My site has been hacked

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
k8thegr8
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sun Jul 30, 2017 6:09 pm

My site has been hacked

Postby k8thegr8 » Sun Jul 30, 2017 6:11 pm

Hello everyone

My site has been hacked and I dont know what to do now :-( My site is

Code: Select all

 hxxp://www.riddles-answers.com


Code: Select all

and here are some pages which the hacker had made

hxxp://www.riddles-answers.com/a480-e22660-wkbnvz/adkpogp/

hxxp://www.riddles-answers.com/a480-e22710-rupechvroxxirhjbyod/

hxxp://www.riddles-answers.com/a480-e22760-jhjkks/yeeadaggq/


Please, tell me what should I do know to clean my website.

Thank you !
Last edited by fcoulter on Sun Jul 30, 2017 6:18 pm, edited 1 time in total.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1315
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: My site has been hacked

Postby fcoulter » Sun Jul 30, 2017 6:20 pm

Please do not post live links to hacked pages.

Here are the instructions to fix your site: https://forum.joomla.org/viewtopic.php?f=714&t=946026
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

k8thegr8
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sun Jul 30, 2017 6:09 pm

Re: My site has been hacked

Postby k8thegr8 » Sun Jul 30, 2017 7:09 pm

Thank you for your reply, but its too complicated... I dont even know how to run the fpa.

User avatar
ribo
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3059
Joined: Sun Jan 03, 2010 8:47 pm
Contact:

Re: My site has been hacked

Postby ribo » Sun Jul 30, 2017 7:14 pm

It s not difficult, please read carefully viewtopic.php?f=621&t=582860 and post the results here
chat room spontes : http://www.spontes.com

k8thegr8
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sun Jul 30, 2017 6:09 pm

Re: My site has been hacked

Postby k8thegr8 » Sun Jul 30, 2017 7:23 pm

Dont know if I did it right, but here it is

Forum Post Assistant (v1.3.1) : 30th July 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (640) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: 0 | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | FrontEdit: N/A | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-573.7.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: /data/web/virtuals/64024/virtual | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 32M | Max. Input Time: 30 | Max. Execution Time: 90 | Memory Limit: 128M

MySQL Configuration :: Version: 5.6.15 (Client:5.6.15) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 13.50 MiB | #of Tables:  104
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.29) | date (5.3.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.29) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | imagick (3.1.2) | XCache (3.1.0) | mhash () | XCache Cacher (3.1.0) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 18260
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: My site has been hacked

Postby leolam » Mon Jul 31, 2017 3:31 am

This FPA is not complete and is missing the output of all extensions, modules etc. However what I do see is that your server environment is very, very outdated (PHP 5.3.29) and with an enabled Open Base Dir.

So you only have one option to cleans your site:

Webdongle wrote:Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to a empty database and install 3rd party extensions then edit the configuration.php.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

Here is a summary of what you need to do


  1. Run the fpa and post the results in this forum
  2. Uninstall any untrusted/unwanted 3rd party extensions and Templates https://vel.joomla.org/live-vel
  3. Delete all the files on the server
  4. Scan your computer and all computers that have server or Joomla admin access
  5. Change Passwords
  6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have and old version
  7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla and run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645
Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support:https://gws-desk.com -
- Joomla Specialized Hosting Solutions:https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team


Return to “Security in Joomla! 2.5”

Who is online

Users browsing this forum: No registered users and 7 guests