I've gone to log in to a few of my sites that I have super administrator rights to and found I've been unable to log in.
When going into the backend of my database I've found the username for the super admin has been changed to "[redacted]_<random three letters>".
I've got a mix of both Joomla 4 and Joomla 3 sites that I host - all the sites are hosted on their own separate cPanel account through my reseller hosting account and each site has its own database with its own unique database password, the admin accounts also all have their own unique username and password (no site shares the same password).
I've noticed none of the Joomla 3 sites have been affected with this issue, only the Joomla 4 sites. The Joomla 4 sites that have been affected are all running templates from Joomlart - however I've asked Joomlart's tech team if they were aware of anything like this - and they said they've had no reports come in about it.
Up until recently I noticed the only sites that were affected were the ones without Akeeba LoginGuard installed, but the other day one of the sites with Akeeba LoginGuard had the username changed and the only user with permissions to change usernames (without directly accessing the database) would be the user protected by Akeeba LoginGuard - so either whatever is changing the usernames bypassed Akeeba LoginGuard or is just writing directly to the database - I have a feeling that it's writing directly to the database as the username change isn't even recorded in the site log.
I googled [redacted] (as the username always seems to be changed to [redacted]_<random letters>) and the only thing that came up was some kind of cPanel vulnerability. I also used Visual Studio to search through the entire site's code for any mention of [redacted] but also nothing.
The cPanel accounts are also protected with both a random password and 2FA too.
Has anyone else had this issue and why is it only targeting Joomla 4 sites with Joomlart templates - is there something in Joomla 4 that's causing this?
Here is the FPA from one of the affected sites...
Forum Post Assistant (v1.6.4) : 12-Jan-2022 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 4.0.5-Stable (Furaha) 11-December-2021
Joomla! Configured :: Yes | Writable (644) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: N/A | Proxy: N/A | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 4.0.5: Yes | Database Supports J! 4.0.5: Yes | Database Credentials Present: Yes |
Host Configuration :: OS: Linux | OS Version: 3.10.0-962.3.2.lve1.5.44.el7.x86_64 | Technology: x86_64 | Web Server: LiteSpeed | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 156.67 GiB |
PHP Configuration :: Version: 8.0.14 | PHP API: litespeed | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 32759 | Log Errors To: error_log | Last Known Error: 12th January 2022 07:23:52. | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: | Open Base: | Uploads: 1 | Max. Upload Size: 1024M | Max. POST Size: 1024M | Max. Input Time: 600 | Max. Execution Time: 300 | Memory Limit: 1024M
Database Configuration :: Version: 5.5.5-10.5.13-MariaDB-cll-lve (Client:mysqlnd 8.0.14) | Database Size: 24.88 MiB | #of Tables with config prefix: 72 | #of other Tables: 213 | User Privileges : GRANT ALL
Detailed Environment :: wrote:
PHP Extensions :: Core (8.0.14) | date (8.0.14) | libxml (8.0.14) | openssl (8.0.14) | pcre (8.0.14) | zlib (8.0.14) | filter (8.0.14) | hash (8.0.14) | json (8.0.14) | pcntl (8.0.14) | readline (8.0.14) | Reflection (8.0.14) | SPL (8.0.14) | session (8.0.14) | standard (8.0.14) | litespeed () | bcmath (8.0.14) | bz2 (8.0.14) | ctype (8.0.14) | curl (8.0.14) | dba (8.0.14) | dom (20031129) | enchant (8.0.14) | mbstring (8.0.14) | fileinfo (8.0.14) | ftp (8.0.14) | gd (8.0.14) | gettext (8.0.14) | gmp (8.0.14) | iconv (8.0.14) | imap (8.0.14) | ldap (8.0.14) | exif (8.0.14) | mysqlnd (mysqlnd 8.0.14) | odbc (8.0.14) | PDO (8.0.14) | pgsql (8.0.14) | Phar (8.0.14) | posix (8.0.14) | pspell (8.0.14) | shmop (8.0.14) | SimpleXML (8.0.14) | snmp (8.0.14) | soap (8.0.14) | sockets (8.0.14) | sqlite3 (8.0.14) | sysvmsg (8.0.14) | sysvsem (8.0.14) | sysvshm (8.0.14) | tokenizer (8.0.14) | xml (8.0.14) | xmlwriter (8.0.14) | xsl (8.0.14) | zip (1.19.5) | mysqli (8.0.14) | pdo_mysql (8.0.14) | PDO_ODBC (8.0.14) | pdo_pgsql (8.0.14) | pdo_sqlite (8.0.14) | xmlreader (8.0.14) | redis (5.3.2) | timezonedb (2021.5) | Zend OPcache (8.0.14) | Zend Engine (4.0.14) |
Potential Missing Extensions ::
Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |
Elevated Permissions (First 10) ::
Database Information :: wrote:
Database statistics :: Uptime: 1828478 | Threads: 43 | Questions: 4917678892 | Slow queries: 2662 | Opens: 12333397 | Open tables: 199999 | Queries per second avg: 2689.493 |
Extensions Discovered :: wrote:
Components :: Site ::
Core ::
3rd Party::
Components :: Admin ::
