School Site Hacked

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, PhilD, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
nabberuk
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Mon May 12, 2014 12:38 pm

School Site Hacked

Postby nabberuk » Mon Dec 04, 2017 9:10 am

We have a site that keeps getting hacked, we've restored it 3 times now but it keeps getting hacked again. When browsing around the site popups appears.

All modules are up to date other than DPCalendar Professional which won't update.

We've installed Security Suite which logs IPs trying to scan the site for vulnerabilities and then added the IPs to the htaccess file.

I'm now lost on what else we can do?

User avatar
AMurray
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3009
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: School Site Hacked

Postby AMurray » Mon Dec 04, 2017 10:12 am

I would suspect that if the hack is repeated, then you are restoring files that contain the hacked files. The minimum joomla version for DPCalendar Professional is 3.7.x - What version (of Joomla) are you running? If older than 3.8.2 then that could also explain the repeated attacks.

https://extensions.joomla.org/extension ... pcalendar/

Can you not download DP Calendar Professional and update through extension manager (or renew the subscription so that the auto-update occurs?) What other issues are there preventing that update? How out of date is it? The latest release DPCalendar Professional on the JED is 6.1.5 (released date 24/11/2017).

How are you doing the restore of the website; are you using Akeeba Backup and Kickstart (by far the easiest method).

Suggest signing up to the myjoomla.com service which can audit your site, and find vulnerable extensions or problems with the Joomla core. Note it has a cost involved but only a few GBP per month.

I assume also you have read, and/or tried the advice contained here: Recover from a hack
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1372
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: School Site Hacked

Postby fcoulter » Mon Dec 04, 2017 11:56 am

When your site is hacked it is quite common for the hacker to leave behind a "back door" disguised as a legitimate file, which gives them continued access to your site. If you are just removing the visible signs of the hack then it is likely that you are leaving the back door in place. If you are restoring from a backup then is it likely that the back door is also in the backup.

The solution is to remove all files as in webdongle's advice, and rebuild the site using clean files. It may seem a lot of work, but it will probably save you more work in the long run.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 33717
Joined: Sat Apr 05, 2008 9:58 pm

Re: School Site Hacked

Postby Webdongle » Mon Dec 04, 2017 3:16 pm


nabberuk
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Mon May 12, 2014 12:38 pm

Re: School Site Hacked

Postby nabberuk » Thu Dec 07, 2017 8:33 am

We've been hacked yet again, the URL is parklandprimary.co.uk and as you can see there are popups. We recently paid for the admin tools addon, seems like it didn't do it's job.

nabberuk
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Mon May 12, 2014 12:38 pm

Re: School Site Hacked

Postby nabberuk » Thu Dec 07, 2017 9:34 am

oddly, there was a htaccess file above public_html forcing the site to use php5.6.

Is there any tool out there that will scan files to see if they have been changed from the originals. Admin tools scans for changes but i they have been changed prior to installing that it won't help much

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 33717
Joined: Sat Apr 05, 2008 9:58 pm

Re: School Site Hacked

Postby Webdongle » Thu Dec 07, 2017 9:53 am

nabberuk wrote:We've been hacked yet again
Told you so.


nabberuk wrote:We recently paid for the admin tools addon, seems like it didn't do it's job.
That is not designed to clean hacked sites.



Is there any tool out there that will scan files to see if they have been changed from the originals.
yes but it needs experienced users to understand the results.

You can pay someone to clean your site or you can follow the instructions on viewtopic.php?f=714&t=946026 . If you have an old site please see viewtopic.php?f=710&t=956702

User avatar
JAVesey
Joomla! Ace
Joomla! Ace
Posts: 1414
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: School Site Hacked

Postby JAVesey » Thu Dec 07, 2017 8:37 pm

If you haven't done so already, submit your site for a scan/audit at myjoomla.com; the first use is free. This will tell you what's wrong and give you some pointers as to the underlying cause. There's nothing better than this service for a potentially hacked Joomla site IMHO.
John V
Cardiff, Wales, UK
Website: http://www.llanmon.org.uk (Joomla 3.8.3)

DavidBoggitt
Joomla! Guru
Joomla! Guru
Posts: 762
Joined: Wed Jan 09, 2008 9:16 pm
Contact:

Re: School Site Hacked

Postby DavidBoggitt » Thu Dec 07, 2017 10:23 pm

Second the above. It's worth paying Phil to fix it, rather than the time and anguish spent...!
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.


Return to “Security in Joomla! 3.x”

Who is online

Users browsing this forum: No registered users and 2 guests