Joomla Sites Hacked. All index.php and Default.php modified

Post by brann » Sat Jan 28, 2012 1:35 am

I am running WAMP server on Windows 2003
(Apache 2.058, PHP 5.2.8 and MySQL 5.1.36)
We are hosting Joomla, Contado and other CMS systems, all using PHP/MySQL.

On the 16th our server was hacked. We restored, and now on the 27th it was hacked again.
We have about 30 websites.
25 of them are Joomla sites from version 1.5.23-1.7.
Customers are adding modules and plugins all the time and we have no control over this.

What I found out is the following:
All Joomla sites running 1.5.23 up to 1.7 have had all index.php and Default.php files modified, and PHP code has been added to the bottom of all of these files.
The code causes the browser not to read the <jdoc:include ...> statement.
Here are some examples:
[removed]

I have checked the Apache log files. No "POST" in the logs.
I have checked FTP and there is nothing coming from there.
MySQL is OK, not touched.

I therefore think they must be using a vulnerability in Joomla or an extension.

So here are some questions:
1. Does anyone agree with this?
2. How can I narrow down what's causing the problem?
3. Can anyone use a vulnerability in Joomla/an extension and manage to write to PHP files?
4. Can I make a contra script that deletes the PHP code from all index.php and default.php files?

I am just a little stuck on where to start looking.

Any help would be much appreciated.

Thanks in advance

Brann
Last edited by alikon on Sat Jan 28, 2012 11:11 am, edited 1 time in total.
Reason: removed hacked link

Post by Josh Lewis » Sat Jan 28, 2012 11:02 pm

I've been hacked before too. >:( Quite annoying. No traces of the code since I migrated to Joomla 2.5. 8)

Be sure to be using the latest versions of the extensions on the sites. I did some searching around for site protection in the Joomla directory, and after getting some I have never been hacked since. Now this was last year when I used Joomla 1.5; now that I use Joomla 2.5 it seems more secure even without the additional security.

Post by Z9iT » Sun Feb 19, 2012 7:11 am

Even though I want to help you, I don't have much experience with this kind of issue...

I hope this online article may help you... I bet this is the perfect article on the internet I have found so far...
http://25yearsofprogramming.com/blog/20070705.htm

This online tool will help you identify which kinds of penetration attempts have been tried on your server by analyzing your raw access logs.
http://25yearsofprogramming.com/javascr ... tifier.htm

Once I had a "Hacker's favorite" website, which was hacked over 15 times... then I came across that article, did whatever was explained, and bingo, it was never hacked again... hope this might help!

And yes, the experts say that Linux-based servers are more stable than Windows-based servers, for you are at the mercy of one company for all the bug fixes and security releases, which are often delayed... you may also ask for support from Microsoft at this point in time...
Post by mandville » Sun Feb 19, 2012 11:58 am

brann wrote: 1. Anyone agrees with this?
How did you sort the hack last time?
2. How can I narrow down to what's causing the problem?
See the checklist below.
3. Can anyone use a vulnerability in Joomla/extension and manage to write to PHP files?
Yes.
4. Can I make a contra script that delete a php code from all index and default.php
Yes, BUT you don't know what else they used/installed.

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories.

[ ] Review Vulnerable Extensions List
Another issue: you said you have other CMSs etc. installed; were they altered?

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled
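
An added example, not part of the thread: before replacing files as the checklist says, hashing the live site against a freshly unpacked copy of the same Joomla version shows which files were altered and which PHP files the release never shipped. The function names, paths and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site: Path, clean: Path) -> dict:
    """Compare a live site tree with a freshly unpacked reference tree."""
    live, ref = tree_hashes(site), tree_hashes(clean)
    modified = sorted(f for f in live if f in ref and live[f] != ref[f])
    # Files the reference does not ship: expected for uploads and
    # configuration.php, but every extra .php file needs a human look.
    extra_php = sorted(f for f in live if f not in ref and f.lower().endswith(".php"))
    missing = sorted(f for f in ref if f not in live)
    return {"modified": modified, "extra_php": extra_php, "missing": missing}

def demo() -> dict:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": b"<?php // entry point\n",
                 "templates/demo/index.php": b"<html><jdoc:include type=\"component\" /></html>\n"}
        for root in (clean, site):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Constructed tampering: bytes appended to a template, plus a stray file.
        with (site / "templates/demo/index.php").open("ab") as fh:
            fh.write(b"<?php /* constructed appended code */ ?>\n")
        (site / "images").mkdir()
        (site / "images/cache.php").write_bytes(b"<?php /* constructed stray file */\n")
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    print(demo())
```

The reference tree has to include the same extension and template versions as the live site, otherwise every extension file shows up under `extra_php`.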
Re: Joomla Sites Hacked. All index.php modified (SOLVED)

Post by brann » Sun Feb 19, 2012 1:12 pm

Hi
Thanks for all the replies.
I think I have resolved it.
As restoring only the PHP files resolved it until the next time, I was sure it had nothing to do with the MySQL database itself.

I then thought it had to be folder permissions or a PHP setting.
I used the default folder permissions as on Windows.

I then started to look into the PHP settings.

I found phpsecinfo http://phpsec.org/projects/phpsecinfo/index.html
I downloaded and put folder on webserver

I got 2 or 3 red fields stating critical

The first one was
allow_url_fopen=on
I changed this to =off

Restarted wamp server

Ever since I have not had this problem
I think it's resolved

As an additional security I have invested in RSFirewall!
http://www.rsjoomla.com/joomla-extensio ... urity.html
With this I can lock Joomla down 100% and open it for editing again with 1 click
I am now running this on half of the websites and monitoring

The Firewall is just an extra thing. The fix was the PHP.ini setting mentioned above

Thanks to all who have contributed

Regards
Brann
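
An added example, not from the thread or from phpsecinfo: a check of the effective value of the directive changed above, plus the related `allow_url_include`, in a php.ini file. It assumes PHP's built-in defaults (`allow_url_fopen` on, `allow_url_include` off), so a commented-out line still counts as enabled; the sample ini text is constructed.

```python
import re

# Directives relevant to the fix in the post above, with PHP's built-in
# default (used when php.ini does not set the directive) and the safe value.
CHECKS = {
    "allow_url_fopen": {"default": True, "safe": False},
    "allow_url_include": {"default": False, "safe": False},
}
TRUE_WORDS = {"1", "on", "true", "yes"}


def effective_flags(ini_text: str) -> dict:
    """Return the effective boolean value of each checked directive."""
    values = {name: spec["default"] for name, spec in CHECKS.items()}
    scoped = False  # inside a [PATH=...] or [HOST=...] per-directory section
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("["):
            scoped = bool(re.match(r"\[(PATH|HOST)=", line, re.I))
            continue
        if scoped or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in values:  # a later assignment overrides an earlier one
            values[key] = value.strip("\"'").lower() in TRUE_WORDS
    return values


def audit(ini_text: str) -> list:
    """List the directives whose effective value differs from the safe one."""
    flags = effective_flags(ini_text)
    return sorted(n for n, v in flags.items() if v != CHECKS[n]["safe"])


# Constructed samples, not taken from the poster's server.
WEAK_INI = "[PHP]\n;allow_url_fopen = Off\nallow_url_include = On\n"
FIXED_INI = "[PHP]\nallow_url_fopen = On\nallow_url_fopen = Off\nallow_url_include = Off\n"

if __name__ == "__main__":
    print("weak :", audit(WEAK_INI))
    print("fixed:", audit(FIXED_INI))
```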

Post by Slackervaara » Mon Feb 20, 2012 6:51 pm

With the security plugin JHackGuard it is possible to make allow_url_fopen=off, which is very good as my web host did not have that option for me.

Post by PhilD » Tue Feb 21, 2012 1:18 am

This security forum is to assist in security of Joomla itself and not designed to help securely set up a server.

Blaming Joomla and your clients for issues of hacking when the server appears to be very poorly set up is just not right. That does not exonerate them, and mandville gave sound advice. No one else has to this point.

XAMPP is not secure at all as downloaded. XAMPP is designed to create Unix-style development server environments on Windows and actually requires much work to properly secure for live use such as hosting. PHP settings are just one small area that has to be hardened. There are much better options that have already been hardened enough for hosting. Once everything is hardened, then the server has to be tuned properly or it will die under the slightest real load.

The fact that you are not very familiar with server settings and basic permissions as related to hosting suggests that out of consideration for your clients, you should hire someone to properly set up and manage your server(s). Local technical colleges also usually have courses in I.T. that will help you gain the knowledge you are lacking.
PhilD

