
My site was hacked please help

Posted: Wed Jan 25, 2017 8:44 am
by parakentisi
Joomla! 2.5.28. I can't update to Joomla 3.5.
I found the virus; take a look in the zip file.
I found an advanced .htaccess for Joomla and I secured the site.
My site is http://www.aer a.gr and some redirection happens sometimes to another site.
I found a file /plugins/system/cdscriptegrator/libraries/phpjs/js/php.default.namespaced.min.js
and I deleted it. I don't know what it is.
I ran ForumPostAssistant and everything is OK.
Any advice on how to find the problem?

Re: My site was hacked please help

Posted: Wed Jan 25, 2017 8:52 am
by parakentisi
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.7) : 25th January 2017 wrote:[22-Jan-2017 08:18:30 UTC] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20131226/xcache.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20131226/xcache.so: cannot open shared object file: No such file or directory in Unknown on line 0
Forum Post Assistant (v1.2.7) : 25th January 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: aera (uid: 1/gid: 1) | Group: aera (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 2 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-431.5.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/aera/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.6.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 24567 | Log Errors To: error_log | Last Known Error: 22nd January 2017 08:18:30. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 150M | Max. POST Size: 150M | Max. Input Time: 90 | Max. Execution Time: 70 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.52-cll (Client:5.5.52) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 1268.98 MiB | #of Tables:  257
Detailed Environment :: wrote:PHP Extensions :: Core (5.6.29) | date (5.6.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | standard (5.6.29) | mysql (1.0) | mysqli (0.1) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Phar (2.0.2) | posix () | pspell () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: 8b0e34c10dc8a04b8e81d9d79985b2566141b03d $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.12.5) | cgi-fcgi () | XCache (3.2.0) | suhosin (0.9.38) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | SourceGuardian (10.1) | XCache Cacher (3.2.0) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.6.