Page 1 of 1

Website hacked

Posted: Wed Sep 19, 2018 8:00 pm
by KDABruce
Joomla is current for updates.

We performed a link checker the other day and found links to internal pages that were never published by our team. Someone went in and created links on our real (authorized) pages to unauthorized (created) pages on gambling and iRacing and other topics. When you click on the link, it takes me to a page under our Home page (ex. https://www.kennedysdisease.org/how-to- ... d-iracing/ ). See attachment.

Yet, when we search in our back end and in our sitemap, there is no such page. Using FileZilla, I performed several more searches and could not find anything. When I search the authors, there is only authorized users and pages. If I perform a SEARCH for the page on our front end, it does not show up. We are stumped and frustrated. How can a page be hidden within the back end and from the SEARCH and sitemap, yet be there if I use the address above (for example) or click on the hacked link within an authorized page?

How can someone create pages without having the authority and without leaving anything traceable in the Content or Users? Any help would be appreciated. Tks

Re: Website hacked

Posted: Wed Sep 19, 2018 8:11 pm
by Webdongle

Re: Website hacked

Posted: Wed Sep 19, 2018 9:04 pm
by KDABruce
Our website is a Joomla website with ver. 3.8.12 installed. I am not a developer. I just helped create the Joomla site for our non-profit.

There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.

Re: Website hacked

Posted: Wed Sep 19, 2018 9:16 pm
by JAVesey
KDABruce wrote:
Wed Sep 19, 2018 9:04 pm
There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.
All content is stored in the database, which is why you can't find the "pages" using an FTP client like FileZilla; you are looking for something that doesn't exist.

In the first instance, please follow webdongle's advice and post the output from the FPA. It will help others to help you.

Re: Website hacked

Posted: Wed Sep 19, 2018 9:52 pm
by Webdongle
KDABruce wrote:
Wed Sep 19, 2018 9:04 pm
... I am not a developer. I just helped create the Joomla site for our non-profit.
...
Then you have to learn quick or pay someone to fix it. You have been hacked your only options are pay someone ... or post the fpa, delete the files and do everything else that is on the list.

Re: Website hacked

Posted: Thu Sep 20, 2018 4:10 am
by leolam
Virustotal shows a clean bill of health though......You should post the FPA as requested and I advise you to either use a service aka myjoomla.com (first scan is free) which will indefinitely identify the issue (but if no experience with Joomla coding maybe a bit difficult to digest) but still need a professional to resolve it most likely

Leo 8)

Re: Website hacked

Posted: Thu Sep 20, 2018 9:42 am
by Webdongle
leolam wrote:
Thu Sep 20, 2018 4:10 am
Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.

Re: Website hacked

Posted: Thu Sep 20, 2018 5:43 pm
by JAVesey
Webdongle wrote:
Thu Sep 20, 2018 9:42 am
leolam wrote:
Thu Sep 20, 2018 4:10 am
Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.
Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?

Re: Website hacked

Posted: Thu Sep 20, 2018 6:36 pm
by Webdongle
Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?

Re: Website hacked

Posted: Thu Sep 20, 2018 7:09 pm
by JAVesey
Webdongle wrote:
Thu Sep 20, 2018 6:36 pm
Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?
It is a possibility, but Leo's post suggests that the site is clean. An FPA would help though, otherwise we're just "shootin' critters in the dark" 8)

Re: Website hacked

Posted: Thu Sep 20, 2018 7:52 pm
by Webdongle
sucuri says 500 error when trying to scan the site. viewtopic.php?f=714&t=793531 would help.

Re: Website hacked

Posted: Thu Sep 20, 2018 9:24 pm
by bluesardine
Sign up to MyJoomla, I never looked back after subscribing.

Re: Website hacked

Posted: Fri Sep 21, 2018 5:15 pm
by leolam
Webdongle wrote:
Thu Sep 20, 2018 7:52 pm
sucuri says 500 error when trying to scan the site.
Not for me and virustotal is using also sucuri with no issues Attachment from a few minutes ago

Leo 8)
sucuri.jpg

Re: Website hacked

Posted: Fri Sep 21, 2018 5:18 pm
by leolam
bluesardine wrote:
Thu Sep 20, 2018 9:24 pm
Sign up to MyJoomla, I never looked back after subscribing.
Agreed +1 , but Myjoomla is rather expensive for the average user (I pay GBP 195 each year which is a lot -even maybe too much- of money!) despite me thinking a price performance ratio for this product is probably right

Leo 8)

Re: Website hacked

Posted: Fri Sep 21, 2018 5:42 pm
by Webdongle
Doesn't now but did when I checked it before.

Re: Website hacked

Posted: Fri Sep 21, 2018 7:49 pm
by KDABruce
JAVesey wrote:
Thu Sep 20, 2018 5:43 pm
Webdongle wrote:
Thu Sep 20, 2018 9:42 am
leolam wrote:
Thu Sep 20, 2018 4:10 am
Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.
Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?
There are only four people who can create new web pages or make changes to current content. None of us,
or is anyone else, shown accessing the hacked pages or creating the new pages. Not being able to locate the new pages is more of a frustration. Why they do not show up anywhere in Joomla, yet can be accessed through the links, is our greatest concern. It makes us wonder what else might be out there that we don't know about.

Re: Website hacked

Posted: Fri Sep 21, 2018 7:57 pm
by Webdongle
Content >>> Articles ... order by ID descending will show the lates files that were created. You can also sort by date modified.

If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.

Re: Website hacked

Posted: Fri Sep 21, 2018 8:19 pm
by KDABruce
Webdongle wrote:
Fri Sep 21, 2018 7:57 pm
Content >>> Articles ... order by ID descending will show the lates files that were created. You can also sort by date modified.

If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
When you search the Content-Articles-Order by ID descending (and any other search for that matter), it does not show the newly created pages that the links point to. When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.

I'll try to get the fpa run. Thanks again.

Re: Website hacked

Posted: Sat Sep 22, 2018 12:20 pm
by JAVesey
KDABruce wrote:
Fri Sep 21, 2018 8:19 pm
When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.
So, just to be clear:

1. Are these newly created pages or existing ones that have been modified?
2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?

Re: Website hacked

Posted: Sat Sep 22, 2018 8:01 pm
by Per Yngve Berg
1) Have you checked the .htaccess file?

2) Turn off SEF in Global Configuration so you can see the real URL. Does it still work with that URL?

Re: Website hacked

Posted: Sun Sep 23, 2018 10:17 am
by KDABruce
JAVesey wrote:
Sat Sep 22, 2018 12:20 pm
KDABruce wrote:
Fri Sep 21, 2018 8:19 pm
When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.
So, just to be clear:

1. Are these newly created pages or existing ones that have been modified?
2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?
1. There are two newly created pages. There are three existing pages where links were created to the new pages.
2. I am still trying to find the new pages in Joomla's backend to see if there is an author. On the existing pages where links were created, it does not show any recent modification or changes to it.

Re: Website hacked

Posted: Sun Sep 23, 2018 10:33 am
by Webdongle
PM me a Super User login and I will see if I can find them.

Re: Website hacked

Posted: Wed Sep 26, 2018 1:50 pm
by KDABruce
Thank you for all your support and suggestions. We have talked it over and have decided to try MyJoomla.Com. We hope they can find and fix the problem. Then, we try their ongoing monitoring/support. Thanks again. You have been great.