No administrator access

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
NFCWill
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Wed Feb 09, 2011 8:35 am

No administrator access

Post by NFCWill » Tue Mar 10, 2015 9:21 am

It seems our site has been hacked, and we no longer have admin access. The index.php file is no longer within the administrator site. I have read what I need to do with regards to deleting all joomla files and making a copy of the config file. However, excuse my ignorance but when reinstalling joomla and new extensions would this not make me lose all previous work? layouts? and many hours inputing data?

Again excuse my ignorance, I just need to know what I am letting myself in for before starting. Any help/advice would be greatly appreciated.
Problem Description :: Forum Post Assistant (v1.2.4) : 10th March 2015 wrote:No administrator access
Log/Error Message :: Forum Post Assistant (v1.2.4) : 10th March 2015 wrote:403 Forbidden
Forum Post Assistant (v1.2.4) : 10th March 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.15-Stable (Ember) 06-November-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 11328 (uid: /gid: ) | Group: 2523 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-531.29.2.lve1.3.11.3.el5h.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/northernfootballclub.co.uk/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.36 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 32767 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.41-cll-lve (Client:5.5.41) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 8.74 MiB | #of Tables:  261
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.36) | date (5.4.36) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bz2 () | calendar () | ctype () | curl () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline (5.4.36) | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | session () | standard (5.4.36) | shmop () | SimpleXML (0.1) | mbstring () | tokenizer (0.1) | xml () | cgi-fcgi () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | wddx () | bcmath () | gd () | mysql (1.0) | fileinfo (1.0.5) | sockets () | zip (1.11.0) | xmlwriter (0.1) | snmp (0.1) | pgsql () | json (1.2.1) | exif (1.4 $Id: 637ebf9289b40d157fdf8edcdddeb3d907b28d9b $) | ldap () | sysvmsg () | sysvshm () | soap () | odbc (1.0) | xmlrpc (0.51) | sysvsem () | pspell () | mysqli (0.1) | imap () | dom (20031129) | pdo_sqlite (1.0.1) | Phar (2.0.1) | xmlreader (0.1) | posix () | mcrypt () | PDO_ODBC (1.0.1) | xsl (0.1) | mhash () | ionCube Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: HaniXavi/root/dev/shm/ (777) | test/app/ (777) | test/app/mejdi/ (777) | test/app/mejdi/Snd/ (777) | test/app/mejdi/Snd/rz/ (777) | test/app/mejdi/css/ (777) | test/app/mejdi/img/ (777) | test/app/mejdi/js/ (777) | test/app/mejdi/js/contrib/ (777) | test/app/mejdi/js/languages/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Default (3.0.1) | Default (3.0_Alpha1.2) |
Components :: ADMIN :: com_messages (2.5.0) | RokGallery (2.22) | com_admin (2.5.0) | com_search (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | RokSprocket (2.0.2) | com_cpanel (2.5.0) | Gantry (4.1.12) | com_media (2.5.0) | com_weblinks (2.5.0) | com_finder (2.5.0) | com_content (2.5.0) | com_modules (2.5.0) | com_menus (2.5.0) | RokCandy (2.0.0) | com_flashmagazinedeluxe (3.0.0 (build ) | com_languages (2.5.0) | com_templates (2.5.0) | com_installer (2.5.0) | com_checkin (2.5.0) | com_login (2.5.0) | com_categories (2.5.0) | com_redirect (2.5.0) | com_newsfeeds (2.5.0) | JoomSport (2.9.3) | com_users (2.5.0) | com_plugins (2.5.0) | Community (3.0.1) | Community (3.0.1) | com_cache (2.5.0) | com_joomlaupdate (2.5.0) | com_jckman (5.3) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | JTreeLink (1.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | JoomlaCK Pugin Manager Control (1.0.0 DEVELOP) |