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: Weblinks (1.6.4) | SOBIPRO (1.11) | Content (1.8) | Banners (1.6.1) | com_mailto (2.5.0) | Default (1.0.0) | WF_FILESYSTEM_JOOMLA_TITLE (2.6.7.1) | WF_AGGREGATOR_[youtube]_TITLE (2.6.7.1) | WF_AGGREGATOR_VIMEO_TITLE (2.6.7.1) | WF_AGGREGATOR_VINE_TITLE (2.6.7.1) | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.7.1) | WF_LINK_SEARCH_TITLE (2.6.7.1) | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.7.1) | WF_POPUPS_WINDOW_TITLE (2.6.7.1) | WF_LINKS_JOOMLALINKS_TITLE (2.6.7.1) | WF_DIRECTIONALITY_TITLE (2.6.7.1) | WF_EMOTIONS_TITLE (2.6.7.1) | WF_VISUALBLOCKS_TITLE (2.6.7.1) | WF_ARTICLE_TITLE (2.6.7.1) | WF_VISUALCHARS_TITLE (2.6.7.1) | WF_FONTSIZESELECT_TITLE (2.6.7.1) | WF_CONTEXTMENU_TITLE (2.6.7.1) | WF_STYLE_TITLE (2.6.7.1) | WF_INLINEPOPUPS_TITLE (2.6.7.1) | WF_XHTMLXTRAS_TITLE (2.6.7.1) | WF_STYLESELECT_TITLE (2.6.7.1) | WF_LINK_TITLE (2.6.7.1) | WF_FULLSCREEN_TITLE (2.6.7.1) | WF_FONTSELECT_TITLE (2.6.7.1) | WF_KITCHENSINK_TITLE (2.6.7.1) | WF_ANCHOR_TITLE (2.6.7.1) | WF_BROWSER_TITLE (2.6.7.1) | WF_TEXTCASE_TITLE (2.6.7.1) | WF_FORMATSELECT_TITLE (2.6.7.1) | WF_SOURCE_TITLE (2.6.7.1) | WF_FONTCOLOR_TITLE (2.6.7.1) | WF_NONBREAKING_TITLE (2.6.7.1) | WF_SPELLCHECKER_TITLE (2.6.7.1) | WF_CLEANUP_TITLE (2.6.7.1) | WF_AUTOSAVE_TITLE (2.6.7.1) | WF_HR_TITLE (2.6.7.1) | WF_CLIPBOARD_TITLE (2.6.7.1) | WF_MEDIA_TITLE (2.6.7.1) | WF_LISTS_TITLE (2.6.7.1) | WF_CHARMAP_TITLE (2.6.7.1) | WF_LAYER_TITLE (2.6.7.1) | WF_PRINT_TITLE (2.6.7.1) | WF_TABLE_TITLE (2.6.7.1) | WF_SEARCHREPLACE_TITLE (2.6.7.1) | WF_IMGMANAGER_TITLE (2.6.7.1) | WF_PREVIEW_TITLE (2.6.7.1) | com_wrapper (2.5.0) |
Components :: ADMIN :: NS Pro (1.8) | JotCache (4.2.3) | Categories (1.0.0) | FaLang (1.7.0) | com_falang (1.2.0) | com_templates (2.5.0) | com_languages (2.5.0) | obRSS (1.8.14) | System - obRSS (1.6.1) | obRSS (1.6.2) | Content - Load obRSS (1.8.12) | obRSS (1.8.13) | obRSS (2.0.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | com_menus (2.5.0) | com_config (2.5.0) | JComments (2.3.0) | com_users (2.5.0) | com_media (2.5.0) | JoomGallery (2.1.6) | JoomGallery (2.1.6) | com_rsseo (1.0.0 R17) | COM_HWDMEDIASHARE (1.0.7) | com_installer (2.5.0) | JFBAlbum (4.3) | com_messages (2.5.0) | GD Image Library For Joomla (1.0 Beta Buil) | com_igallery (3.6.7) | Widgetkit (1.5.6) | com_banners (2.5.0) | com_categories (2.5.0) | com_redirect (2.5.0) | com_phocamaps (2.0.6) | com_search (2.5.0) | com_content (2.5.0) | com_phocagallery (3.2.3) | com_login (2.5.0) | rseventspro (1.0.0) | com_rseventspro (1.0.0) | com_autotweet (7.9.7) | com_cache (2.5.0) | com_joomlaupdate (2.5.0) | COM_JCE (2.6.7.1) | AdAgency (3.1.10) | aiContactSafe (1.0.0) | aiContactSafe - Form (1.0.15.stable) | aiContactSafe module (1.0.13.stable) | aiContactSafe - Link (1.0.10.stable) | aiContactSafe (2.0.19.stable) | com_plugins (2.5.0) | com_modules (2.5.0) | com_admin (2.5.0) | com_djimageslider (3.1.0) | com_checkin (2.5.0) | System - Jumi (2.0.6) | com_jumi (2.0.7) | Jumi (2.0.6) | System - Jumi Router (2.0.6) | com_newsfeeds (2.5.0) | com_weblinks (2.5.0) |

