Malware removed now problems

[abccomputer]

My site was hacked. I have all the malware removed and now I cannot get into the admin panel so I can prepare the site to upgrade to 3.6

I'm getting a 500 error on the admin site. This is pointing to line 35 in the toolbar.php file in the administrator/includes

[29-Mar-2017 16:50:59 America/Denver] PHP Warning: Illegal string offset 'active' in /home4/mppdccom/public_html/templates/jsn_epic_pro/html/pagination.php on line 94

I've looked at the file and I don't see anything out of the ordinary.

Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.12.65-20161020.132.ELK6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home4/mppdccom/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.43 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: error_log | Last Known Error: 29th March 2017 16:56:21. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.6.32-78.1-log (Client:5.6.32-78.1) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 8.06 MiB | #of Tables:  84

PHP Extensions :: Core (5.4.43) | date (5.4.43) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | pcntl () | standard (5.4.43) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | readline (5.4.43) | recode () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | imap () | shmop () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id: 7f95ff43ea7cc9a2c41a912863ed70069c0e34c5 $) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | imagick (3.1.2) | http (1.7.6) | magickwand (1.0.9) | mailparse (2.1.6) | OAuth (1.2.3) | oci8 (2.0. | uploadprogress (1.0.3.1) | mhash () | ionCube Loader () | SourceGuardian (10.1.5) | Zend Guard Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jfuploader/tfu/session_cache/ (777) |

Components :: SITE :: com_mailto (2.5.0) 1 | com_wrapper (2.5.0) 1 |
Components :: ADMIN :: com_search (2.5.0) 1 | com_login (2.5.0) 1 | com_banners (2.5.0) 1 | com_templates (2.5.0) 1 | com_languages (2.5.0) 1 | com_newsfeeds (2.5.0) 1 | com_checkin (2.5.0) 1 | com_cpanel (2.5.0) 1 | ImageShow (3.1.2) 1 | ImageShow (3.1.2) 1 | com_finder (2.5.0) 1 | com_config (2.5.0) 1 | com_cache (2.5.0) 1 | com_categories (2.5.0) 1 | com_joomlaupdate (2.5.0) 1 | com_weblinks (2.5.0) 1 | com_users (2.5.0) 1 | com_installer (2.5.0) 1 | com_messages (2.5.0) 1 | com_admin (2.5.0) 1 | com_menus (2.5.0) 1 | com_content (2.5.0) 1 | com_media (2.5.0) 1 | com_modules (2.5.0) 1 | com_redirect (2.5.0) 1 | com_plugins (2.5.0) 1 | COM_JFUPLOADER (2.17) 1 |

Modules :: SITE :: mod_syndicate (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_custom (2.5.0) 1 | mod_random_image (2.5.0) 1 | mod_articles_news (2.5.0) 1 | mod_whosonline (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_articles_categories (2.5.0) 1 | mod_articles_archive (2.5.0) 1 | mod_articles_latest (2.5.0) 1 | GTranslate (3.0.39) 1 | JSN ImageShow (3.1.2) 1 | mod_articles_category (2.5.0) 1 | mod_search (2.5.0) 1 | mod_wrapper (2.5.0) 1 | mod_breadcrumbs (2.5.0) 1 | mod_users_latest (2.5.0) 1 | mod_finder (2.5.0) 1 | mod_login (2.5.0) 1 | mod_stats (2.5.0) 1 | mod_banners (2.5.0) 1 | mod_related_items (2.5.0) 1 | mod_weblinks (2.5.0) 1 | mod_languages (2.5.0) 1 | mod_articles_popular (2.5.0) 1 | mod_footer (2.5.0) 1 |
Modules :: ADMIN :: mod_version (2.5.0) 1 | mod_logged (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_latest (2.5.0) 1 | mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | JSN ImageShow Quick Icons (3.1.0) 1 | mod_status (2.5.0) 1 | mod_online (1.6.0) 1 | mod_submenu (2.5.0) 1 | mod_title (2.5.0) 1 | mod_quickicon (2.5.0) 1 | mod_multilangstatus (2.5.0) 1 | mod_login (2.5.0) 1 | mod_unread (1.6.0) 1 | mod_toolbar (2.5.0) 1 | mod_popular (2.5.0) 1 |

