Joomla 3.6.5 site hacked

Post by rasheed23 » Thu Feb 29, 2024 3:23 pm

Forum Post Assistant (v1.6.6) : 29-Feb-2024 wrote:
Problem Description ::
We have a problem with our Joomla 3.6.5 webpage. Someone inserts scripts into our files (most often in index.php) and then site visitors are redirected to some other sites. We restore the backup, but the attacks are periodically repeated. We have changed the FTP passwords but the problem is not solved. Today we were deleting some of the .bt files that shouldn't be there and that have a lot of IP addresses in them, but one of them keeps coming back after 30 seconds. We read that those .bt files are some malware that appears in WordPress, so they probably have that effect here as well. And we delete all redundant files when they occasionally appear. In some of the files, we find scripts that shouldn't exist there, so when we notice them, we restore the old correct ones in their place.
Basic Environment ::
Joomla! Instance :: Joomla! 3.6.5-Stable (Noether) 1-December-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: none | Site Debug: false | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.6.5: Yes | Database Supports J! 3.6.5: No | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 5.4.0-163-generic | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 562.77 GiB |

PHP Configuration :: Version: | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

Database Configuration :: Version: 8.0.36-0ubuntu0.20.04.1 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Database Size: 18.92 MiB | #of Tables with config prefix:  90 | #of other Tables:  0 | User Privileges : GRANT ALL
Detailed Environment ::
PHP Extensions :: Core ( | date ( | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | filter (0.11.0) | hash (1.0) | pcntl () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | SPL (0.2) | session () | standard ( | cgi-fcgi () | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | PDO (1.0.4dev) | xml () | calendar () | ctype () | dom (20031129) | mbstring () | fileinfo (1.0.5) | ftp () | gd () | gettext () | iconv () | intl (1.1.0) | json (1.2.1) | exif (1.4 $Id: cad29b729548e4206f0697710cc9e177f26fdff3 $) | mcrypt () | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | Phar (2.0.2) | posix () | pspell () | readline ( | shmop () | SimpleXML (0.1) | sockets () | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | mhash () | Zend OPcache (7.0.6-devFE) | Zend Engine (2.6.0) |
Potential Missing Extensions :: curl |

Switch User Environment :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 2216112 | Threads: 4 | Questions: 551564417 | Slow queries: 7957 | Opens: 21222110 | Flush tables: 3 | Open tables: 512 | Queries per second avg: 248.888 |
Extensions Discovered ::
Components :: Site ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |

Components :: Admin ::
Core :: com_menus (3.0.0) 1 | com_content (3.0.0) 1 | com_weblinks (3.0.0) 1 | com_ajax (3.2.0) 1 | com_plugins (3.0.0) 1 | com_banners (3.0.0) 1 | com_config (3.0.0) 1 | com_redirect (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_search (3.0.0) 1 | com_admin (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_modules (3.0.0) 1 | com_tags (3.1.0) 1 | com_media (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_finder (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_cache (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_templates (3.0.0) 1 | com_login (3.0.0) 1 | com_users (3.0.0) 1 | com_checkin (3.0.0) 1 | com_languages (3.0.0) 1 |
3rd Party:: JCE (2.4.5) ? | com_proforms (1.5.5) 1 | COM_REDMIGRATOR (1.0.0) ? | COM_CONTENTMAP (1.3.5) 1 | COM_REDCORE (1.0.0) ? |

Modules :: Site ::
Core :: mod_search (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_stats (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_login (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_latest (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_weblinks (3.0.0) 1 |
3rd Party:: Hot Image Slider (3.1.1) 1 | mod_contentmap (1.3.5) 1 | MOD_SIMPLEBOX (0.1) 1 | RokAjaxSearch (2.0.3) 1 | Simple File Upload v1.3 (for Joomla (1.3) ? |

Modules :: Admin ::
Core :: mod_multilangstatus (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_title (3.0.0) 1 | mod_login (3.0.0) 1 | mod_status (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_version (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_latest (3.0.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party:: redCORE - Libraries (1.0.0) 1 |

Plugins ::
Core :: plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_webinstaller (1.0.5) 1 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_vote (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_languagecode (3.0.0) 0 | Settings (1.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_redirect (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_stats (3.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_highlight (3.0.0) 1 | plg_finder_weblinks (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_search_weblinks (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 0 | plg_search_contacts (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 |
3rd Party:: plg_quickicon_jcefilebrowser (2.4.5) 1 | plg_content_contentmap (1.3.5) 1 | PLG_SYSTEM_REDCORE (1.0.0) 1 | JA T3 Framework (2.7.1) 1 | plg_editors_jce (2.4.5) 1 | plg_editors_tinymce (4.4.3) 1 | plg_editors_codemirror (5.18.0) 1 |
Templates Discovered ::
Templates :: Site :: protostar (1.0) 1 | beez3 (3.1.0) 1 | ja_t3_blank (2.5.8) 1 |
Templates :: Admin :: hathor (3.0.0) 1 | isis (1.0) 1 |
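The poster's symptoms (index.php silently altered, stray .bt files full of IP addresses reappearing within seconds, restores that do not hold) are the classic signs of re-infection from something still on the server, and the practical first step is to stop hunting by eye and diff the live webroot against the clean backup on every check. The script below is an added example and is not code from this thread or from the Joomla project: it hashes every file in a known-clean copy, compares the live tree against it, and reports modified core files, files that have no counterpart in the clean copy, anything with a suspect extension, and anything written in the last few minutes (the "comes back after 30 seconds" case). The two directory trees, their contents and the `cache/x.bt` location are constructed for the demonstration.

```python
"""Compare a live Joomla webroot against a known-clean copy and report what
differs. Added example, not from the thread or the Joomla project; the sample
trees built in build_demo() are constructed for the demonstration."""
import hashlib
import os
import tempfile
import time

# File name endings the poster describes as not belonging in the site.
SUSPECT_SUFFIXES = (".bt",)
# Joomla paths whose unexplained modification usually means injected code.
WATCH_PATHS = {"index.php", "administrator/index.php", "configuration.php", ".htaccess"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def compare_trees(clean_root, live_root, recent_seconds=300, now=None):
    """Return findings as a dict of sorted relative paths."""
    now = time.time() if now is None else now
    clean, live = manifest(clean_root), manifest(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    missing = sorted(p for p in clean if p not in live)
    unexpected = sorted(p for p in live if p not in clean)
    suspect = sorted(p for p in unexpected if p.endswith(SUSPECT_SUFFIXES))
    # Files written within the window: a file that keeps reappearing shows up
    # here on every run even if its hash never changes.
    recent = sorted(
        p for p in live
        if now - os.path.getmtime(os.path.join(live_root, p)) <= recent_seconds
    )
    return {
        "modified": modified,
        "watched_modified": sorted(p for p in modified if p in WATCH_PATHS),
        "missing": missing,
        "unexpected": unexpected,
        "suspect": suspect,
        "recent": recent,
    }


def build_demo():
    """Constructed sample: a clean tree and a live tree showing the poster's
    symptoms (index.php altered, a stray .bt file of IP addresses)."""
    base = tempfile.mkdtemp(prefix="joomla-demo-")
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    files = {
        "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire_once 'includes/app.php';\n",
        "administrator/index.php": "<?php\ndefine('_JEXEC', 1);\n",
        "configuration.php": "<?php\nclass JConfig { public $offline = '0'; }\n",
        "images/logo.png": "png-bytes-placeholder",
    }
    for root in (clean, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
    # Backdate everything so only the changes made below count as recent.
    old = time.time() - 86400
    for root in (clean, live):
        for dirpath, _, names in os.walk(root):
            for n in names:
                os.utime(os.path.join(dirpath, n), (old, old))
    # Live tree: a line appended to index.php (constructed marker, not real
    # injected code) and a .bt file that is absent from the clean copy.
    with open(os.path.join(live, "index.php"), "a") as f:
        f.write("// constructed marker standing in for an unexpected change\n")
    os.makedirs(os.path.join(live, "cache"), exist_ok=True)
    with open(os.path.join(live, "cache", "x.bt"), "w") as f:
        f.write("192.0.2.1\n198.51.100.7\n")  # documentation-range IPs, constructed
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    for key, paths in compare_trees(clean_dir, live_dir).items():
        print(f"{key:17s} {paths}")
```

Run it against the real paths (`compare_trees("/path/to/clean-backup", "/var/www/site")`) from cron every few minutes and keep the output; a file in `recent` on every run points at whatever keeps rewriting it, which is what has to be found and removed before another restore will hold.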
Re: Joomla 3.6.5 site hacked

Post by AMurray » Thu Feb 29, 2024 9:52 pm

I'm curious as to why you have missed nine years of updates. Joomla v 3.6.5 was released in December 2016. My first advice is to update the site to 3.10.12 at minimum with a short term goal of migrating to 4.x or 5.x.

You're also running long out-of-date PHP 5.6; that may be the only 'backdoor' that hackers need.
If you want to remain with 3.10.x for the time being, you will need to subscribe to Extended Long Term Support to obtain ongoing updates until February 2025.

To address the hacking issue, I would advise you to try the service, and run an audit of your site. The audit should find the issues you're having. Additionally you could seek advice from Phil Taylor who runs (noting this is a paid subscription service). The first site audit is free.

These configuration settings are also inadequate for more recent Joomla versions, so address the server issues before anything else.
FPA wrote:
PHP Configuration :: Version: | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M
Re: Joomla 3.6.5 site hacked

Post by Webdongle » Fri Mar 01, 2024 12:16 am

When you have sorted your server specs please see viewtopic.php?f=714&t=946026 ... or-joomla/ is also worth looking at
