How to defend against a phishing virus

Discussion regarding Joomla! 3.x security issues.

sirram
Joomla! Intern
Posts: 71
Joined: Thu Jun 12, 2014 12:54 pm

Post by sirram » Mon Jul 25, 2016 2:36 pm

Hi,

My web site was recently hacked and a phishing virus inserted. The company that hosts my site kindly located and removed it for me.

Mine is a very simple site - just some pages of information, downloadable PDFs and a Contact form. There are no login forms, membership area or anything like that.

Could someone recommend a Joomla extension that would help protect against this happening again?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Post by mandville » Mon Jul 25, 2016 2:51 pm

How about you look at how and why it was hacked?
Please run and post the results to http://forum.joomla.org/viewtopic.php?f=621&t=582860
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

jack-herow
Joomla! Apprentice
Posts: 18
Joined: Mon Jul 25, 2016 10:49 am

Post by jack-herow » Mon Jul 25, 2016 3:17 pm

To secure the website, ensure the basics. Most hacks come down to the "classics":

- FTP password: Ensure you have a unique and secure password. Your website name is not a good password ;) Also recommended: change it from time to time.
- Same with admin passwords.
- Updates: The Joomla team is working hard, also on closing bugs and releasing security patches. Once that happens the "leak" is public and an update is needed. So keep your site up to date.
- A security plugin can open other security risks...
- A Trojan/virus on a computer that you use to administer the site can track your login data. So protecting your computer is a must, and do not log in from unknown machines!
- Most sites are not SSL protected. For that reason it is easy to sniff the network traffic and grab your login data. So if you administer the site from public LANs/WLANs, SSL is highly recommended. -> Same with FTP!

Post by sirram » Mon Jul 25, 2016 3:24 pm

Hi mandville,

Sorry, I didn't realise mine was a "Poor question".

My site got hacked and I was hoping someone on this forum might be able to advise on Joomla anti-virus defences (not my specialist field I'm afraid).

I can't tell you much about the virus. The company that hosts my web site were alerted to it by some software called Netcraft - which scans web sites and, in my case, detected a phishing virus on my site. I know nothing about phishing viruses I'm afraid, except I believe they are used by criminals trying to trick people into revealing confidential information.

The company that hosts my web site said the malevolent code was stored in a folder under .../web/Plugins/Content/...

They suspended my site and, while I was on the phone to them, they kindly removed the offending code. The site is now back up again but I can't tell you anything about the criminal's actual code as it is no longer there. I asked my hosting company how the criminal could have accessed my site. They suggested someone got lucky by blitzing the backend login with billions of different login permutations.

I was only asking this forum whether there is a recommended Joomla extension that (for example) works like an anti-virus program on a PC (i.e. that will do a regular scan and alert one to viruses)?
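
A regular scan of the kind asked about above can be done without an extension by comparing the site's files against a known-clean baseline. The following is an added example, not part of the original thread and not Joomla code; the list of data-only folders and all file names in the demo are assumptions or constructed samples.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these Joomla folders (all listed in an FPA report) hold media,
# cache and log data only, so PHP code appearing in them is suspect.
DATA_ONLY_DIRS = ("images/", "tmp/", "cache/", "logs/")
PHP_SUFFIXES = (".php", ".php5", ".phtml")


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline, current):
    """Report files added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    # New PHP files inside data-only folders deserve attention first.
    urgent = [p for p in added
              if p.lower().endswith(PHP_SUFFIXES)
              and p.startswith(DATA_ONLY_DIRS)]
    return {"added": added, "removed": removed,
            "changed": changed, "urgent": urgent}


def demo():
    """Run the check on a constructed miniature site tree."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "web")
        plugin = site / "plugins" / "content" / "emailcloak"
        plugin.mkdir(parents=True)
        (site / "images").mkdir()
        (plugin / "emailcloak.php").write_text("<?php // constructed clean file\n")
        (site / "images" / "poppies.jpg").write_bytes(b"constructed image bytes")

        # Baseline taken while the site is known to be clean. It goes through
        # JSON here because it should be stored away from the web server,
        # where an intruder cannot rewrite it.
        baseline = json.loads(json.dumps(snapshot(site)))

        # Constructed tampering: one new file and one modified file.
        (site / "images" / "loaded").mkdir()
        (site / "images" / "loaded" / "ebay.php").write_text("<?php // constructed\n")
        (plugin / "emailcloak.php").write_text("<?php // constructed, modified\n")

        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every Joomla or extension update legitimately changes many files, so the baseline has to be retaken right after each update.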

Post by sirram » Mon Jul 25, 2016 3:30 pm

Hi jack-herow,

Yours are all good points but (hopefully) none of them applies in my case. I'm the only administrator of my web site. Passwords are not simple and they do get changed. No-one knows them except me. The PC I use to login to my site's backend is on my home network. My PC is fully up to date with Windows Updates and, in all the time I have had it, has never had a virus. I scan it regularly.

JAVesey
Joomla! Hero
Posts: 2635
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Post by JAVesey » Mon Jul 25, 2016 4:11 pm

What Mandville meant was that in order to defend your site you need to know how the offending software was placed in your code.

It could either be because of a vulnerability in your code (an extension rather than Joomla itself most likely) or it could be that the server itself is insecure (could be another website on the same shared hosting platform providing the vulnerability).

You might end up deploying a solution which doesn't actually help you prevent a recurrence.

At the top of this Forum there is a link to using the FPA (Forum Post Assistant). Can you do this and post the results? It will give clues as to where the problem might be.

Also, I strongly recommend getting your site audited at myjoomla.com - the first audit is free - and this will help you understand things further too.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Post by sozzled » Mon Jul 25, 2016 5:58 pm

I will bet any money that the opportunity to successfully attack and corrupt this website is because @sirram was using an out-of-date version of Joomla and outdated Joomla extensions on the site. Just to be clear, hackers do not always need to know passwords to inject malware into vulnerable websites. If you keep your site software up-to-date you are less likely to have these kinds of problems in future.

Post by sirram » Mon Jul 25, 2016 7:27 pm

I have run the FPA (Forum Post Assistant). Results are as below. Please advise if I have inadvertently included any private information.

================================================================================
Problem Description :: Forum Post Assistant (v1.2.7) : 25th July 2016 wrote:
Trying to determine how my website was hacked with a phishing virus
Actions Taken To Resolve by Forum Post Assistant (v1.2.7) 25th July 2016 wrote:
Phishing Virus code has been removed from web site, but I still need to determine how it got there.
Forum Post Assistant (v1.2.7) : 25th July 2016 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.3.1-Stable (Ember) 11-June-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (644) | Owner: <email address removed> (uid: 1/gid: 1) | Group: group_389501 (gid: 1) | Valid For: 3.3
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: N/A | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.16.0-0.bpo.4-amd64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /www/sites/f78/44f/www.site.uk/web | System TMP Writable: Yes

PHP Configuration :: Version: 5.6.24 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 4177 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 1024M | Max. POST Size: 1024M | Max. Input Time: 50 | Max. Execution Time: 60 | Memory Limit: 256M

MySQL Configuration :: Version: 5.6.31 (Client:5.5.49) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 31.99 MiB | #of Tables: 115
Detailed Environment :: wrote:PHP Extensions :: Core (5.6.24) | date (5.6.24) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bcmath () | calendar () | ctype () | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | intl (1.1.0) | json (1.2.1) | mbstring () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | bz2 () | posix () | Reflection ($Id: fbcf7a77ca8e3d4cd7501de8025235b947b8240f $) | session () | shmop () | SimpleXML (0.1) | soap () | sockets () | standard (5.6.24) | exif (1.4 $Id: 5564de4b4a8fd6b32ae8bd44debf9f13b18c7768 $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | cgi-fcgi () | Phar (2.0.2) | curl () | dba () | gd () | imap () | mcrypt () | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | xmlrpc (0.51) | mhash () | ionCube Loader () | Zend Engine (2.6.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: WF_AGGREGATOR_VIMEO_TITLE (2.4.2) | WF_AGGREGATOR_VINE_TITLE (2.4.2) | WF_AGGREGATOR_[youtube]_TITLE (2.4.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.2) | WF_LINKS_JOOMLALINKS_TITLE (2.4.2) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.2) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.2) | WF_POPUPS_WINDOW_TITLE (2.4.2) | WF_LINK_SEARCH_TITLE (2.4.2) | WF_ANCHOR_TITLE (2.4.2) | WF_ARTICLE_TITLE (2.4.2) | WF_AUTOSAVE_TITLE (2.4.2) | WF_BROWSER_TITLE (2.4.2) | WF_CHARMAP_TITLE (2.4.2) | WF_CLEANUP_TITLE (2.4.2) | WF_CLIPBOARD_TITLE (2.4.2) | WF_CONTEXTMENU_TITLE (2.4.2) | WF_DIRECTIONALITY_TITLE (2.4.2) | WF_FONTCOLOR_TITLE (2.4.2) | WF_FONTSELECT_TITLE (2.4.2) | WF_FONTSIZESELECT_TITLE (2.4.2) | WF_FORMATSELECT_TITLE (2.4.2) | WF_FULLSCREEN_TITLE (2.4.2) | WF_IMGMANAGER_TITLE (2.4.2) | WF_INLINEPOPUPS_TITLE (2.4.2) | WF_KITCHENSINK_TITLE (2.4.2) | WF_LAYER_TITLE (2.4.2) | WF_LINK_TITLE (2.4.2) | WF_LISTS_TITLE (2.4.2) | WF_MEDIA_TITLE (2.4.2) | WF_NONBREAKING_TITLE (2.4.2) | WF_PREVIEW_TITLE (2.4.2) | WF_PRINT_TITLE (2.4.2) | WF_SEARCHREPLACE_TITLE (2.4.2) | WF_SOURCE_TITLE (2.4.2) | WF_SPELLCHECKER_TITLE (2.4.2) | WF_STYLE_TITLE (2.4.2) | WF_STYLESELECT_TITLE (2.4.2) | WF_TABLE_TITLE (2.4.2) | WF_TEXTCASE_TITLE (2.4.2) | WF_VISUALBLOCKS_TITLE (2.4.2) | WF_VISUALCHARS_TITLE (2.4.2) | WF_XHTMLXTRAS_TITLE (2.4.2) | com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_admin (3.0.0) | com_ajax (3.2.0) | com_banners (3.0.0) | com_cache (3.0.0) | com_categories (3.0.0) | com_checkin (3.0.0) | com_config (3.0.0) | com_content (3.0.0) | com_contenthistory (3.2.0) | com_cpanel (3.0.0) | com_finder (3.0.0) | com_installer (3.0.0) | JCE (2.4.2) | Unknown (-) | JiFile (2.3) | com_joaktree (1.5.1) | com_joomlaupdate (3.0.0) | com_languages (3.0.0) | com_login (3.0.0) | com_media (3.0.0) | com_menus (3.0.0) | com_messages (3.0.0) | com_modules (3.0.0) | com_newsfeeds (3.0.0) | com_phocagallery (4.1.1) | com_plugins (3.0.0) | com_postinstall (3.2.0) | com_redirect (3.0.0) | com_search (3.0.0) | com_tags (3.1.0) | com_templates (3.0.0) | com_users (3.0.0) | com_weblinks (3.0.0) |

Modules :: SITE :: mod_articles_archive (3.0.0) | mod_articles_categories (3.0.0) | mod_articles_category (3.0.0) | mod_articles_latest (3.0.0) | mod_articles_news (3.0.0) | mod_articles_popular (3.0.0) | mod_banners (3.0.0) | mod_breadcrumbs (3.0.0) | mod_custom (3.0.0) | mod_feed (3.0.0) | mod_finder (3.0.0) | mod_footer (3.0.0) | mod_languages (3.0.0) | mod_login (3.0.0) | mod_menu (3.0.0) | mod_random_image (3.0.0) | mod_related_items (3.0.0) | mod_search (3.0.0) | sigplus (1.4.2.17) | mod_stats (3.0.0) | mod_syndicate (3.0.0) | mod_tags_popular (3.1.0) | mod_tags_similar (3.1.0) | mod_users_latest (3.0.0) | mod_weblinks (3.0.0) | mod_whosonline (3.0.0) | mod_wrapper (3.0.0) |
Modules :: ADMIN :: mod_custom (3.0.0) | mod_feed (3.0.0) | mod_latest (3.0.0) | mod_logged (3.0.0) | mod_login (3.0.0) | mod_menu (3.0.0) | mod_multilangstatus (3.0.0) | mod_popular (3.0.0) | mod_quickicon (3.0.0) | mod_stats_admin (3.0.0) | mod_status (3.0.0) | mod_submenu (3.0.0) | mod_title (3.0.0) | mod_toolbar (3.0.0) | mod_version (3.0.0) |

Plugins :: SITE :: plg_authentication_cookie (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_ldap (3.0.0) | plg_captcha_recaptcha (3.0.0) | ContactUs Form (3.1.1) | plg_content_emailcloak (3.0.0) | plg_content_finder (3.0.0) | plg_content_geshi (3.0.0) | plg_content_joaktree (1.5.0) | plg_content_joomla (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_pagenavigation (3.0.0) | Content - Image gallery - sigp (1.4.2.17) | plg_content_vote (3.0.0) | plg_editors_codemirror (3.15) | plg_editors_jce (2.4.2) | plg_editors_tinymce (4.0.22) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editor-xtd_joaktree_link (1.5.0) | plg_editor-xtd_joaktree_map (1.5.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_extension_joomla (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_content (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_weblinks (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.4.2) | plg_quickicon_joomlaupdate (3.0.0) | plg_search_categories (3.0.0) | plg_search_contacts (3.0.0) | plg_search_content (3.0.0) | Search - JiFile (2.1) | plg_search_joaktree (1.5.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_search_weblinks (3.0.0) | plg_system_cache (3.0.0) | plg_system_debug (3.0.0) | plg_system_highlight (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_log (3.0.0) | plg_system_logout (3.0.0) | plg_system_p3p (3.0.0) | plg_system_redirect (3.0.0) | plg_system_remember (3.0.0) | plg_system_sef (3.0.0) | plg_twofactorauth_totp (3.2.0) | plg_twofactorauth_yubikey (3.2.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_installer_webinstaller (1.0.5) |
Templates Discovered :: wrote:Templates :: SITE :: beez3 (3.1.0) | marris (1.0) | protostar (1.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |
================================================================================
Last edited by mandville on Mon Jul 25, 2016 7:58 pm, edited 1 time in total.
Reason: Removed identification

ribo
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm

Post by ribo » Mon Jul 25, 2016 7:30 pm

Session Path Writable: No. This must be Yes. Tell your host to fix it.
Your Joomla is out of date. That is another reason that you've been hacked.
chat room spontes : http://www.spontes.com

Post by ribo » Mon Jul 25, 2016 7:37 pm

Also, here are the instructions on how to clean your website: http://forum.joomla.org/viewtopic.php?t=757645
chat room spontes : http://www.spontes.com

Post by jack-herow » Thu Jul 28, 2016 7:19 am

The session save path is not a problem with regard to being hacked. Joomla uses the database by default to save sessions anyway, so it's not a problem at the moment.

What I'm wondering about is the general PHP setup. Could you please put a phpinfo on your web server?

phpinfo is a file "phpinfo.php" with the following content:

<?php
phpinfo();
?>

Per Yngve Berg
Joomla! Master
Posts: 30892
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Post by Per Yngve Berg » Thu Jul 28, 2016 8:04 am

You don't have a .htaccess file. Rename htaccess.txt to .htaccess.

Post by sirram » Thu Jul 28, 2016 10:12 am

Will look at "phpinfo" later. Meanwhile, re: Joomla being out of date. I didn't realise this because, when I login to my web site's back-end, under "Joomla! Update", it says:

"No updates available"
"You already have the latest Joomla! version, 3.3.1."

Yet, on investigation, I can see that the true latest version is 3.6. I have raised a ticket with my web hosting company but, so far, they cannot see why I'm not being offered the update to 3.6.

I will next research how to grab the 3.6. release manually.

Post by mandville » Thu Jul 28, 2016 10:52 am

Clear all caches on your site. Then switch the update channel to another one and back again; that may force your site to redetect the correct update.
https://docs.joomla.org/J3.x:Updating_f ... ng_version
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by sirram » Thu Jul 28, 2016 2:50 pm

I'd have never guessed this - but "Clear cache" immediately revealed the hidden update to Joomla 3.6. So, I've just installed Joomla 3.6. The install worked fine - but:

Disaster!

Joomla 3.6 has corrupted the style of all my web pages. Everything has moved around and images have shrunk to about 100th of their original size (one can barely make them out at all). I had a nice winter scene on the home page and a selection of coats of arms on the other pages (i.e. this is a family history web site). I also had a wide-angle photo of poppies on my World War 1 page. All of these are now barely discernible at all.

The whole site looks ridiculous now. Menu items (e.g. Home, Overview, Contact etc) that I had running across the top of each page have all been moved to the left hand side. Ugly, ugly.

I also had a nice side panel on the right hand side of each page (It took me ages to achieve this.) But Joomla 3.6 has moved it to the very bottom of each web page - Visitors won't now see it unless they happen to scroll down to the bottom. Funnily enough, the coats of arms in the side-panel pages are still the correct size.

Not being a Joomla expert, I spent weeks getting the site how I wanted. That was a year or two ago and I'm now going to have to try and remember what I did.

How extremely annoying.

Post by Per Yngve Berg » Thu Jul 28, 2016 10:33 pm

It can be an issue with cached items from before the update. Clear your browser's cache.

Post by sirram » Thu Jul 28, 2016 11:05 pm

Same issue with different browsers and when browsing from someone else's PC.

Will investigate further. Doesn't make sense.

Post by JAVesey » Fri Jul 29, 2016 10:43 am

Are you using a site cache plugin?

If so then you need to clear the site cache as well as the browser cache.

Also, try switching the site template and then switching it back.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

Post by sozzled » Fri Jul 29, 2016 6:03 pm

This topic began with the question, "How to defend against a phishing virus" and I was probably correct when I wrote
sozzled wrote: I will bet any money that the opportunity to successfully attack and corrupt this website is because @sirram was using an out-of-date version of Joomla and outdated Joomla extensions on the site.
I assume that the original problem has been fixed.

The topic has now digressed into other matters concerning J! 3.6.0. These sorts of digressions are unhelpful to people who may be searching for how to deal with phishing attempts in sites that employed out-of-date versions of Joomla. Regardless of whether the upgrade to J! 3.6.0 caused other unrelated problems—about which @sirram has my most sincere sympathy—can we establish, once and for all, that the original question has been resolved as a result of upgrading to J! 3.6.0, please? If the original question has been resolved, this topic should now be closed and further discussion about the fall-out from the upgrade can be handled separately.

Post by sirram » Fri Jul 29, 2016 7:36 pm

As an amateur (i.e. someone just trying to build a family history web site), I don't think the question has been adequately answered. Joomla 3.3.1 is only two years old (released 11 Jun 2014) so is hardly antiquated. Was everyone else's site hacked in 2014 when they were on that version?

And, if so, what was the precise weakness that criminals were able to exploit?

I really am very grateful to everyone who has replied to my original question, but I am none the wiser as to how to protect my site from being hacked. That's because I don't know how the hacker (criminal) gained access in the first place. To say, "well it's because you were on an old version" is pretty vague.

I am the single administrator of my web site, my passwords are strong, the passwords are known only to me, and I maintain my website from a single PC on my home network. My PC has NEVER EVER had a virus. I scan it regularly and always make sure it is up to date with Windows Updates.

sozzled writes, "I will bet any money that the opportunity to successfully attack and corrupt this website is because @sirram was using an out-of-date version of Joomla and outdated Joomla extensions on the site."

But that doesn't actually explain how the criminal gained access. If someone could explain how, I could implement steps to prevent it - or at least run regular checks to look out for it.

Yes, Joomla 3.6 has wrecked my web site and, if I can't figure this out, I will raise it as a separate Topic.

I do think though that Joomla's security would benefit hugely from properly informing users when a new Joomla release is available. How on earth is one supposed to guess? My back-end was telling me that I was up-to-date. It was only after clicking on "Clear Cache" that the truth emerged. How obscure is that?

It does make me wonder how many others out there are running on out-of-date Joomla versions while, at the same time, seeing messages (as I was) that their version is up to date.

Post by sozzled » Fri Jul 29, 2016 8:17 pm

sirram wrote: As an amateur (i.e. someone just trying to build a family history web site), I don't think the question has been adequately answered. Joomla 3.3.1 is only two years old (released 11 Jun 2014) so is hardly antiquated. Was everyone else's site hacked in 2014 when they were on that version?
Answer: yes! In September/October last year there was a world-wide frenzy of attacks on all Joomla websites affecting all versions of Joomla earlier than J! 3.4.7. These exploits were stopped with the release of J! 3.4.7. We could debate the antiquatedness of J! 3.3.1 and, perhaps, not reach a consensus but the weight of evidence shows that that version was as vulnerable to attack as all versions earlier than J! 3.4.7 were likewise vulnerable. This was behind my reasoning in suggesting that an upgrade to J! 3.6.0 would address the vulnerability you experienced.

If you want to know what was the precise [SQL injection] vulnerability that was addressed nearly a year ago, it would not take too long to find this out by looking at the amount of discussion within this community at that time. Those of us who are active in the community are well aware of these kinds of problems. 8)

It's beside the point, however. To also claim that your PC or other operating environments have never been attacked is, perhaps, good fortune on your part. I've been involved in this industry for over 40 years and I have lost count of the number of times that the IT assets for which I was responsible were compromised from maliciously-intended sources. Again, this is also beside the point.

The matter that I want to confirm is whether the vulnerability that you mentioned in your opening post has now been closed. Has the phishing now stopped? Simple question: yes or no?

You're right, however, in saying that it makes us all wonder how many people are using out-of-date versions of Joomla. There are still people posting questions on this forum about unsupported versions of Joomla dating back to J! 1.x. It makes me wonder why people have not taken the time to address the matter of upgrading their sites. Of course, it's entirely their business why that happens just as it's my business to offer reasonable, evidence-based and supportive advice. Whether people choose to take my advice is, of course, an entirely different proposition.

So, returning to the topic (and leaving aside the other collateral damage caused by upgrading to J! 3.6.0), has the phishing been stopped?

Post by sirram » Fri Jul 29, 2016 8:59 pm

You write that, "It makes me wonder why people have not taken the time to address the matter of upgrading their sites."

You make it sound reckless, but I am trying to tell you that my site showed that my version of Joomla (i.e. 3.3.1) was UP TO DATE. It was only after clicking "Clear Cache" that I was shown it was out of date. Even someone like me with an IT background, and who is scrupulous in protecting his own PC, would never have guessed in a million years that my version of Joomla was out of date, especially as Joomla was telling me the COMPLETE OPPOSITE.

You then ask, "has the phishing been stopped?"

How can I tell? What do I run? I originally asked, "Could someone recommend a Joomla extension that would help protect against this happening again?"

That's still the question.

Post by sozzled » Fri Jul 29, 2016 9:31 pm

I cannot tell if the phishing has stopped on your website because it's not my website.

I can tell you this:
  1. I am subscribed to this forum and I receive (on a daily basis) news about the latest versions of Joomla and the latest security issues that people make us aware of.
  2. I am a member of a local Joomla User Group and we discuss the news about the latest versions of Joomla.
  3. I follow #joomla on Twitter to receive the latest news about Joomla
  4. I visit http://joomla.org on a regular basis to read about the latest news and releases of Joomla
  5. I make it my business to keep my websites up to date with the latest releases of Joomla
  6. I make it my business to protect my business from external threats (including, but not limited to, known vulnerabilities in Joomla)
  7. I keep in regular contact with foundation members of the Joomla community, attend and am involved with numerous forums, and
  8. I have had one or two of my Joomla sites "visited" by maliciously-intended sources (and therefore I am aware of the risks); I remain ever-vigilant to the possibility that these things can and do occur and I keep regular backups of my websites.
As far as your other problems concerning the wreckage caused by upgrading to J! 3.6.0 are concerned, I would ask that you raise each of those concerns separately in another topic (or topics). I'm sorry if I have sounded like a flea in your ear and I beg your pardon for my [apparently] unwelcome intrusion into your life. I sincerely wish you the best in your activities and I hope that your problems will soon be satisfactorily resolved. 8)

You've asked "what's the best defence against website attacks"? The best defence is vigilance—being alert and not becoming complacent. There is no single-bullet best defence but keeping your site up-to-date, having a good backup/insurance policy, following the news are all good ways to help prevent the possibility of future problems.

I'm sorry that you weren't informed that your software was made obsolete. These things happen and that's why it's possibly a good idea for people to use a requisite variety of means to obtain up-to-date information about what's happening around them.
Last edited by sozzled on Fri Jul 29, 2016 9:40 pm, edited 1 time in total.

Post by mandville » Fri Jul 29, 2016 9:36 pm

Your phishing symptom can possibly be seen as resolved from your logs. Is there an old file being called directly, e.g. site/images/loaded/ebay.php?
Updating the site and "wrecking" your template indicates you either have an unsupported template or an extension that is not J3.6 compatible. A recent example was an event extension whose developer admitted they "didn't have time to make it compatible" and left thousands of sites useless.
Any number of insecure extensions could have provided a route via many different methods to hack your site.
As you have been a member of the forum for two years I am sure you must have come across something in the news about Joomla updates and security.

/eof
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
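
The log check suggested in the post above (looking for a file "being called directly") can be automated. The following is an added example, not part of the original thread; it assumes Apache "combined" access logs and assumes that visitors of a stock Joomla 3 site only ever reach `/index.php` and `/administrator/index.php`, and every log line in it is constructed.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Script part of a path: everything up to the first segment with a PHP suffix,
# so "/index.php/overview" (SEF URL without rewriting) resolves to "/index.php".
SCRIPT_RE = re.compile(r'^(.*?\.(?:php\d?|phtml))(?:/|$)', re.IGNORECASE)

# Assumption: the only PHP entry points visitors should request directly.
ALLOWED_SCRIPTS = frozenset({"/index.php", "/administrator/index.php"})

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jul/2016:09:14:02 +0100] "GET /index.php/overview HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Jul/2016:09:14:05 +0100] "GET /images/coat-of-arms.png HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2016:10:02:41 +0100] "GET /images/loaded/ebay.php?id=1 HTTP/1.1" 200 15310 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2016:10:02:44 +0100] "POST /images/loaded/ebay.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jul/2016:11:30:00 +0100] "GET /plugins/content/placeholder/x.php HTTP/1.1" 404 209 "-" "curl/7.47"
192.0.2.10 - - [25/Jul/2016:12:00:00 +0100] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
""".splitlines()


def script_of(target):
    """Return the PHP script a request target resolves to, or None."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # Collapse "./", "../" and doubled slashes before comparing.
    path = "/" + posixpath.normpath(path).lstrip("/")
    match = SCRIPT_RE.match(path)
    return match.group(1) if match else None


def unexpected_php_requests(lines, allowed=ALLOWED_SCRIPTS):
    """List requests that hit a PHP script outside the allowed entry points."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        script = script_of(m["target"])
        if script is None or script in allowed:
            continue
        findings.append({"host": m["host"], "time": m["time"],
                         "method": m["method"], "script": script,
                         "status": int(m["status"])})
    return findings


def served_scripts(findings):
    """Count unexpected scripts the server actually answered with 2xx."""
    return Counter(f["script"] for f in findings if 200 <= f["status"] < 300)


if __name__ == "__main__":
    hits = unexpected_php_requests(SAMPLE_LOG)
    for script, count in served_scripts(hits).items():
        print(f"{count:4d} successful direct requests to {script}")
```

A 2xx status on an unexpected script means the file exists and was executed; a 404 means the file is not there, which after a clean-up is the result to look for on the old path.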

Post by sirram » Sat Jul 30, 2016 9:37 am

Thanks once again for your replies. I will follow up on all your suggestions.