Modules :: SITE :: Community - Dating Search (3.0.1) | mod_articles_latest (2.5.0) | mod_languages (2.5.0) | mod_articles_categories (2.5.0) | Community - Photos Module (3.0.1) | Community - Hello Me (3.0.1) | Community - Active Groups (3.0.1) | Community - Quick Search Modul (3.0.1) | mod_banners (2.5.0) | mod_weblinks (2.5.0) | Community - Latest group posts (3.0.1) | Community - JomSocial Connect (3.0.1) | Community - Photo Comments (3.0.1) | Community - Activity Stream (3.0.1) | mod_articles_category (2.5.0) | mod_breadcrumbs (2.5.0) | RokAjaxSearch (2.0.0) | mod_syndicate (2.5.0) | mod_users_latest (2.5.0) | mod_articles_popular (2.5.0) | Community - Events Module (3.0.1) | RokGallery Module (2.22) | Community - Whos Online (3.0.1) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_wrapper (2.5.0) | mod_menu (2.5.0) | Community - Latest Discussion (3.0.1) | Community - JomSocial Statisti (3.0.1) | mod_related_items (2.5.0) | mod_articles_archive (2.5.0) | mod_random_image (2.5.0) | Community - Videos Module (3.0.1) | Community - Jomsocial Notifica (3.0.1) | mod_login (2.5.0) | Flash Magazine Deluxe - Archiv (3.0.0 (build ) | mod_articles_news (2.5.0) | Community - Groups Module (3.0.1) | Community - Video Comments (3.0.1) | mod_finder (2.5.0) | mod_search (2.5.0) | Community - Members Module (3.0.1) | mod_whosonline (2.5.0) | RokNavMenu (2.0.3) | mod_footer (2.5.0) | mod_stats (2.5.0) | RokSprocket Module (2.0.2) | Community - Top Members (3.0.1) |
Modules :: ADMIN :: mod_quickicon (2.5.0) | mod_latest (2.5.0) | mod_status (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_menu (2.5.0) | mod_toolbar (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_submenu (2.5.0) | mod_version (2.5.0) | mod_title (2.5.0) | JoomlaCK Pugin Manager Control (1.0.0 DEVELOP) |

Plugins :: SITE :: Unknown (-) | Community - My Latest Videos (3.0.1) | Unknown (-) | Community - Events (3.0.1) | Community - Friend's Location (3.0.1) | Community - Latest Photos (3.0.1) | Unknown (-) | Community - Invite (3.0.1) | Unknown (-) | My twitter updates (3.0.1) | Community - Walls (3.0.1) | Kunena Groups (2.0.3) | Unknown (-) | Community - Feeds (3.0.1) | Unknown (-) | Community - My Contacts (3.0.1) | My Forum Menu (2.0.3) | Community - My Tagged Videos (3.0.1) | Unknown (-) | Community - My Articles (3.0.1) | Community - Input Processor (3.0.1) | Community - Wordfilter (3.0.1) | My Forum Posts (2.0.3) | Unknown (-) | Community - My Google Ads (3.0.1) | Community - My kunena updates (3.0.1) | plg_extension_joomla (2.5.0) | User - Jomsocial User (3.0.1) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_system_redirect (2.5.0) | plg_system_p3p (2.5.0) | System - RokSprocket (2.0.2) | plg_system_highlight (2.5.0) | System - RokBox (2.0.4) | plg_system_remember (2.5.0) | System - Jomsocial Redirect (3.0.1) | System - Gantry (4.1.12) | plg_system_sef (2.5.0) | System - RokCandy (2.0.0) | system - EUCookieDirectiveLite (1.0.9) | System - JCK Typography (3.5.0) | System - RokUpdater (1.0.8) | plg_system_languagecode (2.5.0) | Azrul System Mambot For Joomla (3.0.1) | plg_system_cache (2.5.0) | System - RokExtender (2.0.0) | Abivia.net SuperTable Plus Plu (1.8.2) | System - RokCommon (3.1.6) | plg_system_debug (2.5.0) | System - RokBooster (1.1.8) | plg_system_log (2.5.0) | plg_system_logout (2.5.0) | System - RokGallery (2.22) | System - JCK Modal (1.0) | plg_system_languagefilter (2.5.0) | Jomsocial Update (3.0.1) | System - Jomsocial Facebook Co (3.0.1) | Flash Magazine Deluxe - Button (3.0.0 (build ) | Button - RokBox (2.0.4) | Button - RokCandy (2.0.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokGallery (2.22) | plg_captcha_recaptcha (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | Editor - RokPad (2.1.5) | Editor - JoomlaCK (6.5.3) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (0.1) | Unknown (1.0) | Unknown (0.1) | Unknown (0.1) | System - JCK Typography (3.5.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | Content - RokBox (2.0.4) | Flash Magazine Deluxe - Conten (3.0.0 (build ) | plg_content_szaki_table (1.2) | plg_content_emailcloak (2.5.0) | plg_content_pagenavigation (2.5.0) | Content - RokInjectModule (1.5) | plg_content_joomla (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_vote (2.5.0) | plg_content_finder (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_newsfeeds (2.5.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez_20 (2.5.0) | rt_fracture (1.5) | beez5 (2.5.0) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

