Can the virus encrypt the psw everytime I try to log in?

Discussion regarding Joomla! 3.x security issues.

fildin
Joomla! Apprentice
Posts: 7
Joined: Tue Feb 15, 2011 12:47 pm
Location: Czechia

Can the virus encrypt the psw everytime I try to log in?

Post by fildin » Sun Feb 27, 2022 5:31 pm

Hi guys

My website got hacked and I only have a hacked backup. I tried everything I knew to solve it, but nothing works this time. The virus changes the admin password every time I change it in phpMyAdmin (in the user_ table). I change the password to an MD5 salted hashed password, then I go to the admin login and try to log in, but it won't work. Then I look in the user_ table and can see that the password has changed by itself (it has been BLOWFISH encrypted to $2y$10..........).

Am I missing something??

I tried to compare files in Meld and searched for eval(base64_decode etc. in Text Crawler, but I can't find any hacked file at all. It just looks clean to me. In the past I cleaned several hacked Joomla websites with ease; this time I am helpless though.

Any advice will be well appreciated. The website is https://truhlarstvihavalec.cz/administrator

gws
Joomla! Champion
Posts: 5951
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK

Re: Can the virus encrypt the psw everytime I try to log in?

Post by gws » Sun Feb 27, 2022 7:08 pm

I don't think Joomla uses MD5 any more. mysites.guru is a site auditing service for hacked/broken sites; the first audit is free.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Can the virus encrypt the psw everytime I try to log in?

Post by sozzled » Sun Feb 27, 2022 7:19 pm

gws wrote:
Sun Feb 27, 2022 7:08 pm
I don't think Joomla uses MD5 any more ...
Hmmm ... see the end of the article (last updated 11-Sep-2020) https://docs.joomla.org/How_do_you_reco ... assword%3F

See also https://github.com/joomla/joomla-cms/issues/12333. It's confusing, isn't it, to read https://stackoverflow.com/questions/518 ... for-my-api ??? Until I read otherwise, I'll go by what I read from the J! 4.0 development team leader and JDOCs. :)

Webdongle
Joomla! Master
Posts: 44096
Joined: Sat Apr 05, 2008 9:58 pm

Re: Can the virus encrypt the psw everytime I try to log in?

Post by Webdongle » Sun Feb 27, 2022 9:43 pm

Follow the steps of viewtopic.php?f=714&t=946026 (skip step #b if you don't have access). After you perform step #e, that should prevent the hacker from interfering with you rebuilding your site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1403
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Can the virus encrypt the psw everytime I try to log in?

Post by PhilTaylor-Prazgod » Fri Apr 01, 2022 7:41 pm

Joomla will accept a variety of insecure hashes (like md5) for user passwords in the database - but will automatically rehash them once a user logs in, to a more secure algorithm.

Using this, you can store the md5 for a password in the db, but as soon as you log in it will change.

For example 21232f297a57a5a743894a0e4a801fc3 is "admin" - once you log in with the password of "admin" this will change to a bcrypted hash.

This is achieved with the checkIfRehashNeeded method of the Hash Handlers listed here: https://github.com/joomla/joomla-cms/tr ... n/Password

You can see in the md5Handler that checkIfRehashNeeded always returns true, forcing a rehash to a more modern and secure algorithm: https://github.com/joomla/joomla-cms/bl ... er.php#L34

If the user is valid, their password is valid, and the handler returns true for checkIfRehashNeeded, then Joomla will rehash the password here:

https://github.com/joomla/joomla-cms/bl ... r.php#L507

By default it would use the Constant defining the BCrypt password algorithm.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
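
The rehash-on-login behaviour described in the post above, as an added PHP sketch that is not part of the thread and not Joomla's own code. The function names and the in-memory user row are hypothetical, and PHP's built-in password functions stand in for Joomla's hash handlers.

```php
<?php
// Added illustration; not Joomla's code. All function names are hypothetical.

/** Check a password against a legacy unsalted MD5 hex digest or a password_hash() value. */
function verifyStored(string $plain, string $stored): bool
{
    if (preg_match('/^[a-f0-9]{32}$/i', $stored)) {
        // Legacy format: bare MD5 hex digest, compared in constant time.
        return hash_equals(strtolower($stored), md5($plain));
    }
    return password_verify($plain, $stored);
}

/** True when the stored value is not already bcrypt at the wanted cost. */
function rehashNeeded(string $stored, int $cost = 10): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/** Simulated login: upgrade the stored hash only after the password has verified. */
function login(array &$row, string $plain): bool
{
    if (!verifyStored($plain, $row['password'])) {
        return false; // failed login leaves the stored value untouched
    }
    if (rehashNeeded($row['password'])) {
        $row['password'] = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
    }
    return true;
}

// Constructed sample row, using the MD5 of "admin" quoted in the thread.
$row = ['username' => 'admin', 'password' => '21232f297a57a5a743894a0e4a801fc3'];

var_dump(login($row, 'wrong-password'));       // result of a failed attempt
echo $row['password'], PHP_EOL;                // stored value after the failed attempt

var_dump(login($row, 'admin'));                // result of a correct attempt
echo substr($row['password'], 0, 7), PHP_EOL;  // prefix of the stored value afterwards
$afterUpgrade = $row['password'];

var_dump(login($row, 'admin'));                // second correct attempt
var_dump($row['password'] === $afterUpgrade);  // whether the bcrypt hash was left alone
```

In this sketch the stored value is rewritten only on the code path where the submitted password has already verified, which matches the order of checks the post describes.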

