Hackers sending SPAM from my site

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Hackers sending SPAM from my site

Post by bevco » Sun Jun 11, 2017 10:02 pm

I am using Joomla 3.7.2, have changed all passwords and usernames, reloaded the sites from a backup before this started, added jHackguard to the sites, made sure nothing is writable and checked the sites with Sucuri Site Check and IsItHacked? And still somehow they are inserting php files in various folders (not always the same ones) - that are unwritable - that are sending out SPAM. Sometimes my ISP is able to catch the emails before they go out and deletes thousands of them at a time. This is happening on 3 of our 13 sites and there is no addon only used by those 3 sites. It also seemed to happen when our ISP moved to a cloud server.....I don't know what else to do.

Any suggestions will be very welcome!
Bev
Bev
Mt Garfield Software

User avatar
websitedons
I've been banned!
Posts: 389
Joined: Sat May 27, 2017 9:42 am

Re: Hackers sending SPAM from my site

Post by websitedons » Sun Jun 11, 2017 10:10 pm

Does JHackguard or Sucuri check file integrity or scan for recently changed files? If not, get RSFirewall. The hackers may have placed files deep within your system directories and are able to get in via those files. It's also possible that they placed files in the hosting root, (outside public_html or htdocs).

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Sun Jun 11, 2017 10:44 pm

There are a lot of things that you missed
Please see viewtopic.php?f=714&t=946026 and the pages it links to. Your backup files could be hacked or you have a vulnerable extension or ...
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Sun Jun 11, 2017 11:12 pm

My ISP found and deleted some of the files and I have found a couple more - buried deep. I do believe that IsItHacked watches for Spam links, but somehow they are getting through anyway. I will look into RSFirewall....
Bev
Mt Garfield Software

User avatar
toivo
Joomla! Exemplar
Joomla! Exemplar
Posts: 9702
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK
Contact:

Re: Hackers sending SPAM from my site

Post by toivo » Sun Jun 11, 2017 11:24 pm

In addition to cleaning your site properly, based on the instructions in the sticky post viewtopic.php?f=714&t=757645 and Webdongle's recovery instructions, you should check out Admin Tools from JED - https://extensions.joomla.org/extension/admin-tools - and the myJoomla.com service at https://myjoomla.com, where the first scan is free.
Toivo Talikka, Global Moderator
my first programs were assembled and run in 16KB :)
troubleshooting smtp and other articles https://talikka.com/joomla

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Sun Jun 11, 2017 11:56 pm

Thanks! Will check these out and try one as soon as I find out which sites are now being hit the most. Try one at a time :)
Bev
Mt Garfield Software

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 12:29 am

bevco wrote:...as soon as I find out which sites are now being hit the most. Try one at a time :)
Step #C of viewtopic.php?f=714&t=946026 means all the files not just the files of one site. Still waiting for step #A
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 1:03 am

I have been finding strange files and deleting them - will get to the above asap. Thanks!
Bev
Mt Garfield Software

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 1:15 am

OK - I tried to install the FPA and got the message "JInstaller: :Install: Can't find XML setup file."
Bev
Mt Garfield Software

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 1:24 am

bevco wrote:I have been finding strange files and deleting them - will get to the above asap. ...
Deleting strange files is not enough. Every file you find and delete the hackers will probably upload another 3.

Yes hackers plural ... once a hacker has found a weakness in your site they post the vulnerability on hack forums. Then other hackers use it to put their own hack files on. There will be hack files all over the server and in genuine files. Cherry picking files to delete will just have you running around in circles. Unless you hire a professional to clean your site then your only viable option is to delete ALL the files after running the fpa.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 1:26 am

bevco wrote:OK - I tried to install the FPA and got the message "JInstaller: :Install: Can't find XML setup file."
The fpa is not installed into Joomla. You unzip the file and ftp fpa-en.php to the server and point your browser at

Code: Select all

http://www.yoursite.com/fpa-en.php
Last edited by fcoulter on Mon Jun 12, 2017 9:45 am, edited 1 time in total.
Reason: broke link - there is an actual site at yoursite.com so lets not give them any free links
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 3:24 pm

I tried to post the code but get the message

Your message contains 20621 characters.
The maximum number of allowed characters is 20000.

