Site hacked with php files and html redirection

Discussion regarding Joomla! 2.5 security issues.

itjoomin
Posts: 1
Joined: Wed Feb 18, 2015 8:02 am

Site hacked with php files and html redirection

Post by itjoomin » Wed Feb 18, 2015 8:29 am

Hello,
I am using Joomla 2.5.6.

Before the hack, the file permissions were 777 everywhere. As a first step, I changed the permissions and removed unwanted files.

Below is my Joomla installation information:
Forum Post Assistant (v1.2.4) : 18th February 2015:
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.6-Stable (Ember) 19-June-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (644) | Owner: 10024 (uid: /gid: ) | Group: 505 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-358.18.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/mywebsite.com/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.3 | PHP API: apache2handler | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: 0 | Open Base: /var/www/vhosts/mywebsite.com/:/tmp/ | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 128M

MySQL Configuration :: Version: 5.1.73 (Client:5.1.73) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 439.91 KiB | #of Tables:  77
Detailed Environment ::
PHP Extensions :: Core (5.3.3) | date (5.3.3) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | Reflection ($Revision: 300393 $) | session () | standard (5.3.3) | shmop () | SimpleXML (0.1) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | apache2handler () | curl () | dom (20031129) | fileinfo (1.0.5-dev) | gd () | imap () | json (1.2.1) | mbstring () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | sqlite3 (0.7-dev) | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | prefork | http_core | mod_so | mod_auth_basic | mod_auth_digest | mod_authn_file | mod_authn_alias | mod_authn_anon | mod_authn_dbm | mod_authn_default | mod_authz_host | mod_authz_user | mod_authz_owner | mod_authz_groupfile | mod_authz_dbm | mod_authz_default | util_ldap | mod_authnz_ldap | mod_include | mod_log_config | mod_logio | mod_env | mod_ext_filter | mod_mime_magic | mod_expires | mod_deflate | mod_headers | mod_usertrack | mod_setenvif | mod_mime | mod_dav | mod_status | mod_autoindex | mod_info | mod_dav_fs | mod_vhost_alias | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_substitute | mod_rewrite | mod_proxy | mod_proxy_balancer | mod_proxy_ftp | mod_proxy_http | mod_proxy_ajp | mod_proxy_connect | mod_cache | mod_suexec | mod_disk_cache | mod_cgi | mod_version | mod_aclr2 | mod_bw | mod_cloudflare | mod_fcgid | mod_jk | mod_perl | mod_php5 | mod_python | mod_rpaf-2 | mod_ssl | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered ::
Components :: SITE :: com_wrapper (2.5.0) | com_mailto (2.5.0) | Default (1.0.0) |
Components :: ADMIN :: com_messages (2.5.0) | com_redirect (2.5.0) | com_admin (2.5.0) | com_content (2.5.0) | com_templates (2.5.0) | com_languages (2.5.0) | com_menus (2.5.0) | com_banners (2.5.0) | com_categories (2.5.0) | com_config (2.5.0) | com_installer (2.5.0) | com_newsfeeds (2.5.0) | com_weblinks (2.5.0) | com_users (2.5.0) | com_finder (2.5.0) | com_login (2.5.0) | com_plugins (2.5.0) | Akeeba (3.6.1) | com_joomlaupdate (2.5.0) | com_cpanel (2.5.0) | com_search (2.5.0) | com_checkin (2.5.0) | com_phocagallery (3.2.0) | com_cache (2.5.0) | com_media (2.5.0) | com_modules (2.5.0) |

Modules :: SITE :: mod_articles_popular (2.5.0) | mod_login (2.5.0) | mod_random_image (2.5.0) | showplus (1.0.4.5) | mod_weblinks (2.5.0) | Nice Social Bookmark (1.7.2) | mod_articles_category (2.5.0) | mod_search (2.5.0) | mod_users_latest (2.5.0) | mod_articles_categories (2.5.0) | mod_custom (2.5.0) | mod_related_items (2.5.0) | mod_syndicate (2.5.0) | mod_feed (2.5.0) | mod_menu (2.5.0) | mod_article (1.7.2.4) | mod_languages (2.5.0) | mod_articles_archive (2.5.0) | mod_breadcrumbs (2.5.0) | mod_wrapper (2.5.0) | mod_whosonline (2.5.0) | mod_footer (2.5.0) | mod_articles_latest (2.5.0) | mod_banners (2.5.0) | mod_articles_news (2.5.0) | mod_stats (2.5.0) | mod_finder (2.5.0) |
Modules :: ADMIN :: mod_login (2.5.0) | mod_latest (2.5.0) | mod_status (2.5.0) | mod_custom (2.5.0) | mod_multilangstatus (2.5.0) | mod_submenu (2.5.0) | mod_logged (2.5.0) | mod_feed (2.5.0) | mod_menu (2.5.0) | mod_toolbar (2.5.0) | mod_title (2.5.0) | mod_version (2.5.0) | mod_popular (2.5.0) | mod_quickicon (2.5.0) |

Plugins :: SITE :: plg_system_p3p (2.5.0) | plg_system_remember (2.5.0) | System - JCK Typography (3.4.8) | plg_system_debug (2.5.0) | plg_system_log (2.5.0) | plg_system_cache (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_highlight (2.5.0) | plg_system_logout (2.5.0) | plg_system_languagefilter (2.5.0) | System - Bincom Multiple Googl (1.0) | System - Bincom Multiple Googl (1.0) | plg_system_redirect (2.5.0) | plg_system_sef (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_editors_codemirror (1.0) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | JTreeLink (1.0) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | System - JCK Typography (3.4.8) | Editor - JoomlaCK (5.0 Beta) | Editor - JoomlaCK (5.0 Beta) | plg_editors_tinymce (3.4.9) | plg_extension_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_content_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_finder (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_vote (2.5.0) | plg_content_mavikthumbnails (0.9.9.8) | plg_content_geshi (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_article (2.5.0) |
Templates Discovered ::
Templates :: SITE :: pleinr6 (1.0) | pleinr5 (1.0) | pleinr4 (1.0) | pleinr2 (1.0) | pleinr (1.0) | pleinr3 (1.0) | publiciteweb254 (1.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Please advise me on what I can do to secure my website.
I have full access to my server.
Do not hesitate to contact me if you need more information.

Thank you

leolam
Joomla! Master
Posts: 19661
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Site hacked with php files and html redirection

Post by leolam » Sun Feb 22, 2015 4:07 am

[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review the Vulnerable Extensions List to make sure any 3rd-party extension versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, viruses, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla files that will be placed back on the website (such as, but not limited to, images, PDF files, files for download, and other documents and files) are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the Security Checklist 7 document.

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services
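The permission step of the checklist above (never 777; 644 for files, 755 for directories, 444 for configuration.php) and the "verify every non-Joomla file" step, as an added shell example that is not part of this thread or of Joomla itself. The list of directories treated as static-only (images/, cache/, tmp/, logs/) and the docroot layout are assumptions about a typical Joomla 2.5 tree, not facts from the poster's site.

```shell
#!/bin/sh
# Added example: audit a Joomla docroot for world-writable paths and for PHP
# files sitting in directories that should only hold static content, then
# apply the permissions recommended in the reply. Run as the site owner.

# Print every world-writable file or directory under the given root.
# Symlinks are skipped because their mode bits are not meaningful.
list_world_writable() {
    find "$1" -perm -o+w ! -type l
}

# Print PHP files found in directories meant for static content only.
# Assumption: Joomla core ships no PHP under these directories, so any
# .php here deserves a manual look before the tree is trusted again.
list_php_in_static_dirs() {
    root=$1
    for d in images cache tmp logs; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -name '*.php'
    done
    return 0
}

# Apply the permissions the reply recommends: 755 for directories,
# 644 for files, and 444 (read-only) for configuration.php.
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/configuration.php" ] && chmod 444 "$root/configuration.php"
    return 0
}

# Summarise both checks; exit status 0 only when nothing was found,
# so the function can be wired into a cron job as a recurring check.
audit_joomla_tree() {
    ww=$(list_world_writable "$1" | wc -l | tr -d ' ')
    stray=$(list_php_in_static_dirs "$1" | wc -l | tr -d ' ')
    echo "world-writable paths: $ww, php files in static dirs: $stray"
    [ "$ww" -eq 0 ] && [ "$stray" -eq 0 ]
}
```

Typical use is `audit_joomla_tree /var/www/vhosts/example.com/httpdocs` before and after `fix_permissions`; a non-zero "php files in static dirs" count should be inspected by hand, not bulk-deleted.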

