Gantry hacked

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
charris
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Sun Nov 09, 2008 2:36 am

Gantry hacked

Post by charris » Wed Jun 28, 2017 10:21 pm

I am running Gantry 4.1.27 on Joomla 3.7.2. I think the site has been hacked.

The site now comes up with the following page:

Image

I have searched the entire site trying to find where page is being rendered. It appears when the page is opened on the front side or when in admin and trying to open Extensions->Templates->Gantry - Default. It does not appear on the front side when gantry is not the default.

I currently have the site offline. I made beez the default template the default in order to do this.

I would appreciate any suggestions for how to locate and remove the malware or other steps. I considered reinstalling Gantry but I'm not sure how that would affect my current layout.

Thanking everyone in advance.
Last edited by toivo on Wed Jun 28, 2017 10:23 pm, edited 1 time in total.
Reason: mod note: moved to 3.x Security

User avatar
websitedons
I've been banned!
Posts: 389
Joined: Sat May 27, 2017 9:42 am

Re: Gantry hacked

Post by websitedons » Wed Jun 28, 2017 10:54 pm

Delete all items related to gantry.
Keep any files you modified.
Scan the server for malware. (many scanners available)
Confirm with the gantry devs that there is no known vulnerability.
Reinstall if all is well

If you don't use all the gantry fandangles, you should keep the system as simple as possible. The more parts you insert, the greater chance of failure.

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Gantry hacked

Post by fcoulter » Thu Jun 29, 2017 9:36 am

It seems that the Gantry template is hacked.

However you cannot assume from that, that this is due to a vulnerability in Gantry, or that removing items related to Gantry will solve the issue. The vulnerability may well be elsewhere, if it allows an attacker to modify your template files then it could cause this. For example a compromised super administrator account could allow a user to do this.

There may well be additional hack code elsewhere on your site. I think that you need to regard your site as completely compromised, and do a complete cleanup. There are instructions on how to do this here: viewtopic.php?f=714&t=946026
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2272
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Gantry hacked

Post by JAVesey » Thu Jun 29, 2017 9:45 am

fcoulter wrote:I think that you need to regard your site as completely compromised, and do a complete cleanup. There are instructions on how to do this here: viewtopic.php?f=714&t=946026
@OP:

Follow this advice, not the advice in the post above it. You must not assume that only the Gantry template is affected.
John V
Cardiff, Wales, UK
Uses Joomla 3.9.23 and PHP7.4.11


Locked

Return to “Security in Joomla! 3.x”