Site Hacked - Help with FPA

[purplenova]

I believe my site was hacked. some folks were getting a 404 error when visiting the site but when I tried initially everything looked ok, but after more hunting I found several php pages that had the "$remote = random ip address using port443. Found this line in 2 separate files .

After a google search or two, I found a research paper where someone spent two years tracking something called Asprox botnet and the paper also referenced the exact same $remote= same ip address, that I found.

Hopefully this is an easy fix.

found strange php pages in root with remote ip adress

Joomla! Instance :: Joomla! 2.5.19-Stable (Ember) 6-March-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 9004202 (uid: /gid: ) | Group: 100450 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 1 | Cache: 2 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-604.30.3.lve1.3.63.el6.nfsfixes.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/chroot/home/content/02/9004202/html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.24 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.96-log (Client:5.5.19) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 1.91 MiB | #of Tables:  83

PHP Extensions :: Core (5.3.24) | date (5.3.24) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | apc (3.1.13) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | imagick (3.1.0RC2) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | standard (5.3.24) | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | Phar (2.0.1) | SimpleXML (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Core Folders :: images/ (705) | components/ (705) | modules/ (705) | plugins/ (705) | language/ (705) | templates/ (705) | cache/ (705) | logs/ (705) | tmp/ (705) | administrator/components/ (705) | administrator/modules/ (705) | administrator/language/ (705) | administrator/templates/ (705) |

Elevated Permissions (First 10) ::

Components :: SITE :: com_mailto (2.5.0) 1 | com_wrapper (2.5.0) 1 |
Components :: ADMIN :: com_admin (2.5.0) 1 | Akeeba (4.7.4) 1 | com_banners (2.5.0) 1 | com_cache (2.5.0) 1 | com_categories (2.5.0) 1 | com_checkin (2.5.0) 1 | com_config (2.5.0) 1 | com_content (2.5.0) 1 | com_cpanel (2.5.0) 1 | com_finder (2.5.0) 1 | com_installer (2.5.0) 1 | com_joomlaupdate (2.5.0) 1 | com_languages (2.5.0) 1 | com_login (2.5.0) 1 | com_media (2.5.0) 1 | com_menus (2.5.0) 1 | com_messages (2.5.0) 1 | com_modules (2.5.0) 1 | com_newsfeeds (2.5.0) 1 | com_plugins (2.5.0) 1 | com_redirect (2.5.0) 1 | com_search (2.5.0) 1 | com_templates (2.5.0) 1 | com_users (2.5.0) 1 | com_weblinks (2.5.0) 1 | Admintools (3.4.4) 1 |