Modules :: SITE :: mod_articles_archive (2.5.0) | mod_weblinks (2.5.0) | Ad Agency Zone (3.0.910) | mod_search (2.5.0) | Mini Frontpage (2.2.3) | mod_articles_categories (2.5.0) | mod_media_groups (1.0.7) | mod_articles_popular (2.5.0) | Widgetkit Twitter (1.0.0) | mod_falang (1.2.0) | mod_jse_megamenu (3.1.1) | mod_articles_category (2.5.0) | JoomImages (2.0) | mod_media_tags (1.0.7) | AddThis Smart Layers (1.0.0) | MOD_FEWESTREAD (2.5-5) | Jumi (2.0.6) | mod_menu (2.5.0) | mod_articles_news (2.5.0) | ARTICLES_PLACED_ANYWHERE (1.1.6) | mod_media_images (1.0.7) | Random Article (1.4.1) | Widgetkit (1.0.0) | mod_media_albums (1.0.7) | Facebook Like Promotion (1.0) | mod_login (2.5.0) | 6Gallery (3.0.3) | mod_whosonline (2.5.0) | mod_finder (2.5.0) | mod_random_image (2.5.0) | Social Slider (1.0.2b) | AutoTweetNG Light RSS (7.9.7) | mod_media_item (1.0.7) | mod_users_latest (2.5.0) | mod_media_videos (1.0.7) | mod_languages (2.5.0) | DJ-ImageSlider (3.1.0) | sigplus (1.4.2.12) | mod_media_playlists (1.0.7) | mod_breadcrumbs (2.5.0) | JFBAlbum (4.3) | AutoTweetNG TW Follow (7.9.7) | mod_media_categories (1.0.7) | mod_feed (2.5.0) | obRSS (1.6.2) | mod_media_channels (1.0.7) | mod_stats (2.5.0) | MOD_RSEVENTSPRO_UPCOMING (1.0) | MOD_RSEVENTSPRO_CATEGORIES (1.0) | mod_articles_latest (2.5.0) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.0) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - faceboo (1.1) | RAXO Module Template - All-mod (1.2) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.3) | RAXO Module Template - All-mod (1.2) | RAXO All-mode PRO (2.4) | mod_syndicate (2.5.0) | mod_footer (2.5.0) | Newsletter Subscriber Pro (1.8) | mod_joomcat (2.1) | mod_banners 
(2.5.0) | mod_media_audio (1.0.7) | mod_custom (2.5.0) | mod_related_items (2.5.0) | mod_media_media (1.0.7) | mod_wrapper (2.5.0) |
Modules :: ADMIN :: mod_autotweet_latest (7.9.7) | mod_logged (2.5.0) | mod_title (2.5.0) | mod_menu (2.5.0) | mod_version (2.5.0) | mod_status (2.5.0) | mod_quickicon (2.5.0) | mod_login (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | mod_submenu (2.5.0) | mod_feed (2.5.0) | mod_toolbar (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) |

