2729498d2f198df3c078 $) | suhosin (0.9.38) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | cgi-fcgi () | mhash () | Zend Engine (2.6.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (777) | components/ (777) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: components/ (777) | components/com_weblinks/api/ (777) | docindexer/ (777) | engine/ (777) | engine/cache2fd4382af12289bcf3a50e7a58539221/ (777) | kickstart/ (777) | templates/darland/ (777) | templates/darland/cached16ccfc9bc3fced6a5f9d210020d8192/ (777) | templates/darland/html/mod_search/ (777) | templates/darland/html/mod_search/bb52f78d9b6c60d7765529d182ea4b28/ (777) |
Extensions Discovered ::
Components :: SITE :: com_wrapper (3.0.0) | WF_LINK_SEARCH_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_ARTICLE_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_AUTOSAVE_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_ANCHOR_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | CB Mamblog Tab (1.2) | Yanc Integration (1.2) | AcyMailing CB Plugin (1.2) | CB Profile Pro (1.0) | CB Mambo Author Tab (1.2) | com_mailto (3.0.0) |
Components :: ADMIN :: com_content (3.0.0) | com_easybookreloaded (2.5-5) | com_config (3.0.0) | JE Testimonial (3.0.2) | Akeeba (4.6.1) | AcyMailing Editor (5.2.0) | AcyMailing : Handle Click trac (5.2.0) | AcyMailing : (auto)Subscribe d (5.2.0) | AcyMailing: override Joomla ma (5.2.0) | JEvents (3.0.13) | uddeIM (3.4) | com_messages (3.0.0) | com_cpanel (3.0.0) | Spider FAQ (1.3) | com_newsfeeds (3.0.0) | JiFile (2.3) | com_search (3.0.0) | com_admin (3.0.0) | com_plugins (3.0.0) | com_postinstall (3.2.0) | com_banners (3.0.0) | Unknown (-) | JCE (2.3.4.4) | com_users (3.0.0) | com_cbprofilepro (4.0.0) | com_categories (3.0.0) | com_contenthistory (3.2.0) | com_redirect (3.0.0) | Admintools (3.6.8) | com_login (3.0.0) | COM_MATUKIO (2.1.10) | Notice board (1.0) | com_ajax (3.2.0) | com_media (3.0.0) | com_weblinks (3.0.0) | com_seminarman (2.10.2) | com_joomlaupdate (3.0.0) | com_pbbooking (2.4.0.4) | jDownloads (1.9.2.3 Beta) | com_modules (3.0.0) | com_cache (3.0.0) | com_phocamaps (3.0.0 Beta) | com_rseventspro (1.0.0) | comprofiler (1.9.1) | comprofiler (1.9.1) | com_menus (3.0.0) | com_tags (3.1.0) | templateck (2.1.11) | jfusion Language Package de-DE (1.8) | com_jfusion (1.8.0-000) | com_finder (3.0.0) | mod_kunenamenu (3.0.5) | plg_system_kunena (-) | plg_kunena_gravatar (3.0.5) | plg_finder_kunena (3.0.5) | plg_kunena_joomla (3.0.5) | plg_kunena_uddeim (3.0.5) | plg_kunena_comprofiler (3.0.5) | plg_kunena_community (3.0.5) | plg_kunena_kunena (3.0.5) | plg_kunena_alphauserpoints (3.0.5) | plg_kunena_finder (3.0.5) | com_kunena (3.0.5) | com_checkin (3.0.0) | Doc Indexer (1.5.0) | com_installer (3.0.0) | com_languages (3.0.0) | com_templates (3.0.0) |

Modules :: SITE :: mod_users_latest (3.0.0) | mod_menu (3.0.0) | mod_syndicate (3.0.0) | mod_random_image (3.0.0) | mod_login (3.0.0) | Speed Up Manager (3.2) | CB Online (1.9) | News Show SP2 (2.9) | JFusion Whos Online Module (1.8.0-000) | mod_footer (3.0.0) | System - Google Maps (3.2) | mod_tags_similar (3.1.0) | mod_banners (3.0.0) | Planyo.com online reservation (2.3) | Susnet Facebook Like Box (1.0.7) | AcyMailing Module (3.7.0) | mod_articles_popular (3.0.0) | JEvents View Switcher (3.0.13) | mod_search (3.0.0) | DB Show (0.9) | mod_matukio (2.1.10) | MyPuzzle Sudoku (1.1.0) | mod_tags_popular (3.1.0) | Notice board general (1.02) | mod_articles_archive (3.0.0) | mod_custom (3.0.0) | mod_articles_latest (3.0.0) | JEvents Legend (3.0.13) | mod_wrapper (3.0.0) | Latest JEvents (3.0.13) | mod_weblinks (3.0.0) | mod_languages (3.0.0) | MOD_VISITORCOUNTER (3-3) | Spider FAQ Lite (2.2.1) | mod_articles_news (3.0.0) | JEvents Calendar (3.0.13) | mod_related_items (3.0.0) | mod_finder (3.0.0) | JFusion Login Module (1.8.0-000) | mod_stats (3.0.0) | mod_articles_category (3.0.0) | JFusion User Activity Module (1.8.0-000) | JFusion Activity Module (1.8.0-000) | MOD_DB8SITELASTMODIFIED (2.6) | mod_seminarman_schedule (1.1.3) | mod_breadcrumbs (3.0.0) | uddeIM Notifier (3.4) | mod_articles_categories (3.0.0) | CB Login (1.9.1) | mod_whosonline (3.0.0) | Freetobook Widget (1.0.0) | mod_sw_kbirthday (1.9.0) | CB Workflows (1.9.1) | mod_feed (3.0.0) | mod_accordionfaq (3.0.4) | Sj Basic News (3.0) | JEvents Filter (3.0.13) | Birthday List (1.0.0) | MOD_RSEVENTSPRO_ATTENDEES (1.0) | MOD_SEMINARMAN_CALENDAR (1.2.5) |
Modules :: ADMIN :: mod_status (3.0.0) | mod_menu (3.0.0) | mod_latest (3.0.0) | mod_login (3.0.0) | MOD_VISITORCOUNTER_BACKEND_INF (3-3) | mod_stats_admin (3.0.0) | mod_version (3.0.0) | mod_custom (3.0.0) | mod_popular (3.0.0) | mod_multilangstatus (3.0.0) | mod_ccc_matukio_icons (2.1.10) | mod_submenu (3.0.0) | mod_ccc_matukio_overview (2.1.10) | mod_toolbar (3.0.0) | mod_quickicon (3.0.0) | mod_ccc_matukio_promotion (2.1.10) | mod_ccc_matukio_update (2.1.10) | mod_logged (3.0.0) | mod_feed (3.0.0) | mod_title (3.0.0) | mod_ccc_matukio_newsfeed (2.1.10) |

Plugins :: SITE :: plg_search_weblinks (3.0.0) | plg_search_seminarman_courses (1.0.3) | Search - Doc Indexer (1.0) | plg_search_tags (3.0.0) | plg_search_contacts (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_seminarman_tutors (1.0.3) | Search - JEvents (3.0.13) | plg_search_categories (3.0.0) | Search - JiFile (2.1) | plg_search_seminarman_categori (1.0.3) | plg_editors_tinymce (4.1.2) | plg_editors_codemirror (3.15) | plg_editors_jce (2.3.4.4) | AcyMailing Editor (5.2.0) | plg_seminarman_pdflist (1.0.2) | plg_seminarman_smanprices (1.2.1) | OSG Seminarman Advanced Bookin (1.4RC4) | plg_installer_webinstaller (1.0.5) | plg_content_emailcloak (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_vote (3.0.0) | plg_content_pagenavigation (3.0.0) | GJFields - a set of additional (1.0.27) | PLG_CONTENT_AUTOREADMORE_TITLE (4.0.7) | plg_content_vouchnote (1.0) | plg_content_joomla (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagebreak (3.0.0) | Content - Load Spider FAQ (1.3) | Include Content Item (3.0.12) | plg_kunena_uddeim (3.0.5) | plg_kunena_kunena (3.0.5) | plg_kunena_gravatar (3.0.5) | plg_kunena_joomla (3.0.5) | plg_kunena_alphauserpoints (3.0.5) | plg_kunena_comprofiler (3.0.5) | plg_kunena_community (3.0.5) | AcyMailing Tag : VirtueMart in (4.9.3) | AcyMailing Tag : Subscriber in (5.2.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : Date / Time (5.2.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Call To Actio (1.1.2) | AcyMailing Tag : Manage the Su (5.2.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing Template Class Repl (5.2.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Joomla User I (5.2.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing : Inbox actions (5.2.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Geolocation : Tag a (5.2.0) | AcyMailing : Handle Click trac (5.2.0) 
| AcyMailing Tag : Insert a Modu (5.2.0) | plg_editors-xtd_cbppmagicwindo (1.1.0) | PLG_EDITORS-XTD_TOOLTIPS (3.7.9FREE) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_vouchbutton (-) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_extension_joomla (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_captcha_recaptcha (3.0.0) | plg_finder_weblinks (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_content (3.0.0) | plg_finder_jevents (3.0.13) | plg_finder_newsfeeds (3.0.0) | plg_finder_categories (3.0.0) | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) | plg_system_redirect (3.0.0) | AcyMailing: override Joomla ma (5.2.0) | PLG_SYSTEM_TOOLTIPS (3.7.9FREE) | RSEvents!Pro Offline payment (1.0.0) | plg_system_p3p (3.0.0) | System - Admin Tools (3.6.8) | plg_system_debug (3.0.0) | eorisis_jquery (1.2.2) | plg_system_languagefilter (3.0.0) | AcyMailing : Handle Click trac (5.2.0) | plg_system_sef (3.0.0) | PLG_SYSTEM_JQUERYEASY (1.5.5) | Hikashop - VirtueMart Fallback (1.0.0) | AcyMailing : (auto)Subscribe d (5.2.0) | PLG_SYSTEM_NNFRAMEWORK (15.1.2) | plg_system_jdownloads (2.5) | plg_system_kunena (3.0.5) | PLG_SYSTEM_AKEEBAUPDATECHECK_T (1.1) | plg_system_log (3.0.0) | System - RSEvents!Pro PDF plug (1.3.0) | plg_system_highlight (3.0.0) | plg_system_logout (3.0.0) | PLG_JSCSSCONTROL (3.1.0) | plg_system_remember (3.0.0) | System - Google Analytics (4.6.1) | plg_system_cache (3.0.0) | System - Perfect Joomla! 
3 Use (1.8) | plg_system_languagecode (3.0.0) | plg_user_seminarman (1.0.6) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) | plg_user_contactcreator (3.0.0) | My courses (0.1) | RSEvents!Pro - JomSocial plugi (1.0) | Unknown (-) | Teacher courses (0.1) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_kunena (3.0.5) | plg_quickicon_akeebabackup (1.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.3.4.4) | plg_authentication_gmail (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_joomla (3.0.0) |
Templates Discovered ::
Templates :: SITE :: darland (2.5.0) | templatecreatorck (1.0.0) | Clever (3.1) | Cleanlogic-for-Joomla-3.X (1.2) | beez3 (3.1.0) | protostar (1.0) | clubys (3.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |
Hello, I'm new to Joomla, and for the last few days I have tried to google a solution and read here on this forum, but I can't find a solution for now.

My friend has a site, and he is a victim of some malware. Sending spam, and now the site does not work anymore...

I downloaded that backup, installed it locally on XAMPP, and scanned the folder with a few antiviruses and with Malwarebytes.
I deleted about 15 reported malware files... I also checked them on VirusTotal, and a few viruses were reported by more than 30 AVs...

I tried to clean it, but I don't have experience with Joomla, not even PHP... I'm not a developer :). I'm just some kind of system administrator.

I removed what I think it is OK, but I have problems with a few sides and errors on pages...

So, my question is,
is it possible to install the old clean backup (I have one from October) and somehow merge it with this current state?
Just to copy clean files, update tables in the database, etc....

I believe this procedure is normal and must be described somewhere, but I don't know how to google it... Which folders need to be copied, which tables from the database, etc...
Last edited by toivo on Thu May 19, 2016 9:11 am, edited 1 time in total.
Reason: mod note: moved to 3.x Security

Post by ribo » Thu May 19, 2016 10:25 am

Your problem is that:
1. Your Joomla is not updated.
2. If you did not update your Joomla, then you probably did not update your third-party extensions either. Also check this https://vel.joomla.org/live-vel
3. You have many folders that have 777 permissions. 777 permissions mean that you have a back door open to get hacked.
So in a clean Joomla site you must update your Joomla, you must update your third-party extensions, and you must have permissions of 755 on folders, 644 on files and 444 on configuration.php.
If you are 100% sure that your backup is clean, first clean everything from your root, and then you can restore it and do all the steps that I told you before.
Also you must change all the passwords (of FTP, of admin, of the database username, etc.) and change the database name.
If you are not 100% sure that your backup is not clean and you can't clean it by yourself, then export the database from phpMyAdmin, and then you must create your Joomla from the beginning with the extensions that you use, and then import your database and generally do all the steps that I told you in the beginning. I suggest you do it locally on your PC with XAMPP or WAMP server, as you are a newbie to all this.
chat room spontes : http://www.spontes.com

Post by CoyoteKG » Thu May 19, 2016 10:46 am

Hello @ribo,
thanks for the quick response!

I understand all of that, and I will protect the site after setting it online.
But first I need to get the site to work...

So my question is: I have a clean OLD backup. And after that old backup, my friend worked on the site, updated texts, images, etc...
So if I restore the old backup, I will not have those changes...

How to merge those changes with this current unworkable site?
How to pick up all the correct data from the current hacked site and update that old backup?

Post by ribo » Thu May 19, 2016 10:58 am

For example, if some images are missing from your backup, then you can take the images from your hacked site and upload them to the right path of your restored backup. If, for example, articles are missing from your backup, then you can import the database of your hacked site into your restored backup.
chat room spontes : http://www.spontes.com

Post by ribo » Thu May 19, 2016 11:07 am

If you are missing extensions, first you must install the extension in your restored backup, and then you can import the database of your hacked site.
chat room spontes : http://www.spontes.com
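A triage pass for the merge described in the replies above, as an added example that is not part of the original posts: it compares the hacked tree with the clean backup and lists only new or changed image files as copy candidates, sending everything else to manual review. The function names, the directory layout and the demo files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Leading bytes that a genuine file of each image type starts with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def file_sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = file_sha256(full)
    return index


def image_verdict(path):
    """Return 'ok' only for a file whose bytes look like the image it claims to be."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return "not an image type"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "content does not match extension"
    if b"<?php" in data.lower():
        return "PHP code embedded in image"
    return "ok"


def triage(clean_root, hacked_root):
    """Split files that are new or changed in the hacked tree into
    copy candidates (plain images) and items needing manual review."""
    clean = index_tree(clean_root)
    copy_candidates, review = [], []
    for rel, digest in sorted(index_tree(hacked_root).items()):
        if clean.get(rel) == digest:
            continue  # identical to the clean backup, nothing to merge
        status = "modified" if rel in clean else "new"
        verdict = image_verdict(os.path.join(hacked_root, rel))
        if verdict == "ok":
            copy_candidates.append(rel)
        else:
            review.append((rel, status, verdict))
    return copy_candidates, review


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_demo_trees(base):
    """Constructed sample trees; none of these files come from the thread."""
    clean, hacked = os.path.join(base, "clean"), os.path.join(base, "hacked")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for root in (clean, hacked):
        _write(root, "index.php", b"<?php echo 'site'; ?>")
        _write(root, "images/logo.png", png)
    _write(clean, "templates/demo/index.php", b"<?php echo 'template'; ?>")
    _write(hacked, "templates/demo/index.php", b"<?php echo 'template'; /* altered */ ?>")
    _write(hacked, "images/team.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    _write(hacked, "images/banner.gif", b"GIF89a" + b"<?php /* constructed */ ?>")
    _write(hacked, "images/cache.php", b"<?php /* constructed */ ?>")
    return clean, hacked


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        candidates, review = triage(*build_demo_trees(base))
    print("copy candidates:", candidates)
    for rel, status, reason in review:
        print("review:", rel, status, reason)
```

The database import from the hacked site is not covered by this check and needs its own review, since injected content can also live in article and module tables.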

Post by CoyoteKG » Thu May 19, 2016 11:09 am

OK, I think I have all the same extensions in both backups.
So just articles and images.

Thanks a lot

Post by CoyoteKG » Tue May 24, 2016 2:57 pm

Hello,
I did as you said.
I installed the clean backup (I hope that it is clean).
Before that I scanned those files with a few anti-malware tools...

I imported the last dumped DB (from the hacked site).
And after that I copied the files that I need from the hacked site.

So, now the site looks good, and my friend tells me that everything is probably OK.

But now I want to secure the site.
I already mentioned that this is my first contact with Joomla.

First, I saw in the admin panel that my version of Joomla is 3.3.6, and I updated it to 3.5.1.
Now I have small problems: the text on the homepage is lighter than before, the background is missing... This is at first view... I hope that's all :).
How to fix that? I thought that problem can appear only if I update the theme (like on WP).

Also, what do I need to do to secure the site?
Is there a free plugin or extension for security, like Wordfence or Sucuri for WP? For blocking brute-force logins, scanning for vulnerabilities on the site, etc...?

Are the permissions OK on this site? I can't change them, but maybe I can contact the hosting company to fix it.


Here I found some steps to do
https://www.siteground.com/tutorials/jo ... curity.htm
1. Keep Joomla and its extensions up-to-date - Done, I broke some styles, but I'll try to fix it
2. Use Strong Login Details - done
3. Use Proper File Permissions & Ownership - this is done I think, where can I see that? In the FPA report?
4. Use Joomla Security Extensions - please, what is the best combination of free extensions?
5. Often Backup your Joomla Site - done
6. Protect Your Administrative Page - done

Here is my FPA report, please help me if you are willing :)
Forum Post Assistant (v1.2.7) : 24th May 2016
Basic Environment ::
Joomla! Instance :: Joomla! 3.3.6-Stable (Ember) 01-October-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (640) | Owner: vu2073 (uid: 1/gid: 1) | Group: vu2073 (gid: 1) | Valid For: 3.3
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 1 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.2.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.2.22 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/virtual/shiatsu-austria.at/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.45-0+deb7u2 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/virtual/shiatsu-austria.at/:/usr/share/php/:/dev/random:/dev/urandom | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.49-0+deb7u1 (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 55.72 MiB | #of Tables:  316
Detailed Environment ::
PHP Extensions :: Core (5.4.45-0+deb7u2) | date (5.4.45-0+deb7u2) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | json (1.2.1) | mbstring () | session () | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | standard (5.4.45-0+deb7u2) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.1) | exif (1.4 $Id: 05041c5f0094cb46d9b516bd624d593b90cc38f9 $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | PDO (1.0.4dev) | curl () | gd () | imap () | intl (1.1.0) | mcrypt () | memcached (2.0.1) | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | imagick (3.1.0RC1) | mhash () | ionCube Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (750) | components/ (750) | modules/ (750) | plugins/ (750) | language/ (750) | templates/ (750) | cache/ (750) | logs/ (750) | tmp/ (750) | administrator/components/ (750) | administrator/modules/ (750) | administrator/language/ (750) | administrator/templates/ (750) |

Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: com_mailto (3.0.0) | WF_ARTICLE_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_ANCHOR_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_AUTOSAVE_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_LINK_SEARCH_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | CB Mambo Author Tab (1.2) | AcyMailing CB Plugin (1.2) | Yanc Integration (1.2) | CB Mamblog Tab (1.2) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_weblinks (3.0.0) | JEvents (3.0.13) | com_modules (3.0.0) | Notice board (1.0) | com_cache (3.0.0) | JE Testimonial (3.0.2) | COM_MATUKIO (2.1.10) | com_languages (3.0.0) | com_redirect (3.0.0) | com_checkin (3.0.0) | JiFile (2.3) | com_finder (3.0.0) | com_rseventspro (1.0.0) | com_templates (3.0.0) | com_admin (3.0.0) | com_easybookreloaded (2.5-5) | com_newsfeeds (3.0.0) | com_login (3.0.0) | com_postinstall (3.2.0) | Doc Indexer (1.5.0) | com_menus (3.0.0) | com_banners (3.0.0) | com_joomlaupdate (3.0.0) | com_pbbooking (2.4.0.4) | com_media (3.0.0) | templateck (2.1.11) | jDownloads (1.9.2.3 Beta) | com_jfusion (1.8.0-000) | jfusion Language Package de-DE (1.8) | com_cbprofilepro (4.0.0) | com_content (3.0.0) | com_config (3.0.0) | Spider FAQ (1.3) | com_seminarman (2.8.1) | com_ajax (3.2.0) | AcyMailing (4.9.3) | AcyMailing : (auto)Subscribe d (4.9.3) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Template Class Repl (4.9.3) | AcyMailing Tag : Insert a Modu (4.9.3) | AcyMailing : Handle Click trac (4.9.3) | AcyMailing Tag : Manage the Su (4.9.3) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Joomla User I (4.9.3) | AcyMailing : Handle Click trac (4.9.3) | AcyMailing Manage text (1.0.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Module (3.7.0) | AcyMailing Tag : Date / Time (4.9.3) | AcyMailing Tag : VirtueMart in (4.9.3) | AcyMailing Geolocation : Tag a (4.9.3) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : Subscriber in (4.9.3) | AcyMailing: override Joomla ma (4.9.3) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing Editor (4.9.3) | AcyMailing : Inbox actions (4.9.3) | AcyMailing Tag : Website links (3.7.0) | AcyMailing : share on social n (1.0.0) | com_plugins (3.0.0) | com_phocamaps (3.0.0 Beta) | com_cpanel (3.0.0) | plg_kunena_gravatar (3.0.5) | plg_kunena_kunena (3.0.5) | plg_finder_kunena (3.0.5) | plg_kunena_joomla (3.0.5) | plg_kunena_comprofiler (3.0.5) | plg_kunena_uddeim 
(3.0.5) | plg_kunena_community (3.0.5) | plg_kunena_finder (3.0.5) | plg_kunena_alphauserpoints (3.0.5) | mod_kunenamenu (3.0.5) | plg_system_kunena (-) | com_kunena (3.0.5) | com_installer (3.0.0) | JCE (2.3.4.4) | Unknown (-) | com_users (3.0.0) | com_categories (3.0.0) | comprofiler (1.9.1) | comprofiler (1.9.1) | com_search (3.0.0) | com_tags (3.1.0) | com_contenthistory (3.2.0) | com_messages (3.0.0) | uddeIM (3.4) |

Modules :: SITE :: mod_articles_categories (3.0.0) | MOD_RSEVENTSPRO_ATTENDEES (1.0) | mod_related_items (3.0.0) | JFusion Login Module (1.8.0-000) | Sj Basic News (3.0) | JEvents Legend (3.0.13) | uddeIM Notifier (3.4) | CB Online (1.9) | mod_accordionfaq (3.0.4) | JFusion Activity Module (1.8.0-000) | mod_weblinks (3.0.0) | mod_tags_similar (3.1.0) | JFusion User Activity Module (1.8.0-000) | mod_tags_popular (3.1.0) | CB Login (1.9.1) | News Show SP2 (2.9) | mod_whosonline (3.0.0) | mod_wrapper (3.0.0) | DB Show (0.9) | mod_custom (3.0.0) | mod_articles_category (3.0.0) | Spider FAQ Lite (2.2.1) | mod_sw_kbirthday (1.9.0) | mod_syndicate (3.0.0) | mod_articles_archive (3.0.0) | mod_finder (3.0.0) | mod_articles_latest (3.0.0) | AcyMailing Module (3.7.0) | mod_seminarman_schedule (1.1.3) | mod_languages (3.0.0) | CB Workflows (1.9.1) | JEvents View Switcher (3.0.13) | MOD_DB8SITELASTMODIFIED (2.6) | MOD_VISITORCOUNTER (3-3) | JEvents Calendar (3.0.13) | mod_matukio (2.1.10) | mod_footer (3.0.0) | Notice board general (1.02) | mod_search (3.0.0) | mod_random_image (3.0.0) | Susnet Facebook Like Box (1.0.7) | mod_menu (3.0.0) | Birthday List (1.0.0) | Freetobook Widget (1.0.0) | MOD_SEMINARMAN_CALENDAR (1.0.7) | mod_stats (3.0.0) | mod_articles_news (3.0.0) | JEvents Filter (3.0.13) | Planyo.com online reservation (2.3) | MyPuzzle Sudoku (1.1.0) | Latest JEvents (3.0.13) | mod_feed (3.0.0) | mod_banners (3.0.0) | JFusion Whos Online Module (1.8.0-000) | mod_users_latest (3.0.0) | mod_breadcrumbs (3.0.0) | mod_articles_popular (3.0.0) |
Modules :: ADMIN :: mod_toolbar (3.0.0) | mod_logged (3.0.0) | mod_multilangstatus (3.0.0) | mod_ccc_matukio_overview (2.1.10) | mod_ccc_matukio_newsfeed (2.1.10) | mod_stats_admin (3.0.0) | mod_quickicon (3.0.0) | mod_custom (3.0.0) | mod_status (3.0.0) | mod_login (3.0.0) | mod_latest (3.0.0) | mod_title (3.0.0) | mod_submenu (3.0.0) | mod_ccc_matukio_icons (2.1.10) | mod_menu (3.0.0) | mod_version (3.0.0) | mod_feed (3.0.0) | mod_ccc_matukio_update (2.1.10) | mod_ccc_matukio_promotion (2.1.10) | mod_popular (3.0.0) | MOD_VISITORCOUNTER_BACKEND_INF (3-3) |

Plugins :: SITE :: plg_editors-xtd_article (3.0.0) | plg_editors-xtd_image (3.0.0) | PLG_EDITORS-XTD_TOOLTIPS (3.7.9FREE) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_vouchbutton (-) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_cbppmagicwindo (1.1.0) | plg_search_seminarman_categori (1.0.3) | plg_search_weblinks (3.0.0) | plg_search_seminarman_courses (1.0.3) | Search - JEvents (3.0.13) | Search - JiFile (2.1) | plg_search_seminarman_tutors (1.0.3) | plg_search_content (3.0.0) | plg_search_contacts (3.0.0) | Search - Doc Indexer (1.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_search_categories (3.0.0) | plg_system_logout (3.0.0) | RSEvents!Pro Offline payment (1.0.0) | plg_system_p3p (3.0.0) | AcyMailing: override Joomla ma (4.9.3) | plg_system_languagefilter (3.0.0) | plg_system_kunena (3.0.5) | PLG_SYSTEM_TOOLTIPS (3.7.9FREE) | Hikashop - VirtueMart Fallback (1.0.0) | System - RSEvents!Pro PDF plug (1.3.0) | AcyMailing : (auto)Subscribe d (4.9.3) | plg_system_jdownloads (2.5) | System - Perfect Joomla! 
3 Use (1.8) | PLG_SYSTEM_JQUERYEASY (1.5.5) | plg_system_debug (3.0.0) | plg_system_sef (3.0.0) | plg_system_remember (3.0.0) | eorisis_jquery (1.2.2) | plg_system_redirect (3.0.0) | plg_system_highlight (3.0.0) | AcyMailing : Handle Click trac (4.9.3) | System - Google Analytics (4.6.1) | plg_system_languagecode (3.0.0) | plg_system_log (3.0.0) | plg_system_cache (3.0.0) | PLG_SYSTEM_NNFRAMEWORK (15.1.2) | plg_kunena_alphauserpoints (3.0.5) | plg_kunena_comprofiler (3.0.5) | plg_kunena_kunena (3.0.5) | plg_kunena_joomla (3.0.5) | plg_kunena_community (3.0.5) | plg_kunena_uddeim (3.0.5) | plg_kunena_gravatar (3.0.5) | My courses (0.1) | Teacher courses (0.1) | Unknown (-) | RSEvents!Pro - JomSocial plugi (1.0) | plg_finder_jevents (3.0.13) | plg_finder_weblinks (3.0.0) | plg_finder_content (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_categories (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_gmail (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_captcha_recaptcha (3.0.0) | OSG Seminarman Advanced Bookin (1.4RC4) | plg_seminarman_pdflist (1.0.2) | plg_seminarman_smanprices (1.2.1) | plg_editors_jce (2.3.4.4) | plg_editors_codemirror (3.15) | AcyMailing Editor (4.9.3) | plg_editors_tinymce (4.1.2) | plg_content_loadmodule (3.0.0) | plg_content_vote (3.0.0) | plg_content_joomla (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_finder (3.0.0) | Content - Load Spider FAQ (1.3) | plg_content_vouchnote (1.0) | Include Content Item (3.0.12) | plg_content_pagebreak (3.0.0) | GJFields - a set of additional (1.0.27) | PLG_CONTENT_AUTOREADMORE_TITLE (4.0.7) | plg_content_emailcloak (3.0.0) | plg_installer_webinstaller (1.0.5) | plg_quickicon_kunena (3.0.5) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.3.4.4) | AcyMailing 
Tag : content inser (3.7.0) | AcyMailing Tag : Date / Time (4.9.3) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : Joomla User I (4.9.3) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing Tag : Subscriber in (4.9.3) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : VirtueMart in (4.9.3) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Geolocation : Tag a (4.9.3) | AcyMailing : Inbox actions (4.9.3) | AcyMailing table of contents g (1.0.0) | AcyMailing : Handle Click trac (4.9.3) | AcyMailing Tag : Manage the Su (4.9.3) | AcyMailing Template Class Repl (4.9.3) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Insert a Modu (4.9.3) | plg_extension_joomla (3.0.0) | plg_user_joomla (3.0.0) | plg_user_seminarman (1.0.6) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: protostar (1.0) | Cleanlogic-for-Joomla-3.X (1.2) | beez3 (3.1.0) | templatecreatorck (1.0.0) | clubys (3.0) | darland (2.5.0) | Clever (3.1) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: hacked joomla, how to use olde backup and add other things from new

Post by ribo » Tue May 24, 2016 3:30 pm

As I saw in the FPA results, the Joomla update might not have completed well.
So the first issue that you must change is Max. Upload Size: 2M | Max. POST Size: 8M
Put in php.ini
upload_max_filesize = 30M
post_max_size = 30M
Second, give your folders 755 permissions, files 644 and configuration.php 444.
After that, restore your backup and try to update again. Please read the guide carefully: https://docs.joomla.org/J3.x:Upgrading_ ... 4.x_to_3.5
When the Joomla update has succeeded and you have also hit the Fix button of Database and the Discover button, then update your third-party extensions as well.
chat room spontes : http://www.spontes.com
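
A check for the permission scheme given in the post above (folders 755, files 644, configuration.php 444), as an added example that is not part of the original thread. The sample tree and its file names are constructed; the 640 mode on configuration.php mirrors the value one of the FPA reports in this thread shows.

```python
import os
import stat

# Scheme from the post above: folders 755, files 644, configuration.php 444.
DIR_MODE = 0o755
FILE_MODE = 0o644
SPECIAL_FILES = {"configuration.php": 0o444}  # matched at the site root only


def audit_permissions(site_root):
    """Return sorted (path, actual, expected, note) tuples for every entry
    below site_root whose mode differs from the scheme above."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(site_root):
        entries = [(n, True) for n in dirnames] + [(n, False) for n in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode says nothing about its target
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            expected = DIR_MODE if is_dir else SPECIAL_FILES.get(rel, FILE_MODE)
            if actual == expected:
                continue
            if actual & stat.S_IWOTH:
                note = "world-writable"
            elif actual & stat.S_IWGRP:
                note = "group-writable"
            else:
                note = "differs"
            findings.append((rel, oct(actual), oct(expected), note))
    return sorted(findings)


def build_sample_site(root):
    """Create a small constructed tree with three deliberate deviations."""
    file_modes = {
        "configuration.php": 0o640,          # should be 444 under the scheme
        "index.php": 0o644,
        "images/banner.jpg": 0o666,          # world-writable file
        "templates/protostar/index.php": 0o644,
    }
    dir_modes = {"images": 0o777, "templates": 0o755, "templates/protostar": 0o755}
    for rel, mode in file_modes.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(full, mode)
    for rel, mode in dir_modes.items():
        os.chmod(os.path.join(root, rel), mode)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, actual, expected, note in audit_permissions(tmp):
            print(f"{rel}: {actual} (expected {expected}) {note}")
```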

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Tue May 24, 2016 3:37 pm

I'm sorry, somehow I pasted the old FPA.

Here is the new one
Forum Post Assistant (v1.2.7) : 24th May 2016 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.5.1-Stable (Unicorn) 05-April-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (640) | Owner: vu2073 (uid: 1/gid: 1) | Group: vu2073 (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.2.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.2.22 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/virtual/shiatsu-austria.at/htdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.45-0+deb7u2 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/virtual/shiatsu-austria.at/:/usr/share/php/:/dev/random:/dev/urandom | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.49-0+deb7u1 (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 55.38 MiB | #of Tables:  317
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.45-0+deb7u2) | date (5.4.45-0+deb7u2) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | json (1.2.1) | mbstring () | session () | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | standard (5.4.45-0+deb7u2) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.1) | exif (1.4 $Id: 05041c5f0094cb46d9b516bd624d593b90cc38f9 $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | PDO (1.0.4dev) | curl () | gd () | imap () | intl (1.1.0) | mcrypt () | memcached (2.0.1) | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | imagick (3.1.0RC1) | mhash () | ionCube Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | WF_ARTICLE_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_ANCHOR_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_AUTOSAVE_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_LINK_SEARCH_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | CB Mambo Author Tab (1.2) | AcyMailing CB Plugin (1.2) | Yanc Integration (1.2) | CB Mamblog Tab (1.2) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_weblinks (3.5.0) | JEvents (3.0.13) | Admintools (3.8.3) | com_modules (3.0.0) | Notice board (1.0) | com_cache (3.0.0) | JE Testimonial (3.0.2) | COM_MATUKIO (2.1.10) | com_languages (3.0.0) | com_redirect (3.0.0) | com_checkin (3.0.0) | JiFile (2.3) | com_finder (3.0.0) | com_rseventspro (1.0.0) | com_templates (3.0.0) | com_admin (3.0.0) | com_easybookreloaded (2.5-5) | com_newsfeeds (3.0.0) | com_login (3.0.0) | com_postinstall (3.2.0) | Doc Indexer (1.5.0) | com_menus (3.0.0) | com_banners (3.0.0) | com_joomlaupdate (3.0.0) | com_pbbooking (2.4.0.4) | com_media (3.0.0) | templateck (2.1.11) | jDownloads (1.9.2.3 Beta) | com_jfusion (1.8.0-000) | jfusion Language Package de-DE (1.8) | com_cbprofilepro (4.0.0) | com_content (3.0.0) | com_config (3.0.0) | Akeeba (4.7.2) | Spider FAQ (1.3) | com_seminarman (2.8.1) | com_ajax (3.2.0) | AcyMailing (4.9.3) | AcyMailing : (auto)Subscribe d (4.9.3) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Template Class Repl (4.9.3) | AcyMailing Tag : Insert a Modu (4.9.3) | AcyMailing : Handle Click trac (4.9.3) | AcyMailing Tag : Manage the Su (4.9.3) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Joomla User I (4.9.3) | AcyMailing : Handle Click trac (4.9.3) | AcyMailing Manage text (1.0.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Module (3.7.0) | AcyMailing Tag : Date / Time (4.9.3) | AcyMailing Tag : VirtueMart in (4.9.3) | AcyMailing Geolocation : Tag a (4.9.3) | AcyMailing table of contents g (1.0.0) | AcyMailing Tag : Subscriber in (4.9.3) | AcyMailing: override Joomla ma (4.9.3) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing Editor (4.9.3) | AcyMailing : Inbox actions (4.9.3) | AcyMailing Tag : Website links (3.7.0) | AcyMailing : share on social n (1.0.0) | com_plugins (3.0.0) | com_phocamaps (3.0.0 Beta) | com_cpanel (3.0.0) | plg_kunena_gravatar (3.0.5) | plg_kunena_kunena (3.0.5) | plg_finder_kunena (3.0.5) | plg_kunena_joomla (3.0.5) | 
plg_kunena_comprofiler (3.0.5) | plg_kunena_uddeim (3.0.5) | plg_kunena_community (3.0.5) | plg_kunena_finder (3.0.5) | plg_kunena_alphauserpoints (3.0.5) | mod_kunenamenu (3.0.5) | plg_system_kunena (-) | com_kunena (3.0.5) | com_installer (3.0.0) | JCE (2.3.4.4) | Unknown (-) | com_users (3.0.0) | com_categories (3.0.0) | comprofiler (1.9.1) | comprofiler (1.9.1) | com_search (3.0.0) | com_tags (3.1.0) | com_contenthistory (3.2.0) | com_messages (3.0.0) | uddeIM (3.4) |

Modules :: SITE :: mod_articles_categories (3.0.0) | MOD_RSEVENTSPRO_ATTENDEES (1.0) | mod_related_items (3.0.0) | JFusion Login Module (1.8.0-000) | Sj Basic News (3.0) | JEvents Legend (3.0.13) | uddeIM Notifier (3.4) | CB Online (1.9) | mod_accordionfaq (3.0.4) | JFusion Activity Module (1.8.0-000) | mod_weblinks (3.5.0) | mod_tags_similar (3.1.0) | JFusion User Activity Module (1.8.0-000) | mod_tags_popular (3.1.0) | CB Login (1.9.1) | News Show SP2 (2.9) | mod_whosonline (3.0.0) | mod_wrapper (3.0.0) | DB Show (0.9) | mod_custom (3.0.0) | mod_articles_category (3.0.0) | Spider FAQ Lite (2.2.1) | mod_sw_kbirthday (1.9.0) | mod_syndicate (3.0.0) | mod_articles_archive (3.0.0) | mod_login (3.0.0) | mod_finder (3.0.0) | mod_articles_latest (3.0.0) | AcyMailing Module (3.7.0) | mod_seminarman_schedule (1.1.3) | mod_languages (3.0.0) | CB Workflows (1.9.1) | JEvents View Switcher (3.0.13) | MOD_DB8SITELASTMODIFIED (2.6) | MOD_VISITORCOUNTER (3-3) | JEvents Calendar (3.0.13) | mod_matukio (2.1.10) | mod_footer (3.0.0) | Notice board general (1.02) | mod_search (3.0.0) | mod_random_image (3.0.0) | Susnet Facebook Like Box (1.0.7) | mod_menu (3.0.0) | Birthday List (1.0.0) | Freetobook Widget (1.0.0) | MOD_SEMINARMAN_CALENDAR (1.0.7) | mod_stats (3.0.0) | mod_articles_news (3.0.0) | JEvents Filter (3.0.13) | Planyo.com online reservation (2.3) | MyPuzzle Sudoku (1.1.0) | Latest JEvents (3.0.13) | mod_feed (3.0.0) | mod_banners (3.0.0) | JFusion Whos Online Module (1.8.0-000) | mod_users_latest (3.0.0) | mod_breadcrumbs (3.0.0) | mod_articles_popular (3.0.0) |
Modules :: ADMIN :: mod_toolbar (3.0.0) | mod_logged (3.0.0) | mod_multilangstatus (3.0.0) | mod_ccc_matukio_overview (2.1.10) | mod_ccc_matukio_newsfeed (2.1.10) | mod_stats_admin (3.0.0) | mod_quickicon (3.0.0) | mod_custom (3.0.0) | mod_status (3.0.0) | mod_login (3.0.0) | mod_latest (3.0.0) | mod_title (3.0.0) | mod_submenu (3.0.0) | mod_ccc_matukio_icons (2.1.10) | mod_menu (3.0.0) | mod_version (3.0.0) | mod_feed (3.0.0) | mod_ccc_matukio_update (2.1.10) | mod_ccc_matukio_promotion (2.1.10) | mod_popular (3.0.0) | MOD_VISITORCOUNTER_BACKEND_INF (3-3) |

Plugins :: SITE :: plg_editors-xtd_article (3.0.0) | plg_editors-xtd_image (3.0.0) | PLG_EDITORS-XTD_TOOLTIPS (3.7.9FREE) | plg_editors-xtd_module (3.5.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_vouchbutton (-) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_cbppmagicwindo (1.1.0) | plg_search_seminarman_categori (1.0.3) | plg_search_weblinks (3.5.0) | plg_search_seminarman_courses (1.0.3) | Search - JEvents (3.0.13) | Search - JiFile (2.1) | plg_search_seminarman_tutors (1.0.3) | plg_search_content (3.0.0) | plg_search_contacts (3.0.0) | Search - Doc Indexer (1.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_search_categories (3.0.0) | plg_system_updatenotification (3.5.0) | System - Admin Tools (3.8.3) | plg_system_logout (3.0.0) | RSEvents!Pro Offline payment (1.0.0) | plg_system_p3p (3.0.0) | AcyMailing: override Joomla ma (4.9.3) | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) | plg_system_languagefilter (3.0.0) | plg_system_kunena (3.0.5) | PLG_SYSTEM_TOOLTIPS (3.7.9FREE) | Hikashop - VirtueMart Fallback (1.0.0) | System - RSEvents!Pro PDF plug (1.3.0) | AcyMailing : (auto)Subscribe d (4.9.3) | plg_system_jdownloads (2.5) | plg_system_stats (3.5.0) | System - Perfect Joomla! 
3 Use (1.8) | PLG_SYSTEM_JQUERYEASY (1.5.5) | plg_system_debug (3.0.0) | plg_system_sef (3.0.0) | plg_system_remember (3.0.0) | eorisis_jquery (1.2.2) | plg_system_redirect (3.0.0) | plg_system_highlight (3.0.0) | AcyMailing : Handle Click trac (4.9.3) | System - Google Analytics (4.6.1) | plg_system_languagecode (3.0.0) | plg_system_log (3.0.0) | plg_system_cache (3.0.0) | PLG_SYSTEM_NNFRAMEWORK (15.1.2) | plg_kunena_alphauserpoints (3.0.5) | plg_kunena_comprofiler (3.0.5) | plg_kunena_kunena (3.0.5) | plg_kunena_joomla (3.0.5) | plg_kunena_community (3.0.5) | plg_kunena_uddeim (3.0.5) | plg_kunena_gravatar (3.0.5) | My courses (0.1) | Teacher courses (0.1) | Unknown (-) | RSEvents!Pro - JomSocial plugi (1.0) | plg_finder_jevents (3.0.13) | plg_finder_weblinks (3.5.0) | plg_finder_content (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_categories (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_gmail (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_captcha_recaptcha (3.4.0) | OSG Seminarman Advanced Bookin (1.4RC4) | plg_seminarman_pdflist (1.0.2) | plg_seminarman_smanprices (1.2.1) | plg_editors_jce (2.3.4.4) | plg_editors_codemirror (5.12) | AcyMailing Editor (4.9.3) | plg_editors_tinymce (4.3.3) | plg_content_loadmodule (3.0.0) | plg_content_vote (3.0.0) | plg_content_joomla (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_finder (3.0.0) | Content - Load Spider FAQ (1.3) | plg_content_vouchnote (1.0) | Include Content Item (3.0.12) | plg_content_pagebreak (3.0.0) | GJFields - a set of additional (1.0.27) | PLG_CONTENT_AUTOREADMORE_TITLE (4.0.7) | plg_content_emailcloak (3.0.0) | plg_installer_webinstaller (1.0.5) | plg_quickicon_kunena (3.0.5) | plg_quickicon_akeebabackup (1.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | 
plg_quickicon_jcefilebrowser (2.3.4.4) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Date / Time (4.9.3) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : Joomla User I (4.9.3) | AcyMailing Tag : CB User infor (3.7.1) | AcyMailing Tag : Subscriber in (4.9.3) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : VirtueMart in (4.9.3) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Geolocation : Tag a (4.9.3) | AcyMailing : Inbox actions (4.9.3) | AcyMailing table of contents g (1.0.0) | AcyMailing : Handle Click trac (4.9.3) | AcyMailing Tag : Manage the Su (4.9.3) | AcyMailing Template Class Repl (4.9.3) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Insert a Modu (4.9.3) | plg_extension_joomla (3.0.0) | plg_user_joomla (3.0.0) | plg_user_seminarman (1.0.6) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: protostar (1.0) | Cleanlogic-for-Joomla-3.X (1.2) | beez3 (3.1.0) | templatecreatorck (1.0.0) | clubys (3.0) | darland (2.5.0) | Clever (3.1) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: hacked joomla, how to use olde backup and add other things from new

Post by ribo » Tue May 24, 2016 6:26 pm

Please fix this first in your php.ini

Code:

upload_max_filesize = 30M
post_max_size = 30M

Then, if your update is corrupted, please restore your previous backup and update again after the changes that I told you to make in your php.ini
chat room spontes : http://www.spontes.com

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Wed May 25, 2016 8:48 am

Hello again,

I did that locally with XAMPP, and updated from 3.3.6 to 3.5.1 following the instructions from the link you gave me.
I repaired the DB and cleared the cache as well.

But unfortunately styles are missing, and I don't know how to diagnose what the problem could be.
When I inspect an element, for example the background, I see that the path to the CSS is the same, but the CSS files are different...
Before the update I have

Code:

body {
	margin: 0;
	font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
	font-size: 13px;
	line-height: 18px;
	color: #483d02;
	background-color: #fff;
	background-image: url('../../../images/schn23oerksel_c20dsm15y15.jpg');

and after the update it is just

Code:

body {
	margin: 0;
	font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
	font-size: 13px;
	line-height: 18px;
	color: #333;
	background-color: #fff;}

The template is Protostar.
Why did the update overwrite those files?

I can't imagine what else could be broken, and I don't know if it is smart to overwrite CSS, JS or whatever...


Also, links are different: for example, in the nav menu, if I click on Home, before the update it is without index.php, after the update it is with index.php.

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: hacked joomla, how to use olde backup and add other things from new

Post by ribo » Wed May 25, 2016 10:16 am

Please go to Global Configuration - Error Reporting, set it to Maximum or Development, and tell me if you see any errors.
Also go to Extensions - Manage - Database and check there whether a fix is needed.
Also try clearing the browser cache.
chat room spontes : http://www.spontes.com

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Wed May 25, 2016 10:45 am

Hello, I changed it to maximum, and now on the homepage I have more than 10 links like
C:\xampp\htdocs\shiatsuclean1\plugins\content\vouchnote\vouchnote.php on line 125
C:\xampp\htdocs\shiatsuclean1\modules\mod_susnet_likebox\mod_susnet_likebox.php on line 18

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: hacked joomla, how to use olde backup and add other things from new

Post by ribo » Wed May 25, 2016 11:03 am

Can you disable this plugin and this module, or check if they need an update? Or do any of your third-party extensions need an update?
chat room spontes : http://www.spontes.com

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Wed May 25, 2016 11:25 am

Hello, I updated everything, and the error is still on the homepage.
I disabled that module and that plugin, and the error disappeared.

I checked for these errors on the site that I did not update, and the errors are there as well...


What about the theme and styles?
Joomla updated the Protostar theme as well, and overwrote the CSS and maybe something more...

Can I just copy the old protostar folder and overwrite the new one? I did that already, and everything looks OK, but I don't know whether that is the correct way.

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: hacked joomla, how to use olde backup and add other things from new

Post by ribo » Wed May 25, 2016 11:52 am

Copy the CSS files from your backup that you changed, but the best option is to use overrides so that you do not have such issues with Joomla updates: https://www.ostraining.com/support-foru ... plate-css/
chat room spontes : http://www.spontes.com

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Wed May 25, 2016 5:29 pm

Thank you ribo, you helped me very much!!!!
I compared those two CSS files, took out the differences and put them in the override CSS.
I did not need to change index.php; I just named that CSS file user.css and put it in the same folder as the main Protostar CSS.

Now everything looks fine.
I only need to find the best plugins for future protection.

And to see whether I need to delete inactive plugins and modules.

Thank you again!

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Re: hacked joomla, how to use olde backup and add other things from new

Post by ribo » Wed May 25, 2016 6:32 pm

If you are finished, don't forget to delete FPA from your root folder.
chat room spontes : http://www.spontes.com

darb
Joomla! Hero
Posts: 2038
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: hacked joomla, how to use olde backup and add other things from new

Post by darb » Sun May 29, 2016 8:25 am

And never install pirated 3:pds....

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Sun May 29, 2016 9:26 am

What is pirated 3:pds? :)
Do we have it installed?

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Mon May 30, 2016 9:50 am

Hello,

malware is back again :/
https://www.virustotal.com/en/file/fdd0 ... /analysis/

These are the results for the corrupted index.php of the Protostar template.

If I already did everything I said I did... cleaned all files, scanned the DB with VirusTotal, how is it possible to change index.php if the permissions of that file are 644?

I'm totally confused now....


Can some backend user change this file? I see that he has almost 150 users, but only 5 administrators/superusers

What can I do next?
I see in yesterday's backup that the file was not infected.

darb
Joomla! Hero
Posts: 2038
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: hacked joomla, how to use olde backup and add other things from new

Post by darb » Mon May 30, 2016 10:05 am

You have a back door that is installed by your ftp programme in a hidden file bcs of pirated 3:pds? :)

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Mon May 30, 2016 11:33 am

OK, can you describe to me what file bcs and pirated 3:pds are?

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Wed Jun 01, 2016 9:15 am

Why can't I post something about joomscan.pl and the results I got?

I got error 403

CoyoteKG
Joomla! Apprentice
Posts: 22
Joined: Thu May 19, 2016 7:46 am

Re: hacked joomla, how to use olde backup and add other things from new

Post by CoyoteKG » Sat Jun 04, 2016 9:01 am

I uploaded the site again, a cleaned version. I hope it is clean now...
I installed the SecurityCheck Pro extension, and this morning the firewall blocked and deleted some magic.php file.

I found this magic.php earlier in the previous hacked version, and I deleted it... And this JCE plugin is a hole.

I don't want to paste this code, so here is the picture.
jce.JPG
I hope that this was the reason from the beginning, and that if I delete this JCE file I am finished with the last problem.
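
The comparison the poster describes in the last posts (yesterday's backup clean, the Protostar index.php changed, a magic.php appearing), as an added example that is not part of the original thread: it hashes a known-clean backup and the live site and lists modified and added files, scripts first. Mode 644 still lets the file's owner write to it, so the check compares content rather than permissions; the file locations and contents below are constructed.

```python
import hashlib
import os

# Extensions treated as server-side scripts for triage (an assumption of this example).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pht", ".phar"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file's path relative to root to its SHA-256."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_trees(backup_root, live_root):
    """Diff the live site against the known-clean backup."""
    backup, live = snapshot(backup_root), snapshot(live_root)
    return {
        "modified": sorted(p for p in live if p in backup and backup[p] != live[p]),
        "added": sorted(p for p in live if p not in backup),
        "missing": sorted(p for p in backup if p not in live),
    }


def triage(report):
    """Changed or new server-side scripts: the files to inspect first."""
    return sorted(p for p in report["modified"] + report["added"]
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXTS)


def build_sample_trees(base):
    """Constructed backup/live pair: one altered template file, one new
    script, and one legitimate new stylesheet (user.css)."""
    backup = {
        "configuration.php": b"<?php // constructed config\n",
        "templates/protostar/index.php": b"<?php // clean template\n",
        "templates/protostar/css/template.css": b"body { color: #333; }\n",
    }
    live = dict(backup)
    live["templates/protostar/index.php"] = (
        b"<?php // clean template\n// constructed stand-in for injected code\n")
    live["templates/protostar/css/user.css"] = b"body { color: #483d02; }\n"
    live["images/magic.php"] = b"<?php // constructed stand-in for a dropped file\n"
    roots = {}
    for label, files in (("backup", backup), ("live", live)):
        roots[label] = os.path.join(base, label)
        for rel, data in files.items():
            full = os.path.join(roots[label], rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
    return roots["backup"], roots["live"]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        report = compare_trees(*build_sample_trees(tmp))
        print("inspect first:", triage(report))
        print("full report:", report)
```

Run against a real site, the first argument is an extracted backup known to predate the compromise; a file such as user.css shows up under "added" but not in the triage list because it is not a script.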