1.7 Hacked and 1.6.3 hacked

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, PhilD, General Support Moderators

gkar2000
Joomla! Apprentice
Posts: 11
Joined: Sun Jul 31, 2011 7:46 am

1.7 Hacked and 1.6.3 hacked

Postby gkar2000 » Sun Jul 31, 2011 7:58 am

Hi, 2 of my websites just got hacked.

Website 1 = 1.7 website
Website 2 = 1.6.3 website <- no non-Joomla extension modules installed.
Same hacker group, looks like the same hack.

I own several more websites which didn't get hacked.
2 websites = 1.6.3
1 website = 1.5.23

Some <nationality removed> hacking group, claims to be at least.

Looks like a cross-site scripting hack, admin password got changed etc., the usual.
Can't find any weird database entries (except for the password change).
No new cron tasks found.

Please advise -> currently in the process of deleting the Joomla installation, changing all passwords incl. FTP and cPanel, new database etc.

Since it's a 1.7 website, when I'm back online should I worry?
Last edited by mandville on Sun Jul 31, 2011 6:13 pm, edited 1 time in total.
Reason: removed assumed nationality


Postby gkar2000 » Sun Jul 31, 2011 8:29 am

Found Security list Currently working list

[Y] Did you use the forum search.php search box for a similar error?

[Doesn't work because I have a J!1.7 site: Fatal error: Class 'joomlaVersion' not found in /home/internet/public_html/jts-post_1.1.1.php on line 156]
Run the forum post assistant and security tool Instructions available here

[Y] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[Y] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[Y] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[Y] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[Y] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[Y] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[Y] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[Y] Ensure you do not have anonymous ftp enabled
Last edited by gkar2000 on Sun Jul 31, 2011 1:07 pm, edited 1 time in total.
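
One way to automate the permissions item from the checklist above, as an added example that is not part of the original posts or of any Joomla tool: it walks a site directory and reports files more permissive than 644 and directories more permissive than 755, marking world-writable entries separately. The function names and the demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

FILE_MAX = 0o644  # checklist target for files
DIR_MAX = 0o755   # checklist target for directories


def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) for entries above the targets."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # the mode of a symlink itself says nothing useful
            mode = stat.S_IMODE(st.st_mode) & 0o777
            limit = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
            if not mode & ~limit:
                continue  # no permission bit beyond the target is set
            reason = "world-writable" if mode & stat.S_IWOTH else "exceeds target"
            findings.append((os.path.relpath(full, root), format(mode, "03o"), reason))
    return sorted(findings)


def build_demo_tree():
    """Create a small constructed site tree with known modes and return its path."""
    root = tempfile.mkdtemp(prefix="site-audit-")
    layout = [  # (relative path, mode, is_directory) - constructed sample data
        ("configuration.php", 0o444, False),
        ("index.php", 0o644, False),
        ("cron.sh", 0o755, False),
        ("cache", 0o755, True),
        ("images", 0o777, True),
        ("images/upload.php", 0o666, False),
    ]
    for rel, mode, is_dir in layout:
        path = os.path.join(root, *rel.split("/"))
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("placeholder\n")
        os.chmod(path, mode)  # set the exact mode regardless of umask
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mode, reason in audit_permissions(demo):
        print(f"{mode}  {reason:15}  {rel}")
```

Point `audit_permissions` at the real document root instead of the demo tree; a clean result does not rule out backdoor files, it only covers the permissions item.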

brian
Joomla! Master
Posts: 11300
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Postby brian » Sun Jul 31, 2011 9:55 am

If both sites were in the same hosting space, then a vulnerability in one will have resulted in a hack on both.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


Postby gkar2000 » Sun Jul 31, 2011 10:20 am

I have a reseller pack and just found out other Joomla! websites on the server were also hacked (not all). It's not the same hosting or domain, only the server.

Is it possible to hack a vulnerable website and hack more on the same server (different domains, hosting packs etc.)?


Postby brian » Sun Jul 31, 2011 10:23 am

simple answer is yes

mandville
Joomla! Master
Posts: 13770
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Postby mandville » Sun Jul 31, 2011 6:11 pm

I agree with brian, just ask your host about jailshell and see what they respond with.
Also, the post tool should work with 1.7; it was tested on it, and it is under development for a brand new version.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}


Postby gkar2000 » Sun Jul 31, 2011 7:16 pm

My hoster just put a version backup from yesterday on the domain which used to be the 1.6 website, so I'm up and running again.

The 1.6 website.
So I'm taking all the necessary precautions to prevent a repetition of last night, upgrading the 1.6 to 1.7 and cPanel code on the admin screen. There are 2 non-Joomla extensions, one of which is a contact form: DFcontact (latest version) and Showplus, a simple image slider (latest version).

The 1.7 website. <too many extensions to name.
There is an anomaly which I can't place yet: the website is restored with a recent backup, however there is a small .png image in the footer which isn't showing. Not so impressive, however it is placed in the right location and pointed to correctly by CSS.
Now the anomaly is that when you use Firebug or Chrome to inspect the code, instead of notifying an error in location or such it displays this:
[an error occurred while processing this directive]

Is this just because of transporting sites or is this a trace?

If you want I could PM you the link.


Postby gkar2000 » Sun Jul 31, 2011 7:42 pm

Just found out another website which I didn't check earlier was hacked. This is a 1.5.23 website; it is a clean install of Joomla 1.5.3 with only the DTRegister module on it (paid).


Postby gkar2000 » Sun Jul 31, 2011 8:10 pm

Found another, different time, Joomla 1.5.23.


Postby gkar2000 » Sun Jul 31, 2011 9:28 pm

Still under attack, found a trace now, definitely the hacker is entering through the admin screen.

Doesn't seem to matter which Joomla! version or pw changes. I've been hacked on: 2x 1.5.23, 1.6.1, 1.6.3, 1.7

Found logs!

184.154.223.130 - - [31/Jul/2011:17:54:04 +0200] "GET /administrator HTTP/1.1" 301 429 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:05 +0200] "GET /administrator/ HTTP/1.1" 200 4156 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/khepri/css/rounded.css HTTP/1.1" 200 2495 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/khepri/css/login.css HTTP/1.1" 200 1952 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/system/css/system.css HTTP/1.1" 200 1131 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /media/system/js/mootools.js HTTP/1.1" 200 74434 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:15 +0200] "GET /administrator/templates/khepri/css/general.css HTTP/1.1" 200 15582 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:17 +0200] "GET /administrator/templates/khepri/images/h_green/j_header_middle.png HTTP/1.1" 200 385 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:17 +0200] "GET /administrator/templates/khepri/images/h_green/j_header_right.png HTTP/1.1" 200 366 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/h_green/j_header_left.png HTTP/1.1" 200 5148 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_button1_next.png HTTP/1.1" 200 1507 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_crn_tr_light.png HTTP/1.1" 200 252 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_border.png HTTP/1.1" 200 213 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_button1_left.png HTTP/1.1" 200 483 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_crn_br_light.png HTTP/1.1" 200 253 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_crn_bl_light.png HTTP/1.1" 200 246 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_crn_tl_light.png HTTP/1.1" 200 247 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_login_lock.jpg HTTP/1.1" 200 2536 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_bottom.png HTTP/1.1" 200 232 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_corner_br.png HTTP/1.1" 200 314 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_corner_bl.png HTTP/1.1" 200 303 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:20 +0200] "GET /administrator/templates/khepri/favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:55:36 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:55:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 17436 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:55:39 +0200] "GET /includes/js/joomla.javascript.js HTTP/1.1" 200 15405 "http://fightershub.com/administrator/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
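
A way to triage access logs like the ones posted above, as an added example that is not part of the original post: it parses Apache combined-format lines, lists every POST to the admin entry point, and separates client IPs that are not on a list of known administrator addresses. The sample lines are constructed, the function names are hypothetical, and treating "redirect followed by a 200 admin page" as an accepted session is a heuristic assumption to confirm against your own Joomla version.

```python
import re
from datetime import datetime

# Apache "combined" log format, the format of the lines posted above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ADMIN_PATHS = {"/administrator/", "/administrator/index.php"}

# Constructed sample lines (documentation IP ranges, example.org), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2011:10:00:05 +0200] "GET /administrator/ HTTP/1.1" 200 4156 "-" "ExampleAgent/1.0"',
    '203.0.113.7 - - [01/Aug/2011:10:01:36 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://example.org/administrator/" "ExampleAgent/1.0"',
    '198.51.100.23 - - [01/Aug/2011:10:01:36 +0200] "POST /administrator/index.php HTTP/1.1" 200 4201 "-" "ExampleAgent/1.0"',
    '203.0.113.7 - - [01/Aug/2011:10:01:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 17436 "http://example.org/administrator/" "ExampleAgent/1.0"',
    '192.0.2.10 - - [01/Aug/2011:11:02:10 +0200] "POST /administrator/index.php?option=com_content HTTP/1.1" 303 - "-" "ExampleAgent/1.0"',
    '192.0.2.10 - - [01/Aug/2011:11:02:11 +0200] "GET /administrator/index.php?option=com_content HTTP/1.1" 200 9120 "-" "ExampleAgent/1.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def admin_post_events(lines, known_admin_ips=frozenset()):
    """List every POST to the admin entry point with a heuristic outcome."""
    records = [r for r in map(parse_line, lines) if r is not None]
    events = []
    for i, rec in enumerate(records):
        if rec["method"] != "POST" or rec["path"] not in ADMIN_PATHS:
            continue
        # The next request from the same client, if there is one.
        follow = next((r for r in records[i + 1:] if r["ip"] == rec["ip"]), None)
        redirected = 300 <= rec["status"] < 400
        landed = (follow is not None and follow["method"] == "GET"
                  and follow["path"] in ADMIN_PATHS and follow["status"] == 200)
        events.append({
            "ip": rec["ip"],
            "time": rec["time"].isoformat(),
            "status": rec["status"],
            # Assumption: redirect plus admin page load means the session was accepted.
            "outcome": "probable-authenticated" if redirected and landed else "unconfirmed",
            "known_ip": rec["ip"] in known_admin_ips,
        })
    return events


def unknown_authenticated_ips(events):
    """Client IPs with accepted admin POSTs that are not on the known-admin list."""
    return sorted({e["ip"] for e in events
                   if e["outcome"] == "probable-authenticated" and not e["known_ip"]})


if __name__ == "__main__":
    found = admin_post_events(SAMPLE_LOG, known_admin_ips={"192.0.2.10"})
    for event in found:
        print(event)
    print("review these clients:", unknown_authenticated_ips(found))
```

Run it over the logs of every domain in the account with the same known-address list, so that one client appearing across several sites stands out.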


Postby gkar2000 » Sun Jul 31, 2011 9:34 pm

There are no other logs of any activities besides the above or some similar logs on different domains, and I'm working together with my hoster, so either I'm doing something terribly wrong, or the hacker is exploiting some sort of security issue.


Postby gkar2000 » Mon Aug 01, 2011 12:19 am

JTS-post Problem Description wrote:Hacked admin codes and hackers message onscreen
JTS-post Actions Taken To Resolve wrote:Deleted all files, loaded a backup database, /administrator dir lock by Cpanel, all admin users deleted.

JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.5.23 Stable [ senu takaa ama baji ] 04-March-2011 18:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-164.el5PAE ( i686) | Web Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | PHP Version: 5.2.14
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: ( )

JTS-post Extended Information wrote:SEF: Enabled (with ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 50M | Max. Post Size: 50M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: proc_open, popen, disk_free_space, diskfreespace, leak, tmpfile, exec, system, shell_exec, passthru
MySQL Client: 5.0.92 ( )


Postby gkar2000 » Mon Aug 01, 2011 12:22 am

and here's another.

JTS-post Problem Description wrote:Same as above, different site
JTS-post Actions Taken To Resolve wrote:Deleted all files, loaded a backup database, /administrator dir lock by Cpanel, all admin users deleted.

JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.5.23 Stable [ senu takaa ama baji ] 04-March-2011 18:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-164.el5PAE ( i686) | Web Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | PHP Version: 5.2.14
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.92-community ( Localhost via UNIX socket )

JTS-post Extended Information wrote:SEF: Disabled (without ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Not Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 50M | Max. Post Size: 50M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: proc_open, popen, disk_free_space, diskfreespace, leak, tmpfile, exec, system, shell_exec, passthru
MySQL Client: 5.0.92 ( latin1 )

iTD
Joomla! Intern
Posts: 73
Joined: Mon Aug 24, 2009 10:11 pm

Postby iTD » Mon Aug 01, 2011 7:17 pm

Any chance your host is running open_basedir? I had an instance once with my reseller account where open_basedir allowed a hacker to view all of my accounts - then systematically start hacking them. You might also want to check out "JSecure" (Plug-in). It requires additional information after the www.site.com/administration/ path to access the admin area - whereby making it harder for hackers to get in.

PhilD
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Postby PhilD » Mon Aug 01, 2011 11:21 pm

Here are some thoughts and observations.

What was the host response on the JailShell question asked by Brian and mandville?

What is the host response on the open_base directory? Are the paths set correctly or are they not set at all?

What are or were the permissions on your files? Your directories?

htaccess: Not Implemented ---->> The Joomla htaccess file should be enabled. Not being implemented is a security risk.

PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
---->> This can cause issues with file/directory ownership and file/directory permissions. Elevated permissions are a normal result and are a security risk.

FrontPage/5.0.2.2635 ---->> this is a security risk and should be uninstalled from your domain (usually done through the domains c-panel). Joomla does not need this, and no other modern CMS, forum, store etc. uses this, so remove it.

Can't find any weird database entries (except for password change). --->> You probably won't, as normally hacks are hidden within files, not the database.

/administrator dir lock by Cpanel ---> while this is a really good idea, at this point it is probably useless. --->>> At this point this would probably be useless. Sort of like locking the barn door after the horse has been stolen.

"JSecure" (Plug-in). It requires additional information after the http://www.site.com/administration/ path to access the admin area - whereby making it harder for hackers to get in. --->>> At this point this would probably be useless. Sort of like locking the barn door after the horse has been stolen.


gkar2000 wrote:Just found out another website which I didn't check earlier was hacked, this is a 1.5.23 website, it is a clean install of Joomla 1.5.3 with only DTRegister module on it (paid)

gkar2000 wrote:Doesn't seem to matter which Joomla! version or pw changes. I've been hacked on: 2x 1.5.23, 1.6.1, 1.6.3, 1.7

gkar2000 wrote:I have a reseller pack and just found out other Joomla! websites on the server were also hacked (not all). It's not the same hosting or domain, only the server

Since you mention you have a reseller account, you are going to have to remove every single installation (Joomla or otherwise, and ALL files) installed from your account, all at the same time. Your account is your account and your account controls every domain you sold or have.

What is likely happening is you fix one site, but others are hacked and the hack spreads to the clean account while you try to fix the next one, since they now have the keys, so to speak, to your entire reseller account.

It is also likely that there are hacking files such as c99 installed on one or more accounts that allow the hacker to view your entire reseller account (and potentially the entire server) as if it were a local hard drive on their computer. There is also the possibility that someone else has an account or site hacked and the hacks are coming from there using the same scripts (c99 and such).

If you move to a different host, do not take any backups from the old server to the new server, and don't reuse any files, or you will likely find the new one will also be hacked (you moved the hack files); rather, start with 100% clean, freshly downloaded installs.

There is also the possibility that your computer is hacked with malware that steals your login credentials every time you log in to both your reseller account and your domains/sites. It is also possible someone you host (if you do that) has the issue allowing the hacker in.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Vanilla Sky
Joomla! Intern
Posts: 77
Joined: Tue May 24, 2011 6:49 am

Postby Vanilla Sky » Fri Aug 05, 2011 6:37 am

Dude, are you usually that free with your information? I understand you need help, but do you usually post site info on forums etc? You never know.


Postby PhilD » Fri Aug 05, 2011 12:43 pm

The forum post assistant is to assist in solving issues with a site by giving the user an easy-to-use way of gathering and posting the required information in a standard, easy-to-read format.

Logs are logs. While I have not looked in detail, nothing jumped out at me.

I don't think posting the info is really a security issue, especially since the poster has already been hacked.

Of course, after use you should remove the script.

juanfer2k
Joomla! Apprentice
Posts: 11
Joined: Tue Apr 01, 2008 5:51 pm

Postby juanfer2k » Sun Aug 07, 2011 4:02 pm

mandville wrote:I agree with brian, just ask your host about jailshell and see what they respond with.
Also, the post tool should work with 1.7; it was tested on it, and it is under development for a brand new version.

I'm pretty worried about this, there's a 1.7 install on the root for this site. I have no access to the panel, but the entire site went down. http://www.yearinisraelforum.com/


Postby mandville » Sun Aug 07, 2011 5:16 pm

juanfer2k wrote:.

Do not hijack topics, please start your own.

