Hacked - Welcome To Our Shell - [redacted]

Discussion regarding Joomla! 3.x security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
Topknotch
Joomla! Apprentice
Joomla! Apprentice
Posts: 45
Joined: Tue Mar 29, 2011 6:28 pm

Hacked - Welcome To Our Shell - [redacted]

Post by Topknotch » Sat Jan 06, 2018 11:50 am

Hi,

I have 2 sites both running joomla 3.82 and google sent this message -
Hacked content detected on http://www.***.co.uk/

To webmaster of http://www.***.co.uk/,

Google has detected that your site has been hacked by a third party who created malicious, unexpected or harmful content on some of your pages. This issue affects your site’s reputation by showing the hacked content on your site or in search results. We recommend you remove the hacked content from your site as soon as possible. Once removed, our system will automatically reflect these changes as we update our index.

Following are some example URLs. Review them to gain a better sense of where this hacked content appears, and how it may have been placed on your website. The list is not exhaustive.
http://www.***.co.uk/Mm4tNDk1MDMtbmYvODc3MS1mNA==.amm

http://www.***.co.uk/NTQxay0xNzc3LTQxay05NTkxLTFrczQ=.gov

http://www.***.co.uk/NXc3LTIxMzI3L3c3LzM1MS03d2I4cA==.tech
I can see that numerous .php files have been uploaded to the root, one of them shows - welcome to shell - and shows sites files.

Is there a way I can fix this please?
Many thanks
Last edited by mandville on Sat Jan 06, 2018 12:16 pm, edited 1 time in total.
Reason: removed kudos - dont promote the hacker
Top
User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Hacked - Welcome To Our Shell - [redacted]

Post by mandville » Sat Jan 06, 2018 12:30 pm

try doing this viewtopic.php?f=714&t=793531
and

viewtopic.php?f=714&t=946026
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Top
Topknotch
Joomla! Apprentice
Joomla! Apprentice
Posts: 45
Joined: Tue Mar 29, 2011 6:28 pm

Re: Hacked - Welcome To Our Shell - [redacted]

Post by Topknotch » Mon Jan 15, 2018 10:32 am

Hi,
I have 3 of these attacks now. All on different websites. 1 thing they do have in common though is they all use smartslider 2.
Forum Post Assistant (v1.3.9) : 15th January 2018 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.8.3-Stable (Amani) 12-December-2017
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.8
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: 0 | FTP Layer: 0 | Proxy: 0 | LiveSite: | Session lifetime: 60 | Session handler: database | Shared sessions: 0 | SSL: 0 | FrontEdit: 1 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | dbConnection Type: mysqli | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-673.8.1.lve1.4.3.1.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 59.22 GiB |

