Front page now only writes "ttmaintt #success connection# No articles where specified."

Discussion regarding Joomla! 3.x security issues.

MicLes
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Post by MicLes » Sat Jul 14, 2018 12:22 am

Greetings,

After a SPAM bot somehow added over one hundred posts (with no author), our front page now only declares "ttmaintt
#success connection#
No articles where specified."
The source code shows only

<html><head></head><body><br>ttmaintt<br>#success connection#<br>No articles where specified.</body></html>
After deleting the post, I ...
  • updated the site to the newest version: 3.8.10 Stable
  • removed all Akeeba bits as they were causing site bugs, notably making site updates fail
  • also had to switch to tinyMCE text editor as JCE stopped working (I prefer tinyMCE anyway, but saying in case it gives you a clue about something).
  • corrected a strangeness where the welcome article (front page) could be modified by Public (odd).
  • all templates, when previewed, show the same ttmaintt... message
The menus, articles and categories all look fine.

It seems the spam-hack broke something, but wouldn't the system update replace any broken files, etc.? Any clues ? I am posting in the Admin topic of this forum as I am looking for a bad or modified configuration or glitch, but any clue would be appreciated.
Last edited by imanickam on Sat Jul 14, 2018 2:48 am, edited 1 time in total.
Reason: Moved the topic from the forum Administration - Joomla! 3.x to the forum Security in Joomla! 3.x

Webdongle
Joomla! Master
Posts: 44083
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Sat Jul 14, 2018 5:55 pm

MicLes wrote:... but wouldn't the system update replace any broken files, etc.? ...
. But it wouldn't get rid of the hack. Please see viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

MicLes
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Post by MicLes » Sun Jul 15, 2018 7:30 pm

Webdongle wrote:
MicLes wrote:... but wouldn't the system update replace any broken files, etc.? ...
. But it wouldn't get rid of the hack. Please see viewtopic.php?f=714&t=946026
Your short response got me thinking ...
Mostly, via FTP, I was able to easily remove new files that are not part of Joomla. They were disguised as web.php and helper.php notably.

I suspect some old Akeeba files, and maybe the libraries, were exploited to add those files without really having a direct access to the FTP nor to the site/database. I will patch the holes (fresh Akeeba files and libraries if needed).

EDIT : almost every folder had an index.html file, which of course is abnormal and a doorway used by the hacker. Just saying for other amateur webmasters : there should not be any index.html all over your Zoomla folders. :P
RE-EDIT : strangely enough, in the Zoomla download as such, there are many index.html files...?!

MicLes
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Post by MicLes » Sun Jul 15, 2018 9:35 pm

Ignore my last bit about index.html. It is an intentional Joomla security feature. My bad.
I would edit my post if I could.
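
Added example, not part of any post in this thread: one way to see which files on a site are not part of the Joomla package is to hash the live tree against a freshly extracted copy of the same Joomla version. The function names, the `EXPECTED_LOCAL` list and the two sample trees are constructed for illustration; the stock `index.html` placeholder appears in both trees and is therefore not reported.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific files that are never in the stock package (assumed list).
EXPECTED_LOCAL = ("configuration.php",)

def file_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site_root, clean_root):
    """Report files that are extra, modified or missing versus the clean tree."""
    site, clean = file_hashes(site_root), file_hashes(clean_root)
    return {
        "extra": sorted(p for p in site if p not in clean and p not in EXPECTED_LOCAL),
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in site),
    }

def demo():
    """Build two small constructed trees and compare them."""
    stock = {"index.php": "<?php // stock entry point",
             "components/index.html": "<!DOCTYPE html><title></title>",
             "libraries/loader.php": "<?php // stock loader"}
    live = dict(stock)
    live["index.php"] = "<?php // stock entry point (altered)"
    live["components/web.php"] = "<?php // not in the package"
    live["libraries/helper.php"] = "<?php // not in the package"
    live["configuration.php"] = "<?php // site settings"
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("clean", stock), ("site", live)):
            for rel, body in tree.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare_to_clean(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, third-party extensions and uploaded media also show up under "extra" and have to be reviewed by hand; the report only lists candidates and does not replace the clean-up process linked in the thread.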

Webdongle
Joomla! Master
Posts: 44083
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Sun Jul 15, 2018 10:02 pm

Once a hacker has access to your server you need to follow a process to clean the site. Just deleting the files that you find will not get rid of the hack. viewtopic.php?f=714&t=946026

MicLes
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Post by MicLes » Mon Jul 16, 2018 4:19 am

Webdongle wrote: Once a hacker has access to your server you need to follow a process to clean the site. Just deleting the files that you find will not get rid of the hack. viewtopic.php?f=714&t=946026
Yes, I have done many things to try and patch whatever hole has been used. I removed many third-party extensions, changed password though clearly the hacker did not use our accounts, an update was made after the hack, added a security extension that seems to help a lot (based on logs), etc. I can't do a miracle though.

Webdongle
Joomla! Master
Posts: 44083
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Mon Jul 16, 2018 8:46 am

Did you delete all the folders/files from the server before changing passwords?

MicLes
Joomla! Apprentice
Posts: 6
Joined: Fri May 25, 2018 2:08 am

Post by MicLes » Mon Jul 16, 2018 6:47 pm

Webdongle wrote: Did you delete all the folders/files from the server before changing passwords?
Almost all; I made some exceptions as I do not know where the user-modified files are, like the config file if any (I am a Joomla noob and deleting a config file without a backup would have been hell).

Webdongle
Joomla! Master
Posts: 44083
Joined: Sat Apr 05, 2008 9:58 pm

Post by Webdongle » Mon Jul 16, 2018 7:59 pm

Step #f of viewtopic.php?f=714&t=946026 creates a new configuration.php file. All you need do then is edit it to connect to the original database.

You need to delete all the files from the server so that you make sure you remove all the hack files.
Your database is your site ... first and foremost make a backup of your database.

All the files do is put/get data to/from the database and display the data on the screen.