Hacked site with PHP code injection

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
tchao57
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Sep 28, 2018 5:03 pm

Hacked site with PHP code injection

Post by tchao57 » Thu Oct 11, 2018 11:16 am

Hello everyone,

I'm coming to see you today because I have a site that has been hacked with PHP code injection into the pages.

I noticed that many PHP pages were affected but not all. The injected code is always at the top of the PHP file with the <?php and ?> Tags and the code inside.

What I want to do is delete all this code in all pages at one time. I have not looked at all the pages but the code seems to be similar each time.

For that I downloaded the whole file "www" on my computer. I do a Windows search for all PHP files by typing *.php, and so I end up with all the files with PHP extension that are in the folder "www".

Now I would have to make sure to remove everything between the PHP tags of these files, but without touching the rest of PHP code of course.

I do not know if I'm posting in the good forum, if it's not the case I'll change.

Thank you in advance for your help.

User avatar
CyrusXxX
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 235
Joined: Wed Oct 04, 2017 6:23 am
Location: Belgrade Serbia
Contact:

Re: Hacked site with PHP code injection

Post by CyrusXxX » Thu Oct 11, 2018 11:38 am

Sorry to hear that tchao57, concerning your question of deleting all selected code at once I think there are some editors out there which have that ability. Something like Find and Replace function

But I strongly recommend you to delete those lines manually as you will avoid possible errors and deletion of wrong code.

But here is the other solution if you have clean versions of those files and if you haven't modified anything you could do simple overwrite and will not worry about possible errors related to deletion of wrong code.

Naturally after you secure those holes related to php injection issue.
Joomla Serbian Latin Coordinator
https://volunteers.joomla.org/joomlers/ ... oran-nesic

Power is knowledge and knowledge is power.
https://regenesiscomputers.com

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44029
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hacked site with PHP code injection

Post by Webdongle » Thu Oct 11, 2018 11:50 am

CyrusXxX wrote:
Thu Oct 11, 2018 11:38 am
...
But I strongly recommend you to delete those lines manually as you will avoid possible errors and deletion of wrong code....
That is not enough. Please see viewtopic.php?f=714&t=946026 and viewtopic.php?f=710&t=956702
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

tchao57
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Sep 28, 2018 5:03 pm

Re: Hacked site with PHP code injection

Post by tchao57 » Thu Oct 11, 2018 12:01 pm

Hi Guys,

thanks for your quick replies.
before deleting everything and reinstalling Joomla again I will want to test the removal of malicious PHP code.
I think it's feasible with notepad++ and the search and replace function in a folder. But I do not really know what to put in the settings.

User avatar
ribo
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm
Contact:

Re: Hacked site with PHP code injection

Post by ribo » Thu Oct 11, 2018 12:45 pm

tchao57 wrote:
Thu Oct 11, 2018 12:01 pm
I will want to test the removal of malicious PHP code.
I think it's feasible with notepad++ and the search and replace function in a folder. But I do not really know what to put in the settings.
You will not clean your joomla website permanently with this way. You will see that you will be hacked again.
With this way viewtopic.php?f=714&t=946026 and viewtopic.php?f=710&t=956702 you will be clean your joomla for sure.
chat room spontes : http://www.spontes.com

tchao57
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Sep 28, 2018 5:03 pm

Re: Hacked site with PHP code injection

Post by tchao57 » Thu Oct 11, 2018 1:50 pm

Yes ribo I agree with you. The site will be hacked again.
But the problem with the method you propose (of what I undertand) is that I must first delete everything and reinstall Joomla completely. Basically, it's almost like recreating the site of zero.

My idea was initially to remove the malicious code pages to find a functional site, then make the necessary updates to block future intrusions.

User avatar
ribo
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm
Contact:

Re: Hacked site with PHP code injection

Post by ribo » Thu Oct 11, 2018 2:03 pm

tchao57 wrote:
Thu Oct 11, 2018 1:50 pm
Yes ribo I agree with you. The site will be hacked again.
But the problem with the method you propose (of what I undertand) is that I must first delete everything and reinstall Joomla completely. Basically, it's almost like recreating the site of zero.
No it s not like you create a joomla website from zero as you have your database. Let me tell you in summary
what do you do and you can finish this in a hour. When you are sure that everything is ok in your host server(from fpa results), see if you have vulnerable extensions or template and change passwords(ftp, mail, etc.) then you list in a text file all your third party extensions and template. You back up files and database and then delete everything. Then you install joomla and your listed third party extensions. After you drop the new database and you put your old database. And at the end you overwrite all your images that you had and if you have changes in css etc. and voila, your website is back. After that it is recommended to update your joomla 2.5 to the latest joomla 3 version and your extensions too. So as you understand this is not creating a joomla website from zero.
Last edited by ribo on Thu Oct 11, 2018 2:17 pm, edited 3 times in total.
chat room spontes : http://www.spontes.com

