Does this look like the site has indeed been hacked? Should I delete the site and make a fresh install?
I immediately updated to Joomla 4.2.3 (just released today) and changed passwords.
Then I ran the FPA and have posted the result, below the message from my webhost.
Site: https://www.seattlecuba.org/
Thanks in advance for any insights.
Chris
“[AMS Support] Hacked / Exploited Account - seattlecuba.org
AMS Computer Services <[email protected]>
Hello ______
A routine security check on the server found that your account - seattlecuba.org - was being actively exploited.
The malicious files:
/home/seattle/public_html/templates/cassiopeia/a.php
/home/seattle/public_html/templates/mine.php
were found to exist on your account. Due to the nature of these files, these have been removed from your hosting account.
Investigating this found that your account has an outdated Joomla! script
Account: seattlecuba.org
Script: Joomla
Installed Path: /home/seattle/public_html
Installed Version: 4.2.2
Latest Version: 4.2.3
Script Website: http://www.joomla.org
Whether the compromise happened because of the outdated Joomla! script, an admin password compromise, or some extension compromise - we really can't say.
You will need to update these scripts to the latest version. You will also need to update any components, extensions, or themes and ensure that everything stays up to date. You will want to be sure that you use only reputable, high-ranking extensions.
If we continue to receive compromise notices regarding your account, then we may have to suspend your account.
If your account has been compromised and you choose to try and clean it or fix it, do not be surprised if the account is suspended at a later date. If your account has been compromised, there is no way to know what all backdoors the hackers or malicious users left behind. You may succeed in temporarily fixing the issue, but unless you clean up all of the backdoor and other malicious code that may be injected around your account, then your account may get hacked and compromised again. We highly recommend that if your account is compromised, then you need to reset the account and start over from scratch. That is the only way you are going to be able to ensure that all backdoor and malicious code injections have been removed.
We wanted you to be aware of this.”
FPA result:
Forum Post Assistant (v1.6.5) : 27-Sep-2022
Basic Environment ::
Joomla! Instance :: Joomla! 4.2.3-Stable (Uaminifu) 27-September-2022
Joomla! Configured :: Yes | Read-Only (400) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: false | .htaccess/web.config: No | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: N/A | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 0 | Error Reporting: maximum | Site Debug: true | Language Debug: false | Default Access: Public | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 4.2.3: Yes | Database Supports J! 4.2.3: Yes | Database Credentials Present: Yes |
Host Configuration :: OS: Linux | OS Version: 3.10.0-1160.71.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 167.89 GiB |
PHP Configuration :: Version: 8.0.23 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: 0 | Error Reporting: 30709 | Log Errors To: /home/seattle/logs/ea-php80-php-fpm.log | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: No | Open Base: /home/seattle:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 50M | Max. POST Size: 80M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M
Database Configuration :: Version: 10.3.36-MariaDB (Client:mysqlnd 8.0.23) | Database Size: 9.46 MiB | #of Tables with config prefix: 75 | #of other Tables: 0 | User Privileges : GRANT ALL
Detailed Environment ::
PHP Extensions :: Core (8.0.23) | date (8.0.23) | libxml (8.0.23) | openssl (8.0.23) | pcre (8.0.23) | zlib (8.0.23) | filter (8.0.23) | hash (8.0.23) | json (8.0.23) | pcntl (8.0.23) | Reflection (8.0.23) | SPL (8.0.23) | session (8.0.23) | standard (8.0.23) | cgi-fcgi (8.0.23) | bcmath (8.0.23) | bz2 (8.0.23) | calendar (8.0.23) | ctype (8.0.23) | curl (8.0.23) | dom (20031129) | mbstring (8.0.23) | fileinfo (8.0.23) | ftp (8.0.23) | gd (8.0.23) | gettext (8.0.23) | gmp (8.0.23) | iconv (8.0.23) | imap (8.0.23) | intl (8.0.23) | exif (8.0.23) | mysqlnd (mysqlnd 8.0.23) | PDO (8.0.23) | Phar (8.0.23) | posix (8.0.23) | SimpleXML (8.0.23) | soap (8.0.23) | sockets (8.0.23) | sqlite3 (8.0.23) | tidy (8.0.23) | tokenizer (8.0.23) | xml (8.0.23) | xmlwriter (8.0.23) | xsl (8.0.23) | zip (1.19.5) | mysqli (8.0.23) | pdo_mysql (8.0.23) | pdo_sqlite (8.0.23) | xmlreader (8.0.23) | Zend OPcache (8.0.23) | Zend Engine (4.0.23) |
Potential Missing Extensions ::
Disabled Functions :: dl | system | exec | shell_exec | popen | passthru | proc_open | ini_restore | symlink | opcache_get_configuration | opcache_get_status | opcache_invalidate | opcache_is_script_cached | opcache_reset |
Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |
Elevated Permissions (First 10) ::
Database Information ::
Database statistics :: Uptime: 2156724 | Threads: 39 | Questions: 120485553 | Slow queries: 211 | Opens: 325319 | Flush tables: 1 | Open tables: 8192 | Queries per second avg: 55.865 |
Extensions Discovered ::
Components :: Site ::
Core ::
3rd Party::
Components :: Admin ::
Core :: com_cpanel (4.0.0) 1 | com_joomlaupdate (4.0.3) 1 | com_messages (4.0.0) 1 | com_config (4.0.0) 1 | com_languages (4.0.0) 1 | com_newsfeeds (4.0.0) 1 | com_ajax (4.0.0) 1 | com_login (4.0.0) 1 | com_banners (4.0.0) 1 | com_admin (4.0.0) 1 | com_workflow (4.0.0) 1 | com_users (4.0.0) 1 | com_mails (4.0.0) 1 | com_wrapper (4.0.0) 1 | com_menus (4.0.0) 1 | com_modules (4.0.0) 1 | com_checkin (4.0.0) 1 | com_installer (4.0.0) 1 | com_templates (4.0.0) 1 | com_categories (4.0.0) 1 | com_associations (4.0.0) 1 | com_content (4.0.0) 1 | com_actionlogs (3.9.0) 1 | com_media (3.0.0) 1 | com_fields (4.0.0) 1 | com_postinstall (4.0.0) 1 | com_contenthistory (4.0.0) 1 | com_plugins (4.0.0) 1 | com_cache (4.0.0) 1 | com_redirect (4.0.0) 1 | com_privacy (3.9.0) 1 | com_scheduler (4.1.0) 1 | com_tags (4.0.0) 1 | com_finder (4.0.0) 1 |
3rd Party:: com_akeebabackup (9.3.0) 1 |
Modules :: Site ::
Core :: mod_related_items (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_archive (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_login (3.0.0) 1 | mod_articles_news (3.0.0) 1 |
3rd Party::
Modules :: Admin ::
Core :: mod_frontend (4.0.0) 1 | mod_user (4.0.0) 1 | mod_logged (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_post_installation_messages (4.0.0) 1 | mod_feed (3.0.0) 1 | mod_version (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_title (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_privacy_status (4.0.0) 1 | mod_messages (4.0.0) 1 | mod_submenu (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_loginsupport (4.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_login (3.0.0) 1 | mod_latestactions (3.9.0) 1 |
3rd Party::
Libraries ::
Core ::
3rd Party::
Plugins ::
Core :: plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_media-action_rotate (4.0.0) 1 | plg_media-action_crop (4.0.0) 1 | plg_media-action_resize (4.0.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_subform (4.0.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_api-authentication_token (4.0.0) 1 | plg_api-authentication_basic (4.0.0) 0 | plg_system_jooa11y (4.2.0) 1 | plg_system_actionlogs (3.9.0) 1 | plg_system_httpheaders (4.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_fields (3.7.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_webauthn (4.0.0) 1 | plg_system_skipto (4.0.0) 1 | plg_system_schedulerunner (4.1) 1 | plg_system_logout (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_shortcut (4.2.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_sef (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_log (3.0.0) 1 | plg_system_accessibility (4.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_task_notification (4.1) 1 | 
plg_system_remember (3.0.0) 1 | plg_filesystem_local (4.0.0) 1 | plg_actionlog_joomla (3.9.0) 1 | plg_workflow_featuring (4.0.0) 1 | plg_workflow_publishing (4.0.0) 1 | plg_workflow_notification (4.0.0) 1 | plg_extension_finder (4.0.0) 1 | plg_extension_namespacemap (4.0.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_webservices_newsfeeds (4.0.0) 1 | plg_webservices_templates (4.0.0) 1 | plg_webservices_config (4.0.0) 1 | plg_webservices_modules (4.0.0) 1 | plg_webservices_media (4.1.0) 1 | plg_webservices_banners (4.0.0) 1 | plg_webservices_menus (4.0.0) 1 | plg_webservices_languages (4.0.0) 1 | plg_webservices_tags (4.0.0) 1 | plg_webservices_users (4.0.0) 1 | plg_webservices_messages (4.0.0) 1 | plg_webservices_redirect (4.0.0) 1 | plg_webservices_privacy (4.0.0) 1 | plg_webservices_installer (4.0.0) 1 | plg_webservices_plugins (4.0.0) 1 | plg_webservices_content (4.0.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (4.0.0) 1 | plg_installer_override (4.0.0) 1 | plg_installer_folderinstaller (3.6.0) 1 | plg_installer_urlinstaller (3.6.0) 1 | plg_task_check_files (4.1) 1 | plg_task_requests (4.1) 1 | plg_task_demo_tasks (4.1) 1 | plg_task_site_status (4.1) 1 | plg_user_terms (3.9.0) 0 | plg_user_token (3.9.0) 1 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_user_contactcreator (3.0.0) 0 | plg_captcha_recaptcha (3.4.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_multifactorauth_fixed (4.2.0) 0 | plg_multifactorauth_webauthn (4.2.0) 0 | plg_multifactorauth_yubikey (3.2.0) 0 | plg_multifactorauth_email (4.2.0) 0 | plg_multifactorauth_totp (3.2.0) 0 | plg_content_finder (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_loadmodule (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | 
plg_content_vote (3.0.0) 0 | plg_content_joomla (3.0.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_quickicon_downloadkey (4.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_overridecheck (4.0.0) 1 | plg_sampledata_multilang (4.0.0) 1 | plg_behaviour_taggable (4.0.0) 1 | plg_behaviour_versionable (4.0.0) 1 |
3rd Party:: plg_editors_tinymce (5.10.5) 1 | plg_editors_codemirror (5.65.6) 1 | PLG_QUICKICON_AKEEBABACKUP (9.3.0) 1 |
Templates Discovered ::
Templates :: Site :: cassiopeia (1.0) 1 |
Templates :: Admin :: atum (1.0) 1 |
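As an added example, not part of this post or of Joomla itself: a small integrity diff that, given a clean unpacked copy of the same Joomla release (the `Joomla_4.2.3` directory name is a hypothetical placeholder) and the live `public_html`, lists files that exist only in the live tree or whose contents differ from the clean copy. Stray PHP files in template folders, like the two the host named, surface in the "added" list; the sample trees below are constructed in a temporary directory.

```python
"""Added example (not from the forum post or Joomla): compare a live Joomla tree
against a clean copy of the same release and report files that were added or
changed. Stock releases contain no templates/cassiopeia/a.php or
templates/mine.php, so files like these appear under 'added'."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root: Path) -> dict:
    """Map POSIX-style relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(live: Path, reference: Path):
    """Return (added, modified): paths present only in the live tree, and paths
    whose content differs from the reference. Review 'added' PHP files against
    the installed extension list (e.g. Akeeba Backup in the FPA output), since
    legitimately installed third-party extensions also add files."""
    live_h, ref_h = file_hashes(live), file_hashes(reference)
    added = sorted(set(live_h) - set(ref_h))
    modified = sorted(p for p in live_h if p in ref_h and live_h[p] != ref_h[p])
    return added, modified


def demo():
    """Constructed sample trees standing in for the clean package and the live site."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "Joomla_4.2.3"), Path(tmp, "public_html")
        for root in (ref, live):
            (root / "templates/cassiopeia").mkdir(parents=True)
            (root / "templates/cassiopeia/templateDetails.xml").write_text("<extension/>")
        (ref / "templates/cassiopeia/index.php").write_text("<?php // stock\n")
        (live / "templates/cassiopeia/index.php").write_text("<?php // stock\n// edited\n")
        # The two paths the host reported, with constructed harmless contents.
        (live / "templates/cassiopeia/a.php").write_text("<?php // unexpected file\n")
        (live / "templates/mine.php").write_text("<?php // unexpected file\n")
        return compare_trees(live, ref)


if __name__ == "__main__":
    added, modified = demo()
    print("added:", added)
    print("modified:", modified)
```

Run it against a real site with `compare_trees(Path("/home/seattle/public_html"), Path("/path/to/unpacked/Joomla_4.2.3"))`; `configuration.php`, `images/` uploads and installed extensions will legitimately appear, so the value is in what remains after those are accounted for.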