Website has been hacked/sabotaged

timbo1
Joomla! Apprentice
Posts: 11
Joined: Wed Jan 11, 2017 1:01 am

Postby timbo1 » Wed Jan 11, 2017 10:21 am

Help please!


When I try and log in to administer my site, I am getting the message "Warning: The app was not configured: Non-zero exit status returned by script." in Plesk when clicking on the Joomla App.

If I go to the Administrator Login, I can log in with the username and password I have been given, but get an "Error 0 - Cannot open file for writing log" message.

The situation is a bit more complicated, of course! The site was created and maintained by a Third Party for one of my clients. The site has apparently been hacked, although I think this was in the past. The site itself works fine, but Google is displaying hacked pages and the legend "this site may have been hacked".

The client has now got me the logon information so that I can take over site maintenance. However, it looks like in between times someone has fiddled with the file structure, causing this Error message.

I am hoping that fixing the error message is a simple fix, probably just a permissions issue.

The site is running on Joomla 3.3.1 (release 2). I have been trying to get the Third Party to update to the latest version, but for some reason he would never do it. Obviously, this will be one of the first things I do once I can get into the site!

Thanks in advance for any help with this.
Last edited by toivo on Wed Jan 11, 2017 3:18 pm, edited 1 time in total.
Reason: mod note: moved to 3.x Security

itoctopus
Joomla! Virtuoso
Posts: 3554
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Postby itoctopus » Wed Jan 11, 2017 3:11 pm

It might be that you have 2 problems there: the site is hacked and you have permission issues on your website (which may have been caused by the hack).

In any case, try posting the FPA (the Forum Post Assistant link, which is in the pink box on the top) results here so we can have a closer look.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

Postby timbo1 » Wed Jan 11, 2017 6:00 pm

Thanks.


I have followed the instructions, but this site is blocking the post of the results from the FPA. I have gone to the unblock link, and at the moment am still awaiting a response.

mandville
Joomla! Master
Posts: 13931
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Postby mandville » Wed Jan 11, 2017 9:24 pm

can you put the fpa in a text file and attach to post
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

Postby timbo1 » Wed Jan 11, 2017 9:32 pm

Thanks Mandville -

Forum Post Assistant (v1.2.7) : 11th January 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.1.5-Stable (Ember) 01-August-2013
Joomla! Platform :: Joomla Platform 12.2.0-Stable (Neil Armstrong) 21-September-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: arbrown (uid: 1/gid: 1) | Group: psacln (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab116.2 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/arbrown-solicitors.co.uk/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.29 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/vhosts/arbrown-solicitors.co.uk/httpdocs/:/tmp/ | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.52-MariaDB (Client:mysqlnd 5.0.8-dev - 20102224 - $Id: 731e5b87ba42146a687c29995d2dfd8b4e40b325 $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 9.51 MiB | #of Tables: 94
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.29) | date (5.3.29) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | session () | standard (5.3.29) | SimpleXML (0.1) | sockets () | exif (1.4 $Id$) | tokenizer (0.1) | xml () | mysqlnd (mysqlnd 5.0.8-dev - 20102224 - $Id: 731e5b87ba42146a687c29995d2dfd8b4e40b325 $) | cgi-fcgi () | XCache (3.2.0) | bcmath () | curl () | dba () | dom (20031129) | enchant (1.1.0) | fileinfo (1.0.5-dev) | gd () | imagick (3.1.2) | imap () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | redis (2.2.5) | soap () | sqlite3 (0.7-dev) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | XCache Cacher (3.2.0) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) |

Elevated Permissions (First 10) :: --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) | --protected-- (777) |
Extensions Discovered :: wrote:Strict Information Privacy was selected. Nothing to display.
Templates Discovered :: wrote:_FPA_STRICT Information Privacy Nothing to display.

All being well, file attached.

Postby timbo1 » Fri Jan 13, 2017 3:29 pm

Hi itoctopus and mandville -


Thanks for your input so far. Do you think you will be able to help, please?

Regards
Tim

Postby mandville » Fri Jan 13, 2017 3:52 pm

ok, with the very limited information that you provided ;
your joomla install is out of date and exploitable
you have incorrect folder permissions

follow these instructions viewtopic.php?f=714&t=757645

Postby timbo1 » Fri Jan 13, 2017 4:00 pm

Thanks Mandville.

Sorry, I am no expert on Joomla, although I guess I will quickly learn! Is there any more information I should be providing? I thought the FPA generated what was needed. I have posted the version of Joomla the site is running - Joomla 3.3.1 (release 2).

I have looked via FTP, and it looks like the configuration.php file has been changed. There is an older copy in a folder which looks like it was created as a backup by the person who may have corrupted the site.

Ideally, I would at least like to get into the site to salvage what I can, even if I have to recreate it in the latest version.

I would appreciate any further comment you can make on this.

Many thanks

Postby mandville » Fri Jan 13, 2017 4:15 pm

you don't need to be an expert as most users find the instructions quite simple.
it is very unusual for a hacker to make a back up copy of the site. you posted the fpa for version 3.1.5 but now you say it was 3.3.1 (the fact they are both exploitable is negated now).
how do you know the config file was changed?
here are the basic step by steps to restoring your site.
Webdongle wrote:
First make a backup of your database
Here is a summary of what you need to do after making a backup.

Before you ask what other users ask. No there is no real alternative ... you need to delete all folders/files.

  1. Uninstall any untrusted 3rd party extensions and Templates https://vel.joomla.org/live-vel
  2. Delete all the files on the server
  3. Scan your computer and all computers that have server or Joomla admin access
  4. Change Passwords
  5. Install Joomla (of the same version) to a new database. Install up to date 3rd party extensions (that are not on the VEL) then edit the configuration.php to connect to the original database. Update Joomla if you have an old version
  6. Change your Joomla SU/Admin Passwords and check the users/groups/access levels are correct and not been tampered with. Update your Joomla And run the fpa again

Step #f is simply installing Joomla and 3rd party extensions to an empty database so you get fresh files. Then connect the files to the database that has your data. That gives you your site back. The rest cleans the site and helps keep it secure.

Full details http://forum.joomla.org/viewtopic.php?f=714&t=757645

Postby timbo1 » Fri Jan 13, 2017 4:25 pm

OK. Thanks.

I have server access through Plesk. That is telling me that the version of Joomla on the site is 3.3.1. So is FPA saying it is actually older than that?

The config file is dated 10 January 2017. No update to the site was authorised or expected by the client. Just happens to coincide with contacting the previous developer...

There is a folder with a very rude name also created around the same time, which has an older config file in it.

When I try and access the back end, I can log in successfully, but I get the message "Error 0 - Cannot open file for writing log", and do not appear to be able to do anything further. I have tried updating the Joomla installation using the option in Plesk, but that just returns the message "Error: Update failed: Non-zero exit status returned by script. "

Postby mandville » Fri Jan 13, 2017 8:26 pm

it gets weirder and weirder.
did you get the admin job after someone left?
i would just follow the steps indicated and if you have questions, please ask before you go ahead and do something.
you can send me the config file by PM if you wish so i can see what has been altered to it.
the default fpa settings do not have such restricted permissions on them. as you can possibly tell from other fpa posts

Webdongle
Joomla! Master
Posts: 31768
Joined: Sat Apr 05, 2008 9:58 pm

Postby Webdongle » Fri Jan 13, 2017 9:17 pm

timbo1 wrote:... I am no expert on Joomla...
You don't need to be a Joomla expert to delete files and set up databases. If you want you can set up localhost and practice installing Joomla and extensions.

The database contains the site. All the files do is put/get data to/from the database and display it in the browser.
  • Deleting the files from the server makes sure the hack files are removed
  • Installing Joomla to a new database gives you fresh Joomla files
  • Installing trusted 3rd party extensions into the new Joomla gives you the 3rd party files (without damaging the original database).
  • Editing the configuration.php (of the new install) to connect to the original database ... gives you the site back.
It really is that simple.

Postby timbo1 » Fri Jan 13, 2017 9:25 pm

Thanks mandville -


Unfortunately, apparently I haven't been a forum member long enough to be allowed to send PMs!

Yes, I have just been given the admin job. I run the server, and am very familiar with designing my own sites in Dreamweaver, and have a fair bit of WordPress knowledge. However, Joomla is new to me, hence I am struggling a bit!

Are you able to PM me so I can reply? I have the files available.

Postby timbo1 » Fri Jan 13, 2017 9:34 pm

In the meantime, I have had a quick look at the two config files. The one glaring difference I can see straight away is that the following line is missing from the file in the root folder:

$_SERVER['DOCUMENT_ROOT'] = "/var/www/vhosts/sitename...
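
Comparing the live configuration.php with the older copy by eye, as in the post above, can miss changed settings. This added example (not part of the thread; the function names, paths and values are constructed) lists every JConfig setting that differs between two files and every statement outside the property list, with secrets masked.

```shell
#!/bin/sh
# Added example, not from the thread: compare two Joomla configuration.php files.

# Classify each line of a configuration.php:
#   "set key=value"  for a JConfig property (public $key = 'value';)
#   "code <line>"    for any other statement; these deserve a manual look
#                    because configuration.php is loaded on every request.
jconfig_lines() {
    awk -v q="'" '
        { sub(/\r$/, "") }                                    # tolerate CRLF
        /^[ \t]*$/                                   { next } # blank line
        /^[ \t]*(<\?php|\?>|[{}])[ \t]*$/            { next } # PHP tags, braces
        /^[ \t]*class[ \t]+JConfig[ \t]*[{]?[ \t]*$/ { next } # class header
        /^[ \t]*(public|var)[ \t]+\$[A-Za-z0-9_]+[ \t]*=/ {
            line = $0
            sub(/^[ \t]*(public|var)[ \t]+\$/, "", line)
            sub(/;[ \t]*$/, "", line)
            eq  = index(line, "=")
            key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr(line, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            c = substr(val, 1, 1)          # strip one pair of matching quotes
            if (length(val) > 1 && (c == q || c == "\"") && substr(val, length(val)) == c)
                val = substr(val, 2, length(val) - 2)
            print "set " key "=" val
            next
        }
        { sub(/^[ \t]+/, ""); print "code " $0 }
    ' "$1"
}

# jconfig_diff OLD NEW: report settings and statements that differ.
# Values of credential settings are never printed, only the fact of a change.
jconfig_diff() {
    _old=$(mktemp) || return 1
    _new=$(mktemp) || return 1
    jconfig_lines "$1" > "$_old"
    jconfig_lines "$2" > "$_new"
    awk '
        function mask(k, v) {
            return (k ~ /^(password|secret|ftp_pass|smtppass)$/) ? "<hidden>" : v
        }
        {
            first = (FILENAME == ARGV[1])
            if ($1 == "code") {
                if (first) oldcode[substr($0, 6)] = 1; else newcode[substr($0, 6)] = 1
                next
            }
            kv = substr($0, 5); eq = index(kv, "=")
            k = substr(kv, 1, eq - 1); v = substr(kv, eq + 1)
            if (first) old[k] = v; else cur[k] = v
        }
        END {
            for (k in old) {
                if (!(k in cur)) print "removed " k "=" mask(k, old[k])
                else if (old[k] != cur[k])
                    print "changed " k ": " mask(k, old[k]) " -> " mask(k, cur[k])
            }
            for (k in cur) if (!(k in old)) print "added " k "=" mask(k, cur[k])
            for (s in oldcode) if (!(s in newcode)) print "code-removed " s
            for (s in newcode) if (!(s in oldcode)) print "code-added " s
        }
    ' "$_old" "$_new" | sort
    rm -f "$_old" "$_new"
}

# Constructed sample files: an older backup copy and a modified live copy.
make_sample_configs() {
    mkdir -p "$1/backup"
    cat > "$1/backup/configuration.php" <<'EOF'
<?php
$_SERVER['DOCUMENT_ROOT'] = "/var/www/vhosts/example.invalid/httpdocs";
class JConfig {
    public $offline = '0';
    public $host = 'localhost';
    public $user = 'site_user';
    public $password = 'old-constructed-pw';
    public $db = 'site_db';
    public $log_path = '/var/www/vhosts/example.invalid/httpdocs/logs';
    public $tmp_path = '/var/www/vhosts/example.invalid/httpdocs/tmp';
}
EOF
    sed -e '/DOCUMENT_ROOT/d' \
        -e 's/old-constructed-pw/new-constructed-pw/' \
        -e "s|\(log_path = '\).*';|\1/logs';|" \
        "$1/backup/configuration.php" > "$1/configuration.php"
}

# Demo on the constructed files; on a real site pass the two real paths.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
jconfig_diff "$demo_dir/backup/configuration.php" "$demo_dir/configuration.php"
rm -rf "$demo_dir"
```

Run it against copies of the files downloaded from the server rather than on the live host, and treat any `code-added` line as something to read in full before the file is reused.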

Postby timbo1 » Sat Jan 14, 2017 10:54 pm

OK. Sorry if I am being thick.

Is the template also stored in the database? I have looked online, and the template used is no longer available. :(

Am I able to download the database onto my computer using localhost on my computer, delete everything in the httpsdocs folders on the server and reupload?

Any help would be appreciated.

AMurray
Joomla! Hero
Posts: 2061
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Postby AMurray » Sun Jan 15, 2017 12:42 am

Am I able to download the database onto my computer using localhost on my computer, delete everything in the httpsdocs folders on the server and reupload?

You can transfer your site live host > localhost with Akeeba Backup (which backs up entire site - files and database), and a utility called Akeeba Kickstart.

Kickstart unpacks the archive file, and restores the Joomla files to whatever location you put it in. Then it runs an installation/restoration script to restore your database, returning the site to working order. See https://www.akeebabackup.com/products/a ... ackup.html and https://www.akeebabackup.com/products/a ... start.html.

Work on your site on the localhost, then backup & restore the same method as above from localhost to the live server (once you remove all the other files).

The alternative to the Akeeba method is to simply FTP/transfer the files from server to local PC and then backup the database with phpMyAdmin, and restore the same on the local side.

Note: you need to be running a local web server on your PC for all the above to work. Such servers would include XAMPP or WAMPServer among others.

Is the template also stored in the database? I have looked online, and the template used is no longer available

The template's settings/configuration is probably in the database, but the template files themselves (the PHP, HTML, Javascript, image files) are located in the following folder:

/templates/[your-site-template] folder.

For example, if you browse to that folder you can see 'protostar' and 'beez3' which are two default templates that come with the Joomla core system. Additionally you should see a folder there for the template your site uses.
Regards,
--------------------------------------------------------------
A Murray

Postby timbo1 » Sun Jan 15, 2017 9:11 am

Thank you AMurray -


I shall give that a go.

I am still struggling with signing in to the back end. I have looked at other forum questions on a similar subject (the error 0 message). The file paths look correct, as do the file permissions. What else could cause this? Will I still have the same problem if I bring the site offline?


Cheers

Postby Webdongle » Sun Jan 15, 2017 11:42 am

AMurray wrote:...
You can transfer your site live host > localhost with Akeeba Backup (which backs up entire site - files and database), and a utility called Akeeba Kickstart....
Not advisable when your site has been hacked !!!

Best option
  1. On the server
    1. Uninstall all untrusted 3rd party files (and the custom Template that you can not get new files for)
  2. On localhost
    1. Install Joomla of the same version
    2. Download and install the trusted 3rd party extensions

You now have:
A live database with the Tables for Joomla and the trusted 3rd party Templates on the server
and
Fresh/clean files on your localhost

Export/import the live database to a new database on localhost and edit the configuration.php to connect to the new database. (On localhost it's just a matter of editing the database name in the configuration.php).

The custom Template files could be transferred from the site to localhost and reinstalled into the database ... but there is a big problem with that. As you are unable to get an updated copy of the Template then it would be impracticable to use the old one. Following the instructions and then finding a new Template is (imho) your best and quickest option.

The Template only differs from a HTML file in that it has variables instead of text. The variables are defined in the Template's .xml file and the values are defined in the database by the choices made in Joomla admin (module positions etc.).

abernyte
Joomla! Virtuoso
Posts: 3430
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Postby abernyte » Sun Jan 15, 2017 11:55 am

Using a localhost might be a non starter unless you get one that supports MariaDB as that seems to be what you are running in the live site. Xampp has a version which does but I am not sure about WAMP.
Your issues may be ownership rather than permissions, although the files and folder permissions are all wrong.
If you are the server admin then fixing that should be a breeze without the site admin access working. directories 755, files 644 and ideally you don't want the files owned by Apache user unless you are running SuExec or PHP-FPM, local user would be best.

If you are hacked then the safe route to recovery given is the only safe option.
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. Twain
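
The baseline given in the post above (directories 755, files 644, files owned by the local user) can be checked from a shell before anything is changed. This is an added example, not from the thread; the function names and the sample tree are constructed, and `changed_since` goes one step further by listing files modified after a reference file.

```shell
#!/bin/sh
# Added example, not from the thread: audit a docroot against the
# "directories 755, files 644, owned by the local user" baseline.

# Report every entry that deviates from the baseline, one finding per line.
# A configuration.php left at 444 is stricter than the baseline; it is listed
# for review, not because read-only is unsafe.
audit_modes() {
    find "$1" -type d ! -perm 755 -print | sed 's|^|dir-not-755 |'
    find "$1" -type f ! -perm 644 -print | sed 's|^|file-not-644 |'
    # World-writable entries can be written by any account on a shared host.
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sed 's|^|world-writable |'
}

# Report entries not owned by the expected account (user name or numeric uid).
audit_owner() {
    find "$1" ! -user "$2" -print | sed 's|^|wrong-owner |'
}

# List files modified more recently than a reference file, for example a
# file known to date from before the unexpected change.
changed_since() {
    find "$1" -type f -newer "$2" -print | sed 's|^|changed |'
}

# Apply the 755/644 baseline. Save the audit output first: it is evidence
# of the state the site was found in.
fix_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree: 777 cache directories, a read-only
# configuration.php touched on a later date, and a reference file.
make_sample_tree() {
    root="$1/httpdocs"
    mkdir -p "$root/cache/supercache/4/0" "$root/logs" "$root/images"
    for f in index.php configuration.php images/logo.png; do
        : > "$root/$f"
    done
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -exec touch -t 201308010000 {} +
    chmod 777 "$root/cache/supercache/4" "$root/cache/supercache/4/0"
    chmod 444 "$root/configuration.php"
    touch -t 201701101200 "$root/configuration.php"
    : > "$1/reference"
    touch -t 201701090000 "$1/reference"
}

# Demo on the constructed tree; on a real server pass the real docroot.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_modes "$demo_dir/httpdocs"
audit_owner "$demo_dir/httpdocs" "$(id -u)"
changed_since "$demo_dir/httpdocs" "$demo_dir/reference"
rm -rf "$demo_dir"
```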

Postby mandville » Sun Jan 15, 2017 12:25 pm

i would ask that you redo the fpa with the default settings, not the paranoid security setting so we can see the folders and extension names etc.

Postby timbo1 » Sun Jan 15, 2017 2:28 pm

Thank you all. Really appreciate your help.

Full fpa attached:

Postby Webdongle » Sun Jan 15, 2017 4:28 pm

Forum Post Assistant (v1.2.7) : 15th January 2017 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.1.5-Stable (Ember) 01-August-2013
Joomla! Platform :: Joomla Platform 12.2.0-Stable (Neil Armstrong) 21-September-2012
Joomla! Configured :: Yes | Writable (644) | Owner: arbrown (uid: 1/gid: 1) | Group: psacln (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab116.2 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/arbrown-solicitors.co.uk/httpdocs | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.29 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /var/www/vhosts/arbrown-solicitors.co.uk/httpdocs/:/tmp/ | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.52-MariaDB (Client:mysqlnd 5.0.8-dev - 20102224 - $Id: 731e5b87ba42146a687c29995d2dfd8b4e40b325 $) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 11.59 MiB | #of Tables: 94
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.29) | date (5.3.29) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | pcntl () | readline () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | session () | standard (5.3.29) | SimpleXML (0.1) | sockets () | exif (1.4 $Id$) | tokenizer (0.1) | xml () | mysqlnd (mysqlnd 5.0.8-dev - 20102224 - $Id: 731e5b87ba42146a687c29995d2dfd8b4e40b325 $) | cgi-fcgi () | XCache (3.2.0) | bcmath () | curl () | dba () | dom (20031129) | enchant (1.1.0) | fileinfo (1.0.5-dev) | gd () | imagick (3.1.2) | imap () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | redis (2.2.5) | soap () | sqlite3 (0.7-dev) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | XCache Cacher (3.2.0) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: cache/supercache/4/ (777) | cache/supercache/4/0/ (777) | cache/supercache/4/2/ (777) | cache/supercache/4/3/ (777) | cache/supercache/4/4/ (777) | cache/supercache/4/5/ (777) | cache/supercache/4/b/ (777) | cache/supercache/4/c/ (777) | cache/supercache/4/e/ (777) | cache/supercache/4/f/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | WF_POPUPS_WINDOW_TITLE (2.3.3.2) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.3.2) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.3.2) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.3.2) | [youtube] (2.3.3.2) | WF_AGGREGATOR_VIMEO_TITLE (2.3.3.2) | WF_AGGREGATOR_VINE_TITLE (2.3.3.2) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.3.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.3.2) | WF_LINK_SEARCH_TITLE (2.3.3.2) | WF_CHARMAP_TITLE (2.3.3.2) | WF_CLEANUP_TITLE (2.3.3.2) | WF_CLIPBOARD_TITLE (2.3.3.2) | WF_TEXTCASE_TITLE (2.3.3.2) | WF_ANCHOR_TITLE (2.3.3.2) | [Do not buy our kitchens!] (2.3.3.2) | WF_PREVIEW_TITLE (2.3.3.2) | WF_MEDIA_TITLE (2.3.3.2) | WF_ARTICLE_TITLE (2.3.3.2) | WF_DIRECTIONALITY_TITLE (2.3.3.2) | WF_IMGMANAGER_TITLE (2.3.3.2) | WF_VISUALBLOCKS_TITLE (2.3.3.2) | WF_LINK_TITLE (2.3.3.2) | WF_STYLE_TITLE (2.3.3.2) | WF_PRINT_TITLE (2.3.3.2) | WF_TABLE_TITLE (2.3.3.2) | WF_NONBREAKING_TITLE (2.3.3.2) | WF_SEARCHREPLACE_TITLE (2.3.3.2) | WF_VISUALCHARS_TITLE (2.3.3.2) | WF_CONTEXTMENU_TITLE (2.3.3.2) | WF_BROWSER_TITLE (2.3.3.2) | WF_XHTMLXTRAS_TITLE (2.3.3.2) | WF_LISTS_TITLE (2.3.3.2) | WF_FULLSCREEN_TITLE (2.3.3.2) | WF_SOURCE_TITLE (2.3.3.2) | WF_LAYER_TITLE (2.3.3.2) | WF_INLINEPOPUPS_TITLE (2.3.3.2) | WF_AUTOSAVE_TITLE (2.3.3.2) | WF_SPELLCHECKER_TITLE (2.3.3.2) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_messages (3.0.0) | com_admin (3.0.0) | com_search (3.0.0) | com_config (3.0.0) | com_banners (3.0.0) | com_jhackguard (2.0.2) | com_cpanel (3.0.0) | com_profiles (1.5.0) | Akeeba (3.7.10) | com_media (3.0.0) | com_weblinks (3.0.0) | com_finder (3.0.0) | com_content (3.0.0) | com_modules (3.0.0) | com_menus (3.0.0) | com_languages (3.0.0) | com_templates (3.0.0) | com_xmap (2.3.3) | com_installer (3.0.0) | com_tags (3.1.0) | com_checkin (3.0.0) | com_login (3.0.0) | com_categories (3.0.0) | Unknown (-) | JCE (2.3.3.2) | com_redirect (3.0.0) | com_newsfeeds (3.0.0) | com_users (3.0.0) | Admintools (2.5.8) | com_plugins (3.0.0) | com_cache (3.0.0) | com_joomlaupdate (3.0.0) | eXtplorer (2.1.3) |

Modules :: SITE :: mod_articles_latest (3.0.0) | mod_languages (3.0.0) | mod_articles_categories (3.0.0) | mod_tags_popular (3.1.0) | mod_banners (3.0.0) | mod_weblinks (3.0.0) | mod_articles_category (3.0.0) | mod_breadcrumbs (3.0.0) | mod_tags_similar (3.1.0) | mod_syndicate (3.0.0) | mod_users_latest (3.0.0) | mod_articles_popular (3.0.0) | mod_feed (3.0.0) | mod_custom (3.0.0) | mod_wrapper (3.0.0) | mod_menu (3.0.0) | mod_related_items (3.0.0) | mod_articles_archive (3.0.0) | supersized2 (2) | mod_random_image (3.0.0) | mod_login (3.0.0) | mod_articles_news (3.0.0) | mod_finder (3.0.0) | mod_search (3.0.0) | mod_whosonline (3.0.0) | simple google map (1.0) | mod_footer (3.0.0) | mod_stats (3.0.0) |
Modules :: ADMIN :: mod_quickicon (3.0.0) | mod_latest (3.0.0) | mod_stats_admin (3.0.0) | mod_status (3.0.0) | mod_popular (3.0.0) | mod_multilangstatus (3.0.0) | mod_feed (3.0.0) | mod_custom (3.0.0) | mod_menu (3.0.0) | mod_toolbar (3.0.0) | mod_logged (3.0.0) | mod_login (3.0.0) | mod_submenu (3.0.0) | mod_version (3.0.0) | mod_title (3.0.0) |

Plugins :: SITE :: plg_extension_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_system_redirect (3.0.0) | plg_system_p3p (3.0.0) | plg_system_highlight (3.0.0) | plg_system_remember (3.0.0) | System - Autologin (2.5.1) | plg_system_sef (3.0.0) | System - Admin Tools (2.5.8) | plg_system_languagecode (3.0.0) | plg_system_cache (3.0.0) | plg_system_debug (3.0.0) | JHackGuard Plugin (2.0.3) | plg_system_log (3.0.0) | plg_system_logout (3.0.0) | System - Google Maps (3.1) | plg_system_languagefilter (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_readmore (3.0.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_captcha_recaptcha (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_joomla (3.0.0) | plg_editors_jce (2.3.3.2) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.6) | Xmap - SobiPro Plugin (2.0.2) | Xmap - WebLinks Plugin (2.0.1) | Xmap - Content Plugin (2.0.4) | Xmap - Kunena Plugin (2.0.3) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.1) | XMAP_PLUGIN_K2 (1.3) | plg_content_emailcloak (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_joomla (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_vote (3.0.0) | plg_content_finder (3.0.0) | Content - XTypo (3.0.1) | plg_finder_categories (3.0.0) | plg_finder_weblinks (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_content (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_jcefilebrowser (2.3.3.2) | plg_search_categories (3.0.0) | plg_search_weblinks (3.0.0) | plg_search_contacts (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: full_screen_4 (4.0) | beez3 (3.1.0) | protostar (1.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |

Postby abernyte » Sun Jan 15, 2017 5:14 pm

There are a lot of out of date extensions in there and one which is abandoned. It probably hasn't been touched since going live. J3.1.5 was 2013 which looks about right.
I think I would rebuild from here.

Postby Webdongle » Sun Jan 15, 2017 5:47 pm

Download Joomla! 3.5.1 Full Package (.zip) from https://downloads.joomla.org/cms/joomla3/3-5-1 and rebuild as described in previous posts

Postby abernyte » Sun Jan 15, 2017 6:15 pm

Site components
[Do not buy our [Do not buy our kitchens!]!] (2.3.3.2)


I would say you are hacked.

Postby mandville » Sun Jan 15, 2017 7:42 pm

abernyte wrote:Site components
[Do not buy our [Do not buy our [Do not buy our kitchens!]!]!] (2.3.3.2)


I would say you are hacked.
that is the forum antispam measure replacing the name of a jce component. however the site has enough issues to say that it is, or just in a total state

Postby abernyte » Mon Jan 16, 2017 8:46 am

Well that's confusing! Talk about cryptic error messages. Caught me anyway. @ mandville, thanks for pointing that one out.