User avatar
ribo
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3507
Joined: Sun Jan 03, 2010 8:47 pm
Contact:

Re: Hacked site with PHP code injection

Post by ribo » Thu Oct 11, 2018 2:05 pm

tchao57 wrote:
Thu Oct 11, 2018 1:50 pm

My idea was initially to remove the malicious code pages to find a functional site, then make the necessary updates to block future intrusions.
Ony with remove the malicious code and even if you update your joomla to 3.8.13 you will be hacked again and then you will ask how you are hacked with the latest version of joomla
chat room spontes : http://www.spontes.com

tchao57
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Sep 28, 2018 5:03 pm

Re: Hacked site with PHP code injection

Post by tchao57 » Thu Oct 11, 2018 2:37 pm

Ok ribo now I understand well. Thanx.

Then first thing that I need to do is install FPA from viewtopic.php?t=582860.
After do I need to post the result here?

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44029
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hacked site with PHP code injection

Post by Webdongle » Thu Oct 11, 2018 2:49 pm

Yes post the results here.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

tchao57
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Fri Sep 28, 2018 5:03 pm

Re: Hacked site with PHP code injection

Post by tchao57 » Thu Oct 11, 2018 2:51 pm

There it is:
Forum Post Assistant (v1.4.5 (Ganymede)) : 11th October 2018 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.17-Stable (Ember) 18-December-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (666) | Owner: --protected-- . (uid: /gid: ) | Group: --protected-- (gid: ) | Valid For: 2.5
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: No | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: N/A | FTP Layer: false | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: N/A | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 2.5.17: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Windows NT | OS Version: 10.0 | Technology: i586 | Web Server: Apache/2.4.33 (Win32) PHP/5.6.35 | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 11.09 GiB |

PHP Configuration :: Version: 5.6.35 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: c:/wamp/logs/php_error.log | Last Known Error: 25th September 2018 14:16:05. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 120 | Memory Limit: 128M

Database Configuration :: Version: 5.7.21 (Client:mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | Host: --protected-- (--protected--) | Localhost: Yes | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 7.80 MiB | #of Tables: 118
Detailed Environment :: wrote:PHP Extensions :: Core (5.6.35) | bcmath () | calendar () | ctype () | date (5.6.35) | ereg () | filter (0.11.0) | ftp () | hash (1.0) | iconv () | json (1.2.1) | mcrypt () | SPL (0.2) | odbc (1.0) | pcre () | Reflection ($Id: 5f15287237d5f78d75b19c26915aa7bd83dee8b8 $) | session () | standard (5.6.35) | mysqlnd (mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $) | tokenizer (0.1) | zip (1.12.5) | zlib (2.0) | libxml () | dom (20031129) | PDO (1.0.4dev) | bz2 () | SimpleXML (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | apache2handler () | openssl () | curl () | com_dotnet (0.1) | fileinfo (1.0.5) | gd () | gettext () | gmp () | intl (1.1.0) | imap () | ldap () | mbstring () | exif (1.4 $Id: 1c8772f76be691b7b3f77ca31eb788a2abbcefe5 $) | mysql (1.0) | mysqli (0.1) | Phar (2.0.2) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | soap () | sockets () | sqlite3 (0.7-dev) | xmlrpc (0.51) | xsl (0.1) | mhash () | Zend OPcache (7.0.6-devFE) | xdebug (2.5.5) | Zend Engine (2.6.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_win32 | mpm_winnt | http_core | mod_so | mod_access_compat | mod_actions | mod_alias | mod_allowmethods | mod_asis | mod_auth_basic | mod_auth_digest | mod_authn_core | mod_authn_file | mod_authz_core | mod_authz_groupfile | mod_authz_host | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_cgi | mod_dir | mod_env | mod_file_cache | mod_include | mod_isapi | mod_log_config | mod_mime | mod_negotiation | mod_rewrite | mod_setenvif | mod_userdir | mod_vhost_alias | mod_php5 | Apache/2.4.33 (Win32) PHP/5.6.35 |
Potential Missing Modules :: mod_expires | mod_deflate | mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) | administrator/logs/ (---) |

