Site was hacked, can't get rid of html file

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
SomeGuyFromCali
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 18, 2016 12:52 am

Site was hacked, can't get rid of html file

Postby SomeGuyFromCali » Mon Jul 18, 2016 12:58 am

One of my older sites got hacked recently. I believe the problem was simply that I left the permissions for the images folder open on accident.

They created an HTML file that loads when you go to the example URL
http://www.______.com/images/installs/c ... urale.html

I deleted the installs folder completely but the URL still loads when I go there. How do I completely remove the link to this page?


Also, how do I completely disable user registration? There were many new users in the user list that I did not create which I have now deleted.

User avatar
sozzled
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4699
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: Site was hacked, can't get rid of html file

Postby sozzled » Mon Jul 18, 2016 1:11 am

When you're fighting these kinds of fires, it's always a good idea to learn from the professional firefighters:

1) Contain the blaze—stop it from spreading;

2) Rescue the victims

3) Put out the fire and fire-proof the environment so that it doesn't happen again. In other words, J! 2.5 is vulnerable and at risk from being attacked; better to migrate your site the latest version of J! 3.x instead of trying to "protect" it with outdated software.

SomeGuyFromCali wrote:One of my older sites got hacked recently. I believe the problem was simply that I left the permissions for the images folder open on accident.
The Forum Post Assistant will help you locate folders that have elevated privileges

SomeGuyFromCali wrote:I deleted the installs folder completely but the URL still loads when I go there. How do I completely remove the link to this page?
It is probable that the link was injected from another file on your site (very likely in the template default.php, but that's just a guess).

SomeGuyFromCali wrote:Also, how do I completely disable user registration? There were many new users in the user list that I did not create which I have now deleted.
See https://docs.joomla.org/Disabling_user_registration
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?

SomeGuyFromCali
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Jul 18, 2016 12:52 am

Re: Site was hacked, can't get rid of html file

Postby SomeGuyFromCali » Mon Jul 18, 2016 2:02 am

sozzled wrote:When you're fighting these kinds of fires, it's always a good idea to learn from the professional firefighters:

1) Contain the blaze—stop it from spreading;

2) Rescue the victims

3) Put out the fire and fire-proof the environment so that it doesn't happen again. In other words, J! 2.5 is vulnerable and at risk from being attacked; better to migrate your site the latest version of J! 3.x instead of trying to "protect" it with outdated software.

SomeGuyFromCali wrote:One of my older sites got hacked recently. I believe the problem was simply that I left the permissions for the images folder open on accident.
The Forum Post Assistant will help you locate folders that have elevated privileges

SomeGuyFromCali wrote:I deleted the installs folder completely but the URL still loads when I go there. How do I completely remove the link to this page?
It is probable that the link was injected from another file on your site (very likely in the template default.php, but that's just a guess).

SomeGuyFromCali wrote:Also, how do I completely disable user registration? There were many new users in the user list that I did not create which I have now deleted.
See https://docs.joomla.org/Disabling_user_registration


Thank you, I am going to assume they exploited the older version or an older plugin. I have taken the site offline and am manually moving all of the content over article at a time to be certain none of the compromised code get's moved over with it.


Return to “Security in Joomla! 2.5”

Who is online

Users browsing this forum: No registered users and 3 guests