PHP Configuration :: Version: 7.0.27 | PHP API: cgi-fcgi | Session Path Writable: No | Display Errors: 1 | Error Reporting: | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 8M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.58-cll (Client:5.5.58) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 12.74 MiB | #of Tables:  196
Detailed Environment :: wrote:PHP Extensions :: Core (7.0.27) | date (7.0.27) | libxml (7.0.27) | openssl (7.0.27) | pcre (7.0.27) | sqlite3 (7.0.27) | zlib (7.0.27) | bz2 (7.0.27) | calendar (7.0.27) | ctype (7.0.27) | curl (7.0.27) | hash (1.0) | filter (7.0.27) | ftp (7.0.27) | gettext (7.0.27) | gmp (7.0.27) | SPL (7.0.27) | iconv (7.0.27) | pcntl (7.0.27) | readline (7.0.27) | Reflection (7.0.27) | session (7.0.27) | standard (7.0.27) | shmop (7.0.27) | SimpleXML (7.0.27) | mbstring (7.0.27) | tokenizer (7.0.27) | xml (7.0.27) | cgi-fcgi () | bcmath (7.0.27) | dom (20031129) | fileinfo (1.0.5) | gd (7.0.27) | imap (7.0.27) | json (1.4.0) | exif (7.0.27) | mcrypt (7.0.27) | mysqli (7.0.27) | mysqlnd (mysqlnd 5.0.12-dev - 20150407 - $Id: b5c5906d452ec590732a93b051f3827e02749b83 $) | PDO (7.0.27) | pdo_mysql (7.0.27) | pdo_sqlite (7.0.27) | Phar (2.0.2) | posix (7.0.27) | soap (7.0.27) | sockets (7.0.27) | tidy (7.0.27) | wddx (7.0.27) | xmlreader (7.0.27) | xmlrpc (7.0.27) | xmlwriter (7.0.27) | xsl (7.0.27) | zip (1.13.5) | Zend Engine (3.0.0) |
Potential Missing Extensions :: mysql | suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 1852498 | Threads: 5 | Questions: 715918968 | Slow queries: 159 | Opens: 12918268 | Flush tables: 1 | Open tables: 384 | Queries per second avg: 386.461 |
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 | WF_LAYER_TITLE (2.6.12) 1 | WF_LISTS_TITLE (2.6.12) 1 | WF_NONBREAKING_TITLE (2.6.12) 1 | WF_CLEANUP_TITLE (2.6.12) 1 | WF_HR_TITLE (2.6.12) 1 | WF_FULLSCREEN_TITLE (2.6.12) 1 | WF_ANCHOR_TITLE (2.6.12) 1 | WF_FORMATSELECT_TITLE (2.6.12) 1 | WF_PREVIEW_TITLE (2.6.12) 1 | WF_VISUALCHARS_TITLE (2.6.12) 1 | WF_TEXTCASE_TITLE (2.6.12) 1 | WF_CHARMAP_TITLE (2.6.12) 1 | WF_VISUALBLOCKS_TITLE (2.6.12) 1 | WF_FONTSELECT_TITLE (2.6.12) 1 | WF_IMGMANAGER_TITLE (2.6.12) 1 | WF_BROWSER_TITLE (2.6.12) 1 | WF_SEARCHREPLACE_TITLE (2.6.12) 1 | WF_LINK_TITLE (2.6.12) 1 | WF_CONTEXTMENU_TITLE (2.6.12) 1 | WF_SPELLCHECKER_TITLE (2.6.12) 1 | WF_DIRECTIONALITY_TITLE (2.6.12) 1 | WF_PRINT_TITLE (2.6.12) 1 | WF_TABLE_TITLE (2.6.12) 1 | WF_MEDIA_TITLE (2.6.12) 1 | WF_XHTMLXTRAS_TITLE (2.6.12) 1 | WF_KITCHENSINK_TITLE (2.6.12) 1 | WF_INLINEPOPUPS_TITLE (2.6.12) 1 | WF_SOURCE_TITLE (2.6.12) 1 | WF_STYLE_TITLE (2.6.12) 1 | WF_EMOTIONS_TITLE (2.6.12) 1 | WF_STYLESELECT_TITLE (2.6.12) 1 | WF_FONTSIZESELECT_TITLE (2.6.12) 1 | WF_FONTCOLOR_TITLE (2.6.12) 1 | WF_AUTOSAVE_TITLE (2.6.12) 1 | WF_CLIPBOARD_TITLE (2.6.12) 1 | WF_ARTICLE_TITLE (2.6.12) 1 | WF_LINKS_JOOMLALINKS_TITLE (2.6.12) 1 | WF_POPUPS_WINDOW_TITLE (2.6.12) 1 | WF_POPUPS_JCEMEDIABOX_TITLE (2.6.12) 1 | WF_LINK_SEARCH_TITLE (2.6.12) 1 | WF_AGGREGATOR_VIMEO_TITLE (2.6.12) 1 | WF_AGGREGATOR_[youtube]_TITLE (2.6.12) 1 | WF_AGGREGATOR_DAILYMOTION_TITL (2.6.12) 1 | WF_AGGREGATOR_VINE_TITLE (2.6.12) 1 | WF_FILESYSTEM_JOOMLA_TITLE (2.6.12) 1 |
Components :: ADMIN :: com_languages (3.0.0) 1 | VirtueMart_allinone (-) 1 | VirtueMart_allinone (-) 1 | Realex (2.9.9) 1 | plg_vm_route (2.5.0) 1 | Responsivizer (2.2) 1 | com_media (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_login (3.0.0) 1 | com_installer (3.0.0) 1 | com_messages (3.0.0) 1 | com_banners (3.0.0) 1 | com_contenthistory (3.2.0) 1 | Quickicon - VM Inventory (0.0.1) 1 | COM_VMINVENTORY (3.7.0) 1 | com_menus (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_joomlaupdate (3.6.2) 1 | com_users (3.0.0) 1 | COM_JCE (2.6.12) 1 | Smart Slider 2 (2.3.10) 1 | Akeeba (5.3.4) 1 | com_plugins (3.0.0) 1 | tcpdf (1.0.0) 1 | tcpdf (1.0.2) 1 | com_fields (3.7.0) 1 | com_weblinks (3.5.0) 1 | VIRTUEMART (-) 1 | ECB Currency Converter (1.0) 1 | nextend_installer (1.0) 1 | com_search (3.0.0) 1 | com_admin (3.0.0) 1 | COM_B2JCONTACT (2.0) 1 | com_profiles (1.0.0) 1 | COM_FOXCONTACT (3.4.4) 1 | com_tags (3.1.0) 1 | com_finder (3.0.0) 1 | com_checkin (3.0.0) 1 | sh404SEF (4.6.0.2718) 1 | plg_installer_sh404sef (4.6.0.2718) 1 | sh404sef - Analytics plugin (4.6.0.2718) 1 | sh404sef - Similar urls plugin (4.6.0.2718) 1 | sh404sef - Offline code plugin (4.6.0.2718) 1 | PLG_SH404SEFCORE_SH404SEFSOCIA (4.6.0.2718) 1 | plg_system_shlib (0.2.11.388) 1 | sh404sef - System mobile templ (4.6.0.2718) 1 | sh404sef - System plugin (4.6.0.2718) 1 | sh404sef - Default component s (4.6.0.2718) 1 | COM_RSMONIALS (2.2) 1 | com_redirect (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_associations (3.7.0) 1 | com_modules (3.0.0) 1 | com_categories (3.0.0) 1 | com_config (3.0.0) 1 | com_ajax (3.2.0) 1 | com_content (3.0.0) 1 | com_templates (3.0.0) 1 | Admintools (4.1.3) 1 | com_cache (3.0.0) 1 |