Plugins :: SITE :: plg_hwdmediashare_remote_youtu (1.0.7) | plg_hwdmediashare_remote_metac (1.0.7) | plg_hwdmediashare_remote_video (1.0.7) | plg_hwdmediashare_remote_flick (1.0.7) | plg_hwdmediashare_player_jwadv (1.0.7) | plg_hwdmediashare_player_mejs (1.0.7) | plg_hwdmediashare_remote_youtu (1.0.7) | plg_hwdmediashare_remote_veohc (1.0.7) | plg_hwdmediashare_player_flowp (1.0.7) | plg_hwdmediashare_remote_vimeo (1.0.7) | plg_hwdmediashare_remote_blipt (1.0.7) | plg_hwdmediashare_remote_vyouk (1.0.7) | plg_hwdmediashare_player_bo_vi (1.0.7) | plg_hwdmediashare_player_hwdjw (1.0.7) | plg_hwdmediashare_comments_fac (1.0.7) | plg_hwdmediashare_comments_kom (1.0.7) | plg_hwdmediashare_comments_dis (1.0.7) | plg_hwdmediashare_remote_daily (1.0.7) | plg_hwdmediashare_cdn_amazons3 (1.0.7) | plg_hwdmediashare_comments_jco (1.0.7) | plg_hwdmediashare_platform_kal (1.0.7) | plg_hwdmediashare_platform_vza (1.0.7) | PLG_EDITORS-XTD_ARTICLESANYWHE (3.7.0FREE) | plg_editors-xtd_article (2.5.0) | PLG_EDITORS-XTD_SLIDER (2.2.2FREE) | Button - Ignite Gallery (3.6) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_jcommentsoff (1.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | PLG_EDITORS-XTD_TABS (4.1.2FREE) | PLG_EDITORS-XTD_MODULESANYWHER (3.4.0FREE) | plg_editors-xtd_jcommentson (1.0) | plg_editors-xtd_media (1.0.7) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.11) | plg_editors_jce (2.6.7.1) | plg_user_joomla (2.5.0) | plg_user_jcomments (1.0) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_community_media (1.0.7) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_system_autotweetcontent (7.9.7) | plg_system_falangdriver (1.2.0) | System - AutoTweet Social Prof (7.9.7) | System - JSE Mega Menu Framewo (3.0.3) | PLG_SYSTEM_ARTICLESANYWHERE (3.7.0FREE) | plg_system_debug (2.5.0) | 
PLG_SYSTEM_SLIDER (2.2.2FREE) | plg_system_highlight (2.5.0) | plg_system_rsseo (1.2.0) | plg_system_redirect (2.5.0) | System - SocComments (1.3.0) | Srizon Modifier (1.0.0) | System - Jumi Router (2.0.6) | System - Widgetkit Joomla (1.0.0) | plg_system_p3p (2.5.0) | System - JCE MediaBox (1.2.4) | System - Google Maps (3.2) | plg_system_cdscriptegrator (2.5.x.2.2.9) | K2 (2.5.5) | Google Libraries API (unknown) | Community Builder (1.8) | Widgetkit (1.0.5) | YT Warp Theme Framework (6.1.6) | ZOO (2.5.17) | JA Comment (2.5.0) | plg_system_log (2.5.0) | PLG_SYS_MOOTABLE (1.1.3) | plg_system_languagefilter (2.5.0) | PLG_SYSTEM_MODALS (4.3.0PRO) | iJoomla News (1.0) | plg_system_remember (2.5.0) | plg_system_logout (2.5.0) | PLG_SYSTEM_TABS (4.1.2FREE) | plg_system_languagecode (2.5.0) | PLG_SYSTEM_MODULESANYWHERE (3.4.0FREE) | Plazart Framework (2.2) | System - jQuery Easy (1.6.1) | System - Widgetkit ZOO (3.1.0) | System - Jumi (2.0.6) | plg_system_jce (2.6.7.1) | PLG_SYSTEM_JFBALBUM (3.0.1) | plg_system_jcomments (1.0) | System - Widgetkit (1.0.0) | plg_system_cache (2.5.0) | iJoomlaUpgradeAlert (1.0) | plg_system_sef (2.5.0) | PLG_SYSTEM_NNFRAMEWORK (15.3.6) | System - obRSS (1.6.1) | plg_system_autotweetautomator (7.9.7) | aiRedirectWww (2.0.0) | plg_extension_joomla (2.5.0) | plg_extension_jce (2.6.7.1) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_EOSNOTIFY (2.5.0) | plg_quickicon_jce (2.6.0-pro-bet) | Recache (4.2.3) | Crawler Extended (4.2.3) | Crawler (4.2.3) | plg_joomgallery_joomlytebox (2.0.1) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_media (1.0.7) | plg_search_jcomments (1.0) | plg_search_content (2.5.0) | plg_autotweet_autotweetpost (7.9.7) | AllVideos (by JoomlaWorks) (4.7.0) | AllVideos (by JoomlaWorks) (4.7.0) | 
EasyImageCaption (0.52) | ijoomla_sidebar_plugin (2.0.11) | Phoca Maps Plugin (2.0.5) | plg_content_vote (2.5.0) | Content - Ignite Gallery (3.6) | plg_content_loadmodule (2.5.0) | Content - Easy [spam] (2.4) | Content - SocComments (1.3.0) | flashChart Content plugin (1.2.2.7) | plg_content_adselite (4.5) | Content - Thumbs (0.5.13) | PLG_PWEB_FBARTICLEIMAGES (2.0.27) | Content - Widgetkit (1.0.0) | plg_content_joomla (2.5.0) | Content - Embed Google Map (1.2.2) | plg_content_finder (2.5.0) | plg_content_pagebreak (2.5.0) | Multithumb (3.7.2) | Content - Image gallery - sigp (1.4.2.12) | Content - Modules in articles (0.8) | plg_content_hwdjwplayer (1.0.7) | Plugin HY Article (2.1.1.0) | plg_content_autotweetweblinks (6.4.0) | Content - Pagebreak - MyJspace (2.0.3) | plg_content_pagenavigation (2.5.0) | plg_content_jce (2.6.7.1) | plg_content_phoca_open_graph (2.0.0) | plg_content_media (1.0.7) | plg_content_geshi (2.5.0) | Content - Newsletter Subscribe (1.8) | plg_content_jcomments (1.0) | aiContactSafe - Form (1.0.15.stable) | plg_content_emailcloak (2.5.0) | plg_installer_jce (2.6.7.1) | plg_installer_autotweet (7.9.7) |
Templates Discovered :: wrote:Templates :: SITE :: yoo_inspire (1.0.4) | yoo_master (1.0.0) | tz_simplelove_joomla (1.1) | j2template (2.5.0) | yoo_avenue (1.0.10) | yoo_eat (1.0.8) | yoo_streamline (1.0.9) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Re: My site was hacked please help