Modules :: SITE :: mod_articles_archive (2.5.0) 1 | mod_articles_categories (2.5.0) 1 | mod_articles_category (2.5.0) 1 | mod_articles_latest (2.5.0) 1 | mod_articles_news (2.5.0) 1 | mod_articles_popular (2.5.0) 1 | mod_banners (2.5.0) 1 | mod_breadcrumbs (2.5.0) 1 | mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_finder (2.5.0) 1 | mod_footer (2.5.0) 1 | mod_languages (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_random_image (2.5.0) 1 | mod_related_items (2.5.0) 1 | mod_search (2.5.0) 1 | mod_stats (2.5.0) 1 | mod_syndicate (2.5.0) 1 | mod_users_latest (2.5.0) 1 | mod_weblinks (2.5.0) 1 | mod_whosonline (2.5.0) 1 | mod_wrapper (2.5.0) 1 |
Modules :: ADMIN :: mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_latest (2.5.0) 1 | mod_logged (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_multilangstatus (2.5.0) 1 | mod_popular (2.5.0) 1 | mod_quickicon (2.5.0) 1 | mod_status (2.5.0) 1 | mod_submenu (2.5.0) 1 | mod_title (2.5.0) 1 | mod_toolbar (2.5.0) 1 | mod_version (2.5.0) 1 |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) 0 | plg_authentication_joomla (2.5.0) 1 | plg_authentication_ldap (2.5.0) 0 | plg_captcha_recaptcha (2.5.0) 1 | plg_content_emailcloak (2.5.0) 1 | plg_content_finder (2.5.0) 0 | plg_content_geshi (2.5.0) 0 | plg_content_joomla (2.5.0) 1 | plg_content_loadmodule (2.5.0) 1 | plg_content_pagebreak (2.5.0) 1 | plg_content_pagenavigation (2.5.0) 1 | plg_content_vote (2.5.0) 1 | plg_editors-xtd_article (2.5.0) 1 | plg_editors-xtd_image (2.5.0) 1 | plg_editors-xtd_pagebreak (2.5.0) 1 | plg_editors-xtd_readmore (2.5.0) 1 | plg_editors_codemirror (1.0) 1 | plg_editors_tinymce (3.5.4.1) 1 | plg_extension_joomla (2.5.0) 1 | plg_finder_categories (2.5.0) 1 | plg_finder_contacts (2.5.0) 1 | plg_finder_content (2.5.0) 1 | plg_finder_newsfeeds (2.5.0) 1 | plg_finder_weblinks (2.5.0) 1 | PLG_JMONITORING_AKEEBABACKUP_T (1.0) 1 | plg_quickicon_extensionupdate (2.5.0) 1 | plg_quickicon_joomlaupdate (2.5.0) 1 | plg_quickicon_akeebabackup (1.0) 1 | plg_search_categories (2.5.0) 1 | plg_search_contacts (2.5.0) 1 | plg_search_content (2.5.0) 1 | plg_search_newsfeeds (2.5.0) 1 | plg_search_weblinks (2.5.0) 1 | plg_system_cache (2.5.0) 0 | plg_system_debug (2.5.0) 1 | plg_system_highlight (2.5.0) 1 | plg_system_languagecode (2.5.0) 0 | plg_system_languagefilter (2.5.0) 0 | plg_system_log (2.5.0) 1 | plg_system_logout (2.5.0) 1 | plg_system_p3p (2.5.0) 1 | plg_system_redirect (2.5.0) 1 | plg_system_remember (2.5.0) 1 | plg_system_sef (2.5.0) 1 | Security - jHackGuard (1.4.2) 1 | System - Admin Tools (3.4.4) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | plg_user_contactcreator (2.5.0) 0 | plg_user_joomla (2.5.0) 1 | plg_user_profile (2.5.0) 0 |

Templates :: SITE :: atomic (2.5.0) 1 | beez5 (2.5.0) 1 | beez_20 (2.5.0) 1 | TR_Neutrino (v1.1) 1 |
Templates :: ADMIN :: bluestork (2.5.0)

[sozzled]

Please edit your last post, remove the "[ code ]" tag at the beginning and the "[ /code ]" tag at the end so that we can read your FPA report, thank you.

The most likely cause of the way your site was hacked is because you're using J! 2.5.19 which is, as you should know, outdated (over three years old), unsupported and known to be vulnerable to attack. Unfortunately for you, you've paid the price of risking your website to attack by using obsolete and vulnerable software. I feel sorry for you.

[purplenova]

I knew it was out dated and my host would normally notify me of updates ready for install, so I kinda ignored the situation until I started getting phone calls. A bit late I know.

Other than your obvious observation, is there a remedy for my issue, other than update to latest release, or will that even correct it?

[sozzled]

There are two ways to remediate the situation; remediate is a great word: it means try to patch things up so that they hang together long enough until you can address the root cause of the problem and fix it properly.

You can restore your website from a backup that you made before the phone calls started happening. This may mean going back to the way your site was operating a few months ago but, at least, it's a start and it'll get you working again (hopefully) for long enough for you to start doing the required work to bring your antiquated J! 2.5.19 website up to "speed" with J! 2.5.28. However, even with J! 2.5.28 you're not free from problems. J! 2.5.28 is also outdated, unsupported and vulnerable to attack.

So there's the band-aid approach.

The way to fix the problem properly is to attempt to salvage as much material that you can and utilise this by creating a website built with the current supported (and less-likely-to-be-attacked) version of Joomla, namely J! 3.6.5. This, of course, means some work but, then again, if something is worthwhile doing then that "something" requires the investment of time, labour (and, perhaps, money).

It all depends, really, on how valuable your website (that's now ruined) was to you and/or your business. I don't know the answer to that; that's something only you can decide.

As a start, you might like to read viewtopic.php?f=714&t=757645

[purplenova]

As a start, you might like to read viewtopic.php?f=714&t=757645

Thank you !