Website was hacked - any insights? Topic is solved

Discussion regarding Joomla! 4.x security issues.

chrispforr
Joomla! Apprentice
Posts: 13
Joined: Thu Dec 21, 2006 4:46 am
Location: Cebu, Philippines

Website was hacked - any insights?

Post by chrispforr » Wed Sep 28, 2022 3:23 am

My webhost emailed me today with this alarming message (see below).
Does this look like the site has indeed been hacked? Should I delete the site and make a fresh install?
I immediately updated to Joomla 4.2.3 (just released today) and changed passwords.
Then I ran the FPA and have posted the result, below the message from my webhost.
Site: https://www.seattlecuba.org/
Thanks in advance for any insights.
Chris

“[AMS Support] Hacked / Exploited Account - seattlecuba.org
AMS Computer Services <staff@ams-salesandsupport.com>
Hello ______
A routine security check on the server found that your account - seattlecuba.org - was being actively exploited.
The malicious files:
/home/seattle/public_html/templates/cassiopeia/a.php
/home/seattle/public_html/templates/mine.php
were found to exist on your account. Due to the nature of these files, these have been removed from your hosting account.
Investigating this found that your account has an outdated Joomla! script
Account: seattlecuba.org
Script: Joomla
Installed Path: /home/seattle/public_html
Installed Version: 4.2.2
Latest Version: 4.2.3
Script Website: http://www.joomla.org
Whether the compromise happened because of the outdated Joomla! script, an admin password compromise, or some extension compromise - we really can't say.
You will need to update these scripts to the latest version. You will also need to update any components, extensions, or themes and ensure that everything stays up to date. You will want to be sure that you use only reputable, high-ranking extensions.
If we continue to receive compromise notices regarding your account, then we may have to suspend your account.
If your account has been compromised and you choose to try and clean it or fix it, do not be surprised if the account is suspended at a later date. If your account has been compromised, there is no way to know what all backdoors the hackers or malicious users left behind. You may succeed in temporarily fixing the issue, but unless you clean up all of the backdoor and other malicious code that may be injected around your account, then your account may get hacked and compromised again. We highly recommend that if your account is compromised, then you need to reset the account and start over from scratch. That is the only way you are going to be able to ensure that all backdoor and malicious code injections have been removed.
We wanted you to be aware of this.”

FPA result:
Forum Post Assistant (v1.6.5) : 27-Sep-2022
Basic Environment ::
Joomla! Instance :: Joomla! 4.2.3-Stable (Uaminifu) 27-September-2022
Joomla! Configured :: Yes | Read-Only (400) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: No | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: N/A | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: maximum | Site Debug: true | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 4.2.3: Yes | Database Supports J! 4.2.3: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-1160.71.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 167.89 GiB |

PHP Configuration :: Version: 8.0.23 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 30709 | Log Errors To: /home/seattle/logs/ea-php80-php-fpm.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: No | Open Base: /home/seattle:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 50M | Max. POST Size: 80M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

Database Configuration :: Version: 10.3.36-MariaDB (Client:mysqlnd 8.0.23) | Database Size: 9.46 MiB | #of Tables with config prefix:  75 | #of other Tables:  0 | User Privileges : GRANT ALL
Detailed Environment ::
PHP Extensions :: Core (8.0.23) | date (8.0.23) | libxml (8.0.23) | openssl (8.0.23) | pcre (8.0.23) | zlib (8.0.23) | filter (8.0.23) | hash (8.0.23) | json (8.0.23) | pcntl (8.0.23) | Reflection (8.0.23) | SPL (8.0.23) | session (8.0.23) | standard (8.0.23) | cgi-fcgi (8.0.23) | bcmath (8.0.23) | bz2 (8.0.23) | calendar (8.0.23) | ctype (8.0.23) | curl (8.0.23) | dom (20031129) | mbstring (8.0.23) | fileinfo (8.0.23) | ftp (8.0.23) | gd (8.0.23) | gettext (8.0.23) | gmp (8.0.23) | iconv (8.0.23) | imap (8.0.23) | intl (8.0.23) | exif (8.0.23) | mysqlnd (mysqlnd 8.0.23) | PDO (8.0.23) | Phar (8.0.23) | posix (8.0.23) | SimpleXML (8.0.23) | soap (8.0.23) | sockets (8.0.23) | sqlite3 (8.0.23) | tidy (8.0.23) | tokenizer (8.0.23) | xml (8.0.23) | xmlwriter (8.0.23) | xsl (8.0.23) | zip (1.19.5) | mysqli (8.0.23) | pdo_mysql (8.0.23) | pdo_sqlite (8.0.23) | xmlreader (8.0.23) | Zend OPcache (8.0.23) | Zend Engine (4.0.23) |
Potential Missing Extensions ::
Disabled Functions :: dl | system | exec | shell_exec | popen | passthru | proc_open | ini_restore | symlink | opcache_get_configuration | opcache_get_status | opcache_invalidate | opcache_is_script_cached | opcache_reset |

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 2156724 | Threads: 39 | Questions: 120485553 | Slow queries: 211 | Opens: 325319 | Flush tables: 1 | Open tables: 8192 | Queries per second avg: 55.865 |
Extensions Discovered ::
Components :: Site ::
Core ::
3rd Party::

Components :: Admin ::
Core :: com_cpanel (4.0.0) 1 | com_joomlaupdate (4.0.3) 1 | com_messages (4.0.0) 1 | com_config (4.0.0) 1 | com_languages (4.0.0) 1 | com_newsfeeds (4.0.0) 1 | com_ajax (4.0.0) 1 | com_login (4.0.0) 1 | com_banners (4.0.0) 1 | com_admin (4.0.0) 1 | com_workflow (4.0.0) 1 | com_users (4.0.0) 1 | com_mails (4.0.0) 1 | com_wrapper (4.0.0) 1 | com_menus (4.0.0) 1 | com_modules (4.0.0) 1 | com_checkin (4.0.0) 1 | com_installer (4.0.0) 1 | com_templates (4.0.0) 1 | com_categories (4.0.0) 1 | com_associations (4.0.0) 1 | com_content (4.0.0) 1 | com_actionlogs (3.9.0) 1 | com_media (3.0.0) 1 | com_fields (4.0.0) 1 | com_postinstall (4.0.0) 1 | com_contenthistory (4.0.0) 1 | com_plugins (4.0.0) 1 | com_cache (4.0.0) 1 | com_redirect (4.0.0) 1 | com_privacy (3.9.0) 1 | com_scheduler (4.1.0) 1 | com_tags (4.0.0) 1 | com_finder (4.0.0) 1 |
3rd Party:: com_akeebabackup (9.3.0) 1 |

Modules :: Site ::
Core :: mod_related_items (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_archive (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_articles_news (3.0.0) 1 |
3rd Party::

Modules :: Admin ::
Core :: mod_frontend (4.0.0) 1 | mod_user (4.0.0) 1 | mod_logged (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_post_installation_messages (4.0.0) 1 | mod_feed (3.0.0) 1 | mod_version (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_privacy_status (4.0.0) 1 | mod_messages (4.0.0) 1 | mod_submenu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_loginsupport (4.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_login (3.0.0) 1 | mod_latestactions (3.9.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party::

Plugins ::
Core :: plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_media-action_rotate (4.0.0) 1 | plg_media-action_crop (4.0.0) 1 | plg_media-action_resize (4.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_subform (4.0.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_api-authentication_token (4.0.0) 1 | plg_api-authentication_basic (4.0.0) 0 | plg_system_jooa11y (4.2.0) 1 | plg_system_actionlogs (3.9.0) 1 | plg_system_httpheaders (4.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_fields (3.7.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_webauthn (4.0.0) 1 | plg_system_skipto (4.0.0) 1 | plg_system_schedulerunner (4.1) 1 | plg_system_logout (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_shortcut (4.2.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_accessibility (4.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_task_notification (4.1) 1 | 
plg_system_remember (3.0.0) 1 | plg_filesystem_local (4.0.0) 1 | plg_actionlog_joomla (3.9.0) 1 | plg_workflow_featuring (4.0.0) 1 | plg_workflow_publishing (4.0.0) 1 | plg_workflow_notification (4.0.0) 1 | plg_extension_finder (4.0.0) 1 | plg_extension_namespacemap (4.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_webservices_newsfeeds (4.0.0) 1 | plg_webservices_templates (4.0.0) 1 | plg_webservices_config (4.0.0) 1 | plg_webservices_modules (4.0.0) 1 | plg_webservices_media (4.1.0) 1 | plg_webservices_banners (4.0.0) 1 | plg_webservices_menus (4.0.0) 1 | plg_webservices_languages (4.0.0) 1 | plg_webservices_tags (4.0.0) 1 | plg_webservices_users (4.0.0) 1 | plg_webservices_messages (4.0.0) 1 | plg_webservices_redirect (4.0.0) 1 | plg_webservices_privacy (4.0.0) 1 | plg_webservices_installer (4.0.0) 1 | plg_webservices_plugins (4.0.0) 1 | plg_webservices_content (4.0.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (4.0.0) 1 | plg_installer_override (4.0.0) 1 | plg_installer_folderinstaller (3.6.0) 1 | plg_installer_urlinstaller (3.6.0) 1 | plg_task_check_files (4.1) 1 | plg_task_requests (4.1) 1 | plg_task_demo_tasks (4.1) 1 | plg_task_site_status (4.1) 1 | plg_user_terms (3.9.0) 0 | plg_user_token (3.9.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_multifactorauth_fixed (4.2.0) 0 | plg_multifactorauth_webauthn (4.2.0) 0 | plg_multifactorauth_yubikey (3.2.0) 0 | plg_multifactorauth_email (4.2.0) 0 | plg_multifactorauth_totp (3.2.0) 0 | plg_content_finder (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | 
plg_content_vote (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_quickicon_downloadkey (4.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_overridecheck (4.0.0) 1 | plg_sampledata_multilang (4.0.0) 1 | plg_behaviour_taggable (4.0.0) 1 | plg_behaviour_versionable (4.0.0) 1 |
3rd Party:: plg_editors_tinymce (5.10.5) 1 | plg_editors_codemirror (5.65.6) 1 | PLG_QUICKICON_AKEEBABACKUP (9.3.0) 1 |
Templates Discovered ::
Templates :: Site :: cassiopeia (1.0) 1 |
Templates :: Admin :: atum (1.0) 1 |
Last edited by toivo on Wed Sep 28, 2022 4:07 am, edited 2 times in total.
Reason: mod note: retitled
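A defender-side check for the kind of files the host reported, namely entries at the templates/ root or inside a template folder that the template's own templateDetails.xml manifest does not declare. This is an added example, not code from this thread or from the Joomla project; the manifest and directory tree are constructed samples (the manifest is trimmed, not the real cassiopeia one), and only the two filenames a.php and mine.php are taken from the host's notice.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed, trimmed manifest in Joomla's templateDetails.xml layout (not the real cassiopeia file).
MANIFEST = """<extension type="template" client="site" method="upgrade">
  <name>cassiopeia</name>
  <files>
    <filename>index.php</filename>
    <filename>error.php</filename>
    <filename>templateDetails.xml</filename>
    <folder>html</folder>
  </files>
</extension>"""

def declared_entries(manifest_path):
    """Top-level files and folders the template's manifest says should exist."""
    files = ET.parse(manifest_path).getroot().find("files")
    return {e.text.strip() for e in files if e.tag in ("filename", "folder")}

def audit_templates(templates_dir):
    """Return paths (relative to templates_dir) that no manifest accounts for."""
    findings = []
    for entry in sorted(os.listdir(templates_dir)):
        path = os.path.join(templates_dir, entry)
        if os.path.isfile(path):
            # templates/ itself should hold only template folders and index.html
            if entry != "index.html":
                findings.append(entry)
            continue
        manifest = os.path.join(path, "templateDetails.xml")
        if not os.path.isfile(manifest):
            findings.append(entry + "/ (no templateDetails.xml)")
            continue
        declared = declared_entries(manifest)
        findings.extend(f"{entry}/{n}" for n in sorted(os.listdir(path))
                        if n not in declared)
    return findings

def build_sample():
    """Constructed templates/ tree containing the two filenames the host reported."""
    base = tempfile.mkdtemp()
    tdir = os.path.join(base, "templates", "cassiopeia")
    os.makedirs(os.path.join(tdir, "html"))
    with open(os.path.join(tdir, "templateDetails.xml"), "w") as fh:
        fh.write(MANIFEST)
    for name in ("index.php", "error.php", "a.php"):  # a.php is the planted file
        open(os.path.join(tdir, name), "w").close()
    for name in ("index.html", "mine.php"):  # mine.php is the planted file
        open(os.path.join(base, "templates", name), "w").close()
    return os.path.join(base, "templates")
```

Run against a real install as audit_templates("/path/to/public_html/templates"); anything it lists is either a local customisation you recognise or a file to investigate and compare against a clean copy of the template.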

toivo
Joomla! Master
Posts: 15239
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Website was hacked - any insights?

Post by toivo » Wed Sep 28, 2022 4:05 am

chrispforr wrote on Wed Sep 28, 2022 3:23 am:
SEF ReWrite: false | .htaccess/web.config: No
Enable SEF URLs by saving the file htaccess.txt as .htaccess and then setting the options 'Search Engine Friendly URLs' and 'Use URL Rewriting' in Global Configuration - Site - SEO.

The rewriting rules in the .htaccess file act as the first line of defence against malicious requests. A security extension, for example Akeeba's Admin Tools, will scan the incoming requests and improve the security of the website.

chrispforr wrote on Wed Sep 28, 2022 3:23 am:
Allow url fopen: No
Ask your host to change the following directive in the php.ini file to its default value, as shown here:

Code:
allow_url_fopen = On
Toivo Talikka, Global Moderator

chrispforr

Re: Website was hacked - any insights?

Post by chrispforr » Wed Sep 28, 2022 4:26 am

Thank you, Toivo, for your quick response & recommendations.
I've done everything you suggested.
Do you recommend that I delete the site and reinstall, or just wait & see?
Chris

toivo

Re: Website was hacked - any insights?

Post by toivo » Wed Sep 28, 2022 4:50 am

The recommendation at this Security in Joomla! 4.x forum is to clean and reinstall everything to make sure that no backdoors are left in place.

There are also online services available to audit and identify extra files and modified files, for example Phil Taylor's mysite.guru, where the first audit has been free and now it looks like the first month is free.
Toivo Talikka, Global Moderator

chrispforr

Re: Website was hacked - any insights?

Post by chrispforr » Wed Sep 28, 2022 5:40 am

Thank you for further advice, Toivo!

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1310
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: Website was hacked - any insights?

Post by PhilTaylor-Prazgod » Wed Sep 28, 2022 9:11 am

toivo wrote: for example Phil Taylor's mysite.guru,
Just to be clear, the correct domain name is plural: mySites.guru is the correct domain name.
Phil Taylor
Founder, Lead Developer, Idiot.
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/