now what?
Bev
Mt Garfield Software

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 4:07 pm

Put it in a file and attach it ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 4:25 pm

This is without plugins
Forum Post Assistant (v1.3.0) : 12th June 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/iehiministries.org/web | System TMP Writable: Yes

PHP Configuration :: Version: 7.1.0 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/clients/client11/web20/web:/var/www/clients/client11/web20/private:/var/www/clients/client11/web20/tmp:/var/www/iehiministries.org/web:/srv/www/iehiministries.org/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.5-10.0.30-MariaDB-0+deb8u2 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 4.40 MiB | #of Tables: 83
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.0) | date (7.1.0) | libxml (7.1.0) | openssl (7.1.0) | pcre (7.1.0) | sqlite3 (0.7-dev) | zlib (7.1.0) | bcmath (7.1.0) | bz2 (7.1.0) | calendar (7.1.0) | ctype (7.1.0) | curl (7.1.0) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.1.0) | ftp (7.1.0) | gd (7.1.0) | gettext (7.1.0) | SPL (7.1.0) | iconv (7.1.0) | session (7.1.0) | json (1.5.0) | mbstring (7.1.0) | mcrypt (7.1.0) | standard (7.1.0) | pcntl (7.1.0) | PDO (7.1.0) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | pdo_pgsql (7.1.0) | pdo_sqlite (7.1.0) | pgsql (7.1.0) | Phar (2.0.2) | posix (7.1.0) | Reflection (7.1.0) | imap (7.1.0) | SimpleXML (7.1.0) | soap (7.1.0) | sockets (7.1.0) | pdo_mysql (7.1.0) | exif (1.4 $Id: 8bdc0c8f27c2c9dd1f7551f1f9fe3ab57a06a4b1 $) | sysvsem (7.1.0) | sysvshm (7.1.0) | tokenizer (7.1.0) | xml (7.1.0) | xmlreader (7.1.0) | xmlrpc (7.1.0) | xmlwriter (7.1.0) | xsl (7.1.0) | zip (1.13.5) | mysqli (7.1.0) | cgi-fcgi () | memcached (3.0.0b1) | Zend OPcache (7.1.0) | Zend Engine (3.1.0-dev) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.14) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.14) 1 | WF_POPUPS_WINDOW_TITLE (2.6.14) 1 | WF_LINK_SEARCH_TITLE (2.6.14) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.14) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.14) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.14) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.14) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.14) 1 | WF_LINK_TITLE (2.6.14) 1 | WF_CLIPBOARD_TITLE (2.6.14) 1 | WF_VISUALCHARS_TITLE (2.6.14) 1 | WF_FONTSIZESELECT_TITLE (2.6.14) 1 | WF_PREVIEW_TITLE (2.6.14) 1 | WF_FONTSELECT_TITLE (2.6.14) 1 | WF_FORMATSELECT_TITLE (2.6.14) 1 | WF_IMGMANAGER_TITLE (2.6.14) 1 | WF_PRINT_TITLE (2.6.14) 1 | WF_CHARMAP_TITLE (2.6.14) 1 | WF_VISUALBLOCKS_TITLE (2.6.14) 1 | WF_TABLE_TITLE (2.6.14) 1 | WF_NONBREAKING_TITLE (2.6.14) 1 | WF_SOURCE_TITLE (2.6.14) 1 | WF_BROWSER_TITLE (2.6.14) 1 | WF_EMOTIONS_TITLE (2.6.14) 1 | WF_TEXTCASE_TITLE (2.6.14) 1 | WF_CONTEXTMENU_TITLE (2.6.14) 1 | WF_LAYER_TITLE (2.6.14) 1 | WF_ARTICLE_TITLE (2.6.14) 1 | WF_INLINEPOPUPS_TITLE (2.6.14) 1 | WF_FULLSCREEN_TITLE (2.6.14) 1 | WF_SPELLCHECKER_TITLE (2.6.14) 1 | WF_STYLESELECT_TITLE (2.6.14) 1 | WF_SEARCHREPLACE_TITLE (2.6.14) 1 | WF_LISTS_TITLE (2.6.14) 1 | WF_AUTOSAVE_TITLE (2.6.14) 1 | WF_FONTCOLOR_TITLE (2.6.14) 1 | WF_DIRECTIONALITY_TITLE (2.6.14) 1 | WF_STYLE_TITLE (2.6.14) 1 | WF_HR_TITLE (2.6.14) 1 | WF_CLEANUP_TITLE (2.6.14) 1 | WF_ANCHOR_TITLE (2.6.14) 1 | WF_KITCHENSINK_TITLE (2.6.14) 1 | WF_MEDIA_TITLE (2.6.14) 1 | WF_XHTMLXTRAS_TITLE (2.6.14) 1 | com_mailto (3.0.0) 1 | User (1.5.0) 1 |
Components :: ADMIN :: com_cpanel (3.0.0) 1 | Contact Items (1.0.0) 1 | com_jhackguard (2.0.2) 1 | com_contenthistory (3.2.0) 1 | Polls (1.5.0) 1 | com_plugins (3.0.0) 1 | com_fields (3.7.0) 1 | com_newsfeeds (3.0.0) 1 | com_associations (3.7.0) 1 | com_templates (3.0.0) 1 | com_menus (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_banners (3.0.0) 1 | com_login (3.0.0) 1 | com_tags (3.1.0) 1 | com_cache (3.0.0) 1 | com_finder (3.0.0) 1 | com_modules (3.0.0) 1 | com_admin (3.0.0) 1 | com_media (3.0.0) 1 | COM_JCE (2.6.14) 1 | com_ajax (3.2.0) 1 | com_search (3.0.0) 1 | com_content (3.0.0) 1 | Frontpage (1.5.0) 1 | COM_SPUPGRADE (4.1.5) 1 | com_postinstall (3.2.0) 1 | com_users (3.0.0) 1 | Mass Mail (1.5.0) 1 | com_redirect (3.0.0) 1 | Weblinks (1.5.0) 1 | Trash (1.0.0) 1 | com_config (3.0.0) 1 | com_checkin (3.0.0) 1 |

