Website was hacked - any insights? Topic is solved

[chrispforr]

My webhost emailed me today with this alarming message (see below).
Does this look like the site has indeed been hacked? Should I delete the site and make a fresh install?
I immediately updated to Joomla 4.2.3 (just released today) and changed passwords.
Then I ran the FPA and have posted the result, below the message from my webhost.
Site: https://www.seattlecuba.org/
Thanks in advance for any insights.
Chris

“[AMS Support] Hacked / Exploited Account - seattlecuba.org
AMS Computer Services <[email protected]>
Hello ______
A routine security check on the server found that your account - seattlecuba.org - was being actively exploited.
The malicious files:
/home/seattle/public_html/templates/cassiopeia/a.php
/home/seattle/public_html/templates/mine.php
was found to exist on your account. Due to the nature of these files, these have been removed from your hosting account.
Investigating this found that your account has an outdated Joomla! script
Account: seattlecuba.org
Script: Joomla
Installed Path: /home/seattle/public_html
Installed Version: 4.2.2
Latest Version: 4.2.3
Script Website: http://www.joomla.org
Whether the compromise happened because of the outdated Joomla! script, an admin password compromise, or some extension compromise - we really can't say.
You will need to update these scripts to the latest version. You will also need to update any components, extensions, or themes and insure that everything stays up to date. You will want to be sure that you use only reputable, high-ranking extensions.
If we continue to receive compromise notices regarding your account, then we may have to suspend your account.
If your account has been compromised and you choose to try and clean it or fix it, do not be surprised if the account is suspended at a later date. If your account has been compromised, there is no way to know what all backdoors the hackers or malicious users left behind. You may succeed in temporarily fixing the issue, but unless you clean up all of the backdoor and other malicious code that may be injected around your account, then your account may get hacked and compromised again. We highly recommend that if your account is compromised, then you need to reset the account and start over from scratch. That is the only way you are going be able to insure that all backdoor and malicious code injections have been removed.
We wanted you to be aware of this.”

FPA result:

Joomla! Instance :: Joomla! 4.2.3-Stable (Uaminifu) 27-September-2022
Joomla! Configured :: Yes | Read-Only (400) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: No | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: N/A | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: maximum | Site Debug: true | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 4.2.3: Yes | Database Supports J! 4.2.3: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-1160.71.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 167.89 GiB |

PHP Configuration :: Version: 8.0.23 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 30709 | Log Errors To: /home/seattle/logs/ea-php80-php-fpm.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: No | Open Base: /home/seattle:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 50M | Max. POST Size: 80M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

Database Configuration :: Version: 10.3.36-MariaDB (Client:mysqlnd 8.0.23) | Database Size: 9.46 MiB | #of Tables with config prefix:  75 | #of other Tables:  0 | User Privileges : GRANT ALL

PHP Extensions :: Core (8.0.23) | date (8.0.23) | libxml (8.0.23) | openssl (8.0.23) | pcre (8.0.23) | zlib (8.0.23) | filter (8.0.23) | hash (8.0.23) | json (8.0.23) | pcntl (8.0.23) | Reflection (8.0.23) | SPL (8.0.23) | session (8.0.23) | standard (8.0.23) | cgi-fcgi (8.0.23) | bcmath (8.0.23) | bz2 (8.0.23) | calendar (8.0.23) | ctype (8.0.23) | curl (8.0.23) | dom (20031129) | mbstring (8.0.23) | fileinfo (8.0.23) | ftp (8.0.23) | gd (8.0.23) | gettext (8.0.23) | gmp (8.0.23) | iconv (8.0.23) | imap (8.0.23) | intl (8.0.23) | exif (8.0.23) | mysqlnd (mysqlnd 8.0.23) | PDO (8.0.23) | Phar (8.0.23) | posix (8.0.23) | SimpleXML (8.0.23) | soap (8.0.23) | sockets (8.0.23) | sqlite3 (8.0.23) | tidy (8.0.23) | tokenizer (8.0.23) | xml (8.0.23) | xmlwriter (8.0.23) | xsl (8.0.23) | zip (1.19.5) | mysqli (8.0.23) | pdo_mysql (8.0.23) | pdo_sqlite (8.0.23) | xmlreader (8.0.23) | Zend OPcache (8.0.23) | Zend Engine (4.0.23) |
Potential Missing Extensions ::
Disabled Functions :: dl | system | exec | shell_exec | popen | passthru | proc_open | ini_restore | symlink | opcache_get_configuration | opcache_get_status | opcache_invalidate | opcache_is_script_cached | opcache_reset |

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::

Database statistics :: Uptime: 2156724 | Threads: 39 | Questions: 120485553 | Slow queries: 211 | Opens: 325319 | Flush tables: 1 | Open tables: 8192 | Queries per second avg: 55.865 |

Components :: Site ::
Core ::
3rd Party::

Components :: Admin ::
Core :: com_cpanel (4.0.0) 1 | com_joomlaupdate (4.0.3) 1 | com_messages (4.0.0) 1 | com_config (4.0.0) 1 | com_languages (4.0.0) 1 | com_newsfeeds (4.0.0) 1 | com_ajax (4.0.0) 1 | com_login (4.0.0) 1 | com_banners (4.0.0) 1 | com_admin (4.0.0) 1 | com_workflow (4.0.0) 1 | com_users (4.0.0) 1 | com_mails (4.0.0) 1 | com_wrapper (4.0.0) 1 | com_menus (4.0.0) 1 | com_modules (4.0.0) 1 | com_checkin (4.0.0) 1 | com_installer (4.0.0) 1 | com_templates (4.0.0) 1 | com_categories (4.0.0) 1 | com_associations (4.0.0) 1 | com_content (4.0.0) 1 | com_actionlogs (3.9.0) 1 | com_media (3.0.0) 1 | com_fields (4.0.0) 1 | com_postinstall (4.0.0) 1 | com_contenthistory (4.0.0) 1 | com_plugins (4.0.0) 1 | com_cache (4.0.0) 1 | com_redirect (4.0.0) 1 | com_privacy (3.9.0) 1 | com_scheduler (4.1.0) 1 | com_tags (4.0.0) 1 | com_finder (4.0.0) 1 |
3rd Party:: com_akeebabackup (9.3.0) 1 |