Plugins :: SITE :: plg_editors_codemirror (1.0) 1 | plg_editors_tinymce (3.5.11) 1 | plg_authentication_joomla (2.5.0) 1 | plg_authentication_gmail (2.5.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (2.5.0) 0 | plg_authentification_example (1.6.0) 1 | plg_user_contactcreator (2.5.0) 0 | plg_user_profile (2.5.0) 0 | plg_user_joomla (2.5.0) 1 | plg_user_example (1.0) 1 | Theme Classic (1.1.0) 1 | plg_extension_joomla (2.5.0) 1 | plg_extension_example (1.0) 1 | plg_editors-xtd_article (2.5.0) 1 | plg_editors-xtd_pagebreak (2.5.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_image (2.5.0) 1 | plg_editors-xtd_readmore (2.5.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (2.5.0) 1 | plg_finder_weblinks (2.5.0) 1 | plg_finder_categories (2.5.0) 1 | plg_finder_contacts (2.5.0) 1 | plg_finder_content (2.5.0) 1 | plg_system_cache (2.5.0) 0 | plg_system_languagecode (2.5.0) 0 | plg_system_sef (2.5.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_debug (2.5.0) 1 | plg_system_logout (2.5.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_log (2.5.0) 1 | plg_system_languagefilter (2.5.0) 0 | System - JSN ImageShow (3.1.2) 1 | plg_system_p3p (2.5.0) 1 | plg_system_remember (2.5.0) 1 | plg_system_redirect (2.5.0) 1 | plg_system_highlight (2.5.0) 1 | plg_captcha_recaptcha (2.5.0) 1 | PLG_EOSNOTIFY (2.5.0) 1 | plg_quickicon_extensionupdate (2.5.0) 1 | plg_quickicon_joomlaupdate (2.5.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_newsfeeds (2.5.0) 1 | plg_search_weblinks (2.5.0) 1 | plg_search_categories (2.5.0) 1 | plg_search_contacts (2.5.0) 1 | plg_search_content (2.5.0) 1 | plg_twofactorauth_totp (3.2.0) 1 | plg_twofactorauth_yubikey (3.2.0) 1 | plg_content_joomla (2.5.0) 1 | plg_content_pagebreak (2.5.0) 1 | plg_content_loadmodule (2.5.0) 1 | plg_content_finder (2.5.0) 0 | plg_content_vote (2.5.0) 1 | [spam] (4.1.0) 0 | plg_content_pagenavigation (2.5.0) 1 | plg_content_emailcloak (2.5.0) 1 | plg_content_geshi (2.5.0) 0 | Content - JSN ImageShow (3.1.2) 1 | plg_content_example (1.0) 1 |

Templates :: SITE :: JSN_Epic_PRO (4.2.0) 1 | j2template (2.5.0) 1 | atomic (2.5.0) 1 | beez_20 (2.5.0) 1 | beez5 (2.5.0) 1 |
Templates :: ADMIN :: bluestork (2.5.0) 1 | hathor (2.5.0) 1 |

[Webdongle]

Download the Joomla 2.5.28 full package zip and unzip. Then upload the Joomla core files. That should get your site running but you then need to clean it. Start at step #B of viewtopic.php?f=714&t=946026 . When you get to step #G update your Joomla

1. Uninstall all the non compatible J3.6.5 3rd party extensions
2. Delete all the folders/files
3. Install a fresh Joomla 2.5 (same version as you have now) to a new database.
   You now have fresh Joomla files
4. Edit the configuration.php to connect to your original database and update.
   You now have your database updated without the files from the 3rd party extensions interfering with the update.
   
5. Delete all the folders/files again
6. Install J3.6.5 to another new database
7. Install your 3rd party extensions to that
   You now have fresh Joomla files and fresh 3rd party extension files(the files that are intended for J3.6.5)
8. Edit the configuration.php (of the fresh 3.6.5 install) to use the original (updated) database

[boban_dedovic]

@Webdongle has a GREAT answer. One thing I want to add though: back up your site (DB and application code)!

It is a good best practice. I recommend using GitHub for long-term code backup/maintenance.

The Akeeba backup extension can also help with this.

[mandville]

One thing I want to add though: back up your site (DB and application code)!

why? explain your reasoning for backing up a hacked website.

[abccomputer]

The site is no longer hacked it has been cleaned. My current issue was getting into the back end so I can uninstall the non-3.x compatible extensions/add-ins, etc.

working on that now.

[dhuelsmann]

If you did not do the following steps, you site is highly unlikely to be free of of malware.

