How do I stop the hack in my site, please?

Eng1n33rfalk3
Joomla! Fledgling
Posts: 2
Joined: Wed Jun 11, 2014 6:19 pm

How do I stop the hack in my site, please?

Post by Eng1n33rfalk3 » Tue Jun 17, 2014 8:15 am

Problem Description :: Forum Post Assistant (v1.2.4) : 17th June 2014 wrote:My site was hacked still after reinstalling a new Joomla.
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 17th June 2014 wrote:[17-Jun-2014 07:57:58 UTC] PHP Warning: ini_set() has been disabled for security reasons in /home/engineer/public_html/libraries/joomla/session/session.php on line 925
Forum Post Assistant (v1.2.4) : 17th June 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.3.1-Stable (Ember) 11-June-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: engineer (uid: 1/gid: 1) | Group: engineer (gid: 1) | Valid For: 3.3
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-358.18.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/engineer/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.27 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 17th June 2014 07:58:22. | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 10M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.5.36-cll (Client:5.5.36) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.91 MiB | #of Tables:  68
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.27) | date (5.3.27) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.27) | Phar (2.0.1) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | sockets () | exif (1.4 $Id$) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |

Elevated Permissions (First 10) :: administrator/cache/ (777) | administrator/components/ (777) | administrator/language/ (777) | administrator/language/en-GB/ (777) | administrator/language/overrides/ (777) | administrator/manifests/files/ (777) | administrator/manifests/libraries/ (777) | administrator/manifests/packages/ (777) | administrator/modules/ (777) | administrator/templates/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_contenthistory (3.2.0) | com_banners (3.0.0) | com_installer (3.0.0) | com_admin (3.0.0) | com_redirect (3.0.0) | com_languages (3.0.0) | com_plugins (3.0.0) | com_menus (3.0.0) | com_cache (3.0.0) | com_ajax (3.2.0) | com_cpanel (3.0.0) | com_login (3.0.0) | com_postinstall (3.2.0) | com_search (3.0.0) | com_joomlaupdate (3.0.0) | com_content (3.0.0) | com_config (3.0.0) | com_tags (3.1.0) | com_finder (3.0.0) | com_newsfeeds (3.0.0) | com_modules (3.0.0) | com_users (3.0.0) | com_templates (3.0.0) | com_categories (3.0.0) | com_media (3.0.0) | com_messages (3.0.0) | com_weblinks (3.0.0) | com_checkin (3.0.0) |

Modules :: SITE :: mod_banners (3.0.0) | mod_breadcrumbs (3.0.0) | mod_stats (3.0.0) | mod_feed (3.0.0) | mod_random_image (3.0.0) | mod_search (3.0.0) | mod_whosonline (3.0.0) | mod_menu (3.0.0) | mod_footer (3.0.0) | mod_tags_similar (3.1.0) | mod_syndicate (3.0.0) | mod_wrapper (3.0.0) | mod_articles_news (3.0.0) | mod_articles_archive (3.0.0) | mod_weblinks (3.0.0) | mod_custom (3.0.0) | mod_articles_popular (3.0.0) | mod_articles_latest (3.0.0) | mod_languages (3.0.0) | mod_tags_popular (3.1.0) | mod_users_latest (3.0.0) | mod_finder (3.0.0) | mod_articles_categories (3.0.0) | mod_related_items (3.0.0) | mod_articles_category (3.0.0) | mod_login (3.0.0) |
Modules :: ADMIN :: mod_logged (3.0.0) | mod_popular (3.0.0) | mod_feed (3.0.0) | mod_submenu (3.0.0) | mod_quickicon (3.0.0) | mod_status (3.0.0) | mod_toolbar (3.0.0) | mod_title (3.0.0) | mod_menu (3.0.0) | mod_custom (3.0.0) | mod_stats_admin (3.0.0) | mod_multilangstatus (3.0.0) | mod_version (3.0.0) | mod_latest (3.0.0) | mod_login (3.0.0) |

Plugins :: SITE :: plg_finder_categories (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_content (3.0.0) | plg_finder_weblinks (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_captcha_recaptcha (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_cookie (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_editors_tinymce (4.0.22) | plg_editors_codemirror (3.15) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_system_p3p (3.0.0) | plg_system_debug (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_remember (3.0.0) | plg_system_cache (3.0.0) | plg_system_log (3.0.0) | plg_system_sef (3.0.0) | plg_system_highlight (3.0.0) | plg_system_logout (3.0.0) | plg_system_redirect (3.0.0) | plg_search_categories (3.0.0) | plg_search_contacts (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_search_content (3.0.0) | plg_search_weblinks (3.0.0) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) | plg_user_contactcreator (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_joomla (3.0.0) | plg_content_vote (3.0.0) | plg_content_pagebreak (3.0.0) | plg_extension_joomla (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: protostar (1.0) | beez3 (3.1.0) | Engineers_Template (1.1) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |

JAVesey
Joomla! Hero
Posts: 2635
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: How do I stop the hack in my site, please?

Post by JAVesey » Tue Jun 17, 2014 11:17 am

:eek: Start by changing your folder permissions - 777 is a huge risk

Then tell what happened, i.e. what was hacked.
John V
Cardiff, Wales, UK
Joomla 5.1.0 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.1.0 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

Eng1n33rfalk3
Joomla! Fledgling
Posts: 2
Joined: Wed Jun 11, 2014 6:19 pm

Re: How do I stop the hack in my site, please?

Post by Eng1n33rfalk3 » Wed Jun 18, 2014 5:11 pm

Thanks John, I changed the permissions to 755 and 644 for folders and files respectively. However, the hack still goes on. I read the notice message posted by one of the moderators, so I cross-checked my site against the checklist, but I think the hacker must have left something hidden in the directories, so I talked to my host and we decided to delete the whole site and start afresh. I will let you know if I have any issues.

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: How do I stop the hack in my site, please?

Post by itoctopus » Tue Jun 24, 2014 2:46 pm

You can't get your website really clean until you remove the malicious files from your Joomla website. Check your logs to see what's going on (how the hack is called). Search for "base64" and "eval" in your PHP files. Only a few files should have them.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: How do I stop the hack in my site, please?

Post by mandville » Tue Jun 24, 2014 6:52 pm

http://docs.joomla.org/Security_Checkli ... ter_relief#

save the configuration.php file and your images and personal files one by one (not the folder, as it may contain unwanted files)
wipe the entire folder where Joomla! is installed
upload a new clean full package latest version of Joomla 1.5.x, Joomla 2.5.x or Joomla 3.x (minus the install folder)[2]
reupload your configuration file & images.
reupload or reinstall the latest versions of your extensions and templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
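
The checks suggested in the replies above (777 paths, PHP files containing "eval" or "base64", unwanted files in images/), as an added shell example that is not from any poster or from the Joomla project. Narrowing "base64" to `base64_decode(` calls is an assumption, and the tree it scans is constructed; point the functions at your own document root instead.

```bash
#!/usr/bin/env bash
# Added example: read-only triage of a Joomla docroot, plus the 755/644 reset.

# PHP files with eval( or base64_decode( and the number of matching lines.
# A few legitimate files use these calls, so treat the output as a review list.
suspicious_php() {
  grep -rcE --include='*.php' 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' "$1" \
    | awk -F: '$NF > 0' | sort
}

# Files and directories writable by every account (777, 666, ...).
world_writable() {
  find "$1" \( -type d -o -type f \) -perm -0002 | sort
}

# PHP files under images/, a media folder that may contain unwanted files.
php_in_images() {
  find "$1/images" -type f -name '*.php' 2>/dev/null | sort
}

# Directories to 755 and files to 644; configuration.php is skipped so a
# read-only (444) copy stays read-only.
reset_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f ! -name configuration.php -exec chmod 644 {} +
}

# Constructed sample tree (not the poster's site) so the script runs offline.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/images" "$d/libraries" "$d/tmp"
  printf '<?php echo "ok";\n' > "$d/index.php"
  printf '<?php $x = base64_decode($y);\n' > "$d/libraries/legit.php"
  printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$d/images/logo.php"
  chmod 777 "$d/tmp"
  echo "$d"
}

root=$(make_sample)
echo "== eval/base64_decode hits =="; suspicious_php "$root"
echo "== world-writable =="; world_writable "$root"
echo "== PHP under images/ =="; php_in_images "$root"
reset_perms "$root"
echo "== world-writable after reset =="; world_writable "$root"
rm -rf "$root"
```

A hit from `suspicious_php` is a file to open and read, not proof of compromise; resetting permissions does not remove a file that was already planted.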

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: How do I stop the hack in my site, please?

Post by leolam » Wed Jun 25, 2014 8:07 am

run your site through myjoomla.com

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -