Hacked and cannot remove user from database using phpMyAdmin

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
liminal
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu Aug 25, 2005 9:37 pm
Location: Greater Boston Area
Contact:

Hacked and cannot remove user from database using phpMyAdmin

Postby liminal » Fri Aug 14, 2009 8:38 pm

One of my Joomla 1.5 websites was hacked. The site is fully patched and directory permission are 755/644. The hacker has been loading files like crp.php and int.php in the /images folder as well as other places. These files when downloaded are showing up as Rst.G trojan and C99Shell. I have been deleting the files but more show up within a day. RSFirewall hasn't reported anything yet the hacks continue.

What really disturbs me is that he has taken over a super admin account and I cannot delete it. If I delete it in Joomla (first demoting it to admin) it is removed from the list but when I check the database the account is still there. If I delete the account directly from the database it returns immediately. Has this kind of thing happened to anyone else?

User avatar
mick_3d
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 163
Joined: Thu Jul 31, 2008 7:23 am
Location: Marlborough UK
Contact:

Re: Hacked and cannot remove user from database using phpMyAdmin

Postby mick_3d » Mon Aug 17, 2009 9:18 am

Your site has been seriously compromised. Remove all files via ftp - remove any related databases and start again. Hopefully you have a backup of the site prior to the hack. Upload your site over the new Joomla install, create a new database and import your backup dbs. Through your contol panel, can you add password protection to folders? If so, add a strong password to the administrator directory. This will help prevent attacks from hackers navigating straight to: /administrator Ask your webhost to help with this if you're not sure.

If you can't remove the dbs - get your host to do it.

Take a look at this: viewtopic.php?f=432&t=391251

Good luck!

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13536
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked and cannot remove user from database using phpMyAdmin

Postby mandville » Mon Aug 17, 2009 1:15 pm

can you also check your cron jobs to see if there is a system to reinfect you?

what has your host said?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

dynamicnet
Joomla! Guru
Joomla! Guru
Posts: 577
Joined: Wed Aug 05, 2009 1:42 pm

Re: Hacked and cannot remove user from database using phpMyAdmin

Postby dynamicnet » Mon Aug 17, 2009 3:28 pm

Greetings:

mandville makes a good point as often times hackers will set up hourly, daily, or weekly jobs to replant their material.

Get your hosting provider involved to find how how security can be increased; especially since you stated you are on the latest version of Joomla.

Also, check if your provider has mod_security installed, and what additional layers of protection they have set up server wide.

Thank you.
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.


Return to “Security in Joomla! 1.5”

Who is online

Users browsing this forum: No registered users and 9 guests