Joomla hacked?

[sylwekb]

Hello
Have you ever encountered a situation where someone called you and said that they could do everything from the registered user level, e.g. replace photos, etc.? Can you fully protect yourself from it?

Regards

Joomla 3.10.11

[AMurray]

Do you mean this caller claims he can change only content an Editor or Publisher might create and edit from the front-end, and not administrative functions normally done by a Manager, Administrator or Super administrator in the back-end?

Suggest updating to Joomla 4. (Joomla 3.10.11 will be out of support by August). While 3.10 gets security updates, the team needs to know about security issues. If concerned, I suggest reporting it to https://issues.joomla.org - with full details and where possible, methodology to replicate the problem.

If the caller is claiming he can do things normally prohibited as a registered user, I'd have thought there would be some record of it in the User Action Log. "Joe Bloggs updated [such and such] article on DD/MM/YYYY") or things like that.

Are you sure they are not registered as an Editor or Publisher, rather than just Registered?

Check the User Manager list and see if you can identify any registered user that looks "out of place".

https://docs.joomla.org/J3.x:User_Action_Logs
https://docs.joomla.org/Help310:Compone ... gs_Options

As to protecting users:

• Have your registered users use very strong passwords (no words commonly known, and none from dictionaries)
• increase the number of characters required in a password e.g. minimum 12 characters.
• Set minimum numbers of different characters - e.g. mix of alpha-numeric and symbols (e.g.mini 2 numbers, min 2 symbols).
• Encourage the use of Multi-factor authentication (MFA). (As you're on 3.10, suggest the inbuilt 2FA, or Akeeba's Login Guard (which in J4, is now part of the core as of v4.2), but is still available as a download for J3.x

[sylwekb]

Thank you for your answer. Indeed, in the event log I have such a user Suddeas77777 and his IP address, he is only registered but I do not see a hack. I scanned the server for antivirus and found nothing. Yes, it claims that from the level of registered permissions it can do everything, but I don't see it. I don't see anything unusual in the server logs for this IP address. The hosting provider also confirmed that he did not see anything unusual in this user's behavior. As a preventive measure, I changed the admin, database and FTP user passwords to very strong ones. All in all, these passwords were already very strong and in line with current standards.

[AMurray]

if still concerned, suggest doing a full audit of the site with mysites.guru (first audit is free) but it is a subscription service well worth its weight in Euros, so to speak.

[sylwekb]

I monitor the site all the time and my hosting provider has turned on additional monitoring for this site and has not detected anything so far. My website has a lot of data. I am aware of the end of support for Joomla 3.10.11 and I am planning to migrate to Joomla 4 but for now there are no add-ons for Joomla 4.

[Per Yngve Berg]

Photos etc. are stored as regular files on the server. They can be accessed directly without going through Joomla. Are file permissions set correctly on the server?

[sylwekb]

The hosting provider says all permissions are correct. I checked in Filezilla and they also agree with the Joomla documentation. I will be migrating to Joomla 4 soon but I have a problem because I have over 10000 attachments and the developer of the add-on has opted out of updating to Joomla 4 https://extensions.joomla.org/extension/attachments/. This is a really great addition to handle attachments in an article. I looked at other add-ons but they work differently and there will be a problem with automatic migration. Handling such a large amount by hand is a lot of work.

[Webdongle]

Hello
Have you ever encountered a situation where someone called you and said that they could do everything from the registered user level, e.g. replace photos, etc.? Can you fully protect yourself from it?

Regards

Joomla 3.10.11

If they could do it they would have done it. If they done it they would only contact you if they locked you out and ransomed the site.