Joomla site hacked

Discussion regarding Joomla! 3.x security issues.

mochima
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 15, 2008 1:00 am

Joomla site hacked

Post by mochima » Thu Apr 01, 2021 9:22 pm

Hello

We have problems with multiple Joomla sites that got hacked on a reseller server using cPanel WHM

2 times this month

Happens this way

A new Module got installed: Simple File Upload v1.3 (for Joomla 3)
The Joomla Super User admin account changed to [ redacted ]
Created some email accounts [ redacted ]
The existing email accounts on cPanel all changed passwords
No email got deleted
Each user account changed password on reseller

Please help


Mochima
Last edited by toivo on Thu Apr 01, 2021 11:24 pm, edited 1 time in total.
Reason: mod note: kudos removed - please read the forum rules from https://forum.joomla.org/viewtopic.php?f=8&t=65

AMurray
Joomla! Exemplar
Posts: 9744
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Joomla site hacked

Post by AMurray » Thu Apr 01, 2021 10:59 pm

I don't know if this started as a problem external to Joomla - with your actual hosting systems. You talk about the hacker creating email addresses in WHM ??? That might be your first starting point - is WHM secure/up to date?

I can't really understand the question - the things listed, did the hacker do them or did your customers change their account details?

From what I can tell you're using a very old version of "Simple File Upload" - it's not on the JED and your stated version 1.3 is not the latest; the latest I can identify is 1.4.0 from 5 years ago.

I assume this is the one you're using: Refer https://www.oceantheme.org/joomla-exten ... pload.html (this is not on the Extensions directory).

First, I'd stop using this Simple File Upload extension - it is risky to use it.

Second, I'd run an audit/scan through the mysites.guru service (first audit is free but otherwise a subscription service). This will identify any security issues.

Third, clean out the site completely; delete all files and restore a clean back up of your site.

Fourth, talk to your host - they would have security tools to scan your hosting or may provide them for your hosting account(s) and may identify the problems.
Regards - A Murray
General Support Moderator

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla site hacked

Post by mandville » Thu Apr 01, 2021 11:41 pm

Searching my archives from around 2012, wasen.net SUP pre 1.3.5 had numerous vulnerabilities
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla site hacked

Post by Webdongle » Thu Apr 01, 2021 11:46 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mochima
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 15, 2008 1:00 am

Re: Joomla site hacked

Post by mochima » Fri Apr 02, 2021 12:56 am

AMurray wrote: Thu Apr 01, 2021 10:59 pm
> From what I can tell you're using a very old version of "Simple File Upload" - it's not on the JED and your stated version 1.3 is not the latest; the latest I can identify is 1.4.0 from 5 years ago.

We never use module Simple File Upload v1.3. It appears when the sites are hacked

All the emails change passwords, and the admin super user on Joomla changes to: [ redacted ]

Best regards

Diego R
Last edited by toivo on Fri Apr 02, 2021 1:25 am, edited 1 time in total.
Reason: mod note: kudos removed - please read the forum rules from https://forum.joomla.org/viewtopic.php?f=8&t=65

toivo
Joomla! Master
Posts: 17443
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Joomla site hacked

Post by toivo » Fri Apr 02, 2021 1:29 am

@mochima, please stop posting names of hacks, hackers or hacking teams! That practice gives kudos to criminals peddling malware, which is against the rules of this forum.

Instead, please post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs so that our volunteer experts can review the configuration and provide advice.
Toivo Talikka, Global Moderator

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla site hacked

Post by Webdongle » Fri Apr 02, 2021 9:07 am

Please follow the instructions on viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mochima
Joomla! Apprentice
Posts: 6
Joined: Tue Jan 15, 2008 1:00 am

Re: Joomla site hacked

Post by mochima » Fri Apr 02, 2021 2:51 pm

Webdongle wrote: Fri Apr 02, 2021 9:07 am
> Please follow the instructions on viewtopic.php?f=714&t=946026

We know how to recover the sites and databases.

We restore from backup on the reseller account for each one

I'm looking for a solution so this stops and does not happen again. We host 23 different Joomla sites.

When we recover, we proceed to change to strong passwords for the server and the Joomla admin.

Thanks

toivo
Joomla! Master
Posts: 17443
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Joomla site hacked

Post by toivo » Fri Apr 02, 2021 4:26 pm

Passwords are not everything and restoring from a backup may not get rid of a vulnerability, unless it was introduced recently. Study the instructions provided by @Webdongle, they are based on experience.

There are also other possible reasons why a website gets hacked, like obsolete and vulnerable extensions and outdated versions of Joomla.

Therefore posting the FPA results would be a chance to benefit from expert advice.
Toivo Talikka, Global Moderator
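
Added example, not part of any post in this thread and not Joomla project code: the thread reports a module that nobody installed appearing on hacked sites, so one check that scales to many site roots is to read each `modules/mod_*` manifest and flag directories absent from a known-good baseline. The baseline set, the site paths and the directory name `mod_example_upload` are constructed assumptions; the sample tree is built in a temporary directory.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def list_modules(site_root):
    """Map each modules/mod_* entry to (name, version) from its manifest."""
    found = {}
    for mod_dir in sorted(Path(site_root, "modules").glob("mod_*")):
        manifest = mod_dir / f"{mod_dir.name}.xml"
        try:
            # Untrusted data on a possibly compromised site: parsed, never executed.
            root = ET.parse(manifest).getroot()
            found[mod_dir.name] = (root.findtext("name", "?").strip(),
                                   root.findtext("version", "?").strip())
        except (OSError, ET.ParseError):
            found[mod_dir.name] = ("<manifest missing or unreadable>", "?")
    return found

def audit_sites(site_roots, baseline):
    """Return {site: {module_dir: (name, version)}} for modules not in baseline."""
    report = {}
    for site in site_roots:
        extra = {d: info for d, info in list_modules(site).items()
                 if d not in baseline}
        if extra:
            report[str(site)] = extra
    return report

def build_demo(tmp):
    """Constructed sample: two site roots, one with an extra module directory."""
    tmpl = '<extension type="module"><name>{}</name><version>{}</version></extension>'
    layout = {
        "site_a": {"mod_menu": ("Menu", "3.0.0")},
        "site_b": {"mod_menu": ("Menu", "3.0.0"),
                   # hypothetical directory name; name/version as reported in the thread
                   "mod_example_upload": ("Simple File Upload", "1.3")},
    }
    for site, mods in layout.items():
        for mod, (name, version) in mods.items():
            mod_dir = Path(tmp, site, "modules", mod)
            mod_dir.mkdir(parents=True)
            (mod_dir / f"{mod}.xml").write_text(tmpl.format(name, version))
    return [Path(tmp, site) for site in layout]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        baseline = {"mod_menu"}  # assumption: taken from a known-good install
        for site, extra in audit_sites(build_demo(tmp), baseline).items():
            print(site, extra)
```

A flagged directory only shows that something was added; it does not show how the files were written, which is why the posts above ask for the FPA output and a review of the hosting account.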

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla site hacked

Post by Webdongle » Sat Apr 03, 2021 9:35 am

Either that or pay someone to clean your site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