Modules :: SITE :: mod_feed (3.0.0) 1 | mod_virtuemart_category (3.0.18) 1 | mod_virtuemart_manufacturer (3.0.18) 1 | mod_menu (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_jux_vm_megamenu (2.0.4) 1 | mod_login (3.0.0) 1 | Responsivizer slideshow (2.2) 1 | B2J Contact (2.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_popular (3.0.0) 1 | mod_virtuemart_search (3.0.18) 1 | mod_syndicate (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_footer (3.0.0) 1 | Responsive Module Rerouter (1.2) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_banners (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_search (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_virtuemart_cart (3.0.18) 1 | mod_articles_archive (3.0.0) 1 | mod_virtuemart_product (3.0.18) 1 | mod_tags_similar (3.1.0) 1 | mod_virtuemart_currencies (3.0.18) 1 | mod_articles_latest (3.0.0) 1 | Responsivizer mobile switcher (2.2) 1 | mod_custom (3.0.0) 1 | mod_weblinks (3.5.0) 1 | mod_finder (3.0.0) 1 | mod_related_items (3.0.0) 1 | Smart Slider 2 (2.3.0) 1 | MOD_FOXCONTACT (3.4.4) 1 |
Modules :: ADMIN :: mod_feed (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_login (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_version (3.0.0) 1 | mod_title (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_status (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | VirtueMart Administrator Menu (3.0.18) 1 | mod_sampledata (3.8.0) 0 | mod_custom (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_latest (3.0.0) 1 |