Elevated Permissions (First 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/components/com_admin/ (777) | administrator/components/com_admin/controllers/ (777) | administrator/components/com_admin/helpers/ (777) | administrator/components/com_admin/helpers/html/ (777) | administrator/components/com_admin/models/ (777) | administrator/components/com_admin/models/forms/ (777) | administrator/components/com_admin/sql/ (777) |
Database Information :: wrote:Database statistics :: Uptime: 21802 | Threads: 1 | Questions: 3541 | Slow queries: 0 | Opens: 652 | Flush tables: 1 | Open tables: 642 | Queries per second avg: 0.162 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_mailto (2.5.0) 1 | com_wrapper (2.5.0) 1 |
3rd Party:: CB Profile Notifier (1.2) 1 | iC rounded - iCagenda Theme (3.5.6) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.5.8) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.5.8) 1 | WF_AGGREGATOR_VINE_TITLE (2.5.8) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.5.8) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.5.8) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.5.8) 1 | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.8) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.5.8) 1 | WF_POPUPS_WINDOW_TITLE (2.5.8) 1 | WF_LINK_SEARCH_TITLE (2.5.8) 1 | WF_ANCHOR_TITLE (2.5.8) 1 | WF_ARTICLE_TITLE (2.5.8) 1 | WF_AUTOSAVE_TITLE (2.5.8) 1 | WF_BROWSER_TITLE (2.5.8) 1 | WF_CHARMAP_TITLE (2.5.8) 1 | WF_CLEANUP_TITLE (2.5.8) 1 | WF_CLIPBOARD_TITLE (2.5.8) 1 | WF_CONTEXTMENU_TITLE (2.5.8) 1 | WF_DIRECTIONALITY_TITLE (2.5.8) 1 | WF_FONTCOLOR_TITLE (2.5.8) 1 | WF_FONTSELECT_TITLE (2.5.8) 1 | WF_FONTSIZESELECT_TITLE (2.5.8) 1 | WF_FORMATSELECT_TITLE (2.5.8) 1 | WF_FULLSCREEN_TITLE (2.5.8) 1 | WF_IMGMANAGER_TITLE (2.5.8) 1 | WF_INLINEPOPUPS_TITLE (2.5.8) 1 | WF_KITCHENSINK_TITLE (2.5.8) 1 | WF_LAYER_TITLE (2.5.8) 1 | WF_LINK_TITLE (2.5.8) 1 | WF_LISTS_TITLE (2.5.8) 1 | WF_MEDIA_TITLE (2.5.8) 1 | WF_NONBREAKING_TITLE (2.5.8) 1 | WF_PREVIEW_TITLE (2.5.8) 1 | WF_PRINT_TITLE (2.5.8) 1 | WF_SEARCHREPLACE_TITLE (2.5.8) 1 | WF_SOURCE_TITLE (2.5.8) 1 | WF_SPELLCHECKER_TITLE (2.5.8) 1 | WF_STYLE_TITLE (2.5.8) 1 | WF_STYLESELECT_TITLE (2.5.8) 1 | WF_TABLE_TITLE (2.5.8) 1 | WF_TEXTCASE_TITLE (2.5.8) 1 | WF_VISUALBLOCKS_TITLE (2.5.8) 1 | WF_VISUALCHARS_TITLE (2.5.8) 1 | WF_XHTMLXTRAS_TITLE (2.5.8) 1 |

Components :: ADMIN ::
Core :: com_admin (2.5.0) 1 | com_banners (2.5.0) 1 | com_cache (2.5.0) 1 | com_categories (2.5.0) 1 | com_checkin (2.5.0) 1 | com_config (2.5.0) 1 | com_content (2.5.0) 1 | com_cpanel (2.5.0) 1 | com_finder (2.5.0) 1 | com_installer (2.5.0) 1 | com_joomlaupdate (2.5.0) 1 | com_languages (2.5.0) 1 | com_login (2.5.0) 1 | com_media (2.5.0) 1 | com_menus (2.5.0) 1 | com_messages (2.5.0) 1 | com_modules (2.5.0) 1 | com_newsfeeds (2.5.0) 1 | com_plugins (2.5.0) 1 | com_redirect (2.5.0) 1 | com_search (2.5.0) 1 | com_templates (2.5.0) 1 | com_users (2.5.0) 1 | com_weblinks (2.5.0) 1 |
3rd Party:: Akeeba (3.4.6) 1 | comprofiler (2.0.10) 1 | iCagenda (3.5.6) 1 | JCE (2.5.8) 1 | JW_DISQUS (3.2) 1 | COM_MAXIMENUCK (4.0.6) 1 | com_phocadownload (2.1.9) 1 | Remository (3.55J2) 1 | COM_REREPLACER (5.13.5FREE) 1 | uddeIM (3.7) 1 |