Core :: com_config (4.0.0) 1 | com_newsfeeds (4.0.0) 1 | com_categories (4.0.0) 1 | com_login (4.0.0) 1 | com_users (4.0.0) 1 | com_redirect (4.0.0) 1 | com_admin (4.0.0) 1 | com_cpanel (4.0.0) 1 | com_content (4.0.0) 1 | com_joomlaupdate (4.0.3) 1 | com_checkin (4.0.0) 1 | com_languages (4.0.0) 1 | com_banners (4.0.0) 1 | com_associations (4.0.0) 1 | com_menus (4.0.0) 1 | com_postinstall (4.0.0) 1 | com_tags (4.0.0) 1 | com_media (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_installer (4.0.0) 1 | com_workflow (4.0.0) 1 | com_privacy (3.9.0) 1 | com_finder (4.0.0) 1 | com_templates (4.0.0) 1 | com_ajax (4.0.0) 1 | com_cache (4.0.0) 1 | com_wrapper (4.0.0) 1 | com_mails (4.0.0) 1 | com_messages (4.0.0) 1 | com_plugins (4.0.0) 1 | com_contenthistory (4.0.0) 1 | com_modules (4.0.0) 1 | com_fields (4.0.0) 1 |
3rd Party:: com_jaextmanager (2.5.3) 1 | com_jaextmanager (2.7.1) 1 | LOGINGUARD (5.0.5) 1 |
Modules :: Site ::
Core :: mod_random_image (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_stats (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_news (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_custom (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_login (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_articles_categories (3.0.0) 1 |
3rd Party:: JA Quick Contact (2.7.0) 1 | MOD_JA_ACM (2.2.7) 1 | JA Masthead (1.1.2) 1 |
Modules :: Admin ::
Core :: mod_latest (3.0.0) 1 | mod_post_installation_messages (4.0.0) 1 | mod_user (4.0.0) 1 | mod_version (3.0.0) 1 | mod_privacy_status (4.0.0) 1 | mod_logged (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_latestactions (3.9.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_login (3.0.0) 1 | mod_loginsupport (4.0.0) 1 | mod_frontend (4.0.0) 1 | mod_messages (4.0.0) 1 | mod_menu (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_submenu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_toolbar (3.0.0) 1 |
3rd Party::
Libraries ::
Core ::
3rd Party::
Plugins ::
Core :: plg_actionlog_joomla (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_accessibility (4.0.0) 0 | plg_system_actionlogs (3.9.0) 0 | plg_system_sessiongc (3.8.6) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_log (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_logout (3.0.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_skipto (4.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_webauthn (4.0.0) 1 | plg_system_httpheaders (4.0.0) 0 | plg_media-action_crop (4.0.0) 1 | plg_media-action_rotate (4.0.0) 1 | plg_media-action_resize (4.0.0) 1 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_webservices_modules (4.0.0) 1 | plg_webservices_templates (4.0.0) 1 | plg_webservices_privacy (4.0.0) 1 | plg_webservices_config (4.0.0) 1 | plg_webservices_tags (4.0.0) 1 | plg_webservices_languages (4.0.0) 1 | plg_webservices_users (4.0.0) 1 | plg_webservices_messages (4.0.0) 1 | plg_webservices_installer (4.0.0) 1 | plg_webservices_banners (4.0.0) 1 | plg_webservices_plugins (4.0.0) 1 | plg_webservices_content (4.0.0) 1 | plg_webservices_menus (4.0.0) 1 | plg_webservices_redirect (4.0.0) 1 | plg_webservices_newsfeeds (4.0.0) 1 | plg_quickicon_downloadkey (4.0.0) 1 | plg_quickicon_overridecheck (4.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_sampledata_multilang (4.0.0) 
1 | plg_api-authentication_basic (4.0.0) 0 | plg_api-authentication_token (4.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_filesystem_local (4.0.0) 1 | plg_installer_folderinstaller (3.6.0) 1 | plg_installer_override (4.0.0) 1 | plg_installer_urlinstaller (3.6.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (4.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_content_vote (3.0.0) 0 | plg_content_emailcloak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_finder (3.0.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_behaviour_taggable (4.0.0) 1 | plg_behaviour_versionable (4.0.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_workflow_publishing (4.0.0) 1 | plg_workflow_featuring (4.0.0) 1 | plg_workflow_notification (4.0.0) 1 | plg_user_token (3.9.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_user_terms (3.9.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_subform (4.0.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_extension_finder (4.0.0) 1 | 
plg_extension_namespacemap (4.0.0) 1 |
3rd Party:: PLG_ACTIONLOG_LOGINGUARD (5.0.5) 1 | plg_system_t4 (2.0.9) 1 | System - JA Google Map (2.7.2) 1 | PLG_SYSTEM_LOGINGUARD (5.0.5) 1 | PLG_USER_LOGINGUARD (5.0.5) 1 | plg_editors_codemirror (5.64.0) 1 | plg_editors_tinymce (5.10.2) 1 | PLG_LOGINGUARD_EMAIL (5.0.5) 1 | PLG_LOGINGUARD_FIXED (5.0.5) 0 | PLG_LOGINGUARD_PUSHBULLET (5.0.5) 0 | PLG_LOGINGUARD_SMSAPI (5.0.5) 0 | PLG_LOGINGUARD_TOTP (5.0.5) 1 | PLG_LOGINGUARD_U2F (5.0.5) 1 | PLG_LOGINGUARD_WEBAUTHN (5.0.5) 1 | PLG_LOGINGUARD_YUBIKEY (5.0.5) 1 |
Templates Discovered :: wrote:
Templates :: Site :: cassiopeia (1.0) 0 | ja_ego (2.0.0) 1 |
Templates :: Admin :: atum (1.0) 1 |