Modules :: SITE :: Sections (1.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_finder (3.0.0) 1 | Most Read Content (1.5.0) 1 | mod_articles_archive (3.0.0) 1 | mod_languages (3.5.0) 1 | Menu (1.5.0) 1 | mod_articles_popular (3.0.0) 1 | Latest News (1.5.0) 1 | mod_footer (3.0.0) 1 | Poll (1.5.0) 1 | jModule (1.0.3) 1 | mod_custom (3.0.0) 1 | mod_search (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_menu (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | Newsflash (1.5.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_login (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_whosonline (3.0.0) 1 | Archived Content (1.5.0) 1 | mod_articles_category (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_feed (3.0.0) 1 |
Modules :: ADMIN :: Akeeba Backup Notification Mod (3.4.3) 1 | mod_latest (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_status (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_logged (3.0.0) 1 | Online Users (1.0.0) 1 | mod_title (3.0.0) 1 | Footer (1.0.0) 1 | jModule (1.0.3) 1 | mod_custom (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | Unread Items (1.0.0) 1 | mod_login (3.0.0) 1 | Items Stats (1.0.0) 1 | mod_submenu (3.0.0) 1 | mod_version (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_toolbar (3.0.0) 1 |

Templates Discovered :: wrote:Templates :: SITE :: IEHI2 (1.0) 1 | IEHI3 (1.0) 1 | jTemplate (1.0.3) 1 | IEHI3a (1.0) 1 | IEHI (1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: jTemplate (1.0.3) 1 | isis (1.0) 1 | hathor (3.0.0) 1 | Khepri (1.0) 1 |
Bev
Mt Garfield Software

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 4:27 pm

This is without modules
Forum Post Assistant (v1.3.0) : 12th June 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/iehiministries.org/web | System TMP Writable: Yes

