Joomla 3.6.5 site hacked

Discussion regarding Joomla! 3.x security issues.

rasheed23
Joomla! Fledgling
Posts: 1
Joined: Thu Feb 29, 2024 3:00 pm

Joomla 3.6.5 site hacked

Post by rasheed23 » Thu Feb 29, 2024 3:23 pm

Forum Post Assistant (v1.6.6) : 29-Feb-2024 wrote:
Problem Description ::
We have a problem with our Joomla 3.6.5 webpage. Someone inserts scripts into our files (most often in index.php) and then site visitors are redirected to some other sites. We restore the backup, but the attacks are periodically repeated. We have changed the FTP passwords but the problem is not solved. Today we were deleting some of the .bt files that shouldn't be there and that have a lot of IP addresses in them, but one of them keeps coming back after 30 seconds. We read that those .bt files are some malware that appears in WordPress, so they probably have that effect here as well. And we delete all redundant files when they occasionally appear. In some of the files, we find scripts that shouldn't exist there, so when we notice them, we restore the old correct ones in their place.
Basic Environment ::
Joomla! Instance :: Joomla! 3.6.5-Stable (Noether) 1-December-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.6.5: Yes | Database Supports J! 3.6.5: No | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 5.4.0-163-generic | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 562.77 GiB |

PHP Configuration :: Version: 5.6.40-68+ubuntu20.04.1+deb.sury.org+1 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

Database Configuration :: Version: 8.0.36-0ubuntu0.20.04.1 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Database Size: 18.92 MiB | #of Tables with config prefix:  90 | #of other Tables:  0 | User Privileges : GRANT ALL
Detailed Environment ::
PHP Extensions :: Core (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | date (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | filter (0.11.0) | hash (1.0) | pcntl () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | SPL (0.2) | session () | standard (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | cgi-fcgi () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | PDO (1.0.4dev) | xml () | calendar () | ctype () | dom (20031129) | mbstring () | fileinfo (1.0.5) | ftp () | gd () | gettext () | iconv () | intl (1.1.0) | json (1.2.1) | exif (1.4 $Id: cad29b729548e4206f0697710cc9e177f26fdff3 $) | mcrypt () | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | Phar (2.0.2) | posix () | pspell () | readline (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | shmop () | SimpleXML (0.1) | sockets () | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | mhash () | Zend OPcache (7.0.6-devFE) | Zend Engine (2.6.0) |
Potential Missing Extensions :: curl |

Switch User Environment :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 2216112 | Threads: 4 | Questions: 551564417 | Slow queries: 7957 | Opens: 21222110 | Flush tables: 3 | Open tables: 512 | Queries per second avg: 248.888 |
Extensions Discovered ::
Components :: Site ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_VISUALCHARS_TITLE (2.4.5) ? | WF_FONTCOLOR_TITLE (2.4.5) ? | WF_BROWSER_TITLE (2.4.5) ? | WF_NONBREAKING_TITLE (2.4.5) ? | WF_STYLESELECT_TITLE (2.4.5) ? | WF_SEARCHREPLACE_TITLE (2.4.5) ? | WF_AUTOSAVE_TITLE (2.4.5) ? | WF_FORMATSELECT_TITLE (2.4.5) ? | WF_CONTEXTMENU_TITLE (2.4.5) ? | WF_FULLSCREEN_TITLE (2.4.5) ? | WF_XHTMLXTRAS_TITLE (2.4.5) ? | WF_SPELLCHECKER_TITLE (2.4.5) ? | WF_TABLE_TITLE (2.4.5) ? | WF_IMGMANAGER_TITLE (2.4.5) ? | WF_LINK_TITLE (2.4.5) ? | WF_PRINT_TITLE (2.4.5) ? | WF_CLEANUP_TITLE (2.4.5) ? | WF_PREVIEW_TITLE (2.4.5) ? | WF_FONTSELECT_TITLE (2.4.5) ? | WF_TEXTCASE_TITLE (2.4.5) ? | WF_DIRECTIONALITY_TITLE (2.4.5) ? | WF_INLINEPOPUPS_TITLE (2.4.5) ? | WF_ANCHOR_TITLE (2.4.5) ? | WF_ARTICLE_TITLE (2.4.5) ? | WF_FONTSIZESELECT_TITLE (2.4.5) ? | WF_MEDIA_TITLE (2.4.5) ? | WF_VISUALBLOCKS_TITLE (2.4.5) ? | WF_STYLE_TITLE (2.4.5) ? | WF_SOURCE_TITLE (2.4.5) ? | WF_CHARMAP_TITLE (2.4.5) ? | WF_LAYER_TITLE (2.4.5) ? | WF_KITCHENSINK_TITLE (2.4.5) ? | WF_LISTS_TITLE (2.4.5) ? | WF_CLIPBOARD_TITLE (2.4.5) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.4.5) ? | WF_AGGREGATOR_VIMEO_TITLE (2.4.5) ? | WF_AGGREGATOR_VINE_TITLE (2.4.5) ? | WF_AGGREGATOR_[youtube]_TITLE (2.4.5) ? | WF_POPUPS_WINDOW_TITLE (2.4.5) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.5) ? | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.5) ? | WF_LINK_SEARCH_TITLE (2.4.5) ? | WF_LINKS_JOOMLALINKS_TITLE (2.4.5) ? |