Modules :: Site ::
Core :: mod_related_items (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_archive (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_articles_news (3.0.0) 1 |
3rd Party::

Modules :: Admin ::
Core :: mod_frontend (4.0.0) 1 | mod_user (4.0.0) 1 | mod_logged (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_post_installation_messages (4.0.0) 1 | mod_feed (3.0.0) 1 | mod_version (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_privacy_status (4.0.0) 1 | mod_messages (4.0.0) 1 | mod_submenu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_loginsupport (4.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_login (3.0.0) 1 | mod_latestactions (3.9.0) 1 |
3rd Party::

Libraries ::
Core ::
3rd Party::

Plugins ::
Core :: plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_media-action_rotate (4.0.0) 1 | plg_media-action_crop (4.0.0) 1 | plg_media-action_resize (4.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_subform (4.0.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_api-authentication_token (4.0.0) 1 | plg_api-authentication_basic (4.0.0) 0 | plg_system_jooa11y (4.2.0) 1 | plg_system_actionlogs (3.9.0) 1 | plg_system_httpheaders (4.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_fields (3.7.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_webauthn (4.0.0) 1 | plg_system_skipto (4.0.0) 1 | plg_system_schedulerunner (4.1) 1 | plg_system_logout (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_shortcut (4.2.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_accessibility (4.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_task_notification (4.1) 1 | plg_system_remember (3.0.0) 1 | plg_filesystem_local (4.0.0) 1 | plg_actionlog_joomla (3.9.0) 1 | plg_workflow_featuring (4.0.0) 1 | plg_workflow_publishing (4.0.0) 1 | plg_workflow_notification (4.0.0) 1 | plg_extension_finder (4.0.0) 1 | plg_extension_namespacemap (4.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_webservices_newsfeeds (4.0.0) 1 | plg_webservices_templates (4.0.0) 1 | plg_webservices_config (4.0.0) 1 | plg_webservices_modules (4.0.0) 1 | plg_webservices_media (4.1.0) 1 | plg_webservices_banners (4.0.0) 1 | plg_webservices_menus (4.0.0) 1 | plg_webservices_languages (4.0.0) 1 | plg_webservices_tags (4.0.0) 1 | plg_webservices_users (4.0.0) 1 | plg_webservices_messages (4.0.0) 1 | plg_webservices_redirect (4.0.0) 1 | plg_webservices_privacy (4.0.0) 1 | plg_webservices_installer (4.0.0) 1 | plg_webservices_plugins (4.0.0) 1 | plg_webservices_content (4.0.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (4.0.0) 1 | plg_installer_override (4.0.0) 1 | plg_installer_folderinstaller (3.6.0) 1 | plg_installer_urlinstaller (3.6.0) 1 | plg_task_check_files (4.1) 1 | plg_task_requests (4.1) 1 | plg_task_demo_tasks (4.1) 1 | plg_task_site_status (4.1) 1 | plg_user_terms (3.9.0) 0 | plg_user_token (3.9.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_multifactorauth_fixed (4.2.0) 0 | plg_multifactorauth_webauthn (4.2.0) 0 | plg_multifactorauth_yubikey (3.2.0) 0 | plg_multifactorauth_email (4.2.0) 0 | plg_multifactorauth_totp (3.2.0) 0 | plg_content_finder (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_vote (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_quickicon_downloadkey (4.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_overridecheck (4.0.0) 1 | plg_sampledata_multilang (4.0.0) 1 | plg_behaviour_taggable (4.0.0) 1 | plg_behaviour_versionable (4.0.0) 1 |
3rd Party:: plg_editors_tinymce (5.10.5) 1 | plg_editors_codemirror (5.65.6) 1 | PLG_QUICKICON_AKEEBABACKUP (9.3.0) 1 |

Templates :: Site :: cassiopeia (1.0) 1 |
Templates :: Admin :: atum (1.0) 1 |

[toivo]

SEF ReWrite: false | .htaccess/web.config: No

Enable SEF URLs by saving the file htaccess.txt as .htaccess and then setting the options 'Search Engine Friendly URLs' and 'Use URL Rewriting' in Global Configuration - Site - SEO.

The rewriting rules in the .htaccess file act as the first line of defence against malicious requests. A security extension, for example Akeeba's Admin Tools, will scan the incoming requests and improve the security of the website.

Allow url fopen: No

Ask your host to change the following directive in the php.ini file to its default value, as shown here:

Code: Select all

allow_url_fopen = On

[chrispforr]

Thank you Toivo,
For your quick response & recommendations.
I've done everything you suggested.
Do you recommend that I delete the site and reinstall, or just wait & see?
Chris

[toivo]

The recommendation at this Security in Joomla! 4.x forum is to clean and reinstall everything to make sure that no backdoors are left in place.

There are also online services available to audit and identify extra files and modified files, for example Phil Taylor's mysite.guru, where the first audit has been free and now it looks like the first month is free.

[chrispforr]

Thank you for further advice, Toivo!

[PhilTaylor-Prazgod]

for example Phil Taylor's mysite.guru,

Just to be clear, the correct domain name is plural, mySites.guru is the correct domain name.