[quote="Webdongle"]
Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

Cleaning the site is easy ... just delete all the folders/files. Rebuilding the site is easy ... just install a fresh Joomla to a empty database and install 3rd party extensions then edit the configuration.php.


Here is a summary of what you need to do

1. Run the fpa and post the results in this forum
2. Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
3. Delete all the files on the server
4. Scan your computer and all computers that have server or Joomla admin access
5. Change Passwords
6. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have and old version
7. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla and run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

[Webdongle]

The site is no longer hacked it has been cleaned. ....

Please what is your definition of cleaned ?

[abccomputer]

It's been scanned by several different scanners and they find no malware. Yes I know everything will need to be deleted. I am just trying to get the site stable and working so I can upgrade it.

[Webdongle]

Did you attempt an update before you started getting the 500 error ?

[abccomputer]

No. the backend was working until the host deactivated the website. After it was cleaned and they reactivated it, the backend no longer worked. Copying the /administration folder from the joomla package fixed it.. well the backend works. So now I can work on the upgrade this weekend. This is a very large complicated site it's going take some time to do which is why I kept putting it off.

[Webdongle]

.... Copying the /administration folder from the joomla package fixed it.. ...

The very first line of my first reply (Eight posts ago) said ... "Download the Joomla 2.5.28 full package zip and unzip. Then upload the Joomla core files. That should get your site running"

Migrating from J3.5.28 to 3.5.6 is not as time consuming as most people think. Please see viewtopic.php?f=710&t=793171

Or you might like to try the following method as it has the advantage of cleaning your site as well. Finding the 3rd party extensions that are installed is simply a matter of sorting (Components/Modules/Plugins) ID descending ... from then on it's plain sailing.


The problem with some 2.5/3.6 compatible extensions 3rd party extensions is that they use different install files. Even when a 2.5/3.6 compatible extension uses the same zip is that some will detect the version of Joomla and install the files accordingly. One way to avoid 3rd party extension files corrupting the update is to update the database and 3rd party extension files separately.

• Update the database with files from a fresh Joomla 2.5.28 install
  Install the 3rd party extensions into a fresh Joomla 3.6.5 install
  Then connect the 3.6.0 Joomla and 3rd party extension files to the updated database.

1. Uninstall all the non compatible J3.6.5 3rd party extensions
2. Delete all the folders/files
3. Install a fresh Joomla 2.5 (same version as you have now) to a new database.
   You now have fresh Joomla files
4. Edit the configuration.php to connect to your original database and update.
   You now have your database updated without the files from the 3rd party extensions interfering with the update.
   
5. Delete all the folders/files again
6. Install J3.6.5 to another new database
7. Install your 3rd party extensions to that
   You now have fresh Joomla files and fresh 3rd party extension files(the files that are intended for J3.6.5)
8. Edit the configuration.php (of the fresh 3.6.5 install) to use the original (updated) database

[boban_dedovic]

One thing I want to add though: back up your site (DB and application code)!

why? explain your reasoning for backing up a hacked website.

That's a great question and I'm happy to explain. You would want to back it up in the case that you have content (articles or modules) that you will want to re-use. Just because a site is compromised does not mean that every single DB entry or file is also laced with a Trojan.

There are cases where you will want to back things up, especially if it's a large site and you put lots of time into it.

In another example, it's a good idea to review the pattern and overall structure of a compromised site to develop experience into diagnosing it. This is useful if you are interested in security.

With that being said, you are probably questioning what I wrote because of the notion that you don't want infected files on your machine. In this case, I agree with you to the extent that you don't want them actively sitting there and being used. However, you can easily put them in into a ZIP file and they probably won't be executed on their own.

Additionally, if they are extremely malicious it's likely that your OS (like Windows) will strip it out and quarantine it with Defender.

I hope this answers your question.

[ribo]

One thing I want to add though: back up your site (DB and application code)!

why? explain your reasoning for backing up a hacked website.

That's a great question and I'm happy to explain. You would want to back it up in the case that you have content (articles or modules) that you will want to re-use. Just because a site is compromised does not mean that every single DB entry or file is also laced with a Trojan.

There are cases where you will want to back things up, especially if it's a large site and you put lots of time into it.

In another example, it's a good idea to review the pattern and overall structure of a compromised site to develop experience into diagnosing it. This is useful if you are interested in security.

