The Joomla! Forum ™



PostPosted: Fri Aug 14, 2009 8:38 pm 
Joomla! Apprentice

Joined: Thu Aug 25, 2005 9:37 pm
Posts: 10
Location: Greater Boston Area
One of my Joomla 1.5 websites was hacked. The site is fully patched and directory permissions are 755/644. The hacker has been loading files like crp.php and int.php in the /images folder as well as other places. These files when downloaded are showing up as Rst.G trojan and C99Shell. I have been deleting the files but more show up within a day. RSFirewall hasn't reported anything, yet the hacks continue.

What really disturbs me is that he has taken over a super admin account and I cannot delete it. If I delete it in Joomla (first demoting it to admin) it is removed from the list but when I check the database the account is still there. If I delete the account directly from the database it returns immediately. Has this kind of thing happened to anyone else?


PostPosted: Mon Aug 17, 2009 9:18 am 
Joomla! Enthusiast

Joined: Thu Jul 31, 2008 7:23 am
Posts: 163
Location: Marlborough UK
Your site has been seriously compromised. Remove all files via ftp - remove any related databases and start again. Hopefully you have a backup of the site prior to the hack. Upload your site over the new Joomla install, create a new database and import your backup dbs. Through your control panel, can you add password protection to folders? If so, add a strong password to the administrator directory. This will help prevent attacks from hackers navigating straight to: /administrator. Ask your webhost to help with this if you're not sure.

If you can't remove the dbs - get your host to do it.

Take a look at this: viewtopic.php?f=432&t=391251

Good luck!


PostPosted: Mon Aug 17, 2009 1:15 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
Can you also check your cron jobs to see if there is a system to reinfect you?

What has your host said?

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Mon Aug 17, 2009 3:28 pm 
Joomla! Guru

Joined: Wed Aug 05, 2009 1:42 pm
Posts: 577
Greetings:

mandville makes a good point, as oftentimes hackers will set up hourly, daily, or weekly jobs to replant their material.

Get your hosting provider involved to find out how security can be increased, especially since you stated you are on the latest version of Joomla.

Also, check if your provider has mod_security installed, and what additional layers of protection they have set up server wide.

Thank you.

_________________
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.
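
The checks discussed in this thread (script files appearing under /images, files returning within a day, cron jobs that replant them) can be run from a shell on the host. The following is an added example, not code from any poster in this thread; the webroot argument, the file name `triage.sh` and the keyword list used to flag cron entries are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for the reinfection pattern in this thread.
# The webroot path is supplied by the operator; nothing here deletes files.

# Script files under <webroot>/images. That folder should hold only media and
# placeholder index.html files, so any hit (crp.php, int.php, ...) needs review.
php_in_images() {
    find "$1/images" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) \
        -print | sort
}

# Files under the webroot modified within the last N days (default 2), to see
# what was replanted since the last cleanup.
recently_changed() {
    find "$1" -type f -mtime "-${2:-2}" -print | sort
}

# Read `crontab -l` output on stdin and print, with line numbers, the active
# (non-comment) entries that call a downloader or PHP, or mention the webroot.
# The keyword list is an assumption; hits are candidates for manual review.
suspicious_cron() {
    awk -v root="$1" '
        /^[ \t]*(#|$)/ { next }
        /wget|curl|fetch|base64|php/ || (root != "" && index($0, root)) {
            print NR ": " $0
        }'
}

# Usage: sh triage.sh /path/to/joomla   (triage.sh is a hypothetical file name)
if [ "$#" -ge 1 ]; then
    echo "== script files under images/ ==";  php_in_images "$1"
    echo "== changed in the last 2 days ==";  recently_changed "$1" 2
    echo "== cron entries to review ==";      crontab -l 2>/dev/null | suspicious_cron "$1"
fi
```

Run it as the account that owns the site, since `crontab -l` only shows that user's jobs; system-wide cron directories need the host's help.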