Posted: Wed Jan 25, 2017 9:28 am
by parakentisi
My site sometimes redirects to this site.

Re: My site was hacked please help

Posted: Thu Jan 26, 2017 4:10 pm
by parakentisi
It was hacked again and they changed the index.php.

Re: My site was hacked please help

Posted: Thu Jan 26, 2017 4:23 pm
by ribo
Please see the instructions about how to clean your site here: viewtopic.php?f=714&t=945958#p3457104
It's the only way to clean it for sure, so it's good to move fast. After that, migrate to the current latest version.

Re: My site was hacked please help

Posted: Thu Jan 26, 2017 8:29 pm
by sozzled
parakentisi wrote:Joomla! 2.5.28 i can't update to Joomla 3.5
What is preventing you from migrating to J! 3.x? Please be more specific.
parakentisi wrote:Any advice how to find [how/where my J! 2.5.28 site is being hacked]?
Simple! Websites built with J! 2.5.28 are prime targets for hacking. Use J! 3.6.5—the current, stable version of Joomla—and your website(s) will not be hacked. If you cannot migrate to J! 3.6.5 yourself, seek professional help. Professional help to migrate old J! 2.5 websites is widely available and does not cost a lot of money. It's your choice: it's your business or it's a case of you will probably be put out of business by hackers. 8)

Re: My site was hacked please help

Posted: Thu Jan 26, 2017 8:59 pm
by ribo
Please let me note again that you must first clean your Joomla 2.5.28 with the instructions that I gave in my previous post, and afterwards you must migrate to Joomla 3.6.5. Don't migrate without first cleaning your Joomla 2.5.28, because if you only migrate, you will have a vulnerable migrated Joomla site.

Re: My site was hacked please help

Posted: Thu Jan 26, 2017 9:10 pm
by sozzled
ribo wrote:Please let me note again that you must first clean your Joomla 2.5.28 with the instructions that I gave in my previous post, and afterwards you must migrate to Joomla 3.6.5.
Noted: good advice except that the OP stated they "cannot migrate to J! 3.x" (but have not given any specific explanation about what is "preventing" them from migrating).

Re: My site was hacked please help

Posted: Thu Jan 26, 2017 9:17 pm
by ribo
sozzled wrote:
ribo wrote:Please let me note again that you must first clean your Joomla 2.5.28 with the instructions that I gave in my previous post, and afterwards you must migrate to Joomla 3.6.5.
Noted: good advice except that the OP stated they "cannot migrate to J! 3.x" (but have not given any specific explanation about what is "preventing" them from migrating).
I understand what you mean, but I said in my advice "and after migrate to the latest current version", which I didn't say is optional. It's a must to migrate afterwards to the latest Joomla version. Also he must update third-party extensions and the template.