Joomla! Discussion Forums



Post subject: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 12:17 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
Last night I got hacked again.  And not only the site that has been hacked in the past, but also my other 3 sites.  They did it differently than in the past and I don't think I will even be able to recover them.

I have read everything I could about security issues on this forum and have taken all precautions, I thought.  Any ideas on how this keeps happening?


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 12:55 am
I've been banned!

Joined: Thu Jan 18, 2007 4:43 am
Posts: 144
katers wrote:
Last night I got hacked again.  And not only the site that has been hacked in the past, but also my other 3 sites.  They did it differently than in the past and I don't think I will even be able to recover them.

I have read everything I could about security issues on this forum and have taken all precautions, I thought.  Any ideas on how this keeps happening?


yes.


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 12:57 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
Do you want to share?


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 1:18 am
Joomla! Enthusiast

Joined: Fri Sep 01, 2006 4:39 am
Posts: 177
Location: chicago
katers wrote:
Do you want to share?

if you expect any non-sarcastic help, you might want to share complete details of your situation, including versions of everything installed, exactly what went wrong, what kind of hosting you have (including details and version of that stuff), and exactly what you've read and tried.

otherwise -- how can anyone really help you?


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 1:29 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
Yes a non-sarcastic reply would be appreciated.  I have had a bad enough day.

I cannot get access to anything to tell you exact versions, except to say that everything, joomla, mosets tree, noah's classified's were the latest versions as of 2 weeks ago.

I also don't know what you mean by what kind of hosting I have.  I know the basics of putting together a site, but do not know the terminology for most of it.

Kathy


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 1:57 am
Joomla! Enthusiast

Joined: Mon Dec 25, 2006 9:42 pm
Posts: 111
Location: United States
Hi Katers,

Well since you don't know what type of hosting...I'm going to guess shared hosting.  8)

First of all I hope you do regular backups.  Do you still have FTP access?  Do you still have admin access?  If so, change the passwords to both immediately, if you haven't already.  For future reference I would strongly encourage you to use .htaccess for your administrator folder if you are not already. 

I am curious are all three sites hosted by the same company?  Also, were the sites defaced, files changed, password changed?  If this is shared hosting, you could very easily have your host chown & chmod all your files to fix the access issue, unless of course they have been deleted.  Also your host should be able to give you their version info, i.e.

Platform (Linux distribution & kernel version)
WebServer (Apache, Lighttpd, & version)
PHP Version
MySQL Version  <-is this local or remote sql server

May be good idea to ask your host if other users have been experiencing similar problems...if they are willing to admit...;)

It could be your host, I've seen countless careless web hosts, surprising from some of the larger ones.  We know you're stressed, but people are much more able, and willing to help when you give us the resources to help you.

Also, it would be very helpful if you could find out all the components installed, even if you have to get your host to do a directory listing of the following:

/somefolder/yourfolder/yoursite/components

That will at least let the community know what components that are/were installed in your site.

Look forward to hearing back.  :pop


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 2:18 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
I checked again and I now have access to cpanel and admin.  I got this response from my host earlier today

It looks like something to do with joomla and smf hacking. I've checked other clients using phpbb, smf forum and invision boards and their sites are fine. So that eliminates the database problem. They prolly tracked your sites doing a whois search and found my site also. This client's site is on your server and it works fine, that's why I say they're hacking again. The backups I have are only database backups, not full sites.

Platform (Linux distribution & kernel version)=

WHM 10.8.0 cPanel 10.9.0-C117
CentOS 4.4

Kernel version 2.6.9-42.0.3.ELsmp

WebServer (Apache, Lighttpd, & version)=

Apache version 1.3.37 (Unix)

PHP Version =

PHP version 4.4.4 including php5 support

MySQL Version  <-is this local or remote sql server =

MySQL version 4.1.21-standard-log

Thank you


Last edited by Anonymous on Tue Jan 23, 2007 2:49 am, edited 1 time in total.

Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 2:53 am
Joomla! Enthusiast

Joined: Mon Dec 25, 2006 9:42 pm
Posts: 111
Location: United States
Hmmm, sounds like a typical host answer, do you do any type of logging, or can you get a hold of any logs from your host?  Also, it sounds like you are not doing regular backups, I'm uploading a couple scripts you may want to look at if your hosts will allow cronjobs.  The SQL one only requires four variables, username/password, host & email, it has been around for a while and is a very thorough SQL db archiver.  The other one I wrote for my own sites, but used it when I still had shared hosting.  The only real variable to update is the EXCLUDED variable, the two there already are the backup directory, and for my sites I kept my cache outside of the web root.  The file backup script takes one variable at runtime, full.  i.e., ./file_backup.sh full.  If you leave this off it will perform an incremental backup and a latest "patch" backup.

I'll wait to hear back on what info you get from your host, but those may be useful in the future.  If my site were completely wiped out, I could have backups from that morning up and running in a few minutes.

Just thought that might be helpful for the future.  :)


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 2:56 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
Thank you, I appreciate it. 

My host is trying to put the sites up for me, but he is not too familiar with Joomla so it is hard to say if they can be saved.


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 3:25 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
jefe wrote:

I am curious are all three sites hosted by the same company?  Also, were the sites defaced, files changed, password changed? 

Also, it would be very helpful if you could find out all the components installed, even if you have to get your host to do a directory listing of the following:


All the sites are hosted by the same place.  All have different URLs.  Passwords were not changed during the hackings.

Components from one site are as follows (this site was just done last week, so everything was newly uploaded)

RSGallery
Linx
Art Banner
Xe-GuestWall V1

Other site...
Art banners
Joomla Explorer
Noah's Classified
Moset's Tree
Virtue Mart

The third site is a smf forum and the fourth site is one I had just started and nothing had been added to it yet.


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 3:49 am
Joomla! Explorer

Joined: Sat Aug 20, 2005 1:44 pm
Posts: 307
Location: Melbourne, Australia
The weakest thing about Joomla is its simplicity in making a site. We can do that in 15 minutes without knowing anything! This makes everyone a webmaster.

Truth is, hosting a site or two and maintaining them requires skill and knowledge on a number of things.

Katers: if you don't know what type of hosting you are on, then I doubt you have read the security FAQs in the stickies. The only thing that can help you know how the attack came in is the "Raw access log". See if you can get that from cPanel.


alamgir

_________________
www.apona-bd.com Bangla OCR and other software.
www.joomla.org.bd Bangla Joomla Site
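
An added example, not part of the thread or any poster's code: on an Apache host the raw access log is plain text in the combined log format, one request per line, and this sketch pulls out two kinds of request worth a first look. The sample lines, the `com_sample` component and both heuristics are constructed assumptions.

```shell
#!/bin/bash
# Added example: triage of an Apache "combined" format raw access log.
# Both heuristics are assumptions for illustration, not findings from the thread.

# Constructed sample lines (documentation IP ranges, hypothetical com_sample).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [22/Jan/2007:21:01:13 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2007:21:04:40 +0000] "GET /components/com_sample/sample.php?path=http://files.example.net/x.txt? HTTP/1.0" 200 412 "-" "libwww-perl/5.805"
203.0.113.7 - - [22/Jan/2007:21:04:52 +0000] "POST /administrator/index.php HTTP/1.0" 200 990 "-" "libwww-perl/5.805"
198.51.100.3 - - [22/Jan/2007:21:09:02 +0000] "GET /images/logo.png HTTP/1.1" 304 - "-" "Mozilla/5.0"
EOF
}

# Print "FLAG ip status method url" for every request matching a heuristic.
suspicious_requests() {
    awk -F'"' '
    {
        split($1, pre, " ");  ip = pre[1]              # client address
        split($2, req, " ");  method = req[1]; url = req[2]
        split($3, post, " "); status = post[1]         # HTTP status code
        lurl = tolower(url)
        # A query parameter whose value is itself a URL (plain or %-encoded).
        if (lurl ~ "[?&][^=&]*=(https?|ftp)(:|%3a)(/|%2f)")
            print "URL_IN_PARAM", ip, status, method, url
        # Any POST into the Joomla administrator area.
        if (method == "POST" && lurl ~ "^/administrator/")
            print "ADMIN_POST", ip, status, method, url
    }' "$1"
}

# Count flagged requests per client address, busiest first.
suspicious_clients() {
    suspicious_requests "$1" |
        awk '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

log=$(mktemp)
sample_log > "$log"
echo "Flagged requests:";  suspicious_requests "$log"
echo "Flagged clients:";   suspicious_clients "$log"
rm -f "$log"
```

The site owner's own administrator logins also show up under ADMIN_POST, so compare the flagged addresses against known ones before drawing conclusions.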


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 3:58 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
I got the raw access files and downloaded them, but can't open them.  I will see what I can do.


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 4:26 am
Joomla! Explorer

Joined: Sat Aug 20, 2005 1:44 pm
Posts: 307
Location: Melbourne, Australia
You can't open them, cos it has probably got an extension of .com (same as your domain); rename to txt and open in WordPad (Notepad can't open big files).

alam

Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 4:48 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
This doesn't look like what you want, but this is what it says.

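#!/bin/bash
# Full / incremental file backup using GNU tar snapshot (.snar) files.
# Usage: ./file_backup.sh full   -> new full (level 0) backup
#        ./file_backup.sh        -> incremental backup plus "latest patch" backup

BCK=site_backups/file/
ORIGINAL=site_backups/file/snapshot.snar   # snapshot written by the full backup
COPY=site_backups/file/increment.snar      # working copy, advanced by each incremental run
PATCH=site_backups/file/patch.snar         # fresh copy, so "latest" holds all changes since the full backup
DATE=$(date +%Y%m%d)
# Keep the cache and the backup directory itself out of the archives.
EXCLUDED=(--exclude=cache --exclude=site_backups)

# Stop if the account home is missing, so the rm calls below never run elsewhere.
cd /hsphere/local/home/staph777 || exit 1

if [ "$1" = "full" ]
then
    echo "PERFORMING FULL BACKUP:  ${DATE}"
    mkdir -p "${BCK}old"
    rm -f "${BCK}"*.snar
    # Roll the previous backup set into old/ before clearing it.
    tar pczf "${BCK}old/${DATE}.tar.gz" --exclude="${BCK}old" "${BCK}"
    rm -f "${BCK}"*
    rm -fR "${BCK}increment"
    mkdir "${BCK}increment"
    tar pczf "${BCK}base_${DATE}.tar.gz" -g "${ORIGINAL}" "${EXCLUDED[@]}" ./
else
    # Incremental runs need the snapshot from an earlier full backup.
    if [ ! -e "${ORIGINAL}" ]
    then
        echo "No full backup snapshot found; run with 'full' first." >&2
        exit 1
    fi

    echo "PERFORMING INCREMENTAL BACKUP:  ${DATE}"
    if [ ! -e "${COPY}" ]
    then
        cp -f "${ORIGINAL}" "${COPY}"
    fi
    tar pczf "${BCK}increment/increment_${DATE}.tar.gz" -g "${COPY}" "${EXCLUDED[@]}" ./

    echo "PERFORMING LATEST PATCH BACKUP:  ${DATE}"
    cp -f "${ORIGINAL}" "${PATCH}"
    rm -f "${BCK}"latest_*
    tar pczf "${BCK}latest_${DATE}.tar.gz" -g "${PATCH}" "${EXCLUDED[@]}" ./
fi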


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:03 am
Joomla! Explorer

Joined: Sat Aug 20, 2005 1:44 pm
Posts: 307
Location: Melbourne, Australia
it's shell script that was used to backup your site!

Not access log.

I'd honestly suggest you hire or get someone with good knowledge.

al

Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:12 am
Joomla! Enthusiast

Joined: Mon Dec 25, 2006 9:42 pm
Posts: 111
Location: United States
That is the script I uploaded a few posts ago for you...maybe you just got them mixed up?  Will wait to hear back... :)


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:14 am
Joomla! Explorer

Joined: Sat Aug 20, 2005 1:44 pm
Posts: 307
Location: Melbourne, Australia
What do I say :D

al

Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:21 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
Oh good grief, I am losing my mind!

Ok, I renamed the right file and opened it in word, however it is in some kind of code.

And I wish I could hire someone, but sunk all my money into doing these sites.  Grrr


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:25 am
Joomla! Enthusiast

Joined: Fri Sep 01, 2006 4:39 am
Posts: 177
Location: chicago
katers wrote:
I wish I could hire someone, but sunk all my money into doing these sites.  Grrr

ahhh, trial by fire.

read, search, read, search, read, search....

that's how i learned.


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:37 am
Joomla! Enthusiast

Joined: Mon Dec 25, 2006 9:42 pm
Posts: 111
Location: United States
Yes by fire, sometimes by nuclear fallout, sometimes worse... 8)  Katers, could you just upload what you have...and M$ editors handle page breaks and new line characters differently, probably Word not knowing the encoding so making it look like garbage.  ;)


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 5:46 am
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
It is not letting me upload it.  I will have to have someone do it for me tomorrow.


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 12:18 pm
I've been banned!

Joined: Thu Jan 18, 2007 4:43 am
Posts: 144
katers wrote:
Thank you, I appreciate it. 

My host is trying to put the sites up for me, but he is not too familiar with Joomla so it is hard to say if they can be saved.


I apologize for my sarcastic answer earlier :(
It is frustrating to see the cries for help that aren't helpful. Still, it's a natural outburst on your part and I should have been more understanding.


anyway...

1st plan of action.

Don't plan on "saving anything"

Your jos_components and jos_modules tables should show what you have installed, even if you can't get to the physical directories to list them directly.
You should blow them away anyway, totally clean, and check for CRON processes that may have been set up.

Since they had access to your server, and by extension, access to YOU (the risk of a browser injected Trojan or virus while currently somewhat small, is serious enough to require you do a full Virus/rootkit scan of your PC,change passwords etc.)
You may want to (and depending on your state, be forced to) report this to your users and have them take precautions as well.

Wipe everything clean.
put in an HTACCESS file that restricts access to your server while you reinstall
Do a full base RE install of Joomla 1.012
install your components and modules (after checking the 3rd party security advisories )
Do a LOCK DOWN of your permissions.

Selectively restore your joomla content and info in phpMyAdmin (start a new thread for how to and PM one of us who responded here so we don't miss it)

list if you could, the name of your host, the exact version of SMF you were using and those of the mods/add ons as well.

Moderators: would it be too hard to do a mod that forces first time posters in this particular board to read a sticky or fill out a trouble form that evokes information that would be useful in getting the help going (and advises against posting info that would not? i.e. diatribes against the hacker,etc?)
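
An added example, not from the thread, of checking the permission lockdown and cron steps listed above on a rebuilt site. The 755/644 baseline, the function names and the demo tree are assumptions; the post itself names no modes.

```shell
#!/bin/bash
# Added example: permission and cron check for a freshly reinstalled site.
# Modes 755/644 are an assumed baseline; the thread names no values.

# Entries that any local account on the server can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Entries that differ from the baseline (directories 755, files 644).
off_baseline() {
    { find "$1" -type d ! -perm 755 -print
      find "$1" -type f ! -perm 644 -print; } | sort
}

# Reset the whole tree to the baseline.
lock_down() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Active (non-comment, non-blank) lines of the current user's crontab, if any.
cron_jobs() {
    crontab -l 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)' || true
}

# Constructed demo tree standing in for a web root (com_demo is hypothetical).
make_demo_root() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/components/com_demo" "$demo_root/cache"
    echo '<?php // demo' > "$demo_root/index.php"
    echo '<?php // demo' > "$demo_root/configuration.php"
    chmod 755 "$demo_root" "$demo_root/components" "$demo_root/components/com_demo"
    chmod 644 "$demo_root/index.php"
    chmod 777 "$demo_root/cache"                # left open by an installer
    chmod 666 "$demo_root/configuration.php"    # left open after setup
    echo "$demo_root"
}

root=$(make_demo_root)
echo "World-writable before lockdown:"; world_writable "$root"
lock_down "$root"
echo "Entries off baseline after lockdown: $(off_baseline "$root" | wc -l)"
echo "Active cron entries:"; cron_jobs
rm -rf "$root"
```

Any cron entry the site owner does not recognise is worth removing and reporting to the host before the site goes back online.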


Post subject: Re: Hacked for 3rd time!
Posted: Tue Jan 23, 2007 1:42 pm
Joomla! Intern

Joined: Tue May 09, 2006 2:56 pm
Posts: 79
I will start now, thanks.