itoctopus
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4026
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada
Contact:

Re: No administrator access

Post by itoctopus » Tue Mar 10, 2015 9:50 am

Where did you read that you have to delete all your Joomla files to fix the hack?

In any case, try re-uploading the whole administrator folder to your website (don't delete the current one) and then you should clean your website from the hack and ensure that your website is secured and updated to the latest secure version of Joomla (you are running a very old version of Joomla, which is 2.5.15).
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

NFCWill
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Wed Feb 09, 2011 8:35 am

Re: No administrator access

Post by NFCWill » Tue Mar 10, 2015 10:00 am

itoctopus wrote:Where did you read that you have to delete all your Joomla files to fix the hack?

In any case, try re-uploading the whole administrator folder to your website (don't delete the current one) and then you should clean your website from the hack and ensure that your website is secured and updated to the latest secure version of Joomla (you are running a very old version of Joomla, which is 2.5.15).
In the sticky it says
Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.


Am I misreading/understanding.

Thank you for the advice, I have the original administrator file at home and will try that tonight.

yoann
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Mar 10, 2015 10:12 am

Re: No administrator access

Post by yoann » Tue Mar 10, 2015 10:30 am

you just need to upload all core files (after download a fresh version of the same version of yours) to replace core infected files.
But in you have deleted your template folder i hope you've got a backup...
All your content is contained in the database and is not deleted.
If you don't have a backup of your website try to ask your host, maybe he can reinstall a backup of your files

NFCWill
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Wed Feb 09, 2011 8:35 am

Re: No administrator access

Post by NFCWill » Wed Mar 11, 2015 9:58 am

I have tried uploading just the administrator file, but when I go to the admin login page it shows blank.

Looks like I will have to replace the core folders.

Again excuse my ignorance but Is there an easy way to back up my template? Is it as easy as copying the template folder and re-uploading?

Also I use rocketlauncher from rockettheme, would it be as easy as deleting all folders and reinstalling. Seeing as all content is kept in the database? Would I need to copy the current config file and re-upload it?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: No administrator access

Post by mandville » Wed Mar 11, 2015 11:35 am

The instructions for deleting and replacing the core files are so that you delete any shell scripts and malware hidden.
Your install is very old.
Some of your extensions are old .
You have 777 folder permissions.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

NFCWill
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Wed Feb 09, 2011 8:35 am

Re: No administrator access

Post by NFCWill » Mon Mar 16, 2015 10:47 am

mandville wrote:The instructions for deleting and replacing the core files are so that you delete any shell scripts and malware hidden.
Your install is very old.
Some of your extensions are old .
You have 777 folder permissions.
I have done as suggested but now my website just shows a blank screen? I am quite lost as what to do next.

The 777 folder permissions are what I believe "the hack".


Locked

Return to “Security in Joomla! 2.5”