Plugins :: SITE :: plg_finder_newsfeeds (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_weblinks (3.5.0) 1 | plg_finder_categories (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | PLG_EDITORS-XTD_MODULESANYWHER (3.6.4FREE) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_article (3.0.0) 1 | Nextend Smart Slider Widget: T (1.0.0) 1 | Nextend Smart Slider Widget: T (1.0.0) 1 | Nextend Smart Slider Widget: T (1.0.0) 1 | By weight, ZIP and countries (3.0.18) 1 | VMSHIPMENT_RULES (5.4) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_sh404sef (4.6.0.2718) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | plg_installer_jce (2.6.12) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | Nextend Smart Slider Simple Ty (1.0.0) 1 | Nextend Smart Slider Horizonta (1.0.0) 1 | Nextend Smart Slider Showcase (1.0.0) 1 | Nextend Smart Slider Full Page (1.0.0) 1 | Nextend Smart Slider Vertical (1.0.0) 1 | Realex_hpp_api (3.0.18) 1 | plg_editors_codemirror (5.30.0) 1 | plg_editors_tinymce (4.5.8) 1 | plg_editors_jce (2.6.12) 1 | Nextend Smart Slider Widget: A (1.0.0) 1 | Nextend Smart Slider Widget: A (1.0.0) 1 | Nextend Smart Slider Widget: S (1.0.0) 1 | Nextend Smart Slider Widget: H (1.0.0) 1 | Nextend Smart Slider Widget: I (1.0.0) 1 | Nextend Smart Slider Widget: T (1.0.0) 1 | Nextend Smart Slider Widget: B (1.0.0) 1 | Nextend Smart Slider Widget: B (1.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | Search - VirtueMart (3.0.18) 1 | plg_search_content (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_weblinks (3.5.0) 1 | plg_search_categories (3.0.0) 1 | Nextend Smart Slider Widget: H (1.0.0) 1 | Authorize.net AIM (3.0.18) 1 | Sofort Ideal (3.0.18) 1 | VM Payment - klikandpay (Beta1) 1 | 2Checkout (0.1) 1 | VM Payment - Paybox (3.0.18) 0 | Klarna Checkout (3.0.18) 1 | Klarna (3.0.18) 1 | realex_hpp_api (3.0.18) 1 | Skrill (3.0.18) 1 | PayPal (3.0.18) 1 | AMAZON (3.0.18) 1 | Sofort (3.0.18) 1 | Standard (3.0.18) 1 | Heidelpay (3.0.0) 1 | sh404sef - Analytics plugin (4.6.0.2718) 1 | sh404sef - Similar urls plugin (4.6.0.2718) 1 | sh404sef - Offline code plugin (4.6.0.2718) 1 | PLG_SH404SEFCORE_SH404SEFSOCIA (4.6.0.2718) 1 | plg_user_contactcreator
Last edited by fcoulter on Mon Jan 15, 2018 11:32 am, edited 1 time in total.
Reason: edited to make the fpa post readable
Top
User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2631
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:
Contact JAVesey

Re: Hacked - Welcome To Our Shell - [redacted]

Post by JAVesey » Tue Jan 16, 2018 9:36 am

You have outdated extensions:

Smartslider 2.3.10 --> current version 3.2.8
AdminTools 4.1.3 --> current version 4.3.1
Modules Anywhere: 3.6.4 (free) --> current version 7.4.0

Looks like there will be others.

You are not keeping your site's code/extensions up to date. This will help keep your site secure.

See the sticky-posts at the top of the Forum about cleaning your site(s). Also, consider submitting for a (free initial) audit/scan at myjoomla.com; this will help you understand your situation more fully.
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
Top
User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:
Contact leolam

Re: Hacked - Welcome To Our Shell - [redacted]

Post by leolam » Thu Jan 18, 2018 7:14 am

And this "Session Path Writable: No" should be "Session Path Writable: Yes"

Also if these sites are on the same server it could well be that the server is compromised

And most of your extensions are indeed outdated... JCE for instance is on 2.6.23, VM Allinone is prehistoric, Foxcontact 3.7.1

FPA is incomplete: Templates are missing

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
Top
User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44068
Joined: Sat Apr 05, 2008 9:58 pm

Re: Hacked - Welcome To Our Shell - [redacted]

Post by Webdongle » Fri Jan 19, 2018 11:07 am

That is step #A of viewtopic.php?f=714&t=946026 ... have you performed steps #C & #D yet ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
Top
Locked

Return to “Security in Joomla! 3.x”