Front page now only writes "ttmaintt #success connection# No articles where specified."

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
MicLes
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by MicLes » Sat Jul 14, 2018 12:22 am

Greetings,

After a SPAM bot somehow added over one hundred posts (with no author), our front page now only declares "ttmaintt
#success connection#
No articles where specified."
The source code shows only

Code: Select all

<html><head></head><body><br>ttmaintt<br>#success connection#<br>No articles where specified.</body></html>
After deleting the post, I ...
  • updated to site to the newest version : 3.8.10 Stable
  • removed all Akeeba bits as they were causing site bugs, notably making site updates fail
  • also had to switch to tinyMCE text editor as JCE stopped working (I prefer tinyMCE anyway, but saying in case it gives you a clue about something.
  • corrected a strangeness where the welcome article (front page) could be modified by Public (odd).
  • all templates, when previewed, show the same ttmaintt... message
The menus, articles and categories all look fine.

It seems the spam-hack broke something, but wouldn't the system update replace any broken files, etc.? Any clues ? I am posting in the Admin topic of this forum as I am looking for a bad or modified configuration or glitch, but any clue would be appreciated.
Last edited by imanickam on Sat Jul 14, 2018 2:48 am, edited 1 time in total.
Reason: Moved the topic from the forum Administration - Joomla! 3.x to the forum Security in Joomla! 3.x

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 34742
Joined: Sat Apr 05, 2008 9:58 pm

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by Webdongle » Sat Jul 14, 2018 5:55 pm

MicLes wrote:... but wouldn't the system update replace any broken files, etc.? ...
. But it wouldn't get rid of the hack. Please see viewtopic.php?f=714&t=946026

MicLes
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by MicLes » Sun Jul 15, 2018 7:30 pm

Webdongle wrote:
MicLes wrote:... but wouldn't the system update replace any broken files, etc.? ...
. But it wouldn't get rid of the hack. Please see viewtopic.php?f=714&t=946026
Your short response got me thinking ...
Mostly, via FTP, I was able to easily remove new files that are not part of Joomla. They were disguised as web.php and helper.php notably.

I suspect some old Akeeba files, and maybe the libraries, were exploited to add those files without really having a direct access to the FTP nor to the site/database. I will patch the holes (fresh Akeeba files and libraries if needed).

EDIT : almost every folder had an index.html file, which of course is abnormal and a doorway used by the hacker. Just saying for other amateur webmasters : there should not be any index.html all other your Zoomla folders. :P
RE-EDIT : strangely enough, in the Zoomla download as such, there are many index.html files...?!

MicLes
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by MicLes » Sun Jul 15, 2018 9:35 pm

Ignore my last bit about index.html. It is an intentional Joomla security feature. My bad.
I would edit my post if I could.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 34742
Joined: Sat Apr 05, 2008 9:58 pm

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by Webdongle » Sun Jul 15, 2018 10:02 pm

One a hacker has access to your server you need to follow a process to clean the site. Just deleting the files that you find will not get rid of the hack. viewtopic.php?f=714&t=946026

MicLes
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by MicLes » Mon Jul 16, 2018 4:19 am

Webdongle wrote:One a hacker has access to your server you need to follow a process to clean the site. Just deleting the files that you find will not get rid of the hack. viewtopic.php?f=714&t=946026
Yes, I have done many things to try and patch whatever hole has been used. I removed many third-party extensions, changed password though clearly the hacker did not use our accounts, an update was made after the hack, added a security extension that seems to be help a lot (based on logs), etc. I can't do a miracle though.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 34742
Joined: Sat Apr 05, 2008 9:58 pm

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by Webdongle » Mon Jul 16, 2018 8:46 am

Did you delete A/ll the folders/files from the server before changing passwords ?

MicLes
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by MicLes » Mon Jul 16, 2018 6:47 pm

Webdongle wrote:Did you delete A/ll the folders/files from the server before changing passwords ?
Almost all ; I made some exceptions as I do not know where are the user-modified files, like the config file if any (I am a Joomla noob and deleting a config file without a backup would have been hell).

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 34742
Joined: Sat Apr 05, 2008 9:58 pm

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by Webdongle » Mon Jul 16, 2018 7:59 pm

Step #f of viewtopic.php?f=714&t=946026 creates a new configuration.php file. All you need do then is edit it to connect to the original database.

You need to delete all the files from the server so that you make sure you remove all the hack files.
Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.


Post Reply

Return to “Security in Joomla! 3.x”