Got hacked, restored site frontend, can't log into admin now

Discussion regarding Joomla! 1.5 security issues.
reallyordinary
Joomla! Apprentice
Posts: 17
Joined: Sun Oct 14, 2007 4:44 pm

Got hacked, restored site frontend, can't log into admin now

Post by reallyordinary » Sat Aug 16, 2008 1:07 am

EDIT: Arggghh... never mind, I figured it out. Stupid oversight on my part.

*******

One of my clients got hit by that stupid reDMin Turkey hack going around. He was running 1.5.2. I was able to get his site back online by restoring a clean version of the hacked configuration.php file. After that I changed the database username and password, the FTP username and password, installed the 1.5.6 patch, and CHMODed configuration.php to 644. So... his front end is now restored... but, interestingly... I can't log in to the administration section. At all. From any user account.

Even after going into phpmyadmin and resetting the admin password. Doesn't work. I tried changing it several times in several different ways, through SQL queries, through copying and pasting md5 code in... tried creating a new Super Admin user entirely... nada. Every time I try to log in I just keep getting "username and password do not match."

So... the hack appears to've done something that's screwed up the login code.

Anyone have any idea how to fix this?

drummerbran
Joomla! Apprentice
Posts: 16
Joined: Sun Jun 01, 2008 6:32 am

Re: Got hacked, restored site frontend, can't log into admin now

Post by drummerbran » Sat Aug 16, 2008 1:45 am

I had the same thing happen to me today! Same hackers and same problem with the admin login! How did you fix it????

SOAMJENA
Joomla! Ace
Posts: 1274
Joined: Thu May 01, 2008 12:36 pm
Location: QubeSys Technologies Pvt. Ltd ,INDIA

Re: Got hacked, restored site frontend, can't log into admin now

Post by SOAMJENA » Sat Aug 16, 2008 1:47 am

Hmmm, better to stay secure and prevent yourself from future hacks.
Well, to prevent yourself from being hacked, you can have a look at this article of my site,
[Mod Note: Self-promotion even when well intentioned is not permitted in these forums. Please see the Forum Rules for full clarification on this. URL removed]

And to solve your main issue of lost admin password, you should do this..
[Mod Note: Self-promotion even when well intentioned is not permitted in these forums. Please see the Forum Rules for full clarification on this. URL removed]


If you have any problems, feel free to contact me on the IMs.

Thanks....
Last edited by humvee on Sat Aug 16, 2008 10:32 am, edited 1 time in total.
Reason: Self promo url deleted
Web Design, eCommerce and Software Development
Joomla Premium Extensions,Templates and Support Packages

grocer
Joomla! Apprentice
Posts: 5
Joined: Sat Jun 09, 2007 4:54 am
Location: Sydney, Australia

Re: Got hacked, restored site frontend, can't log into admin now

Post by grocer » Sat Aug 16, 2008 2:23 am

Thanks for posting that, it's solved my issue.

humvee
Joomla! Master
Posts: 14713
Joined: Wed Aug 17, 2005 10:27 pm
Location: Kent, England

Re: Got hacked, restored site frontend, can't log into admin now

Post by humvee » Sat Aug 16, 2008 10:43 am

Information on resetting passwords is readily available on the http://docs.joomla.org and http://help.joomla.org Web sites. For example: http://docs.joomla.org/Administration_F ... assword.3F

Andy

atomiclotusbox
Joomla! Fledgling
Posts: 2
Joined: Mon Apr 14, 2008 2:55 am

Re: Got hacked, restored site frontend, can't log into admin now

Post by atomiclotusbox » Sat Aug 16, 2008 6:50 pm

thanks Andy!

mentha
Joomla! Apprentice
Posts: 7
Joined: Thu Aug 16, 2007 1:18 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by mentha » Sun Aug 17, 2008 9:08 pm

Great, I've been hacked as well... Geesh, it's not like I've got anything interesting on my site...

Anyway, how do I restore my homepage and how can I prevent this from happening again? I changed my pw in the database, so I've been able to login to the Administrator. And now? Help?

brad
Joomla! Master
Posts: 13291
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: Got hacked, restored site frontend, can't log into admin now

Post by brad » Sun Aug 17, 2008 9:19 pm

Brad Baker
https://xyzuluhosting.com
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

Scoffers
Joomla! Apprentice
Posts: 43
Joined: Sun Mar 30, 2008 6:51 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by Scoffers » Mon Aug 18, 2008 10:08 am

My site was hacked too. I restored my configuration.php and the frontend site is back up and running. I now need to create a new admin userid (as per the Joomla help dictates). I have chmoded the configuration.php to 644.

I will also be updating from 1.5.5 to 1.5.6 as this seems to fix the vulnerability that caused the issue.

peteraloha
Joomla! Apprentice
Posts: 20
Joined: Sat Sep 02, 2006 1:05 am
Location: Los Angeles

Re: Got hacked, restored site frontend, can't log into admin now

Post by peteraloha » Tue Aug 19, 2008 1:56 am

Hi Folks,

My site was hacked too.

Can someone give me a few more details (specific steps) to HOW I RESTORE MY CONFIGURATION.PHP, and is that likely to fix the fact that instead of my homepage there is the hacker's home page pulling up?

I am pretty good in following diligently what I am told to do, but since I am fairly new I just don't have the individual steps to fix this hack (which is btw at http://www.mypcguru.net/Support/)

Any help or hint to links that might be helpful are *truly* appreciated!

Peter

Scoffers
Joomla! Apprentice
Posts: 43
Joined: Sun Mar 30, 2008 6:51 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by Scoffers » Tue Aug 19, 2008 10:07 am

Certainly peteraloha

All the hack seems to do is update the following lines in your configuration.php file

var $offline =
var $sitename =
var $offline_message =

The first one should be set to 0 (the hack sets the value to 1, which means offline).
The next two are your site name and offline message; just change them back to whatever you want.

So that is all you need to change. Once that is done, you should be able to see your site again. You will then need to follow the procedure listed above to change your admin password.

Good Luck !

peteraloha
Joomla! Apprentice
Posts: 20
Joined: Sat Sep 02, 2006 1:05 am
Location: Los Angeles

Re: Got hacked, restored site frontend, can't log into admin now

Post by peteraloha » Tue Aug 19, 2008 3:22 pm

Hi Scoffers,

THANK YOU SO MUCH for taking the time to post this detailed advice.

I downloaded the configuration.php file of my site and found that the hack that I am hit with didn't change the values you are listing in your solution. So there must be another place to apply the fix. Do you or anyone have any other suggestions or leads?

The hacked site is here
http://www.mypcguru.net/Support/

and the folks listed on the hackers' page are this: "+CaprazAtes.Org" (that's the site name showing up).

Since I don't know what the hack might have done, any advice is appreciated.
I did attempt the suggestions posted by Jerad Hill, who suggests that code is inserted in the MySQL db:
http://www.revver.com/video/783600/how- ... omla-site/

Unfortunately I got stuck there halfway through the remedy he suggests, but if I hear that his suggestion might be the next step for me, I shall focus on that. He talks about the MySQL tables and then the "jos content" where the hack apparently was applied. In that particular area I am not confident which "editing" to do, and if someone knows how well that works, I would love to hear from them.

Thank you so much for any support,

Peter

jratunh21
Joomla! Guru
Posts: 651
Joined: Thu Oct 12, 2006 10:55 pm
Location: CT (USA)

Re: Got hacked, restored site frontend, can't log into admin now

Post by jratunh21 » Tue Aug 19, 2008 3:45 pm

Hey Peter. Unfortunately, I am not here to tell you how to fix the problem; however, what I can suggest from experience is if you did not back up your information prior to the hack, you might just have to redo the site over again. Unfortunately, because you do not know if passwords were stolen, and what extra code has been and where it was embedded, I would just simply erase everything in MySQL and completely blow out the site root folder. Again, this is if you cannot come up with a solution. Most people would like to fix it, but if you are not too experienced, you might get hacked as soon as you fix the site. Just take it as a lesson to be learned. Depending on your hosting provider, set up your site to automatically back up the tables and such. I was a noob at one point and my site got hacked, then I took the proper precautions. Every time I add a new extension, I back up everything. This way I can restore my site to the last known good configuration. Good luck :pop
http://www.letmefixthatforyou.com
http://vel.joomla.org/ [Joomla's Vulnerable Extension List]
"When in doubt, just ask Google"

Scoffers
Joomla! Apprentice
Posts: 43
Joined: Sun Mar 30, 2008 6:51 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by Scoffers » Tue Aug 19, 2008 3:48 pm

Interesting, sounds like a different hack to what I had.

Do you have an old copy of your configuration.php? If so, you can compare that with the hacked one using software like BeyondCompare. Other than that, you could PM me your configuration.php. I can't promise anything, but I'll take a look.
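The comparison Scoffers suggests here, and the three settings he lists in his earlier post, can be checked with a short script. This is an added example, not code from the thread or from Joomla; it assumes the `var $name = 'value';` layout shown above, and both sample files are constructed.

```python
import re

# Matches one Joomla 1.5 style setting line:  var $name = 'value';
SETTING_RE = re.compile(
    r"^\s*var\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.M)

# The settings Scoffers reports the defacement rewrote.
WATCHED = ("offline", "sitename", "offline_message")

# Constructed sample: a configuration.php taken from a backup.
BACKUP = """<?php
class JConfig {
    var $offline = '0';
    var $sitename = 'Example Club';
    var $offline_message = 'This site is down for maintenance.';
    var $user = 'dbuser_old';
    var $db = 'example_db';
}
"""

# Constructed sample: the live file after a defacement and a
# legitimate database-user rotation during cleanup.
LIVE = """<?php
class JConfig {
    var $offline = '1';
    var $sitename = 'DEFACED (constructed sample)';
    var $offline_message = 'defacement text (constructed sample)';
    var $user = 'dbuser_new';
    var $db = 'example_db';
}
"""

def parse_config(text):
    """Return {setting: value} for every var line in a configuration.php."""
    return {m.group(1): m.group(2) for m in SETTING_RE.finditer(text)}

def diff_configs(known_good, current):
    """List (name, old, new, watched) for every setting that differs.

    old/new are None when the setting exists in only one file;
    watched is True for the settings named in WATCHED.
    """
    old, new = parse_config(known_good), parse_config(current)
    changes = []
    for name in sorted(set(old) | set(new)):
        if old.get(name) != new.get(name):
            changes.append((name, old.get(name), new.get(name),
                            name in WATCHED))
    return changes

if __name__ == "__main__":
    for name, before, after, watched in diff_configs(BACKUP, LIVE):
        tag = "DEFACEMENT SETTING" if watched else "changed"
        print(f"{tag:18} ${name}: {before!r} -> {after!r}")
```

A change outside the three watched settings, such as the rotated database user in the sample, still deserves a look: the point of the diff is to account for every difference, not only the visible ones.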

Scoffers
Joomla! Apprentice
Posts: 43
Joined: Sun Mar 30, 2008 6:51 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by Scoffers » Tue Aug 19, 2008 3:51 pm

jratunh21, your words seem very wise to me. I have two Joomla sites, one I had more security on, one less so. One site was fine, the other hacked. I managed to bring it back fairly quickly, but as you say, its integrity is now under question. The site itself is a non-commercial one with non-sensitive data, so I may just let it ride and see what happens.

cheers

the1zia
Joomla! Apprentice
Posts: 14
Joined: Wed Feb 27, 2008 9:39 am
Location: Dhaka

Re: Got hacked, restored site frontend, can't log into admin now

Post by the1zia » Tue Aug 19, 2008 3:52 pm

Hello dear friends!

Today is a very sad day for me. My two sites got hacked. Please see yourself.

http://www.gffl-move.com
http://www.uttaraonlinebd.com

All these days everything was ok. When http://www.joomla.org posted details how site can be hacked, before I could start to make it ok, everything is gone.

If things keep going like this maybe I have to leave working on Joomla.

Any expert please help me how I can get back my site... I had worked long hours for these sites... Now everything's screwed up.

Even some people, I think hacker itself is posting on the forum and saying to contact them over IM

And they are asking for 150 dollars


Please help

jratunh21
Joomla! Guru
Posts: 651
Joined: Thu Oct 12, 2006 10:55 pm
Location: CT (USA)

Re: Got hacked, restored site frontend, can't log into admin now

Post by jratunh21 » Tue Aug 19, 2008 3:53 pm

Good idea; however, be aware that code not only injects into the configuration.php file, hackers sometimes inject code into MySQL, which is probably how they got into your site in the first place. Read up on SQL injection from Google or Wikipedia if you are not familiar (not directing that towards anyone; that's for people who want to educate themselves on that topic), or they could have got in through an unsecure extension :pop
http://www.letmefixthatforyou.com
http://vel.joomla.org/ [Joomla's Vulnerable Extension List]
"When in doubt, just ask Google"

Scoffers
Joomla! Apprentice
Posts: 43
Joined: Sun Mar 30, 2008 6:51 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by Scoffers » Tue Aug 19, 2008 4:26 pm

the1zia wrote:
> Hello dear friends!
>
> Today is a very sad day for me. My two sites got hacked. Please see yourself.
>
> http://www.gffl-move.com
> http://www.uttaraonlinebd.com
>
> All these days everything was ok. When http://www.joomla.org posted details how site can be hacked, before I could start to make it ok, everything is gone.
>
> If things keep going like this maybe I have to leave working on Joomla.
>
> Any expert please help me how I can get back my site... I had worked long hours for these sites... Now everything's screwed up.
>
> Even some people, I think hacker itself is posting on the forum and saying to contact them over IM
>
> And they are asking for 150 dollars
>
> Please help

Blimey, not good.

The first site looks similar to mine, in other words, they've hacked the configuration.php, the second site I have no idea on.

Do you have any backups at all?

jthomas311
Joomla! Fledgling
Posts: 1
Joined: Tue Aug 19, 2008 4:30 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by jthomas311 » Tue Aug 19, 2008 4:42 pm

It seems I have had the same issue happen. I haven't made changes to our website in a while which made it easy for me to find what could have caused the problem.

Here is what I know.
My last autobackup is dated 8-16-08. There are only a few files that are dated as being modified in the month of August.
index.php
index2.php
configuration.php

Then in my Images folder I found 2 added files.
c9.php and de.pl
From what I know of PHP it looks like a malicious script as it seems to constantly request passwords, userids, and at the very end of the file seems to be a log wiping attempt.

Also, the de.pl file has this in the header
- = [ Ka0tic Lab Tool for Mass Defacement Version 0.3 by S4P0 ] = -

My question is how someone could get this php file and pl file added to the website without having a Joomla account on my site. Should I assume it is one of my users? I plan on taking legal action upon finding the person responsible for adding these files.

EDIT: I was able to check my logs and found an IP, glad that you really can't do much for Amsterdam IP numbers. Proxies FTL.

dazza_dog
Joomla! Enthusiast
Posts: 109
Joined: Thu Jan 24, 2008 1:54 pm
Location: Staffs, UK

Re: Got hacked, restored site frontend, can't log into admin now

Post by dazza_dog » Tue Aug 19, 2008 5:23 pm

It looks like all they have done with this site is changed the index.php file as you can access the administration page.

So try uploading the original index.php from a 1.5.6 install.

Search through the posts in this forum for more information on what to do then.

Hope this helps.
"The answer my friend is blowing in the wind" (Bob Dylan) - not necessarily correct, but the search feature will probably find it ;-) .

the1zia
Joomla! Apprentice
Posts: 14
Joined: Wed Feb 27, 2008 9:39 am
Location: Dhaka

Re: Got hacked, restored site frontend, can't log into admin now

Post by the1zia » Tue Aug 19, 2008 5:43 pm

I have already restored http://www.gffl-move.com

but no idea how to restore: http://www.uttaraonlinebd.com

So I have to upload Joomla 1.5.6 and redo.
Last edited by the1zia on Thu Aug 21, 2008 2:38 pm, edited 1 time in total.

peteraloha
Joomla! Apprentice
Posts: 20
Joined: Sat Sep 02, 2006 1:05 am
Location: Los Angeles

Re: Got hacked, restored site frontend, can't log into admin now

Post by peteraloha » Wed Aug 20, 2008 11:53 pm

Thanks to all those contributing to this thread.

I was able to find where the (Turkish) hackers made their changes:

public_html/Support/index.php (where "Support" = Joomla installation folder)

I had a reasonably recent index.php file which I uploaded to overwrite the one that was mutilated by the hackers.
That stopped the appearance of the hackers' page when wanting to access our site at
http://www.mypcguru.net/Support/

Now when I go to the site I am getting this message:
"Restricted access"

Any help to get our front page back up is greatly appreciated, even if it's a hint or link that will tell me about what might cause the "Restricted access" response I am getting now when accessing our site's front end.

Peter

twcmex
Joomla! Guru
Posts: 551
Joined: Sat Dec 16, 2006 10:35 pm
Location: Durango, Mexico

Re: Got hacked, restored site frontend, can't log into admin now

Post by twcmex » Thu Aug 21, 2008 12:27 am

What some are not getting here is the idea that if someone has managed to compromise your site, evidenced by hacked files or some kind of defacement, then it is very likely that they have also left hidden bad stuff in your site's files.

It's like someone broke into your house, repainted one wall, but also stole your keys, made copies and hid them in the yard outside. You can put the wall back to original, but he still has a hidden key to get back in and do anything he wants.

The only sure way to restore a compromised site, especially without professional help, is to wipe it all and restore from clean backups or start over from scratch. I know that is a sobering thought. But it is the truth.
-Joe

peteraloha
Joomla! Apprentice
Posts: 20
Joined: Sat Sep 02, 2006 1:05 am
Location: Los Angeles

Re: Got hacked, restored site frontend, can't log into admin now

Post by peteraloha » Thu Aug 21, 2008 1:11 am

Joe,

It's not that I am not getting it, it was more not getting it "yet".

Your words drove it home, guaranteed ;-)............. I just needed to hear it as clearly as you put it, and now I can invest my time in re-building rather than dicking around with a compromised site.

So, your point is well taken, thanks!

Peter

twcmex
Joomla! Guru
Posts: 551
Joined: Sat Dec 16, 2006 10:35 pm
Location: Durango, Mexico

Re: Got hacked, restored site frontend, can't log into admin now

Post by twcmex » Thu Aug 21, 2008 1:25 am

Yeah, it's really aggravating to have to do so much work....out of fear (or wanting to avoid work) I usually back up my files and database after every update to a site. I haven't had to restore from backups yet due to a breached site, but I have messed up a site really good on a few occasions and those backups come in real handy!

I just happened to be online when the Joomla! 1.5.6 announcement came out and was able to patch real quick, that and a great host kept my sites safe. I count myself fortunate.
-Joe

peteraloha
Joomla! Apprentice
Posts: 20
Joined: Sat Sep 02, 2006 1:05 am
Location: Los Angeles

Re: Got hacked, restored site frontend, can't log into admin now

Post by peteraloha » Thu Aug 21, 2008 1:49 am

Thanks, Joe, for your kind words which inspire me to practice backup. Yes, it's annoying to go through much work again, and I am learning my lesson here.

As for backup, would you recommend I simply make a backup copy of the entire folder that holds the site, or are there any particular recommendations about how to keep a running backup of a Joomla site?

Peter

wixenstyx
Joomla! Apprentice
Posts: 29
Joined: Sat Aug 12, 2006 6:35 pm

Re: Got hacked, restored site frontend, can't log into admin now

Post by wixenstyx » Thu Aug 21, 2008 2:01 am

I have a site that was hacked, too... It was running 1.5.3. :-[

Thing is, near as I can tell the only thing the guy fiddled with was the index.php file on the template I was using. That was certainly easy enough to fix, and the site he happened to hack into was one that only has three members and no sensitive information on it whatsoever. I've gone over the user database, and run through the list of every file on the site. Nothing had been opened or modified except the one index.php file.

That seems like a peculiar thing for a hacker to do, although from the sound of things the guy was pretty busy last night. Maybe he was just posturing, or maybe he got in and saw what a waste of time hacking that site was and just left his calling card? I don't know.

My question now, though, is that now that the site has been upgraded to 1.5.6 using the patch, are there likely to be vulnerabilities even so? I understand the point about making copies of my keys and leaving them all over the yard, but wouldn't the patch go a long way toward 'changing the locks', so to speak?

twcmex
Joomla! Guru
Posts: 551
Joined: Sat Dec 16, 2006 10:35 pm
Location: Durango, Mexico

Re: Got hacked, restored site frontend, can't log into admin now

Post by twcmex » Thu Aug 21, 2008 2:11 am

Logs and file markers (last time modified) can easily be faked. If you're fortunate, all he did was what you have found :) , however:

> but wouldn't the patch go a long way toward 'changing the locks', so to speak?

What if the bad guy is still inside the house? Hidden scripts that do nasty things are commonly left inside by the bad guys....look at how many posts mention patching to 1.5.6, cleaning the index.php, only to get compromised again within hours? :'(
-Joe
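Because modification times can be faked, as twcmex says above, a content comparison against a clean copy of the same release is a more reliable way to find what jthomas311 found by date: altered core files and scripts dropped into the images folder. This is an added example, not code from the thread; it assumes a clean copy of the release is unpacked next to the live site, the script-extension list and `images` upload directory are assumptions, and the demo tree is constructed (`c9.php` and `de.pl` are the names from jthomas311's post, with placeholder contents).

```python
import hashlib
import os
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi", ".py"}  # assumed list
UPLOAD_DIRS = ("images",)  # assumed: directories meant to hold media only

def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def audit(clean_root, live_root):
    """Compare a live site against a clean copy by content, not by date."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    report = {"modified": [], "added": [], "scripts_in_uploads": [],
              "missing": sorted(set(clean) - set(live))}
    for rel in sorted(live):
        if rel not in clean:
            report["added"].append(rel)
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)
        ext = os.path.splitext(rel)[1].lower()
        if rel.split("/")[0] in UPLOAD_DIRS and ext in SCRIPT_EXTS:
            report["scripts_in_uploads"].append(rel)
    return report

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Build a constructed clean/live pair and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        good = _write(clean, "index.php", b"<?php // clean (constructed)\n")
        _write(clean, "images/logo.png", b"constructed image bytes")
        bad = _write(live, "index.php", b"<?php // altered (constructed)\n")
        _write(live, "images/logo.png", b"constructed image bytes")
        _write(live, "images/c9.php", b"placeholder, constructed")
        _write(live, "images/de.pl", b"placeholder, constructed")
        # Give the altered file the clean file's timestamps: a date-based
        # search would now miss it, the hash comparison does not.
        st = os.stat(good)
        os.utime(bad, (st.st_atime, st.st_mtime))
        return audit(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site the "added" list will also contain legitimate files such as configuration.php, uploaded media and installed extensions, so each entry has to be accounted for rather than deleted on sight.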

peteraloha
Joomla! Apprentice
Posts: 20
Joined: Sat Sep 02, 2006 1:05 am
Location: Los Angeles

Re: Got hacked, restored site frontend, can't log into admin now

Post by peteraloha » Thu Aug 21, 2008 2:57 am

wixenstyx,

It's relatively easy to get back into the front end, essentially through phpMyAdmin in cPanel, and using a hashed password I knew............with "admin" for login, and bingo, that worked. Let me know if you need help with that.
However, I concur with Joe about not knowing to what extent my site was really compromised. Like I can't access my original frontpage yet, and Joe convinced me that maybe starting all over is the thing to do here, as much of a pain that might be.

:-)

Peter

paul_joseph
Joomla! Apprentice
Posts: 9
Joined: Wed Feb 20, 2008 4:47 am

Re: Got hacked, restored site frontend, can't log into admin now

Post by paul_joseph » Thu Aug 21, 2008 3:32 am

My site got hacked by some Turkish invader and after following this thread and searching files, found they had altered my template index.php

I just replaced it with the original template index.php and upgraded to 1.5.6.

Everything seems to be working fine again.

Thanks to all for your help.