PHP Configuration :: Version: 7.1.0 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/clients/client11/web20/web:/var/www/clients/client11/web20/private:/var/www/clients/client11/web20/tmp:/var/www/iehiministries.org/web:/srv/www/iehiministries.org/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.5-10.0.30-MariaDB-0+deb8u2 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 4.40 MiB | #of Tables: 83
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.0) | date (7.1.0) | libxml (7.1.0) | openssl (7.1.0) | pcre (7.1.0) | sqlite3 (0.7-dev) | zlib (7.1.0) | bcmath (7.1.0) | bz2 (7.1.0) | calendar (7.1.0) | ctype (7.1.0) | curl (7.1.0) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.1.0) | ftp (7.1.0) | gd (7.1.0) | gettext (7.1.0) | SPL (7.1.0) | iconv (7.1.0) | session (7.1.0) | json (1.5.0) | mbstring (7.1.0) | mcrypt (7.1.0) | standard (7.1.0) | pcntl (7.1.0) | PDO (7.1.0) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | pdo_pgsql (7.1.0) | pdo_sqlite (7.1.0) | pgsql (7.1.0) | Phar (2.0.2) | posix (7.1.0) | Reflection (7.1.0) | imap (7.1.0) | SimpleXML (7.1.0) | soap (7.1.0) | sockets (7.1.0) | pdo_mysql (7.1.0) | exif (1.4 $Id: 8bdc0c8f27c2c9dd1f7551f1f9fe3ab57a06a4b1 $) | sysvsem (7.1.0) | sysvshm (7.1.0) | tokenizer (7.1.0) | xml (7.1.0) | xmlreader (7.1.0) | xmlrpc (7.1.0) | xmlwriter (7.1.0) | xsl (7.1.0) | zip (1.13.5) | mysqli (7.1.0) | cgi-fcgi () | memcached (3.0.0b1) | Zend OPcache (7.1.0) | Zend Engine (3.1.0-dev) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.14) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.14) 1 | WF_POPUPS_WINDOW_TITLE (2.6.14) 1 | WF_LINK_SEARCH_TITLE (2.6.14) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.14) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.14) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.14) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.14) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.14) 1 | WF_LINK_TITLE (2.6.14) 1 | WF_CLIPBOARD_TITLE (2.6.14) 1 | WF_VISUALCHARS_TITLE (2.6.14) 1 | WF_FONTSIZESELECT_TITLE (2.6.14) 1 | WF_PREVIEW_TITLE (2.6.14) 1 | WF_FONTSELECT_TITLE (2.6.14) 1 | WF_FORMATSELECT_TITLE (2.6.14) 1 | WF_IMGMANAGER_TITLE (2.6.14) 1 | WF_PRINT_TITLE (2.6.14) 1 | WF_CHARMAP_TITLE (2.6.14) 1 | WF_VISUALBLOCKS_TITLE (2.6.14) 1 | WF_TABLE_TITLE (2.6.14) 1 | WF_NONBREAKING_TITLE (2.6.14) 1 | WF_SOURCE_TITLE (2.6.14) 1 | WF_BROWSER_TITLE (2.6.14) 1 | WF_EMOTIONS_TITLE (2.6.14) 1 | WF_TEXTCASE_TITLE (2.6.14) 1 | WF_CONTEXTMENU_TITLE (2.6.14) 1 | WF_LAYER_TITLE (2.6.14) 1 | WF_ARTICLE_TITLE (2.6.14) 1 | WF_INLINEPOPUPS_TITLE (2.6.14) 1 | WF_FULLSCREEN_TITLE (2.6.14) 1 | WF_SPELLCHECKER_TITLE (2.6.14) 1 | WF_STYLESELECT_TITLE (2.6.14) 1 | WF_SEARCHREPLACE_TITLE (2.6.14) 1 | WF_LISTS_TITLE (2.6.14) 1 | WF_AUTOSAVE_TITLE (2.6.14) 1 | WF_FONTCOLOR_TITLE (2.6.14) 1 | WF_DIRECTIONALITY_TITLE (2.6.14) 1 | WF_STYLE_TITLE (2.6.14) 1 | WF_HR_TITLE (2.6.14) 1 | WF_CLEANUP_TITLE (2.6.14) 1 | WF_ANCHOR_TITLE (2.6.14) 1 | WF_KITCHENSINK_TITLE (2.6.14) 1 | WF_MEDIA_TITLE (2.6.14) 1 | WF_XHTMLXTRAS_TITLE (2.6.14) 1 | com_mailto (3.0.0) 1 | User (1.5.0) 1 |
Components :: ADMIN :: com_cpanel (3.0.0) 1 | Contact Items (1.0.0) 1 | com_jhackguard (2.0.2) 1 | com_contenthistory (3.2.0) 1 | Polls (1.5.0) 1 | com_plugins (3.0.0) 1 | com_fields (3.7.0) 1 | com_newsfeeds (3.0.0) 1 | com_associations (3.7.0) 1 | com_templates (3.0.0) 1 | com_menus (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_banners (3.0.0) 1 | com_login (3.0.0) 1 | com_tags (3.1.0) 1 | com_cache (3.0.0) 1 | com_finder (3.0.0) 1 | com_modules (3.0.0) 1 | com_admin (3.0.0) 1 | com_media (3.0.0) 1 | COM_JCE (2.6.14) 1 | com_ajax (3.2.0) 1 | com_search (3.0.0) 1 | com_content (3.0.0) 1 | Frontpage (1.5.0) 1 | COM_SPUPGRADE (4.1.5) 1 | com_postinstall (3.2.0) 1 | com_users (3.0.0) 1 | Mass Mail (1.5.0) 1 | com_redirect (3.0.0) 1 | Weblinks (1.5.0) 1 | Trash (1.0.0) 1 | com_config (3.0.0) 1 | com_checkin (3.0.0) 1 |



