
Site hacked!

Posted: Wed Apr 22, 2015 7:56 am
by tonytimms
My site seems to have been hacked this morning; some of the articles are in Polish or some other language. I don't know how this happened, but what is the best solution? The structure of the site seems OK, with menus etc. intact. Any help much appreciated.

Regards

Re: Site hacked!

Posted: Wed Apr 22, 2015 10:50 am
by Per Yngve Berg

Re: Site hacked!

Posted: Wed Apr 22, 2015 2:32 pm
by tonytimms
Problem Description :: Forum Post Assistant (v1.2.4) : 22nd April 2015 wrote:
A number of articles including those on the index page are in another language.

Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 22nd April 2015 wrote:
[22-Apr-2015 12:35:39 Europe/London] PHP Warning: Invalid argument supplied for foreach() in /home/w10mich/public_html/libraries/joomla/string/string.php on line 970

Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 22nd April 2015 wrote:
No actions have been taken as yet

Forum Post Assistant (v1.2.4) : 22nd April 2015 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 2248 (uid: /gid: ) | Group: 2247 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-531.1.2.lve1.2.54.el6.x86_64 | Technology: x86_64 | Web Server: LiteSpeed | Encoding: gzip, deflate | Doc Root: /home/w10mich/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.29 | PHP API: litespeed | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 22nd April 2015 12:35:39. | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: /home/w10mich:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 256M | Max. Input Time: 120 | Max. Execution Time: 120 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.42-cll (Client:5.5.42) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 22045.22 MiB | #of Tables:  82
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.29) | date (5.3.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.29) | Phar (2.0.1) | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | snmp () | soap () | sockets () | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | litespeed () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | imagick (3.1.2) | SourceGuardian (10.1) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_weblinks (2.5.0) | COM_K2 (2.6.2) | mod_k2_comments (-) | mod_k2_comments (-) | K2 (2.5.7) | com_templates (2.5.0) | com_newsfeeds (2.5.0) | com_cpanel (2.5.0) | Gantry (4.1.4) | com_login (2.5.0) | com_content (2.5.0) | com_plugins (2.5.0) | com_users (2.5.0) | com_search (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_admin (2.5.0) | RokCandy (1.3) | com_banners (2.5.0) | com_redirect (2.5.0) | com_config (2.5.0) | com_media (2.5.0) | com_joomlaupdate (2.5.0) | com_installer (2.5.0) | com_languages (2.5.0) | com_modules (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | com_cache (2.5.0) | aiContactSafe (2.0.21c.stabl) | aiContactSafe - Form (1.0.15.stable) | aiContactSafe - Link (1.0.10.stable) | aiContactSafe (1.0.0) | aiContactSafe module (1.0.13.stable) | com_finder (2.5.0) |

Modules :: SITE :: K2 Login (2.5.7) | mod_menu (2.5.0) | mod_articles_news (2.5.0) | K2 User (2.6.2) | K2 Tools (2.6.2) | mod_wrapper (2.5.0) | mod_articles_category (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_breadcrumbs (2.5.0) | mod_footer (2.5.0) | mod_banners (2.5.0) | MOD_JGMAP (0.16.35) | K2 Users (2.6.2) | mod_languages (2.5.0) | mod_articles_archive (2.5.0) | mod_search (2.5.0) | mod_related_items (2.5.0) | mod_weblinks (2.5.0) | K2 Content (2.6.2) | mod_superfish_menu (2.5.0) | mod_syndicate (2.5.0) | mod_articles_latest (2.5.0) | mod_stats (2.5.0) | mod_custom (2.5.0) | mod_random_image (2.5.0) | K2 Comments (2.6.2) | mod_whosonline (2.5.0) | RokNavMenu (1.12) | mod_login (2.5.0) | mod_users_latest (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_popular (2.5.0) | K2 FlexSlider (2.1) |
Modules :: ADMIN :: mod_menu (2.5.0) | mod_toolbar (2.5.0) | K2 Quick Icons (admin) (2.6.2) | mod_latest (2.5.0) | mod_feed (2.5.0) | mod_logged (2.5.0) | mod_popular (2.5.0) | mod_version (2.5.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_status (2.5.0) | K2 Stats (admin) (2.6.2) | mod_custom (2.5.0) | mod_submenu (2.5.0) | mod_login (2.5.0) | mod_quickicon (2.5.0) |

Plugins :: SITE :: plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_k2 (2.6.2) | plg_editors_tinymce (3.5.4.1) | plg_editors_codemirror (1.0) | plg_system_redirect (2.5.0) | plg_system_highlight (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_sef (2.5.0) | System - RokBox (1.2) | System - jQuery Easy (1.4.0) | System - RokExtender (1.0) | plg_system_logout (2.5.0) | System - Gantry (4.1.4) | plg_system_debug (2.5.0) | System - RokCandy (1.3) | plg_system_cache (2.5.0) | plg_system_log (2.5.0) | plg_system_p3p (2.5.0) | System - K2 (2.6.2) | plg_system_remember (2.5.0) | Josetta - K2 Categories (2.6.2) | Josetta - K2 Items (2.6.2) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_pagenavigation (2.5.0) | AllVideos (by JoomlaWorks) (4.4) | Content - RokBox (1.2) | plg_content_geshi (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_joomla (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_extension_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | User - K2 (2.6.2) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_article (2.5.0) | Button - RokCandy (1.3) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | Search - K2 (2.6.2) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) |
Templates Discovered :: wrote:
Templates :: SITE :: beez_20 (2.5.0) | beez5 (2.5.0) | atomic (2.5.0) | theme1279 (2.5) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Re: Site hacked!

Posted: Mon May 04, 2015 5:21 pm
by Bernard T
You use a 2.5-year-old Joomla version with known vulnerabilities: 2.5.8.

Follow these instructions:
  1. Preparation
    • Note which version of Joomla you have. Download the "Joomla Full Install" package for this version. (you will upgrade later)
    • Also note which 3rd party extensions you have installed.
    • Review the Vulnerable Extensions List to make sure none of the 3rd party extension versions you use appear on the Live Vulnerable list. If they do, note them and don't install them; search for an alternative extension.
    • Download all 3rd party extension packages only from the developer's website, in the versions currently in use. (You will upgrade later.)
    • Review and action Security Checklist 7. Ensure you follow all of the steps above.
  2. Backup and remove all Website Files
    • Save a copy of the configuration.php file to your PC.
    • Delete ALL files in your Joomla installation. This is ONLY the files and directories in the joomla_root/ directory NOT the database!
    • Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, viruses, trojans, spyware, etc. Security Checklist 7 contains a list of recommended scanners.
    • Change all passwords and if possible user names for the website host control panel.
    • Change the Joomla database user name and password.
    • Use proper permissions on files and directories.
      • They should never be 777,
      • Use 644 for files and 755 for directories.
      • The configuration.php file can be set to 444 which is read only.
    • Check your .htaccess for any odd code (i.e. code which is not in the standard htaccess.txt supplied as part of the Joomla installation).
    • Check the crontab or Task Scheduler for unexpected jobs/tasks.
    • Ensure you do not have anonymous FTP enabled.
    • Verify individually that any non-Joomla file that will be placed back on the website (such as, but not limited to, images, pdf files, files for download, and other documents and files) are valid and are supposed to be a part of your website.
  3. Install the clean Joomla - the same version you had until now (you will upgrade later)
    • Extract/copy the Joomla files to your FTP root folder
    • Create a NEW database and install to it without sample data.
    • Install the 3rd party extensions (including any custom template) into the new Joomla. (That ensures you have the files in place for the 3rd party extensions.)
    • Edit the configuration.php file of the new Joomla to connect to your original database. (The new database we installed to a moment ago can be deleted thereafter.)
  4. Update Joomla and extensions
    • Make a backup
    • update your Joomla to the current stable version
    • update all extensions of your site to the current version (skip those that you found on Live VEL and don't have appropriate updates)
  5. Reinstate the deleted files
    • Upload any non-Joomla files (images, movies, download documents etc.) that are necessary for your website.
IMPORTANT
Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the back-doors that may have been inserted and hidden in various files and directories.
More detailed information can be found in the security Checklist 7 link above.
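A shell version of the file-level checks behind the steps above (no 777 permissions, configuration.php read-only, and every file that is not byte-for-byte part of a clean Joomla package of the same version flagged for manual verification). It is added here as an example and is not code from Bernard T's post or from the Joomla project; the directory layout, file contents and permissions are a constructed fixture.

```shell
#!/bin/sh
# Added example (not code from the thread): the file-level checks behind the
# cleanup steps above, run over a site tree next to a clean Joomla package of
# the same version. Findings, one per line:
#   WORLD_WRITABLE <path>  permission bits include o+w (777 and friends)
#   CONFIG_WRITABLE        configuration.php is not read-only (expect 444)
#   EXTRA <path>           in the site but not in the clean package: verify
#                          by hand (legitimate upload or planted file)
#   MODIFIED <path>        core file whose content differs from the clean copy
audit_tree() {
    clean=$1; site=$2
    find "$site" -perm -002 | while IFS= read -r p; do
        printf 'WORLD_WRITABLE %s\n' "${p#"$site"/}"
    done
    if [ -f "$site/configuration.php" ] && find "$site/configuration.php" \
         \( -perm -200 -o -perm -020 -o -perm -002 \) | grep -q .; then
        echo 'CONFIG_WRITABLE configuration.php'
    fi
    (cd "$site" && find . -type f) | sed 's|^\./||' | sort | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf 'EXTRA %s\n' "$f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# Constructed fixture (not a real site): a tiny "clean package" and a "site"
# that shows each finding once. Prints the scratch directory holding both.
build_fixture() {
    base=$(mktemp -d)
    for t in clean site; do
        mkdir -p "$base/$t/libraries/joomla/string" "$base/$t/images" "$base/$t/tmp"
        echo '<?php // index' > "$base/$t/index.php"
        echo '<?php // string helper' > "$base/$t/libraries/joomla/string/string.php"
        echo '<?php // placeholder config' > "$base/$t/configuration.php"
    done
    echo '<?php // altered' >> "$base/site/libraries/joomla/string/string.php"
    echo '<?php // not part of Joomla' > "$base/site/images/unexpected.php"
    chmod 777 "$base/site/tmp"                 # the 777 the checklist forbids
    chmod 644 "$base/site/configuration.php"   # should be 444
    chmod 444 "$base/clean/configuration.php"
    echo "$base"
}

# Stand-alone run: build the fixture, audit it, clean up.
base=$(build_fixture)
audit_tree "$base/clean" "$base/site"
rm -rf "$base"
```

On a real site, point `audit_tree` at an unpacked "Joomla Full Install" package of the same version and at the site root; every EXTRA line still has to be judged by hand, since uploads under images/ are expected there while PHP files are not.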