Joomla site hacked
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jan 15, 2008 1:00 am
Joomla site hacked
Hello
We have problems whit multiple Joomla site that got hacked on a reseller server using Cpanel WHM
2 times this month
Happens this way
A new Module got installed: Simple File Upload v1.3 (for Joomla 3)
The Joomla Super User admin account changed to [ redacted ]
Created some email acounts [ redacted ]
The exsting email accounts on Cpanel changed all password
No email got deleted
Each user account changed password on reseller
Please help
Mochima
We have problems whit multiple Joomla site that got hacked on a reseller server using Cpanel WHM
2 times this month
Happens this way
A new Module got installed: Simple File Upload v1.3 (for Joomla 3)
The Joomla Super User admin account changed to [ redacted ]
Created some email acounts [ redacted ]
The exsting email accounts on Cpanel changed all password
No email got deleted
Each user account changed password on reseller
Please help
Mochima
Last edited by toivo on Thu Apr 01, 2021 11:24 pm, edited 1 time in total.
Reason: mod note: kudos removed - please read the forum rules from https://forum.joomla.org/viewtopic.php?f=8&t=65
Reason: mod note: kudos removed - please read the forum rules from https://forum.joomla.org/viewtopic.php?f=8&t=65
- AMurray
- Joomla! Exemplar
- Posts: 9744
- Joined: Sat Feb 13, 2010 7:35 am
- Location: Australia
Re: Joomla site hacked
I don't know if this started as a problem external to Joomla - with your actual hosting systems. You talk about the hacker creating email addresses in WHM That might be your first starting point - is WHM secure/up to date?
I can't really understand the question - the things listed, did the hacker do or did your customers changes their account details?
From what I can tell you're using a very old version of "Simple File UPload" - it's not on the JED and your stated version 1.3 is not the latest; the latest I can identify is 1.4.0 from 5 years ago.
I assume this is the one you're using: Refer https://www.oceantheme.org/joomla-exten ... pload.html (this is not on the Extensions directory).
First, I'd stop using this Simple File Upload extension - it is risky to use it.
Second, I'd run an audit/scan through the mysites.guru service (first audit is free but otherwise a subscription service). This will identify any security issues.
Third, clean out the site completely; delete all files and restore a clean back up of your site.
Fourth, talk to your host - they would have security tools to scan your hosting or may provide them for your hosting account(s) and may identify the problems.
I can't really understand the question - the things listed, did the hacker do or did your customers changes their account details?
From what I can tell you're using a very old version of "Simple File UPload" - it's not on the JED and your stated version 1.3 is not the latest; the latest I can identify is 1.4.0 from 5 years ago.
I assume this is the one you're using: Refer https://www.oceantheme.org/joomla-exten ... pload.html (this is not on the Extensions directory).
First, I'd stop using this Simple File Upload extension - it is risky to use it.
Second, I'd run an audit/scan through the mysites.guru service (first audit is free but otherwise a subscription service). This will identify any security issues.
Third, clean out the site completely; delete all files and restore a clean back up of your site.
Fourth, talk to your host - they would have security tools to scan your hosting or may provide them for your hosting account(s) and may identify the problems.
Regards - A Murray
General Support Moderator
General Support Moderator
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla site hacked
searching my archives from round 2012 wasen.net SUP pre 1.3.5 had numerous vulnerabilities
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla site hacked
Please see viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jan 15, 2008 1:00 am
Re: Joomla site hacked
We never use module Simple File Upload v1.3.. it apears when the sites are hacked
All the emails change passwords.. and the admin super user on joomla changes to: [ redacted ]
Best regards
Diego R
Last edited by toivo on Fri Apr 02, 2021 1:25 am, edited 1 time in total.
Reason: mod note: kudos removed - please read the forum rules from https://forum.joomla.org/viewtopic.php?f=8&t=65
Reason: mod note: kudos removed - please read the forum rules from https://forum.joomla.org/viewtopic.php?f=8&t=65
- toivo
- Joomla! Master
- Posts: 17443
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Joomla site hacked
@mochima, please stop posting names of hacks, hackers or hacking teams! That practice gives kudos to criminals peddling malware, which is against the rules of this forum.
Instead, please post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs so that our volunteer experts can review the configuration and provide advice.
Instead, please post the results from the Forum Post Assistant (FPA) by following the instructions at https://forumpostassistant.github.io/docs so that our volunteer experts can review the configuration and provide advice.
Toivo Talikka, Global Moderator
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla site hacked
Please follow the instructions on viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jan 15, 2008 1:00 am
Re: Joomla site hacked
We know how to recover the sites and databases.Webdongle wrote: ↑Fri Apr 02, 2021 9:07 amPlease follow the instructions on viewtopic.php?f=714&t=946026
We restore from backup on the reseller account for each one
I'm looking for a solution so this stops.. Does not happen again. We host 23 different Joomla sites.
When we recover we proceed to change to strong passwords to the server and the Joomla admin.
Thanks
- toivo
- Joomla! Master
- Posts: 17443
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Joomla site hacked
Passwords are not everything and restoring from a backup may not get rid of a vulnerability, unless it was introduced recently. Study the instructions provided by @Webdongle, they are based on experience.
There are also other possible reasons why a website gets hacked like obsolete and vulnerable extensions and outdated versions of Joomla.
Therefore posting the FPA results would be a chance to benefit from expert advice.
There are also other possible reasons why a website gets hacked like obsolete and vulnerable extensions and outdated versions of Joomla.
Therefore posting the FPA results would be a chance to benefit from expert advice.
Toivo Talikka, Global Moderator
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla site hacked
Either that or pay someone to clean your site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".