Components :: Admin ::
Core :: com_menus (3.0.0) 1 | com_content (3.0.0) 1 | com_weblinks (3.0.0) 1 | com_ajax (3.2.0) 1 | com_plugins (3.0.0) 1 | com_banners (3.0.0) 1 | com_config (3.0.0) 1 | com_redirect (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_search (3.0.0) 1 | com_admin (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_modules (3.0.0) 1 | com_tags (3.1.0) 1 | com_media (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_cache (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_templates (3.0.0) 1 | com_login (3.0.0) 1 | com_users (3.0.0) 1 | com_checkin (3.0.0) 1 | com_languages (3.0.0) 1 |
3rd Party:: JCE (2.4.5) ? | com_proforms (1.5.5) 1 | COM_REDMIGRATOR (1.0.0) ? | COM_CONTENTMAP (1.3.5) 1 | COM_REDCORE (1.0.0) ? |

Modules :: Site ::
Core :: mod_search (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_stats (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_login (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_latest (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_weblinks (3.0.0) 1 |
3rd Party:: Hot Image Slider (3.1.1) 1 | mod_contentmap (1.3.5) 1 | MOD_SIMPLEBOX (0.1) 1 | RokAjaxSearch (2.0.3) 1 | Simple File Upload v1.3 (for Joomla (1.3) ? |

Modules :: Admin ::
Core :: mod_multilangstatus (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_title (3.0.0) 1 | mod_login (3.0.0) 1 | mod_status (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_version (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_latest (3.0.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party:: redCORE - Libraries (1.0.0) 1 |

Plugins ::
Core :: plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.0.5) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | Settings (1.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_highlight (3.0.0) 1 | plg_finder_weblinks (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_search_weblinks (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_contacts (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 |
3rd Party:: plg_quickicon_jcefilebrowser (2.4.5) 1 | plg_content_contentmap (1.3.5) 1 | PLG_SYSTEM_REDCORE (1.0.0) 1 | JA T3 Framework (2.7.1) 1 | plg_editors_jce (2.4.5) 1 | plg_editors_tinymce (4.4.3) 1 | plg_editors_codemirror (5.18.0) 1 |
Templates Discovered ::
Templates :: Site :: protostar (1.0) 1 | beez3 (3.1.0) 1 | ja_t3_blank (2.5.8) 1 |
Templates :: Admin :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by toivo on Thu Feb 29, 2024 10:11 pm, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability

AMurray
Joomla! Exemplar
Posts: 9747
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Joomla 3.6.5 site hacked

Post by AMurray » Thu Feb 29, 2024 9:52 pm

I'm curious as to why you have missed nine years of updates. Joomla v 3.6.5 was released in December 2016. My first advice is to update the site to 3.10.12 at minimum with a short term goal of migrating to 4.x or 5.x.

You're also running long out-of-date PHP 5.6; that may be the only 'backdoor' that hackers need.
If you want to remain with 3.10.x for the time being, you will need to subscribe to Extended Long Term Support to obtain ongoing updates until February 2025.

To address the hacking issue, I would advise you to try the Mysites.guru service, and run an audit of your site. The audit should find the issues you're having. Additionally you could seek advice from Phil Taylor who runs mysites.guru (noting this is a paid subscription service). The first site audit is free.

These configuration settings are also inadequate for more recent Joomla versions, so address the server issues before anything else.
FPA wrote:
PHP Configuration :: Version: 5.6.40-68+ubuntu20.04.1+deb.sury.org+1 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M
Regards - A Murray
General Support Moderator

Webdongle
Joomla! Master
Posts: 44097
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla 3.6.5 site hacked

Post by Webdongle » Fri Mar 01, 2024 12:16 am

When you have sorted your server specs please see viewtopic.php?f=714&t=946026
https://mysites.guru/free-site-audit-fo ... or-joomla/ is also worth looking at
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
