Forum Post Assistant (v1.6.6) : 29-Feb-2024 wrote:
Problem Description :: wrote:
We have a problem with our Joomla 3.6.5 webpage. Someone inserts scripts into our files (most often in index.php) and then site visitors are redirected to some other sites. We restore the backup, but the attacks are periodically repeated. We have changed the FTP passwords but the problem is not solved. Today we were deleting some of the .bt files that shouldn't be there and that have a lot of IP addresses in them, but one of them keeps coming back after 30 seconds. We read that those .bt files are some malware that appears in WordPress, so they probably have that effect here as well. And we delete all redundant files when they occasionally appear. In some of the files, we find scripts that shouldn't exist there, so when we notice them, we restore the old correct ones in their place.
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 3.6.5-Stable (Noether) 1-December-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.6.5: Yes | Database Supports J! 3.6.5: No | Database Credentials Present: Yes |
Host Configuration :: OS: Linux | OS Version: 5.4.0-163-generic | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 562.77 GiB |
PHP Configuration :: Version: 5.6.40-68+ubuntu20.04.1+deb.sury.org+1 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M
Database Configuration :: Version: 8.0.36-0ubuntu0.20.04.1 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Database Size: 18.92 MiB | #of Tables with config prefix: 90 | #of other Tables: 0 | User Privileges : GRANT ALL
Detailed Environment :: wrote:
PHP Extensions :: Core (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | date (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | filter (0.11.0) | hash (1.0) | pcntl () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | SPL (0.2) | session () | standard (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | cgi-fcgi () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | PDO (1.0.4dev) | xml () | calendar () | ctype () | dom (20031129) | mbstring () | fileinfo (1.0.5) | ftp () | gd () | gettext () | iconv () | intl (1.1.0) | json (1.2.1) | exif (1.4 $Id: cad29b729548e4206f0697710cc9e177f26fdff3 $) | mcrypt () | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | Phar (2.0.2) | posix () | pspell () | readline (5.6.40-68+ubuntu20.04.1+deb.sury.org+1) | shmop () | SimpleXML (0.1) | sockets () | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | mhash () | Zend OPcache (7.0.6-devFE) | Zend Engine (2.6.0) |
Potential Missing Extensions :: curl |
Switch User Environment :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |
Elevated Permissions (First 10) ::
Database Information :: wrote:
Database statistics :: Uptime: 2216112 | Threads: 4 | Questions: 551564417 | Slow queries: 7957 | Opens: 21222110 | Flush tables: 3 | Open tables: 512 | Queries per second avg: 248.888 |
Extensions Discovered :: wrote:
Components :: Site ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party:: WF_VISUALCHARS_TITLE (2.4.5) ? | WF_FONTCOLOR_TITLE (2.4.5) ? | WF_BROWSER_TITLE (2.4.5) ? | WF_NONBREAKING_TITLE (2.4.5) ? | WF_STYLESELECT_TITLE (2.4.5) ? | WF_SEARCHREPLACE_TITLE (2.4.5) ? | WF_AUTOSAVE_TITLE (2.4.5) ? | WF_FORMATSELECT_TITLE (2.4.5) ? | WF_CONTEXTMENU_TITLE (2.4.5) ? | WF_FULLSCREEN_TITLE (2.4.5) ? | WF_XHTMLXTRAS_TITLE (2.4.5) ? | WF_SPELLCHECKER_TITLE (2.4.5) ? | WF_TABLE_TITLE (2.4.5) ? | WF_IMGMANAGER_TITLE (2.4.5) ? | WF_LINK_TITLE (2.4.5) ? | WF_PRINT_TITLE (2.4.5) ? | WF_CLEANUP_TITLE (2.4.5) ? | WF_PREVIEW_TITLE (2.4.5) ? | WF_FONTSELECT_TITLE (2.4.5) ? | WF_TEXTCASE_TITLE (2.4.5) ? | WF_DIRECTIONALITY_TITLE (2.4.5) ? | WF_INLINEPOPUPS_TITLE (2.4.5) ? | WF_ANCHOR_TITLE (2.4.5) ? | WF_ARTICLE_TITLE (2.4.5) ? | WF_FONTSIZESELECT_TITLE (2.4.5) ? | WF_MEDIA_TITLE (2.4.5) ? | WF_VISUALBLOCKS_TITLE (2.4.5) ? | WF_STYLE_TITLE (2.4.5) ? | WF_SOURCE_TITLE (2.4.5) ? | WF_CHARMAP_TITLE (2.4.5) ? | WF_LAYER_TITLE (2.4.5) ? | WF_KITCHENSINK_TITLE (2.4.5) ? | WF_LISTS_TITLE (2.4.5) ? | WF_CLIPBOARD_TITLE (2.4.5) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.4.5) ? | WF_AGGREGATOR_VIMEO_TITLE (2.4.5) ? | WF_AGGREGATOR_VINE_TITLE (2.4.5) ? | WF_AGGREGATOR_[youtube]_TITLE (2.4.5) ? | WF_POPUPS_WINDOW_TITLE (2.4.5) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.5) ? | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.5) ? | WF_LINK_SEARCH_TITLE (2.4.5) ? | WF_LINKS_JOOMLALINKS_TITLE (2.4.5) ? |
Components :: Admin ::
Core :: com_menus (3.0.0) 1 | com_content (3.0.0) 1 | com_weblinks (3.0.0) 1 | com_ajax (3.2.0) 1 | com_plugins (3.0.0) 1 | com_banners (3.0.0) 1 | com_config (3.0.0) 1 | com_redirect (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_search (3.0.0) 1 | com_admin (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_modules (3.0.0) 1 | com_tags (3.1.0) 1 | com_media (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_cache (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_templates (3.0.0) 1 | com_login (3.0.0) 1 | com_users (3.0.0) 1 | com_checkin (3.0.0) 1 | com_languages (3.0.0) 1 |
3rd Party:: JCE (2.4.5) ? | com_proforms (1.5.5) 1 | COM_REDMIGRATOR (1.0.0) ? | COM_CONTENTMAP (1.3.5) 1 | COM_REDCORE (1.0.0) ? |
Modules :: Site ::
Core :: mod_search (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_stats (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_login (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_latest (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_weblinks (3.0.0) 1 |
3rd Party:: Hot Image Slider (3.1.1) 1 | mod_contentmap (1.3.5) 1 | MOD_SIMPLEBOX (0.1) 1 | RokAjaxSearch (2.0.3) 1 | Simple File Upload v1.3 (for Joomla (1.3) ? |
Modules :: Admin ::
Core :: mod_multilangstatus (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_title (3.0.0) 1 | mod_login (3.0.0) 1 | mod_status (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_version (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_latest (3.0.0) 1 |
3rd Party::
Libraries ::
Core ::
3rd Party:: redCORE - Libraries (1.0.0) 1 |
Plugins ::
Core :: plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.0.5) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | Settings (1.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_highlight (3.0.0) 1 | plg_finder_weblinks (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_search_weblinks (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_contacts (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 |
3rd Party:: plg_quickicon_jcefilebrowser (2.4.5) 1 | plg_content_contentmap (1.3.5) 1 | PLG_SYSTEM_REDCORE (1.0.0) 1 | JA T3 Framework (2.7.1) 1 | plg_editors_jce (2.4.5) 1 | plg_editors_tinymce (4.4.3) 1 | plg_editors_codemirror (5.18.0) 1 |
Templates Discovered :: wrote:
Templates :: Site :: protostar (1.0) 1 | beez3 (3.1.0) 1 | ja_t3_blank (2.5.8) 1 |
Templates :: Admin :: hathor (3.0.0) 1 | isis (1.0) 1 |
Joomla 3.6.5 site hacked
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu Feb 29, 2024 3:00 pm
Joomla 3.6.5 site hacked
Last edited by toivo on Thu Feb 29, 2024 10:11 pm, edited 1 time in total.
Reason: mod note: disabled smilies in post Options for readability
- AMurray
- Joomla! Exemplar
- Posts: 9768
- Joined: Sat Feb 13, 2010 7:35 am
- Location: Australia
Re: Joomla 3.6.5 site hacked
I'm curious as to why you have missed nine years of updates. Joomla v 3.6.5 was released in December 2016. My first advice is to update the site to 3.10.12 at minimum with a short term goal of migrating to 4.x or 5.x.
You're also running long out-of-date PHP 5.6.....that may be the only 'backdoor' that hackers need.
If you want to remain with 3.10.x for the time being, you will need to subscribe to Extended Long Term Support to obtain ongoing updates until February 2025.
To address the hacking issue, I would advise you to try the Mysites.guru service, and run an audit of your site. The audit should find the issues you're having. Additionally you could seek advice from Phil Taylor who runs mysites.guru (noting this is a paid subscription service). The first site audit is free.
These configuration settings are also inadequate for more recent Joomla versions, so address the server issues before anything else.
FPA wrote:PHP Configuration :: Version: 5.6.40-68+ubuntu20.04.1+deb.sury.org+1 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M
Regards - A Murray
General Support Moderator
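A local check that goes with the audit advice above and the file restores described in the first post, added here as an example (it is not part of any post in this thread and is not how mysites.guru works): it hashes the live webroot against a known-clean copy and lists files that were added (such as stray .bt files), modified (such as an injected index.php) or removed, plus those written very recently. The two paths in the `__main__` section are hypothetical placeholders.

```python
import hashlib
import os
import time

def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the tree
            index[os.path.relpath(full, root)] = sha256_of(full)
    return index

def compare_to_backup(live_root, backup_root, recent_seconds=3600):
    """Report files added, modified or missing relative to the clean copy."""
    live, clean = index_tree(live_root), index_tree(backup_root)
    added = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(live) & set(clean) if live[p] != clean[p])
    now = time.time()
    # Changed files with a very recent mtime suggest something on the server
    # is still writing them (the post describes a file returning in 30 seconds).
    recent = sorted(
        p for p in added + modified
        if now - os.path.getmtime(os.path.join(live_root, p)) <= recent_seconds
    )
    return {"added": added, "modified": modified,
            "missing": missing, "recent": recent}

if __name__ == "__main__":
    # Hypothetical paths: the real webroot and an offline, known-clean copy.
    report = compare_to_backup("/var/www/html", "/srv/backup/clean-site")
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Expect legitimate differences under cache/, tmp/, logs/ and images/; anything else in the added or modified lists deserves a look, and entries in the recent list mean restoring files alone will not hold.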
- Webdongle
- Joomla! Master
- Posts: 44114
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla 3.6.5 site hacked
When you have sorted your server specs please see viewtopic.php?f=714&t=946026
https://mysites.guru/free-site-audit-fo ... or-joomla/ is also worth looking at
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".