The Joomla! Forum ™



Posted: Sun Jul 31, 2011 7:58 am
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
Hi, 2 of my websites just got hacked.

Website 1= 1.7 website
website 2 = 1.6.3 website <-no non-joomla extension modules installed.
Same hacker group, looks like same hack

I own several more websites which didn't get hacked.
2 websites = 1.6.3
1 website = 1.5.23

Some <nationality removed> hacking group, claims to be at least.

Looks like a cross-site scripting hack, admin password got changed etc, the usual.
Can't find any weird database entries (except for password change).
No new crontasks found.

Please advise -> currently in process of deleting Joomla installation, changing all passwords incl. ftp and cpanel, new database etc

Since it's a 1.7 website, when I'm back online should I worry?


Last edited by mandville on Sun Jul 31, 2011 6:13 pm, edited 1 time in total.
removed assumed nationality


Posted: Sun Jul 31, 2011 8:29 am
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
Found Security list Currently working list

[Y] Did you use the forum search.php search box for a similar error?

[Doesn't work because I have a J!1.7 site: Fatal error: Class 'joomlaVersion' not found in /home/internet/public_html/jts-post_1.1.1.php on line 156]
Run the forum post assistant and security tool Instructions available here

[Y] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[Y] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[Y] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[Y] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[Y] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[Y] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[Y] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[Y] Ensure you do not have anonymous ftp enabled


Last edited by gkar2000 on Sun Jul 31, 2011 1:07 pm, edited 1 time in total.

Posted: Sun Jul 31, 2011 9:55 am
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10542
Location: Leeds, UK
If both sites were in the same hosting space then a vulnerability in one will have resulted in a hack on both.

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


Posted: Sun Jul 31, 2011 10:20 am
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
I have a reseller pack and just found out other Joomla! websites on the server were also hacked (not all). It's not the same hosting or domain, only the server.

Is it possible to hack a vulnerable website and hack more on the same server (different domains, hosting packs etc.)?


Posted: Sun Jul 31, 2011 10:23 am
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10542
Location: Leeds, UK
simple answer is yes

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


Posted: Sun Jul 31, 2011 6:11 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12561
Location: The Girly Side of Joomla in Sussex
I agree with Brian, just ask your host about jailshell and see what they respond with.
Also the post tool should work with 1.7, it was tested on it, and it is under development for a brand new version.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Sun Jul 31, 2011 7:16 pm
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
My hoster just put a version backup from yesterday on the domain which used to be the 1.6 website, so I'm up and running again.

The 1.6 website.
So I'm taking all the necessary precautions to prevent repetition of last night, upgrading the 1.6 to 1.7 and cpanel code on the admin screen. There are 2 non-Joomla extensions, one of which is a contact form: DFcontact (latest version) and Showplus, a simple image slider (latest version).

The 1.7 website. <too many extensions to name.
There is an anomaly which I can't place yet: the website is restored with a recent backup, however there is a small .png image in the footer which isn't showing. Not so impressive, however it is placed on the right location and pointed to correctly by CSS.
Now the anomaly is when you use Firebug or Chrome to inspect the code, instead of notifying an error in location or such it displays this:
[an error occurred while processing this directive]

Is this just because of transporting sites or is this a trace?

If you want, I could PM you the link.


Posted: Sun Jul 31, 2011 7:42 pm
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
Just found out another website which I didn't check earlier was hacked. This is a 1.5.23 website, it is a clean install of Joomla 1.5.3 with only DTRegister module on it (paid).


Posted: Sun Jul 31, 2011 8:10 pm
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
found another, different time joomla 1.5.23


Posted: Sun Jul 31, 2011 9:28 pm
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
Still under attack, found a trace now, definitely the hacker is entering through the admin screen.

Doesn't seem to matter which Joomla! version or pw changes. I've been hacked on: 2x 1.5.23, 1.6.1, 1.6.3, 1.7

found logs!

184.154.223.130 - - [31/Jul/2011:17:54:04 +0200] "GET /administrator HTTP/1.1" 301 429 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:05 +0200] "GET /administrator/ HTTP/1.1" 200 4156 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/khepri/css/rounded.css HTTP/1.1" 200 2495 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/khepri/css/login.css HTTP/1.1" 200 1952 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/system/css/system.css HTTP/1.1" 200 1131 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:07 +0200] "GET /media/system/js/mootools.js HTTP/1.1" 200 74434 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:15 +0200] "GET /administrator/templates/khepri/css/general.css HTTP/1.1" 200 15582 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:17 +0200] "GET /administrator/templates/khepri/images/h_green/j_header_middle.png HTTP/1.1" 200 385 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:17 +0200] "GET /administrator/templates/khepri/images/h_green/j_header_right.png HTTP/1.1" 200 366 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/h_green/j_header_left.png HTTP/1.1" 200 5148 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_button1_next.png HTTP/1.1" 200 1507 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_crn_tr_light.png HTTP/1.1" 200 252 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_border.png HTTP/1.1" 200 213 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_button1_left.png HTTP/1.1" 200 483 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_crn_br_light.png HTTP/1.1" 200 253 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:18 +0200] "GET /administrator/templates/khepri/images/j_crn_bl_light.png HTTP/1.1" 200 246 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_crn_tl_light.png HTTP/1.1" 200 247 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_login_lock.jpg HTTP/1.1" 200 2536 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_bottom.png HTTP/1.1" 200 232 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_corner_br.png HTTP/1.1" 200 314 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:19 +0200] "GET /administrator/templates/khepri/images/j_corner_bl.png HTTP/1.1" 200 303 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:54:20 +0200] "GET /administrator/templates/khepri/favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:55:36 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:55:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 17436 "http://fightershub.com/administrator/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
184.154.223.130 - - [31/Jul/2011:17:55:39 +0200] "GET /includes/js/joomla.javascript.js HTTP/1.1" 200 15405 "http://fightershub.com/administrator/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"


Top
 Profile  
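An added example, not part of the original post: a Python sketch that scans Apache combined-format lines like those posted above for the pattern at the end of that excerpt, a POST to /administrator/index.php answered with a redirect and followed by an admin page much larger than the login form the same client was served. The sample lines, the addresses and the size-growth threshold are constructed assumptions.

```python
import re

# Apache "combined" format, the format of the log lines posted above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# The admin entry point itself, not the CSS/images under /administrator/.
ADMIN_ENTRY = re.compile(r'^/administrator/(index\.php)?(\?.*)?$')

def parse(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def admin_logins(lines, growth=2.0):
    """Return (ip, time of POST, login-form bytes, bytes served after POST)
    for each redirected POST that was followed by a much larger admin page."""
    form_size = {}   # ip -> size of the login form that client was served
    pending = {}     # ip -> timestamp of a redirected POST awaiting its GET
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or not ADMIN_ENTRY.match(rec["path"]):
            continue
        ip = rec["ip"]
        if rec["method"] == "POST" and rec["status"] in (302, 303):
            pending[ip] = rec["ts"]
        elif rec["method"] == "GET" and rec["status"] == 200:
            posted_at = pending.pop(ip, None)
            base = form_size.get(ip)
            if posted_at and base and rec["size"] >= growth * base:
                hits.append((ip, posted_at, base, rec["size"]))
            else:
                form_size[ip] = rec["size"]  # login form (again)
    return hits

# Constructed sample: documentation addresses; the second client's sizes are made up.
SAMPLE = '''\
203.0.113.10 - - [31/Jul/2011:17:54:05 +0200] "GET /administrator/ HTTP/1.1" 200 4156 "-" "UA (constructed)"
203.0.113.10 - - [31/Jul/2011:17:54:07 +0200] "GET /administrator/templates/khepri/css/login.css HTTP/1.1" 200 1952 "http://example.org/administrator/" "UA (constructed)"
203.0.113.10 - - [31/Jul/2011:17:55:36 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://example.org/administrator/" "UA (constructed)"
203.0.113.10 - - [31/Jul/2011:17:55:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 17436 "http://example.org/administrator/" "UA (constructed)"
198.51.100.7 - - [31/Jul/2011:18:02:10 +0200] "GET /administrator/ HTTP/1.1" 200 4156 "-" "UA (constructed)"
198.51.100.7 - - [31/Jul/2011:18:02:31 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://example.org/administrator/" "UA (constructed)"
198.51.100.7 - - [31/Jul/2011:18:02:32 +0200] "GET /administrator/index.php HTTP/1.1" 200 4290 "http://example.org/administrator/" "UA (constructed)"
'''.splitlines()

if __name__ == "__main__":
    for ip, ts, before, after in admin_logins(SAMPLE):
        print(f"{ip} POST at {ts}: admin page grew {before} -> {after} bytes")
```

The size comparison is a heuristic: each hit still has to be matched against the administrators' own addresses and login times before it counts as someone else's session.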
 
Posted: Sun Jul 31, 2011 9:34 pm
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
There are no other logs of any activities besides the above or some similar logs on different domains, and I'm working together with my hoster, so either I'm doing something terribly wrong, or the hacker is exploiting some sort of security issue.


Posted: Mon Aug 01, 2011 12:19 am
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
JTS-post Problem Description wrote:
Hacked admin codes and hackers message onscreen
JTS-post Actions Taken To Resolve wrote:
Deleted all files, loaded a backup database, /administrator dir lock by Cpanel, all admin users deleted.

JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.5.23 Stable [ senu takaa ama baji ] 04-March-2011 18:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-164.el5PAE ( i686) | Web Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | PHP Version: 5.2.14
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: ( )

JTS-post Extended Information wrote:
SEF: Enabled (with ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 50M | Max. Post Size: 50M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: proc_open, popen, disk_free_space, diskfreespace, leak, tmpfile, exec, system, shell_exec, passthru
MySQL Client: 5.0.92 ( )


Posted: Mon Aug 01, 2011 12:22 am
Joomla! Apprentice

Joined: Sun Jul 31, 2011 7:46 am
Posts: 11
and here's another.

JTS-post Problem Description wrote:
Same as above, different site
JTS-post Actions Taken To Resolve wrote:
Deleted all files, loaded a backup database, /administrator dir lock by Cpanel, all admin users deleted.

JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.5.23 Stable [ senu takaa ama baji ] 04-March-2011 18:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-164.el5PAE ( i686) | Web Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 | PHP Version: 5.2.14
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.92-community ( Localhost via UNIX socket )

JTS-post Extended Information wrote:
SEF: Disabled (without ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Not Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: cgi | MySQLi: Yes | Max. Memory: 96M | Max. Upload Size: 50M | Max. Post Size: 50M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: proc_open, popen, disk_free_space, diskfreespace, leak, tmpfile, exec, system, shell_exec, passthru
MySQL Client: 5.0.92 ( latin1 )


Posted: Mon Aug 01, 2011 7:17 pm
Joomla! Intern

Joined: Mon Aug 24, 2009 10:11 pm
Posts: 73
Any chance your host is running open_basedir? I had an instance once with my reseller account where open_basedir allowed a hacker to view all of my accounts - then systematically start hacking them. You might also want to check out "JSecure" (Plug-in). It requires additional information after the www.site.com/administration/ path to access the admin area - whereby making it harder for hackers to get in.


Posted: Mon Aug 01, 2011 11:21 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
Here are some thoughts and observations.

What was the host response on the JailShell question asked by Brian and mandville?

What is the host response on the open_base directory? Are the paths set correctly or are they not set at all?

What are (or were) your permissions on your files? Your directories?

htaccess: Not Implemented ---->> The Joomla htaccess file should be enabled. Not being implemented is a security risk.

PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
---->> This can cause issues with file/directory ownership and file/directory permissions. Elevated permissions are a normal result and are a security risk.

FrontPage/5.0.2.2635 ---->> this is a security risk and should be uninstalled from your domain (usually done through the domains c-panel). Joomla does not need this, and no other modern CMS, forum, store etc. uses this, so remove it.

Can't find any weird database entries (except for password change). --->> you probably won't as normally hacks are hidden within files, not the database.

/administrator dir lock by Cpanel ---> while this is a really good idea, at this point it is probably useless. --->>> At this point this would probably be useless. Sort of like locking the barn door after the horse has been stolen.

"JSecure" (Plug-in). It requires additional information after the http://www.site.com/administration/ path to access the admin area - whereby making it harder for hackers to get in. --->>> At this point this would probably be useless. Sort of like locking the barn door after the horse has been stolen.


Just found out another website which I didn't check earlier was hacked. This is a 1.5.23 website, it is a clean install of Joomla 1.5.3 with only DTRegister module on it (paid).

Doesn't seem to matter which Joomla! version or pw changes. I've been hacked on: 2x 1.5.23, 1.6.1, 1.6.3, 1.7

I have a reseller pack and just found out other Joomla! websites on the server were also hacked (not all). It's not the same hosting or domain, only the server.

Since you mention you have a reseller account, then you are going to have to remove every single installation (Joomla or otherwise and ALL files) installed from your account all at the same time. Your account is your account and your account controls every domain you sold or have.

What is likely happening is you fix one site, but others are hacked and the hack spreads to the clean account while you try to fix the next one, since they now have the keys, so to speak, to your entire reseller account.

It is also likely that there are hacking files such as c99 installed on one or more accounts that allow the hacker to view your entire reseller account (and potentially the entire server) as if it were a local hard [drive] on their computer. There is also the possibility that someone else has an account or site hacked and the hacks are coming from there using the same scripts (c99 and such).

If you move to a different host, do not take any backups from the old server to the new server, and don't reuse any files, or you will likely find the new one will also be hacked (you moved the hack files), but rather start with 100% clean freshly downloaded installs.

There is also the possibility that your computer is hacked with malware that steals your login credentials every time you log in to both your reseller account and your domains/sites. It is also possible someone you host (if you do that) has the issue allowing the hacker in.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Top
 Profile  
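An added example, not from the thread or from Joomla: the checklist's advice to replace every file with fresh copies, and the questions above about file and directory permissions, can be checked before the wipe by comparing the live tree with a freshly unpacked copy of the same release. This Python sketch lists files that are extra or differ from the reference and anything world-writable (such as 777); the function names and the directory layout built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entries(root):
    """Yield (relative path, absolute path, is_dir) for everything below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            yield os.path.relpath(p, root), p, True
        for name in filenames:
            p = os.path.join(dirpath, name)
            yield os.path.relpath(p, root), p, False

def audit(site_root, clean_root):
    """Compare a live site tree with a freshly unpacked reference copy."""
    report = {"added": [], "modified": [], "world_writable": []}
    for rel, path, is_dir in entries(site_root):
        if os.path.islink(path):
            continue  # a symlink's own mode bits say nothing; skip it
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & stat.S_IWOTH:  # e.g. 777 or 666
            report["world_writable"].append((rel, oct(mode)))
        if is_dir:
            continue
        ref = os.path.join(clean_root, rel)
        if not os.path.isfile(ref):
            report["added"].append(rel)       # not in the clean package
        elif sha256(path) != sha256(ref):
            report["modified"].append(rel)    # differs from the clean package
    for found in report.values():
        found.sort()
    return report

def write(path, text, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def demo():
    """Build a constructed clean tree and a tampered copy, then audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            write(os.path.join(root, "index.php"), "<?php // stock file\n")
            write(os.path.join(root, "images", "logo.txt"), "stock placeholder\n")
            os.chmod(os.path.join(root, "images"), 0o755)
        # Constructed tampering: one edited file, one extra file, one 777 directory.
        write(os.path.join(site, "index.php"), "<?php // stock file\n// appended\n")
        write(os.path.join(site, "images", "extra.php"), "<?php // not in package\n")
        os.chmod(os.path.join(site, "images"), 0o777)
        return audit(site, clean)

if __name__ == "__main__":
    for kind, found in demo().items():
        print(kind, found)
```

Files a site legitimately adds, such as configuration.php and uploaded images, will show up as added, so the report is a list to review rather than a verdict.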
 
Posted: Fri Aug 05, 2011 6:37 am
Joomla! Intern

Joined: Tue May 24, 2011 6:49 am
Posts: 77
Dude, are you usually that free with your information? I understand you need help, but do you usually post site info on forums etc? You never know.


Posted: Fri Aug 05, 2011 12:43 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
The forum post assistant is to assist in solving issues with a site by giving the user an easy to use way of gathering and posting the required information in a standard easy read format.

logs are logs. While I have not looked in detail, nothing jumped out at me.

I don't think posting the info is really a security issue, especially since the poster has already been hacked.

Of course after use you should remove the script.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Sun Aug 07, 2011 4:02 pm
Joomla! Apprentice

Joined: Tue Apr 01, 2008 5:51 pm
Posts: 11
mandville wrote:
I agree with Brian, just ask your host about jailshell and see what they respond with.
Also the post tool should work with 1.7, it was tested on it, and it is under development for a brand new version.

Am pretty worried about this, there's an 1.7 install on the root for this site. I have no access to the panel, but the entire site went down. http://www.yearinisraelforum.com/


Posted: Sun Aug 07, 2011 5:16 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12561
Location: The Girly Side of Joomla in Sussex
juanafer2k wrote:
.

Do not hijack topics,
please start your own

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