Plugins :: SITE :: XML-RPC - Joomla API (1.0) 1 | XML-RPC - Blogger API (1.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_p3p (3.0.0) 0 | System - SEF (1.5) 1 | plg_system_remember (3.0.0) 1 | System - Debug (1.5) 1 | System - Remember Me (1.5) 1 | plg_system_fields (3.7.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | System - Cache (1.5) 1 | plg_system_languagecode (3.0.0) 0 | System - Mootools Upgrade (1.5) 1 | plg_system_updatenotification (3.5.0) 1 | System - Log (1.5) 1 | plg_system_log (3.0.0) 1 | Akeeba Backup Lazy Scheduling (3.3) 1 | JHackGuard Plugin (2.0.4) 1 | System - Backlinks (1.5) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_jce (2.6.14) 1 | plg_system_debug (3.0.0) 1 | System - Legacy (1.5) 1 | plg_system_logout (3.0.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | Content - Pagebreak (1.5) 1 | Content - Example (1.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_emailcloak (3.0.0) 1 | Content - Code Highlighter (Ge (1.5) 1 | plg_content_vote (3.0.0) 1 | Content - Email Cloaking (1.5) 1 | plg_content_finder (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_jce (2.6.14) 1 | Content - Load Modules (1.5) 1 | Content - Vote (1.5) 1 | Content - Page Navigation (1.5) 1 | plg_content_pagebreak (3.0.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_jce (2.6.14) 1 | plg_editors-xtd_image (3.0.0) 1 | Button - Pagebreak (1.5) 1 | plg_editors-xtd_fields (3.7.0) 1 | Button - Image (1.0.0) 1 | Button - Readmore (1.5) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_editors_tinymce (4.5.6) 1 | plg_editors_codemirror (5.25.2) 1 | Editor - JCE 1.5.6 (1.5.6) 1 | Editor - TinyMCE 3 (3.2.6) 1 | plg_editors_jce (2.6.14) 1 | Template Manager (1.5.5) 1 | Paste (1.5.6) 1 | Image Manager (1.5.2) 1 | File Manager (1.5.2) 1 | Image Manager Extended (1.5.5) 1 | File Browser (1.5.0 Stable) 1 | Media Manager (1.5.4) 1 | Paste (1.5.0) 1 | Advanced Code Editor (1.5.6) 1 | SpellChecker (2.0.0) 1 | Joomla! Links for Advanced Lin (1.2.1) 1 | Advanced Link (1.5.1) 1 | Object Support (1.5.1) 1 | Editor - XStandard Lite for Jo (1.0) 1 | Search - Content (1.5) 1 | Search - Contacts (1.5) 1 | plg_search_categories (3.0.0) 1 | plg_search_content (3.0.0) 1 | Search - Weblinks (1.5) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | Search - Sections (1.5) 1 | Search - Newsfeeds (1.5) 1 | plg_search_newsfeeds (3.0.0) 1 | Search - Categories (1.5) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_extension_jce (2.6.14) 1 | Authentication - Example (1.5) 1 | Authentication - Joomla (1.5) 1 | plg_authentication_joomla (3.0.0) 1 | Authentication - OpenID (1.5) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_ldap (3.0.0) 0 | Authentication - LDAP (1.5) 1 | Authentication - GMail (1.5) 1 | plg_authentication_cookie (3.0.0) 1 | User - Example (1.0) 1 | User - Joomla! (1.5) 1 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_contactcreator (3.0.0) 0 | jPlugin (1.0.3) 1 |
Templates Discovered :: wrote:Templates :: SITE :: IEHI2 (1.0) 1 | IEHI3 (1.0) 1 | jTemplate (1.0.3) 1 | IEHI3a (1.0) 1 | IEHI (1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: jTemplate (1.0.3) 1 | isis (1.0) 1 | hathor (3.0.0) 1 | Khepri (1.0) 1 |
Bev
Mt Garfield Software

