Joomla 3.2 all users have username admin

mrartuka
Joomla! Apprentice
Posts: 6
Joined: Wed Mar 12, 2014 11:31 pm

Joomla 3.2 all users have username admin

Post by mrartuka » Sat Mar 15, 2014 7:51 am

Hello to all, I'm sorry if I'm writing here in the wrong category, but I really need help.
A few days ago I entered my site and saw all users have username admin.
I immediately went into phpMyAdmin and saw that the passwords are changed. Using an md5 decryptor I found that the passwords are admin.
I did use the MySQL backup to return the original users, but this happened again a few more times. This morning it happened again, and I do not know what to do. Please help me.
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 15th March 2014 wrote:[15-Mar-2014 07:26:11 UTC] PHP Parse error: syntax error, unexpected $end in /home/ponoc/public_html/fpa-en.php on line 4750
Forum Post Assistant (v1.2.4) : 15th March 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.2.1-Stable (Ember) 18-December-2013
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (644) | Owner: ponoc (uid: 1/gid: 1) | Group: ponoc (gid: 1) | Valid For: 3.2
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab079.6 | Technology: x86_64 | Web Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | Encoding: gzip,deflate,sdch | Doc Root: /home/ponoc/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.27 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 15th March 2014 07:26:11. | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 5M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 1000M

MySQL Configuration :: Version: 5.5.36-cll (Client:5.5.36) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 7.70 MiB | #of Tables:  112
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.27) | date (5.3.27) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | SPL (0.2) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | standard (5.3.27) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | Phar (2.0.1) | SimpleXML (0.1) | sockets () | imap () | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ffmpeg (0.6.2) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: WF_AUTOSAVE_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_ANCHOR_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_ARTICLE_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_LINK_SEARCH_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | com_wrapper (3.0.0) | codoPM (2.0) | com_mailto (3.0.0) |
Components :: ADMIN :: DM Helper (1.1.0) | com_search (3.0.0) | com_categories (3.0.0) | uddeIM (3.3) | com_cache (3.0.0) | com_config (3.0.0) | com_redirect (3.0.0) | com_content (3.0.0) | com_postinstall (3.2.0) | plg_kunena_alphauserpoints (3.0.4) | plg_kunena_kunena (3.0.4) | plg_kunena_comprofiler (3.0.4) | plg_kunena_finder (3.0.4) | plg_kunena_joomla (3.0.4) | plg_kunena_gravatar (3.0.4) | plg_finder_kunena (3.0.4) | plg_kunena_community (3.0.4) | plg_kunena_uddeim (3.0.4) | plg_system_kunena (-) | mod_kunenamenu (3.0.4) | com_kunena (3.0.4) | com_menus (3.0.0) | com_ajax (3.2.0) | com_finder (3.0.0) | Unknown (-) | JCE (2.3.4.4) | com_cpanel (3.0.0) | com_installer (3.0.0) | com_users (3.0.0) | COM_DMPINBOARDLITE (1.3.0) | com_media (3.0.0) | com_weblinks (3.0.0) | com_newsfeeds (3.0.0) | Kide (1.4.4) | Akeeba (3.9.2) | com_languages (3.0.0) | Admin Team Manager (0.0.1) | com_joomlaupdate (3.0.0) | com_messages (3.0.0) | codoPM (2.0) | com_contenthistory (3.2.0) | com_templates (3.0.0) | com_admin (3.0.0) | com_banners (3.0.0) | com_login (3.0.0) | com_tags (3.1.0) | com_plugins (3.0.0) | com_checkin (3.0.0) | com_modules (3.0.0) |

Modules :: SITE :: mod_breadcrumbs (3.0.0) | mod_sw_kbirthday (1.9.0) | mod_articles_archive (3.0.0) | mod_tags_similar (3.1.0) | Radio Player Joomla FREE (2.6) | SP News Highlighter (3.3.0) | uddeIM Mailbox (3.3) | MOD_MH_TS3VIEWER (rev 38) | mod_whosonline (3.0.0) | Top Profile (1.0.0) | News Show SP2 (1.6.0) | mod_articles_news (3.0.0) | mod_kunenastats (3.0.1) | zKunenaLatest (2.0) | mod_login (3.0.0) | uddeIM Notifier (3.3) | mod_weblinks (3.0.0) | mod_articles_latest (3.0.0) | mod_articles_categories (3.0.0) | Top Poster (1.0.0) | mod_finder (3.0.0) | mod_stats (3.0.0) | mod_banners (3.0.0) | JExtBOX Who is Online (1.0.0) | mod_simpl_fb (1.0.1) | mod_articles_category (3.0.0) | mod_articles_popular (3.0.0) | mod_footer (3.0.0) | mod_syndicate (3.0.0) | mod_kide (1.1) | FCChat (3.6.0.6) | mod_users_latest (3.0.0) | Lof Article Scroller Module (3.0) | mod_tags_popular (3.1.0) | mod_kunenalatest (3.0.1) | RAR Radio (0.4.1) | mod_custom (3.0.0) | BT Login (2.5.6) | mod_highlighter_gk4 (GK4 1.9) | mod_feed (3.0.0) | mod_random_image (3.0.0) | mod_menu (3.0.0) | MOD_JUNEWSULTRA (4.5.5) | JUNewsUltra - Bootstrap Highly (1.4) | JUNewsUltra - Bootstrap Highly (1.2) | JUNewsUltra - List template (3.3) | mod_related_items (3.0.0) | mod_search (3.0.0) | mod_wrapper (3.0.0) | Apsou Chat (1.0) | mod_languages (3.0.0) |
Modules :: ADMIN :: mod_quickicon (3.0.0) | mod_status (3.0.0) | mod_latest (3.0.0) | mod_multilangstatus (3.0.0) | mod_login (3.0.0) | mod_version (3.0.0) | mod_popular (3.0.0) | mod_submenu (3.0.0) | mod_title (3.0.0) | mod_stats_admin (3.0.0) | mod_logged (3.0.0) | mod_custom (3.0.0) | mod_feed (3.0.0) | mod_menu (3.0.0) | mod_toolbar (3.0.0) |

Plugins :: SITE :: plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) | plg_user_contactcreator (3.0.0) | plg_editors_jce (2.3.4.4) | plg_editors_tinymce (4.0.10) | plg_editors_codemirror (3.15) | plg_extension_joomla (3.0.0) | plg_captcha_recaptcha (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.3.4.4) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_kunena (3.0.4) | uddeIM Content Link (3.3) | plg_content_pagenavigation (3.0.0) | plg_content_kunenadiscuss (3.0.1) | plg_content_loadmodule (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_joomla (3.0.0) | Content - MovingText (3.1) | plg_content_emailcloak (3.0.0) | plg_content_finder (3.0.0) | plg_content_vote (3.0.0) | PLG_SYS_MOOTABLE (1.1.1) | plg_system_languagecode (3.0.0) | plg_system_p3p (3.0.0) | plg_system_highlight (3.0.0) | System - jQuery++ Integrator b (v 1.5.4) | plg_system_debug (3.0.0) | plg_system_remember (3.0.0) | plg_system_log (3.0.0) | plg_system_sef (3.0.0) | PLG_SYSTEM_JQUERYEASY (1.5.5) | plg_system_cache (3.0.0) | plg_system_logout (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_redirect (3.0.0) | plg_system_kunena (3.0.4) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_installer_webinstaller (1.0.5) | plg_search_weblinks (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_contacts (3.0.0) | plg_search_categories (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_cookie (3.0.0) | plg_twofactorauth_totp (3.2.0) | plg_twofactorauth_yubikey (3.2.0) | plg_finder_weblinks (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_content (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_categories (3.0.0) | plg_kunena_alphauserpoints (3.0.4) | plg_kunena_gravatar (3.0.4) | plg_kunena_comprofiler (3.0.4) | 
plg_kunena_uddeim (3.0.4) | plg_kunena_community (3.0.4) | plg_kunena_joomla (3.0.4) | plg_kunena_kunena (3.0.4) |
Templates Discovered :: wrote:Templates :: SITE :: GoRed_ULTRA (1.1) | shaper_crux (1.0.0) | multigaming_lernvid.com32 (1.0) | protostar (1.0) | beez3 (3.1.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |

EivindJ
Joomla! Explorer
Posts: 411
Joined: Mon Nov 17, 2008 12:16 pm
Location: Drammen

Re: Joomla 3.2 all users have username admin

Post by EivindJ » Sun Mar 16, 2014 9:11 am

Seems like your site has been hacked.

You should:
- Upgrade to the latest Joomla! version, 3.2.3
- Restore users and change all superadmin passwords
- Change MySQL database password
- Change FTP password
- Check your files for malware

Do also read this: http://docs.joomla.org/Security_Checkli ... or_defaced
Trond Eivind Johnsen

[ hire a Joomla! expert at www.exentra.no ]

popa alexandru
Joomla! Intern
Posts: 63
Joined: Sun Sep 05, 2010 7:33 am

Re: Joomla 3.2 all users have username admin

Post by popa alexandru » Sun Mar 16, 2014 9:49 am

You are definitely hacked.
Joomla! Extensions
http://www.beesto.com

mrartuka
Joomla! Apprentice
Posts: 6
Joined: Wed Mar 12, 2014 11:31 pm

Re: Joomla 3.2 all users have username admin

Post by mrartuka » Sun Mar 16, 2014 10:32 am

EivindJ wrote: Seems like your site has been hacked.

You should:
- Upgrade to the latest Joomla! version, 3.2.3
- Restore users and change all superadmin passwords
- Change MySQL database password
- Change FTP password
- Check your files for malware

Do also read this: http://docs.joomla.org/Security_Checkli ... or_defaced

No updates available
You already have the latest Joomla! version, 3.2.1.
I did restore the users.
I just need to know how this is possible. It only affected the _users table, nothing else.

EivindJ
Joomla! Explorer
Posts: 411
Joined: Mon Nov 17, 2008 12:16 pm
Location: Drammen

Re: Joomla 3.2 all users have username admin

Post by EivindJ » Mon Mar 17, 2014 7:04 am

Then you have a problem with your server finding the new update. Try to click "Empty cache" on the update site.

This can happen in many ways. All the hackers need is a security hole to access the database, and then they can do whatever they like. At your site they found out how to do exactly this.

I really think you should do all the other steps as well. Just restoring the users doesn't really solve anything if they decide to return.
Trond Eivind Johnsen

[ hire a Joomla! expert at www.exentra.no ]

mrartuka
Joomla! Apprentice
Posts: 6
Joined: Wed Mar 12, 2014 11:31 pm

Re: Joomla 3.2 all users have username admin

Post by mrartuka » Mon Mar 17, 2014 8:54 am

EivindJ wrote: Then you have a problem with your server finding the new update. Try to click "Empty cache" on the update site.

This can happen in many ways. All the hackers need is a security hole to access the database, and then they can do whatever they like. At your site they found out how to do exactly this.

I really think you should do all the other steps as well. Just restoring the users doesn't really solve anything if they decide to return.

Okay, here is what I did:
- MySQL users restored.
- Changed database prefix
- Changed MySQL password
- Disabled one custom module
- Upgraded to latest version:
Joomla! Version Update Status
Your site has been successfully updated. Your Joomla version is now 3.2.3.


I don't know what more to do; I don't want to lose my users again. The problem is that when all usernames became admin, my forum dies, even if I restore the old users table :(

EivindJ
Joomla! Explorer
Posts: 411
Joined: Mon Nov 17, 2008 12:16 pm
Location: Drammen

Re: Joomla 3.2 all users have username admin

Post by EivindJ » Mon Mar 17, 2014 9:10 am

You also need to:
- Change FTP passwords
- Change all admin passwords
- Do a scan to see if you find any malware
- Check that all your plugins, modules, components are up to date, and that none of them have any security issues

Regarding your users you could send an email to all of them and give a good explanation of what just happened. Maybe that will help many of them return when you explain that the problem is fixed.
Trond Eivind Johnsen

[ hire a Joomla! expert at www.exentra.no ]
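
A check for the symptom reported in this thread (every account sharing one username and one weak password hash), added here as an example and not code from any poster or from Joomla. It runs on constructed rows in an in-memory SQLite table standing in for the MySQL users table; the `jos_users` name, the wordlist and the 50% threshold are assumptions.

```python
import hashlib
import sqlite3

# Assumptions: table name "jos_users" (the prefix varies per site), a tiny
# wordlist, and a 50% threshold. All rows below are constructed sample data.
WEAK_CANDIDATES = ("admin", "password", "123456")

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

TAMPERED = [(i, "admin", md5_hex("admin")) for i in range(1, 6)]
HEALTHY = [
    (1, "alice", md5_hex("constructed-pass-1" + "s1") + ":s1"),
    (2, "bob", md5_hex("constructed-pass-2" + "s2") + ":s2"),
    (3, "carol", "$2y$10$constructed-placeholder-not-a-real-hash"),
]

def build_db(rows):
    """Load (id, username, password) rows into an in-memory stand-in table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_users "
                 "(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?)", rows)
    return conn

def is_weak(stored):
    """True if a legacy MD5 value (bare hex or 'hex:salt') is a wordlist hit."""
    digest, _, salt = stored.partition(":")
    return any(md5_hex(word + salt) == digest for word in WEAK_CANDIDATES)

def repeated(conn, column):
    """Values of one column shared by more than one account, with counts."""
    sql = (f"SELECT {column}, COUNT(*) FROM jos_users "
           f"GROUP BY {column} HAVING COUNT(*) > 1")
    return dict(conn.execute(sql).fetchall())

def audit_users(conn, overwrite_ratio=0.5):
    total = conn.execute("SELECT COUNT(*) FROM jos_users").fetchone()[0]
    names = repeated(conn, "username")
    rows = conn.execute("SELECT id, password FROM jos_users ORDER BY id")
    return {
        "duplicate_usernames": names,
        "shared_hashes": repeated(conn, "password"),
        "weak_password_ids": [uid for uid, pw in rows if is_weak(pw)],
        # One username covering most of the table suggests a bulk overwrite.
        "mass_overwrite": total > 0
            and max(names.values(), default=0) / total >= overwrite_ratio,
    }

if __name__ == "__main__":
    print(audit_users(build_db(TAMPERED)))
```

Run on a schedule against a read-only copy of the users table, a check like this flags a repeat of the overwrite before the forum breaks again.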

