Site hacked and now trying to restore

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Post Reply
handsun
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Sun Jul 04, 2010 3:00 am
Contact:

Site hacked and now trying to restore

Post by handsun » Sat Aug 04, 2018 12:23 pm

I had the exact same hack, and was able to restore by replacing the folders in my account with fresh ones and deleting all non-joomla files, in my case it was helper.php that was causing the #success connection#
No articles where specified."
The source code shows only and baseball articles all jibberish over 100 of them. I'm pretty sure it was an FTP hack because an HTML site in the same shared cpanel had the same injected links for baseball jerseys in the html above the <html> tag
Last edited by toivo on Sat Aug 04, 2018 7:19 pm, edited 1 time in total.
Reason: mod note: split from someone else's topic - please create your own topics in the future

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35236
Joined: Sat Apr 05, 2008 9:58 pm

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by Webdongle » Sat Aug 04, 2018 5:07 pm

handsun wrote:
Sat Aug 04, 2018 12:23 pm
I had the exact same hack, and was able to restore by replacing the folders in my account with fresh ones and deleting all non-joomla files,...
'Cherry picking' the files to delete is not advised.

Best delete all the files from the server then replace the Joomla (and 3rd party) files. Replacing the files can be done easily by installing Joomla (of the same version) to a new database then installing the 3rd party extensions into it. Then edit the configuration.php to connect the original database. Quicker (and more certain) than cherry picking the files to delete.

viewtopic.php?f=714&t=946026 summarises the recommended method with a link to the full process for securing the site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

handsun
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Sun Jul 04, 2010 3:00 am
Contact:

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by handsun » Sat Aug 04, 2018 6:02 pm

I am keeping an eye on it, even when I was working on it, before I deleted the helper.php another folder got inserted into the root with a jibberish name, I deleted it and the helper.php and since then all quiet, but thanks for the complete absolute way to clean it up, if I get more activity malware int he site, i will follow that protocal.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 35236
Joined: Sat Apr 05, 2008 9:58 pm

Re: Front page now only writes "ttmaintt #success connection# No articles where specified."

Post by Webdongle » Sat Aug 04, 2018 6:35 pm

handsun wrote:
Sat Aug 04, 2018 6:02 pm
I am keeping an eye on it, ...
You won't see it. All you saw was the result of the hack. The fact that you were hacked means that the hackers have access to your server. They will be active on your server and you will not know. And what's worse they can place hacks on your server that will infect browsers that visit your site.Your over confidence is allowing the hackers to use your server for their own purposes.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein


Post Reply

Return to “Security in Joomla! 3.x”