With that being said, you are probably questioning what I wrote because of the notion that you don't want infected files on your machine. In this case, I agree with you to the extent that you don't want them actively sitting there and being used. However, you can easily put them in into a ZIP file and they probably won't be executed on their own.

Additionally, if they are extremely malicious it's likely that your OS (like Windows) will strip it out and quarantine it with Defender.

I hope this answers your question.

Sorry to say that, but i believe that your answer is wrong. Maybe the database will be clean, but there will be vulnerable files in a hacked site for sure. Also it s not 100% sure that every infected file will be detected from any antivirus software, that s why @webdongle says "2. Delete all the folders/files"

[Webdongle]

... You would want to back it up in the case that you have content (articles or modules) that you will want to re-use. Just because a site is compromised does not mean that every single DB entry or file is also laced with a Trojan.

There are cases where you will want to back things up, especially if it's a large site and you put lots of time into it.
...

You are basing your logic on a false premise. Any one of the files on the server could be compromised also by backing up the files you are backingup hack files as well. But the biggest error you make is in assuming that the files on the server are the originals ... but they are not. All the original files (custom or images) should be on the PC. If custom files were created online and not backed up immediately they are created then that is a hard lesson learned.

If you search the forum you will see numerous threads with users claiming the same as you. They end up spending days (sometimes weeks) restoring from backup and and getting re-hacked often. Eventually they spend 20 mins doing it correctly and not getting re-hacked.

[boban_dedovic]

@ribo and @Webdongle, thanks for replying to my post. I guess I should have clarified myself more thoroughly regarding such a delicate process as hacked site recovery.

Backing up hacked files

Any one of the files on the server could be compromised also by backing up the files you are backingup hack files as well... But the biggest error you make is in assuming that the files on the server are the originals

You are absolutely correct in saying that it is likely the case that malicious code was inserted sneakily into core files where it's unlikely to be found. I also agree that it's not a good idea to restore any files from a hacked site.

However, I am not suggesting that anyone should back up the hacked site files in order to restore the site. I suggested backing it up for one of the following use-cases:

1. If you are studying Joomla security and the compromise, then you may want to see exactly what was changed and how it was accomplished. Studying security intrusions (and hacked files) is one way that the open-source community finds vulnerabilities and issues patches. If you just delete everything and re-install a fresh copy without understanding the real root cause of the problem then it may be the case that it's a broader CMS issue that requires a security release patch. Discovery and reporting it could result from such investigation - if this is something that you are interested in doing.

2. Let's assume that you wrote lots of custom CSS code, had various template/component overrides and the like. It may be possible to salvage some of this work by having a backup.

3. Content is expensive and time consuming to replace, so having a DB backup can help you extract plain text so you don't have to re-write everything. If you have a large site with 100+ articles, it's not reasonable to just delete everything, especially image assets.

Sorry to say that, but i believe that your answer is wrong. Maybe the database will be clean, but there will be vulnerable files in a hacked site for sure.

Again, I am not suggesting that anyone restore hacked files after an intrusion, but to just have it for the use-cases mentioned above.

Often times, a DB can also be infected but plain-text article content can be salvaged.

Also it s not 100% sure that every infected file will be detected from any antivirus software, that s why @webdongle says "2. Delete all the folders/files"

I do agree that it's not possible for Win Defender (or any anti-virus software) to catch and quarantine all dangerous files on the desktop. But it works pretty well and the risk is upon the discretion and experience level of the end-user.

Advanced user disclaimer
I should have clarified this in my initial message, but the backup recommendation was intended only for more advanced users. I do wholly agree that for the normal end-user the backup option is more risky and not entirely recommended. But if you have more experience with Joomla and security, then there are benefits (listed previously) to having that backup. I should have added that it is risky and not advised.

Thank you both for addressing my recommendation as I understand how a less experienced user can get into trouble by following the advice without the proper risk disclaimer.

[Webdongle]

@ribo and @Webdongle, thanks for replying to my post. I guess I should have clarified myself more thoroughly regarding such a delicate process as hacked site recovery.
...
You are absolutely correct in saying that it is likely the case that malicious code was inserted sneakily into core files where it's unlikely to be found. ...

Yes we know we are right that is why our advice is often quoted. No need to try and explain your previous comments as it just looks like you are back tracking. Perhaps stop 'digging' and let the thread get back on Topic.

The OP has followed the advice and got his site working again and is working on cleaning/updating the site.