Modules :: SITE ::
Core :: mod_articles_archive (2.5.0) 1 | mod_articles_categories (2.5.0) 1 | mod_articles_category (2.5.0) 1 | mod_articles_latest (2.5.0) 1 | mod_articles_news (2.5.0) 1 | mod_articles_popular (2.5.0) 1 | mod_banners (2.5.0) 1 | mod_breadcrumbs (2.5.0) 1 | mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_finder (2.5.0) 1 | mod_footer (2.5.0) 1 | mod_languages (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_random_image (2.5.0) 1 | mod_related_items (2.5.0) 1 | mod_search (2.5.0) 1 | mod_stats (2.5.0) 1 | mod_syndicate (2.5.0) 1 | mod_users_latest (2.5.0) 1 | mod_weblinks (2.5.0) 1 | mod_whosonline (2.5.0) 1 | mod_wrapper (2.5.0) 1 |
3rd Party:: Community Builder Login module (2.0.10) 1 | Community Builder Workflows mo (2.0.10) 1 | Community Builder Online modul (2.0.10) 1 | MOD_DATETIME (2.0.1) 1 | FreiChat-I (1.0.0) 1 | iCagenda - Calendar (3.5.6) 1 | JTS CounterStats (1.5) 1 | Maximenu CK (8.0.6) 1 | mod_news_pro_gk4 (GK4 3.3.8) 1 | Remository_Categories (3.55) 1 | Remository_multi_module (3.55J2) 1 | Remository_Newest (3.55J2) 1 | Remository_Most_Downloaded (3.55J2) 1 | Remository_Tree (3.55J2) 1 | sigplus (1.4.2.14) 1 | Slideshow CK (1.4.5) 1 | SP Smart Slider (2.3) 1 | Susnet Facebook Like Box (1.0.8) 1 | uddeIM Notifier (3.7) 1 | Visitors Counter (2.0.2) 1 |

Modules :: ADMIN ::
Core :: mod_custom (2.5.0) 1 | mod_feed (2.5.0) 1 | mod_latest (2.5.0) 1 | mod_logged (2.5.0) 1 | mod_login (2.5.0) 1 | mod_menu (2.5.0) 1 | mod_multilangstatus (2.5.0) 1 | mod_popular (2.5.0) 1 | mod_quickicon (2.5.0) 1 | mod_status (2.5.0) 1 | mod_submenu (2.5.0) 1 | mod_title (2.5.0) 1 | mod_toolbar (2.5.0) 1 | mod_version (2.5.0) 1 |
3rd Party:: Akeeba Backup Notification Mod (3.4.3) 1 | Community Builder Admin module (2.0.10) 1 |

