
Hackers sending SPAM from my site

Posted: Sun Jun 11, 2017 10:02 pm
by bevco
I am using Joomla 3.7.2, have changed all passwords and usernames, reloaded the sites from a backup before this started, added jHackguard to the sites, made sure nothing is writable and checked the sites with Sucuri Site Check and IsItHacked? And still somehow they are inserting php files in various folders (not always the same ones) - that are unwritable - that are sending out SPAM. Sometimes my ISP is able to catch the emails before they go out and deletes thousands of them at a time. This is happening on 3 of our 13 sites and there is no addon only used by those 3 sites. It also seemed to happen when our ISP moved to a cloud server... I don't know what else to do.

Any suggestions will be very welcome!
Bev

Re: Hackers sending SPAM from my site

Posted: Sun Jun 11, 2017 10:10 pm
by websitedons
Does JHackguard or Sucuri check file integrity or scan for recently changed files? If not, get RSFirewall. The hackers may have placed files deep within your system directories and are able to get in via those files. It's also possible that they placed files in the hosting root, (outside public_html or htdocs).
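
The file-integrity and recently-changed-file checks raised in the reply above can be done from a shell on the host. This is an added example, not part of the thread or of any tool named in it; the function names are hypothetical, the choice of `images`, `tmp` and `logs` as folders that should hold no PHP is an assumption, and GNU `find` and `sha256sum` are assumed to be available.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for a web root.
# Point ROOT at the hosting account root (not only public_html/htdocs) so
# files dropped outside the document root are covered as well.

# make_manifest ROOT OUT: write "sha256  ./path" for every file under ROOT.
# Keep OUT outside ROOT, ideally off the server, so it cannot be altered.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# diff_manifest BASELINE CURRENT: list files added, changed or removed.
# The hash is the first 64 characters and the path starts at column 67,
# so paths containing spaces are handled.
diff_manifest() {
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        src == "base"  { base[p] = h; next }
        { seen[p] = 1 }
        !(p in base)   { print "ADDED   " p; next }
        base[p] != h   { print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' src=base "$1" src=cur "$2"
}

# recent_php ROOT DAYS: PHP files modified within the last DAYS days.
# Modification times can be reset by whoever wrote the file, so treat this
# as a quick triage view and rely on the manifest comparison for coverage.
recent_php() {
    find "$1" -type f -iname '*.php' -mtime "-$2"
}

# php_in_data_dirs ROOT: PHP files in folders assumed to hold only data.
php_in_data_dirs() {
    for d in images tmp logs; do
        if [ -d "$1/$d" ]; then
            find "$1/$d" -type f \
                \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)
        fi
    done
    return 0
}

# Usage (paths are placeholders):
#   make_manifest /path/to/account /safe/place/baseline.txt   # on clean files
#   make_manifest /path/to/account /safe/place/today.txt      # later
#   diff_manifest /safe/place/baseline.txt /safe/place/today.txt
#   recent_php /path/to/account 7
#   php_in_data_dirs /path/to/account/public_html
```

A baseline is only meaningful if it is taken from files known to be clean, such as a fresh install from official packages.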

Re: Hackers sending SPAM from my site

Posted: Sun Jun 11, 2017 10:44 pm
by Webdongle
There are a lot of things that you missed.
Please see viewtopic.php?f=714&t=946026 and the pages it links to. Your backup files could be hacked or you have a vulnerable extension or ...

Re: Hackers sending SPAM from my site

Posted: Sun Jun 11, 2017 11:12 pm
by bevco
My ISP found and deleted some of the files and I have found a couple more - buried deep. I do believe that IsItHacked watches for Spam links, but somehow they are getting through anyway. I will look into RSFirewall....

Re: Hackers sending SPAM from my site

Posted: Sun Jun 11, 2017 11:24 pm
by toivo
In addition to cleaning your site properly, based on the instructions in the sticky post viewtopic.php?f=714&t=757645 and Webdongle's recovery instructions, you should check out Admin Tools from JED - https://extensions.joomla.org/extension/admin-tools - and the myJoomla.com service at https://myjoomla.com, where the first scan is free.

Re: Hackers sending SPAM from my site

Posted: Sun Jun 11, 2017 11:56 pm
by bevco
Thanks! Will check these out and try one as soon as I find out which sites are now being hit the most. Try one at a time :)

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 12:29 am
by Webdongle
bevco wrote:...as soon as I find out which sites are now being hit the most. Try one at a time :)
Step #C of viewtopic.php?f=714&t=946026 means all the files not just the files of one site. Still waiting for step #A

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 1:03 am
by bevco
I have been finding strange files and deleting them - will get to the above asap. Thanks!

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 1:15 am
by bevco
OK - I tried to install the FPA and got the message "JInstaller: :Install: Can't find XML setup file."

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 1:24 am
by Webdongle
bevco wrote:I have been finding strange files and deleting them - will get to the above asap. ...
Deleting strange files is not enough. For every file you find and delete, the hackers will probably upload another 3.

Yes, hackers plural ... once a hacker has found a weakness in your site, they post the vulnerability on hack forums. Then other hackers use it to put their own hack files on. There will be hack files all over the server and in genuine files. Cherry picking files to delete will just have you running around in circles. Unless you hire a professional to clean your site, your only viable option is to delete ALL the files after running the FPA.

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 1:26 am
by Webdongle
bevco wrote:OK - I tried to install the FPA and got the message "JInstaller: :Install: Can't find XML setup file."
The fpa is not installed into Joomla. You unzip the file and ftp fpa-en.php to the server and point your browser at

http://www.yoursite.com/fpa-en.php

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 3:24 pm
by bevco
I tried to post the code but get the message

Your message contains 20621 characters.
The maximum number of allowed characters is 20000.

now what?

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:07 pm
by Webdongle
Put it in a file and attach it ?

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:25 pm
by bevco
This is without plugins
Forum Post Assistant (v1.3.0) : 12th June 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/iehiministries.org/web | System TMP Writable: Yes

PHP Configuration :: Version: 7.1.0 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/clients/client11/web20/web:/var/www/clients/client11/web20/private:/var/www/clients/client11/web20/tmp:/var/www/iehiministries.org/web:/srv/www/iehiministries.org/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.5-10.0.30-MariaDB-0+deb8u2 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 4.40 MiB | #of Tables: 83
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.0) | date (7.1.0) | libxml (7.1.0) | openssl (7.1.0) | pcre (7.1.0) | sqlite3 (0.7-dev) | zlib (7.1.0) | bcmath (7.1.0) | bz2 (7.1.0) | calendar (7.1.0) | ctype (7.1.0) | curl (7.1.0) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.1.0) | ftp (7.1.0) | gd (7.1.0) | gettext (7.1.0) | SPL (7.1.0) | iconv (7.1.0) | session (7.1.0) | json (1.5.0) | mbstring (7.1.0) | mcrypt (7.1.0) | standard (7.1.0) | pcntl (7.1.0) | PDO (7.1.0) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | pdo_pgsql (7.1.0) | pdo_sqlite (7.1.0) | pgsql (7.1.0) | Phar (2.0.2) | posix (7.1.0) | Reflection (7.1.0) | imap (7.1.0) | SimpleXML (7.1.0) | soap (7.1.0) | sockets (7.1.0) | pdo_mysql (7.1.0) | exif (1.4 $Id: 8bdc0c8f27c2c9dd1f7551f1f9fe3ab57a06a4b1 $) | sysvsem (7.1.0) | sysvshm (7.1.0) | tokenizer (7.1.0) | xml (7.1.0) | xmlreader (7.1.0) | xmlrpc (7.1.0) | xmlwriter (7.1.0) | xsl (7.1.0) | zip (1.13.5) | mysqli (7.1.0) | cgi-fcgi () | memcached (3.0.0b1) | Zend OPcache (7.1.0) | Zend Engine (3.1.0-dev) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.14) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.14) 1 | WF_POPUPS_WINDOW_TITLE (2.6.14) 1 | WF_LINK_SEARCH_TITLE (2.6.14) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.14) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.14) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.14) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.14) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.14) 1 | WF_LINK_TITLE (2.6.14) 1 | WF_CLIPBOARD_TITLE (2.6.14) 1 | WF_VISUALCHARS_TITLE (2.6.14) 1 | WF_FONTSIZESELECT_TITLE (2.6.14) 1 | WF_PREVIEW_TITLE (2.6.14) 1 | WF_FONTSELECT_TITLE (2.6.14) 1 | WF_FORMATSELECT_TITLE (2.6.14) 1 | WF_IMGMANAGER_TITLE (2.6.14) 1 | WF_PRINT_TITLE (2.6.14) 1 | WF_CHARMAP_TITLE (2.6.14) 1 | WF_VISUALBLOCKS_TITLE (2.6.14) 1 | WF_TABLE_TITLE (2.6.14) 1 | WF_NONBREAKING_TITLE (2.6.14) 1 | WF_SOURCE_TITLE (2.6.14) 1 | WF_BROWSER_TITLE (2.6.14) 1 | WF_EMOTIONS_TITLE (2.6.14) 1 | WF_TEXTCASE_TITLE (2.6.14) 1 | WF_CONTEXTMENU_TITLE (2.6.14) 1 | WF_LAYER_TITLE (2.6.14) 1 | WF_ARTICLE_TITLE (2.6.14) 1 | WF_INLINEPOPUPS_TITLE (2.6.14) 1 | WF_FULLSCREEN_TITLE (2.6.14) 1 | WF_SPELLCHECKER_TITLE (2.6.14) 1 | WF_STYLESELECT_TITLE (2.6.14) 1 | WF_SEARCHREPLACE_TITLE (2.6.14) 1 | WF_LISTS_TITLE (2.6.14) 1 | WF_AUTOSAVE_TITLE (2.6.14) 1 | WF_FONTCOLOR_TITLE (2.6.14) 1 | WF_DIRECTIONALITY_TITLE (2.6.14) 1 | WF_STYLE_TITLE (2.6.14) 1 | WF_HR_TITLE (2.6.14) 1 | WF_CLEANUP_TITLE (2.6.14) 1 | WF_ANCHOR_TITLE (2.6.14) 1 | WF_KITCHENSINK_TITLE (2.6.14) 1 | WF_MEDIA_TITLE (2.6.14) 1 | WF_XHTMLXTRAS_TITLE (2.6.14) 1 | com_mailto (3.0.0) 1 | User (1.5.0) 1 |
Components :: ADMIN :: com_cpanel (3.0.0) 1 | Contact Items (1.0.0) 1 | com_jhackguard (2.0.2) 1 | com_contenthistory (3.2.0) 1 | Polls (1.5.0) 1 | com_plugins (3.0.0) 1 | com_fields (3.7.0) 1 | com_newsfeeds (3.0.0) 1 | com_associations (3.7.0) 1 | com_templates (3.0.0) 1 | com_menus (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_banners (3.0.0) 1 | com_login (3.0.0) 1 | com_tags (3.1.0) 1 | com_cache (3.0.0) 1 | com_finder (3.0.0) 1 | com_modules (3.0.0) 1 | com_admin (3.0.0) 1 | com_media (3.0.0) 1 | COM_JCE (2.6.14) 1 | com_ajax (3.2.0) 1 | com_search (3.0.0) 1 | com_content (3.0.0) 1 | Frontpage (1.5.0) 1 | COM_SPUPGRADE (4.1.5) 1 | com_postinstall (3.2.0) 1 | com_users (3.0.0) 1 | Mass Mail (1.5.0) 1 | com_redirect (3.0.0) 1 | Weblinks (1.5.0) 1 | Trash (1.0.0) 1 | com_config (3.0.0) 1 | com_checkin (3.0.0) 1 |

Modules :: SITE :: Sections (1.5.0) 1 | mod_users_latest (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_finder (3.0.0) 1 | Most Read Content (1.5.0) 1 | mod_articles_archive (3.0.0) 1 | mod_languages (3.5.0) 1 | Menu (1.5.0) 1 | mod_articles_popular (3.0.0) 1 | Latest News (1.5.0) 1 | mod_footer (3.0.0) 1 | Poll (1.5.0) 1 | jModule (1.0.3) 1 | mod_custom (3.0.0) 1 | mod_search (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_menu (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | Newsflash (1.5.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_login (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_whosonline (3.0.0) 1 | Archived Content (1.5.0) 1 | mod_articles_category (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_feed (3.0.0) 1 |
Modules :: ADMIN :: Akeeba Backup Notification Mod (3.4.3) 1 | mod_latest (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_status (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_logged (3.0.0) 1 | Online Users (1.0.0) 1 | mod_title (3.0.0) 1 | Footer (1.0.0) 1 | jModule (1.0.3) 1 | mod_custom (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_quickicon (3.0.0) 1 | Unread Items (1.0.0) 1 | mod_login (3.0.0) 1 | Items Stats (1.0.0) 1 | mod_submenu (3.0.0) 1 | mod_version (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_toolbar (3.0.0) 1 |

Templates Discovered :: wrote:Templates :: SITE :: IEHI2 (1.0) 1 | IEHI3 (1.0) 1 | jTemplate (1.0.3) 1 | IEHI3a (1.0) 1 | IEHI (1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: jTemplate (1.0.3) 1 | isis (1.0) 1 | hathor (3.0.0) 1 | Khepri (1.0) 1 |

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:27 pm
by bevco
This is without modules
Forum Post Assistant (v1.3.0) : 12th June 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.16.0-4-amd64 | Technology: x86_64 | Web Server: Apache/2.4.10 (Debian) | Encoding: gzip, deflate | Doc Root: /var/www/iehiministries.org/web | System TMP Writable: Yes

PHP Configuration :: Version: 7.1.0 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/clients/client11/web20/web:/var/www/clients/client11/web20/private:/var/www/clients/client11/web20/tmp:/var/www/iehiministries.org/web:/srv/www/iehiministries.org/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 32M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.5-10.0.30-MariaDB-0+deb8u2 (Client:mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 4.40 MiB | #of Tables: 83
Detailed Environment :: wrote:PHP Extensions :: Core (7.1.0) | date (7.1.0) | libxml (7.1.0) | openssl (7.1.0) | pcre (7.1.0) | sqlite3 (0.7-dev) | zlib (7.1.0) | bcmath (7.1.0) | bz2 (7.1.0) | calendar (7.1.0) | ctype (7.1.0) | curl (7.1.0) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.1.0) | ftp (7.1.0) | gd (7.1.0) | gettext (7.1.0) | SPL (7.1.0) | iconv (7.1.0) | session (7.1.0) | json (1.5.0) | mbstring (7.1.0) | mcrypt (7.1.0) | standard (7.1.0) | pcntl (7.1.0) | PDO (7.1.0) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: d8daadaf41e3cd81d7c6ae96c6091fd15b2c9382 $) | pdo_pgsql (7.1.0) | pdo_sqlite (7.1.0) | pgsql (7.1.0) | Phar (2.0.2) | posix (7.1.0) | Reflection (7.1.0) | imap (7.1.0) | SimpleXML (7.1.0) | soap (7.1.0) | sockets (7.1.0) | pdo_mysql (7.1.0) | exif (1.4 $Id: 8bdc0c8f27c2c9dd1f7551f1f9fe3ab57a06a4b1 $) | sysvsem (7.1.0) | sysvshm (7.1.0) | tokenizer (7.1.0) | xml (7.1.0) | xmlreader (7.1.0) | xmlrpc (7.1.0) | xmlwriter (7.1.0) | xsl (7.1.0) | zip (1.13.5) | mysqli (7.1.0) | cgi-fcgi () | memcached (3.0.0b1) | Zend OPcache (7.1.0) | Zend Engine (3.1.0-dev) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.14) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.14) 1 | WF_POPUPS_WINDOW_TITLE (2.6.14) 1 | WF_LINK_SEARCH_TITLE (2.6.14) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.14) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.14) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.14) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.14) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.14) 1 | WF_LINK_TITLE (2.6.14) 1 | WF_CLIPBOARD_TITLE (2.6.14) 1 | WF_VISUALCHARS_TITLE (2.6.14) 1 | WF_FONTSIZESELECT_TITLE (2.6.14) 1 | WF_PREVIEW_TITLE (2.6.14) 1 | WF_FONTSELECT_TITLE (2.6.14) 1 | WF_FORMATSELECT_TITLE (2.6.14) 1 | WF_IMGMANAGER_TITLE (2.6.14) 1 | WF_PRINT_TITLE (2.6.14) 1 | WF_CHARMAP_TITLE (2.6.14) 1 | WF_VISUALBLOCKS_TITLE (2.6.14) 1 | WF_TABLE_TITLE (2.6.14) 1 | WF_NONBREAKING_TITLE (2.6.14) 1 | WF_SOURCE_TITLE (2.6.14) 1 | WF_BROWSER_TITLE (2.6.14) 1 | WF_EMOTIONS_TITLE (2.6.14) 1 | WF_TEXTCASE_TITLE (2.6.14) 1 | WF_CONTEXTMENU_TITLE (2.6.14) 1 | WF_LAYER_TITLE (2.6.14) 1 | WF_ARTICLE_TITLE (2.6.14) 1 | WF_INLINEPOPUPS_TITLE (2.6.14) 1 | WF_FULLSCREEN_TITLE (2.6.14) 1 | WF_SPELLCHECKER_TITLE (2.6.14) 1 | WF_STYLESELECT_TITLE (2.6.14) 1 | WF_SEARCHREPLACE_TITLE (2.6.14) 1 | WF_LISTS_TITLE (2.6.14) 1 | WF_AUTOSAVE_TITLE (2.6.14) 1 | WF_FONTCOLOR_TITLE (2.6.14) 1 | WF_DIRECTIONALITY_TITLE (2.6.14) 1 | WF_STYLE_TITLE (2.6.14) 1 | WF_HR_TITLE (2.6.14) 1 | WF_CLEANUP_TITLE (2.6.14) 1 | WF_ANCHOR_TITLE (2.6.14) 1 | WF_KITCHENSINK_TITLE (2.6.14) 1 | WF_MEDIA_TITLE (2.6.14) 1 | WF_XHTMLXTRAS_TITLE (2.6.14) 1 | com_mailto (3.0.0) 1 | User (1.5.0) 1 |
Components :: ADMIN :: com_cpanel (3.0.0) 1 | Contact Items (1.0.0) 1 | com_jhackguard (2.0.2) 1 | com_contenthistory (3.2.0) 1 | Polls (1.5.0) 1 | com_plugins (3.0.0) 1 | com_fields (3.7.0) 1 | com_newsfeeds (3.0.0) 1 | com_associations (3.7.0) 1 | com_templates (3.0.0) 1 | com_menus (3.0.0) 1 | com_installer (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_messages (3.0.0) 1 | com_categories (3.0.0) 1 | com_banners (3.0.0) 1 | com_login (3.0.0) 1 | com_tags (3.1.0) 1 | com_cache (3.0.0) 1 | com_finder (3.0.0) 1 | com_modules (3.0.0) 1 | com_admin (3.0.0) 1 | com_media (3.0.0) 1 | COM_JCE (2.6.14) 1 | com_ajax (3.2.0) 1 | com_search (3.0.0) 1 | com_content (3.0.0) 1 | Frontpage (1.5.0) 1 | COM_SPUPGRADE (4.1.5) 1 | com_postinstall (3.2.0) 1 | com_users (3.0.0) 1 | Mass Mail (1.5.0) 1 | com_redirect (3.0.0) 1 | Weblinks (1.5.0) 1 | Trash (1.0.0) 1 | com_config (3.0.0) 1 | com_checkin (3.0.0) 1 |



Plugins :: SITE :: XML-RPC - Joomla API (1.0) 1 | XML-RPC - Blogger API (1.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_p3p (3.0.0) 0 | System - SEF (1.5) 1 | plg_system_remember (3.0.0) 1 | System - Debug (1.5) 1 | System - Remember Me (1.5) 1 | plg_system_fields (3.7.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_stats (3.5.0) 1 | System - Cache (1.5) 1 | plg_system_languagecode (3.0.0) 0 | System - Mootools Upgrade (1.5) 1 | plg_system_updatenotification (3.5.0) 1 | System - Log (1.5) 1 | plg_system_log (3.0.0) 1 | Akeeba Backup Lazy Scheduling (3.3) 1 | JHackGuard Plugin (2.0.4) 1 | System - Backlinks (1.5) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_jce (2.6.14) 1 | plg_system_debug (3.0.0) 1 | System - Legacy (1.5) 1 | plg_system_logout (3.0.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | Content - Pagebreak (1.5) 1 | Content - Example (1.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_emailcloak (3.0.0) 1 | Content - Code Highlighter (Ge (1.5) 1 | plg_content_vote (3.0.0) 1 | Content - Email Cloaking (1.5) 1 | plg_content_finder (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_jce (2.6.14) 1 | Content - Load Modules (1.5) 1 | Content - Vote (1.5) 1 | Content - Page Navigation (1.5) 1 | plg_content_pagebreak (3.0.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER 
(3.6.0) 1 | plg_installer_jce (2.6.14) 1 | plg_editors-xtd_image (3.0.0) 1 | Button - Pagebreak (1.5) 1 | plg_editors-xtd_fields (3.7.0) 1 | Button - Image (1.0.0) 1 | Button - Readmore (1.5) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_editors_tinymce (4.5.6) 1 | plg_editors_codemirror (5.25.2) 1 | Editor - JCE 1.5.6 (1.5.6) 1 | Editor - TinyMCE 3 (3.2.6) 1 | plg_editors_jce (2.6.14) 1 | Template Manager (1.5.5) 1 | Paste (1.5.6) 1 | Image Manager (1.5.2) 1 | File Manager (1.5.2) 1 | Image Manager Extended (1.5.5) 1 | File Browser (1.5.0 Stable) 1 | Media Manager (1.5.4) 1 | Paste (1.5.0) 1 | Advanced Code Editor (1.5.6) 1 | SpellChecker (2.0.0) 1 | Joomla! Links for Advanced Lin (1.2.1) 1 | Advanced Link (1.5.1) 1 | Object Support (1.5.1) 1 | Editor - XStandard Lite for Jo (1.0) 1 | Search - Content (1.5) 1 | Search - Contacts (1.5) 1 | plg_search_categories (3.0.0) 1 | plg_search_content (3.0.0) 1 | Search - Weblinks (1.5) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | Search - Sections (1.5) 1 | Search - Newsfeeds (1.5) 1 | plg_search_newsfeeds (3.0.0) 1 | Search - Categories (1.5) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_jce (2.6.0-pro-bet) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_extension_jce (2.6.14) 1 | Authentication - Example (1.5) 1 | Authentication - Joomla (1.5) 1 | plg_authentication_joomla (3.0.0) 1 | Authentication - OpenID (1.5) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_ldap (3.0.0) 0 | Authentication - LDAP (1.5) 1 | Authentication - GMail (1.5) 1 | plg_authentication_cookie (3.0.0) 1 | 
User - Example (1.0) 1 | User - Joomla! (1.5) 1 | plg_user_joomla (3.0.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_contactcreator (3.0.0) 0 | jPlugin (1.0.3) 1 |
Templates Discovered :: wrote:Templates :: SITE :: IEHI2 (1.0) 1 | IEHI3 (1.0) 1 | jTemplate (1.0.3) 1 | IEHI3a (1.0) 1 | IEHI (1.0) 1 | protostar (1.0) 1 |
Templates :: ADMIN :: jTemplate (1.0.3) 1 | isis (1.0) 1 | hathor (3.0.0) 1 | Khepri (1.0) 1 |

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:31 pm
by mandville
Mod comment. Relocated to j1.5 forum

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:34 pm
by bevco
Why is the FPA saying 1.5 when I am using Joomla 3.7.2???

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:36 pm
by mandville
It clearly says on your fpa report.

Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Writable (644) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 1.5

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:39 pm
by bevco
I do not understand why it is saying 1.5; my admin shows 3.7.2 - attaching clip

What do I need to do now?

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:52 pm
by dhuelsmann
I don't think a 1.5 site can run on php 7.1

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 4:56 pm
by bevco
I am not running a 1.5 site. I have updated it and it is 3.7.2. I don't understand why the FPA says it is 1.5????
The site has been updated several times since 1.5.

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 5:05 pm
by bevco
Hmmm....I just checked and several of my sites show the 3.7.2 version of Joomla in the fpa, but 3 of them which are also 3.7.2 show 1.5.23. Why would this be???

I am getting more and more confused :(

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 5:42 pm
by Webdongle
FTP Layer: 1 should be 0 (zero). ftp layer is not needed when the Ownership is correct.

Have you checked the extension in the vel yet ?

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 5:58 pm
by bevco
Webdongle wrote:FTP Layer: 1 should be 0 (zero). ftp layer is not needed when the Ownership is correct.

Have you checked the extension in the vel yet ?
Changed the ftp - missed that one. Usually keep it off.

The only extension I am using in this site is JCE Editor and it is not on the vel list.

But why is the FPA showing the wrong version of Joomla on several sites??

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 6:14 pm
by Webdongle
It might be easier for you to rebuild the site (with fresh files) on localhost before deleting all the files from the server. If you do that then put your sites off line until you are ready to delete the files from the server.

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 6:36 pm
by bevco
OK - we are having a problem with our local host server php, but guess will have to do that as soon as we get it fixed.

Would going with MyJoomla or RSFirewall correct this without having to rebuild?

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 6:46 pm
by websitedons
bevco wrote:... or RSFirewall correct this without having to rebuild?
You would be on the right path by now if you consulted with RSFirewall. Those guys know everything.

Re: Hackers sending SPAM from my site

Posted: Mon Jun 12, 2017 8:10 pm
by Webdongle
bevco wrote:...
Would going with MyJoomla or RSFirewall correct this without having to rebuild?
MyJoomla has a good reputation and should be able to clean your server. If you want a professional service I would highly recommend you use them. Not sure if RsJoomla provide a service to clean hacked sites.

Re: Hackers sending SPAM from my site

Posted: Tue Jun 13, 2017 12:35 am
by bevco
Thanks!

Any idea why the FPA shows the incorrect version of Joomla??