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14686
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hackers sending SPAM from my site

Post by mandville » Mon Jun 12, 2017 4:31 pm

Mod comment. Relocated to j1.5 forum
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 4:34 pm

Why is the FPA saying 1.5 when I am using Joomla 3.7.2???
Bev
Mt Garfield Software

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14686
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hackers sending SPAM from my site

Post by mandville » Mon Jun 12, 2017 4:36 pm

It clearly says on your fpa report.

Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 4:39 pm

I do not understand why it is saying 1.5 my admin shows 3.7.2 - attaching clip

What do I need to do now?
You do not have the required permissions to view the files attached to this post.
Last edited by bevco on Mon Jun 12, 2017 4:55 pm, edited 1 time in total.
Bev
Mt Garfield Software

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19643
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: Hackers sending SPAM from my site

Post by dhuelsmann » Mon Jun 12, 2017 4:52 pm

I don't think a 1.5 site can run on php 7.1
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 4:56 pm

I am not running a 1.5 site. I have updated it and it is 3.7.2. I don't understand why the FPA says it is 1.5????
\The site has been updated several times since 1.5.
Bev
Mt Garfield Software

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 5:05 pm

Hmmm....I just checked and several of my sites show the 3.7.2 version of Joomla in the fpa, but 3 of them which are also 3.7.2 show 1.5.23. Why would this be???

I am getting more and more confused :(
Bev
Mt Garfield Software

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 5:42 pm

FTP Layer: 1 should be 0 (zero). ftp layer is not needed when the Ownership is correct.

Have you checked the extension in the vel yet ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 5:58 pm

Webdongle wrote:FTP Layer: 1 should be 0 (zero). ftp layer is not needed when the Ownership is correct.

Have you checked the extension in the vel yet ?
Changed the ftp - missed that one. Usually keep it off.

The only extension I am using in this site is JCE Editor and it is not on the vel list.

But why is the FPA showing the wrong version of Joomla on several sites??
Bev
Mt Garfield Software

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 6:14 pm

It might be easier for you to rebuild the site (with fresh files) on localhost before deleting all the files from the server. If you do that then put your sites off line until you are ready to delete the files from the server.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Mon Jun 12, 2017 6:36 pm

OK - we are having a problem with our local host server php, but guess will have to do that as soon as we get it fixed.

Would going with MyJoomla or RSFirewall correct this without having to rebuild?
Bev
Mt Garfield Software

User avatar
websitedons
I've been banned!
Posts: 389
Joined: Sat May 27, 2017 9:42 am

Re: Hackers sending SPAM from my site

Post by websitedons » Mon Jun 12, 2017 6:46 pm

bevco wrote:... or RSFirewall correct this without having to rebuild?
You would be on the right path by now if you consulted with RSFirewall. Those guys know everything.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35212
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hackers sending SPAM from my site

Post by Webdongle » Mon Jun 12, 2017 8:10 pm

bevco wrote:...
Would going with MyJoomla or RSFirewall correct this without having to rebuild?
MyJoomla has a good reputation and should be able to clean your server. If you want a professional service I would highly recommend you use them. Not sure if RsJoomla provide a service to clean hacked sites.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

bevco
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Fri Apr 09, 2010 4:17 pm

Re: Hackers sending SPAM from my site

Post by bevco » Tue Jun 13, 2017 12:35 am

Thanks!

Any idea why the FPA shows the incorrect version of Joomla??
Bev
Mt Garfield Software


Post Reply

Return to “Security in Joomla! 1.5”