Plugins :: SITE ::
Core :: plg_authentication_gmail (2.5.0) 0 | plg_authentication_joomla (2.5.0) 1 | plg_authentication_ldap (2.5.0) 0 | plg_captcha_recaptcha (2.5.0) 1 | plg_content_emailcloak (2.5.0) 1 | plg_content_finder (2.5.0) 0 | plg_content_geshi (2.5.0) 0 | plg_content_joomla (2.5.0) 1 | plg_content_loadmodule (2.5.0) 1 | plg_content_pagebreak (2.5.0) 1 | plg_content_pagenavigation (2.5.0) 1 | plg_content_vote (2.5.0) 1 | plg_editors-xtd_article (2.5.0) 1 | plg_editors-xtd_image (2.5.0) 1 | plg_editors-xtd_pagebreak (2.5.0) 1 | plg_editors-xtd_readmore (2.5.0) 1 | plg_extension_joomla (2.5.0) 1 | plg_finder_categories (2.5.0) 1 | plg_finder_contacts (2.5.0) 1 | plg_finder_content (2.5.0) 1 | plg_finder_newsfeeds (2.5.0) 1 | plg_finder_weblinks (2.5.0) 1 | PLG_EOSNOTIFY (2.5.0) 1 | plg_quickicon_extensionupdate (2.5.0) 1 | plg_quickicon_joomlaupdate (2.5.0) 1 | plg_search_categories (2.5.0) 1 | plg_search_contacts (2.5.0) 1 | plg_search_content (2.5.0) 1 | plg_search_newsfeeds (2.5.0) 1 | plg_search_weblinks (2.5.0) 1 | plg_system_cache (2.5.0) 0 | plg_system_debug (2.5.0) 1 | plg_system_highlight (2.5.0) 1 | plg_system_languagecode (2.5.0) 0 | plg_system_languagefilter (2.5.0) 1 | plg_system_log (2.5.0) 1 | plg_system_logout (2.5.0) 1 | plg_system_p3p (2.5.0) 1 | plg_system_redirect (2.5.0) 1 | plg_system_remember (2.5.0) 1 | plg_system_sef (2.5.0) 1 | plg_user_contactcreator (2.5.0) 0 | plg_user_joomla (2.5.0) 1 | plg_user_profile (2.5.0) 0 |
3rd Party:: DISQUS Comments for Joomla! (b (3.2) 1 | Content - Load Module in Artic (3.1.0) 1 | bg-BG NotifyArticleSubmit lang (2014-06-26 22) 1 | cs-CZ NotifyArticleSubmit lang (2014-06-26 22) 1 | da-DK NotifyArticleSubmit lang (2014-06-26 22) 1 | de-DE NotifyArticleSubmit lang (2014-06-26 22) 1 | en-GB NotifyArticleSubmit lang (2014-06-26 22) 1 | es-ES NotifyArticleSubmit lang (2014-06-26 22) 1 | fr-FR NotifyArticleSubmit lang (2014-06-26 22) 1 | GJFields - a set of additional (1.0.29) 1 | it-IT NotifyArticleSubmit lang (2014-06-26 22) 1 | lt-LT NotifyArticleSubmit lang (2014-06-26 22) 1 | nb-NO NotifyArticleSubmit lang (2014-06-26 22) 1 | nl-NL NotifyArticleSubmit lang (2014-06-26 22) 1 | pl-PL NotifyArticleSubmit lang (2014-06-26 22) 1 | pt-BR NotifyArticleSubmit lang (2014-06-26 22) 1 | ru-RU NotifyArticleSubmit lang (2014-06-26 22) 1 | sk-SK NotifyArticleSubmit lang (2014-06-26 22) 1 | sl-SI NotifyArticleSubmit lang (2014-06-26 22) 1 | sv-SE NotifyArticleSubmit lang (2014-06-26 22) 1 | tr-TR NotifyArticleSubmit lang (2014-06-26 22) 1 | uk-UA NotifyArticleSubmit lang (2014-06-26 22) 1 | PLG_CONTENT_NOTIFYARTICLESUBMI (2.5.3) 1 | Quickdown (3.55J2) 1 | Content - Image gallery - sigp (1.4.2.14) 1 | plg_editors_codemirror (1.0) 1 | plg_editors_jce (2.5.8) 1 | plg_editors_tinymce (3.5.4.1) 1 | plg_quickicon_jcefilebrowser (2.5.8) 1 | Remository_Audio (3.55J2) 1 | ICAGENDA_PLG_SEARCH (1.4) 1 | Search_Remository (3.55J2) 1 | Akeeba Backup Lazy Scheduling (3.3) 0 | Community Builder System plugi (2.0.10) 1 | System - iCagenda :: Autologin (1.3) 1 | PLG_SYSTEM_IC_LIBRARY (1.2) 1 | plg_system_jce (2.5.8) 1 | System - JCE MediaBox (1.1.25) 1 | System - DISQUS Comments for J (3.2) 1 | System - Maximenu CK Mobile (1.1.18) 0 | System - Maximenu_CK params (4.0.5) 1 | PLG_SYSTEM_NNFRAMEWORK (15.4.5) 1 | PLG_SYSTEM_REREPLACER (5.13.5FREE) 1 | PLG_SYSTEM_WEB357FRAMEWORK (1.1.0) 1 |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) 1 | beez5 (2.5.0) 1 | beez_20 (2.5.0) 1 | suzanne (2.5.0) 1 | suzanne (2.5.0) 1 |
Templates :: ADMIN :: bluestork (2.5.0) 1 | hathor (2.5.0) 1 |

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44029
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hacked site with PHP code injection

Post by Webdongle » Thu Oct 11, 2018 3:54 pm

You need to follow the instructions on viewtopic.php?f=714&t=946026
When you get to step #f ... use the method in viewtopic.php?f=710&t=956702 to update.

If you are unable to follow those instruction then you will need to pay someone to clean and update your site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Locked

Return to “Security in Joomla! 2.5”