My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Wed Apr 03, 2019 12:45 pm
by niitpro
Hi, the Community

Today, I got an email from my Joomla 3.9.3 warning as below
** PATTERNS MATCHED (possible hack attempts)

* Local File Inclusion $_GET['f'] => ../../../configuration.php
* Local File Inclusion $_REQUEST['f'] => ../../../configuration.php


** PAGE / SERVER INFO

*REMOTE_ADDR : 54.37.196.192
*HTTP_USER_AGENT : python-requests/2.21.0
*REQUEST_METHOD : GET
*QUERY_STRING : f=../../../configuration.php


** SUPERGLOBALS DUMP (sanitized)

*$_GET DUMP:
Array
(
[f] => ../../../configuration.php
)


*$_POST DUMP:
Array
(
)


*$_COOKIE DUMP:
Array
(
)


*$_REQUEST DUMP:
Array
(
[f] => ../../../configuration.php
)
Does that mean someone is trying to hack my Joomla website?

I have upgraded it to the latest version 3.9.4, changed the database password, and chmod configuration.php file to 0400. That's all I did.

I also banned the IP above from cPanel.

Please advise.
Thanks

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Wed Apr 03, 2019 3:46 pm
by JAVesey
Is that a Joomla 3rd-party extension that has generated that warning or has it come from another source?

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Wed Apr 03, 2019 4:06 pm
by sozzled
What the OP is saying is that someone tried to open the file configuration.php for reading. That's all that's being claimed.

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Wed Apr 03, 2019 4:27 pm
by Webdongle
** SUPERGLOBALS DUMP (sanitized) afaik shows the hack attempt failed.

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Wed Apr 03, 2019 4:34 pm
by frostmakk
And the extension responsible for blocking and reporting this is https://extensions.joomla.org/extension ... injection/

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Wed Apr 03, 2019 6:08 pm
by JAVesey
niitpro wrote:
Wed Apr 03, 2019 12:45 pm
chmod configuration.php file to 0400.
The ideal permissions for configuration.php are "444"

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Thu Apr 04, 2019 7:40 am
by niitpro
I guess the component Securitycheck sent the message.

@JAVesey, I guess CHMOD 400 is more secure and it's still working fine.

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Thu Apr 04, 2019 8:03 am
by Webdongle

Re: My Joomla 3.9.3 got hacked? Website Marco's interceptor warning

Posted: Sun Apr 07, 2019 11:49 am
by Afflospark
This means somebody was trying to access your configuration.php with a Python agent (the hacker was using the Python language to automate a brute-force attack using the default Python agent) to achieve LFI (local file inclusion: reading local classified files by public access, which can later be used to get full access to the server).
This message was generated through one of your security extensions.

Now let me tell you about permissions. In Linux, 400 permission means "only the owner of the file can read the file"; nobody else can see the file. This means if you give 400 permission to your configuration file, nobody will be able to access the file, and your system will be safe somehow.
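
Editor's added example (not part of any post in this thread): a Python sketch of the classic Unix read-permission check, showing which local accounts can read configuration.php at 0400 versus 0444. The uids, gids and account names are constructed assumptions, and ACLs or SELinux are not modelled. A PHP process that runs as the file's owner can read the file at either mode, so the mode restricts other local accounts rather than requests handled by the site's own PHP process.

```python
# Added example: classic Unix read-permission check (no ACLs, no SELinux).
# All uids/gids below are constructed sample values, not taken from the thread.

def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return True if a process with proc_uid/proc_gids may read the file."""
    if proc_uid == 0:              # root bypasses read permission checks
        return True
    if proc_uid == file_uid:       # owner class applies exclusively
        return bool(mode & 0o400)
    if file_gid in proc_gids:      # otherwise the group class
        return bool(mode & 0o040)
    return bool(mode & 0o004)      # otherwise the "other" class


# Constructed accounts on a hypothetical shared host.
SITE_OWNER = (1001, {1001})     # account that owns configuration.php
WWW_DATA = (33, {33})           # web server user when PHP runs inside Apache
OTHER_TENANT = (1002, {1002})   # another customer on the same server


def audit(mode, file_uid=1001, file_gid=1001):
    """Map each constructed account to whether it can read configuration.php."""
    accounts = {"site_owner": SITE_OWNER, "www_data": WWW_DATA,
                "other_tenant": OTHER_TENANT}
    return {name: can_read(mode, file_uid, file_gid, uid, gids)
            for name, (uid, gids) in accounts.items()}


if __name__ == "__main__":
    for mode in (0o400, 0o444):
        print(oct(mode), audit(mode))
```

If PHP runs as a separate web server user rather than as the file owner, 0400 makes the file unreadable to Joomla itself, which is the case where 444 is needed for the site to work.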