Website hacked

Discussion regarding Joomla! 3.x security issues.

KDABruce
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Website hacked

Post by KDABruce » Wed Sep 19, 2018 8:00 pm

Joomla is current for updates.

We performed a link checker the other day and found links to internal pages that were never published by our team. Someone went in and created links on our real (authorized) pages to unauthorized (created) pages on gambling and iRacing and other topics. When you click on the link, it takes me to a page under our Home page (ex. https://www.kennedysdisease.org/how-to- ... d-iracing/ ). See attachment.

Yet, when we search in our back end and in our sitemap, there is no such page. Using FileZilla, I performed several more searches and could not find anything. When I search the authors, there are only authorized users and pages. If I perform a SEARCH for the page on our front end, it does not show up. We are stumped and frustrated. How can a page be hidden within the back end and from the SEARCH and sitemap, yet be there if I use the address above (for example) or click on the hacked link within an authorized page?

How can someone create pages without having the authority and without leaving anything traceable in the Content or Users? Any help would be appreciated. Tks

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Wed Sep 19, 2018 8:11 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

KDABruce
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Wed Sep 19, 2018 9:04 pm

Our website is a Joomla website with ver. 3.8.12 installed. I am not a developer. I just helped create the Joomla site for our non-profit.

There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.

JAVesey
Joomla! Ace
Posts: 1848
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Website hacked

Post by JAVesey » Wed Sep 19, 2018 9:16 pm

KDABruce wrote (Wed Sep 19, 2018 9:04 pm):
> There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.
All content is stored in the database, which is why you can't find the "pages" using an FTP client like FileZilla; you are looking for something that doesn't exist.

In the first instance, please follow webdongle's advice and post the output from the FPA. It will help others to help you.
John V
Cardiff, Wales, UK
Uses Joomla 3.9.1
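
What JAVesey describes above, as an added example that is not part of the thread: because articles and custom module HTML are database rows, the search for an unwanted link has to run against the database rather than over FTP. The `jos_` prefix, the link path and the sample rows are constructed, and SQLite stands in here for the site's MySQL database.

```python
import sqlite3

PREFIX = "jos_"  # assumption: the real prefix is $dbprefix in configuration.php
FRAGMENT = "/example-injected-page/"  # constructed placeholder for the unwanted link path

def build_sample_db():
    """Constructed stand-in for a Joomla 3 database (real sites use MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}content (id INTEGER PRIMARY KEY, title TEXT,
            introtext TEXT, "fulltext" TEXT, state INTEGER,
            created TEXT, created_by INTEGER, modified TEXT);
        CREATE TABLE {PREFIX}modules (id INTEGER PRIMARY KEY, title TEXT,
            content TEXT, published INTEGER);
    """)
    link = f'<a href="{FRAGMENT}">more</a>'
    db.executemany(f"INSERT INTO {PREFIX}content VALUES (?,?,?,?,?,?,?,?)", [
        (1, "Home", "<p>Welcome</p>", "", 1, "2016-01-05", 42, "2017-03-01"),
        (2, "About", "<p>Who we are " + link + "</p>", "", 1, "2016-01-06", 42, "2017-03-02"),
        (9, "Untitled", "", "<p>filler</p>", -2, "2018-09-10", 0, "2018-09-10"),
    ])
    db.execute(f"INSERT INTO {PREFIX}modules VALUES (7, 'Footer', ?, 1)", (link,))
    return db

def newest_articles(db, limit=20):
    """Rows in descending id order, whatever their state (-2 trashed .. 2 archived)."""
    sql = (f"SELECT id, title, state, created, created_by FROM {PREFIX}content "
           "ORDER BY id DESC LIMIT ?")
    return db.execute(sql, (limit,)).fetchall()

def find_fragment(db, fragment):
    """Every article or module row whose stored HTML contains the fragment."""
    hits = []
    for table, cols in (("content", ("introtext", '"fulltext"')), ("modules", ("content",))):
        where = " OR ".join(f"instr({c}, ?) > 0" for c in cols)
        sql = f"SELECT id, title FROM {PREFIX}{table} WHERE {where} ORDER BY id"
        for row_id, title in db.execute(sql, [fragment] * len(cols)):
            hits.append((table, row_id, title))
    return hits

if __name__ == "__main__":
    db = build_sample_db()
    for row in newest_articles(db):
        print("article", row)
    for hit in find_fragment(db, FRAGMENT):
        print("contains link:", hit)
```

The search matches on the stored HTML itself, so it does not depend on the `modified` date or on which states the article list is filtered to show.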

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Wed Sep 19, 2018 9:52 pm

KDABruce wrote (Wed Sep 19, 2018 9:04 pm):
> ... I am not a developer. I just helped create the Joomla site for our non-profit. ...
Then you have to learn quick or pay someone to fix it. You have been hacked; your only options are to pay someone ... or post the FPA, delete the files and do everything else that is on the list.

leolam
Joomla! Master
Posts: 19139
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Website hacked

Post by leolam » Thu Sep 20, 2018 4:10 am

Virustotal shows a clean bill of health though... You should post the FPA as requested and I advise you to either use a service aka myjoomla.com (first scan is free) which will indefinitely identify the issue (but if no experience with Joomla coding maybe a bit difficult to digest) but still need a professional to resolve it most likely.

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
Member Joomla Bug Squad & Joomla CMS Release Team

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Thu Sep 20, 2018 9:42 am

leolam wrote (Thu Sep 20, 2018 4:10 am):
> Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.

JAVesey
Joomla! Ace
Posts: 1848
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Website hacked

Post by JAVesey » Thu Sep 20, 2018 5:43 pm

Webdongle wrote (Thu Sep 20, 2018 9:42 am):
> leolam wrote (Thu Sep 20, 2018 4:10 am):
> > Virustotal shows a clean bill of health though...
> But when you view the page you can see the hyper links to casino and horse racing sites.
Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Thu Sep 20, 2018 6:36 pm

Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?

JAVesey
Joomla! Ace
Posts: 1848
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Website hacked

Post by JAVesey » Thu Sep 20, 2018 7:09 pm

Webdongle wrote (Thu Sep 20, 2018 6:36 pm):
> Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?
It is a possibility, but Leo's post suggests that the site is clean. An FPA would help though, otherwise we're just "shootin' critters in the dark" 8)

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Thu Sep 20, 2018 7:52 pm

sucuri says 500 error when trying to scan the site. viewtopic.php?f=714&t=793531 would help.

bluesardine
Joomla! Explorer
Posts: 478
Joined: Fri Nov 16, 2007 10:49 pm
Location: Cornwall

Re: Website hacked

Post by bluesardine » Thu Sep 20, 2018 9:24 pm

Sign up to MyJoomla, I never looked back after subscribing.
Joomla Web design Cornwall https://www.swankypixels.com/
Wedding Photographer Cornwall https://www.peterhaken.com/
"I am enough of an artist to draw freely upon my imagination"
Albert Einstein

leolam
Joomla! Master
Posts: 19139
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Website hacked

Post by leolam » Fri Sep 21, 2018 5:15 pm

Webdongle wrote (Thu Sep 20, 2018 7:52 pm):
> sucuri says 500 error when trying to scan the site.
Not for me, and virustotal is also using sucuri with no issues. Attachment from a few minutes ago.

Leo 8)
sucuri.jpg

leolam
Joomla! Master
Posts: 19139
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Website hacked

Post by leolam » Fri Sep 21, 2018 5:18 pm

bluesardine wrote (Thu Sep 20, 2018 9:24 pm):
> Sign up to MyJoomla, I never looked back after subscribing.
Agreed +1, but Myjoomla is rather expensive for the average user (I pay GBP 195 each year which is a lot -even maybe too much- of money!) despite me thinking a price performance ratio for this product is probably right.

Leo 8)

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Fri Sep 21, 2018 5:42 pm

Doesn't now but did when I checked it before.

KDABruce
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Fri Sep 21, 2018 7:49 pm

JAVesey wrote (Thu Sep 20, 2018 5:43 pm):
> Webdongle wrote (Thu Sep 20, 2018 9:42 am):
> > leolam wrote (Thu Sep 20, 2018 4:10 am):
> > > Virustotal shows a clean bill of health though...
> > But when you view the page you can see the hyper links to casino and horse racing sites.
> Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?
There are only four people who can create new web pages or make changes to current content. None of us, nor anyone else, is shown accessing the hacked pages or creating the new pages. Not being able to locate the new pages is more of a frustration. Why they do not show up anywhere in Joomla, yet can be accessed through the links, is our greatest concern. It makes us wonder what else might be out there that we don't know about.

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Fri Sep 21, 2018 7:57 pm

Content >>> Articles ... order by ID descending will show the latest files that were created. You can also sort by date modified.

If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.

KDABruce
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Fri Sep 21, 2018 8:19 pm

Webdongle wrote (Fri Sep 21, 2018 7:57 pm):
> Content >>> Articles ... order by ID descending will show the latest files that were created. You can also sort by date modified.
>
> If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
When you search the Content-Articles-Order by ID descending (and any other search for that matter), it does not show the newly created pages that the links point to. When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.

I'll try to get the fpa run. Thanks again.

JAVesey
Joomla! Ace
Posts: 1848
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: Website hacked

Post by JAVesey » Sat Sep 22, 2018 12:20 pm

KDABruce wrote (Fri Sep 21, 2018 8:19 pm):
> When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.
So, just to be clear:

1. Are these newly created pages or existing ones that have been modified?
2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?

Per Yngve Berg
Joomla! Master
Posts: 24990
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Website hacked

Post by Per Yngve Berg » Sat Sep 22, 2018 8:01 pm

1) Have you checked the .htaccess file?

2) Turn off SEF in Global Configuration so you can see the real URL. Does it still work with that URL?

KDABruce
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Sun Sep 23, 2018 10:17 am

JAVesey wrote (Sat Sep 22, 2018 12:20 pm):
> KDABruce wrote (Fri Sep 21, 2018 8:19 pm):
> > When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.
> So, just to be clear:
>
> 1. Are these newly created pages or existing ones that have been modified?
> 2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?
1. There are two newly created pages. There are three existing pages where links were created to the new pages.
2. I am still trying to find the new pages in Joomla's backend to see if there is an author. On the existing pages where links were created, it does not show any recent modification or changes to it.

Webdongle
Joomla! Master
Posts: 36157
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Sun Sep 23, 2018 10:33 am

PM me a Super User login and I will see if I can find them.

KDABruce
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Wed Sep 26, 2018 1:50 pm

Thank you for all your support and suggestions. We have talked it over and have decided to try MyJoomla.Com. We hope they can find and fix the problem. Then, we try their ongoing monitoring/support. Thanks again. You have been great.

