Code injection attacks on joomla 4 site

Discussion regarding Joomla! 4.x security issues.

sitesrus
Joomla! Ace
Posts: 1469
Joined: Mon Nov 12, 2012 10:48 pm

Code injection attacks on joomla 4 site

Post by sitesrus » Mon Nov 07, 2022 3:02 pm

After migrating, it appears we are now vulnerable to code exploits. Every week a generic exploit is being done to do the following,

1) modify our .htaccess file
2) modify our index.php file
3) upload files/folders under a wp-content folder
4) delete critical joomla files to disable our access

We know how to recover, this forum post is more about how is this happening in Joomla 4? We only have the latest extensions, latest J4, turned off any new features like API tokens, etc. The hosting is on cloudaccess.net and we've reached out to their team to disable more insecure PHP functions...

But this has never happened on previous J3 and below versions or on other hosting providers so wondering if others have had this happen recently and if there is a known security bug inside joomla or an extension?

The other problem can be 3rd party: we use widgetkit, joomshaper (template + addons), and akeeba, but I'd consider all these extensions top shelf and on top of this sort of thing.

I am hoping the hosting company allows us to disable more PHP functions, but any other suggestions on how we can plug this ourselves? We have no front-end features, just an informational site, so this really shouldn't be happening or possible.

Mitigation steps already done each time:

1) Restore from old backup
2) Make sure all files/folders permissions are correct
3) htpasswd protect admin area + use MFA on super user accounts
- change super user account passwords
4) change hosting passwords for all accounts (ssh/ftp/sql, update joomla config accordingly)
5) Behind cloudflare, set more aggressive security policies (ie high vs medium/low security settings)
6) Re-install joomla core, extensions, remove any compromised files

So we need some power user help here or maybe I should just switch hosting?
I like working with Joomla :). I offer the following professional services: Custom extension development, SEO/marketing, maintenance/support, security and WCAG audits, and will work on websites at a reasonable rate.

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Code injection attacks on joomla 4 site

Post by pe7er » Mon Nov 07, 2022 4:00 pm

Do you have the access logs of your server from the day that hackers are active (like modifying files) ?
Could you check in those access logs if they are using some backdoor PHP script on your server?
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

Per Yngve Berg
Joomla! Master
Posts: 30892
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Code injection attacks on joomla 4 site

Post by Per Yngve Berg » Mon Nov 07, 2022 5:25 pm

wp-content is not a Joomla folder. Are you running WP in the same account?

Webdongle
Joomla! Master
Posts: 44073
Joined: Sat Apr 05, 2008 9:58 pm

Re: Code injection attacks on joomla 4 site

Post by Webdongle » Mon Nov 07, 2022 5:52 pm

sitesrus wrote (Mon Nov 07, 2022 3:02 pm):
> ...
> We know how to recover, this forum post is more about how is this happening in Joomla 4?...

1. Then you know you need to ALL folders/files including the WP ones as well?
2. You know that you need to follow the same steps for WP as well as Joomla?
3. What you probably don't know is that if WP is on the same server as Joomla then it is most likely WP that was the 'open door' for the hack?
4. Are you using a managed server or are you managing the server yourself?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

sitesrus
Joomla! Ace
Posts: 1469
Joined: Mon Nov 12, 2012 10:48 pm

Re: Code injection attacks on joomla 4 site

Post by sitesrus » Mon Nov 07, 2022 6:38 pm

Sorry, I may have added confusion in my original post. I will clarify regarding wordpress,

This is not a WP site, it's a joomla site. The attacker is likely using wp/extension/custom PHP code and part of the injection attack includes adding the wp-content folder, modifying htaccess to allow access to all files they've added within that folder, and modifying our index.php joomla file. So these don't exist until after the attack. So there is nothing to do against the wp-content folder/sub files because they should not exist and are added by the attacker, when we fix the server these are 100% removed.

So WordPress is not in the same folder. I can only guess they are using some tool / WordPress attack tool someone crafted, and the injection indicates that because of the wp-content folder being added. Hopefully this clarifies any confusion from responses.

The server is hosted on linux under cloudaccess.net, which has Joomla affiliations but we aren't getting any useful support from them and they seem to just be giving generic tier 1 type support, and thinking of switching to VPS to at least harden the server ourselves.

The error logs in PHP look like you can see a bunch of failed attempts in their attack: running eval on code and using an XMLRPC client (maybe from WordPress) to open server connections and write files or interact with Joomla PHP code (can't tell which code) to push content onto the server. I see some originating IPs, and the website in the referrer (which can be faked) looked like some Chinese site.

Webdongle
Joomla! Master
Posts: 44073
Joined: Sat Apr 05, 2008 9:58 pm

Re: Code injection attacks on joomla 4 site

Post by Webdongle » Mon Nov 07, 2022 7:25 pm


Maradona
Joomla! Enthusiast
Posts: 154
Joined: Fri Aug 30, 2013 2:08 pm
Location: Argentina

Re: Code injection attacks on joomla 4 site

Post by Maradona » Mon Nov 07, 2022 7:31 pm

I think I've read somewhere about this wp-content in Joomla thing but can't remember where.
Is https://blog.sucuri.net/2019/05/htacces ... sites.html a relevant read to this topic?

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Code injection attacks on joomla 4 site

Post by pe7er » Mon Nov 07, 2022 8:51 pm

sitesrus wrote (Mon Nov 07, 2022 6:38 pm):
> This is not a WP site, it's a joomla site. The attacker is likely using wp/extension/custom PHP code and part of the injection attack includes adding the wp-content folder, modifying htaccess to allow access to all files they've added within that folder, and modifying our index.php joomla file. So these don't exist until after the attack. So there is nothing to do against the wp-content folder/sub files because they should not exist and are added by the attacker, when we fix the server these are 100% removed.

It's a bot, an automated script, that makes use of PHP backdoor scripts that have been added in the past.

> The error logs in PHP look like you can see a bunch of failed attempts in their attack, running eval on code and using an XMLRPC client (maybe from WordPress) to open server connections and write files or interact with Joomla PHP code (can't tell which code) to push content onto the server. I see some originating IPs and the website in the referrer (which can be faked) looked like some Chinese site.

In this case you don't need to check the error logs: those are all actions that did not work and generated errors.
You need the access log instead. Check the time of the changed files and/or the added wp-content folder. Check the access log around that time to see which scripts (non-Joomla files or files that have replaced original Joomla files) were requested, to find backdoor scripts.

Another method: install your hacked site locally. Install a clean Joomla (same version) with the same extensions alongside. Compare the hacked folder with the clean folder using a diff tool (like meld or WinMerge) and check all the different files. And check the /images/ folder for .php files.
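The log correlation pe7er describes, written out as an added example (this is not code from the thread and not Joomla tooling): take the mtimes of the tampered files, pull the access-log requests from the minutes leading up to each mtime, and keep the ones that POST to a PHP file that is not a Joomla entry point or that touch paths like wp-content/ or xmlrpc.php. A second function then lists everything the surfaced IPs ever requested, which is how you find the earlier visit that planted the backdoor. Assumptions: Apache "combined" log format, the three Joomla 4 entry points listed, and the sample log lines and mtimes, which are constructed (documentation IP ranges).

```python
"""Find the script behind a file change by lining up the web-server access log
with the modification times of the tampered files.

Added example, not tooling from the thread or from Joomla. Assumptions: Apache
"combined" log format, a Joomla 4 layout whose only legitimate PHP entry
points are the three below, and constructed sample log lines / mtimes.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache combined format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# PHP files a clean Joomla 4 site answers requests on. Any other .php target
# that responds is either an extension's own entry point or a backdoor.
KNOWN_ENTRYPOINTS = {"/index.php", "/administrator/index.php", "/api/index.php"}

# Paths that have no business on a Joomla-only host (wp-content, xmlrpc.php),
# or PHP under directories that should only hold uploads or generated files.
SUSPICIOUS = re.compile(r"/wp-content/|/xmlrpc\.php$|^/(images|media|cache|tmp)/.*\.php$", re.I)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]   # drop the query string
    return e


def suspicious_requests(log_lines, modified_files, window=timedelta(minutes=10)):
    """Requests in the `window` leading up to any tampered file's mtime that
    POST to a non-standard PHP file or hit a known-bad path.

    modified_files: iterable of (path, timezone-aware mtime). On the server this
    list comes from GNU find, e.g.
      find . -newermt '2022-11-05 00:00' -type f -printf '%p %TY-%Tm-%Td %TH:%TM\n'
    """
    hits = []
    for raw in log_lines:
        e = parse_line(raw)
        if e is None:
            continue
        if not any(mt - window <= e["ts"] <= mt for _, mt in modified_files):
            continue
        odd_php = e["path"].endswith(".php") and e["path"] not in KNOWN_ENTRYPOINTS
        if (e["method"] == "POST" and odd_php) or SUSPICIOUS.search(e["path"]):
            hits.append((e["ts"].isoformat(), e["ip"], e["method"], e["path"], e["status"]))
    return hits


def requests_from(log_lines, ips):
    """Every parsed request from the given IPs, oldest first. Run this on the
    addresses that suspicious_requests() surfaced: the backdoor is usually
    planted well before the visible damage, and this shows when."""
    rows = [e for e in map(parse_line, log_lines) if e and e["ip"] in ips]
    return sorted(rows, key=lambda e: e["ts"])


# Constructed sample data (not real logs): the earliest line is the planting
# visit, a day before the defacement that the mtimes below belong to.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Nov/2022:22:00:00 +0000] "POST /images/stories/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.28"',
    '203.0.113.7 - - [05/Nov/2022:03:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2022:03:15:40 +0000] "POST /images/stories/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.28"',
    '198.51.100.9 - - [05/Nov/2022:03:16:05 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2022:03:17:11 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.28"',
]
MODIFIED = [
    ("/.htaccess", datetime(2022, 11, 5, 3, 18, 0, tzinfo=timezone.utc)),
    ("/index.php", datetime(2022, 11, 5, 3, 18, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG, MODIFIED)
    for h in hits:
        print("suspect:", *h)
    for e in requests_from(SAMPLE_LOG, {h[1] for h in hits}):
        print("history:", e["ts"].isoformat(), e["method"], e["path"], e["status"])
```

Two caveats when running this against a real host: the legitimate login POST to /index.php in the sample is deliberately not flagged, so keep the entry-point set honest for your extensions (some ship their own .php endpoints), and mtimes can be reset with touch, so the time window is a starting point, not proof; a content-hash comparison against a clean install is the complementary check.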

sitesrus
Joomla! Ace
Posts: 1469
Joined: Mon Nov 12, 2012 10:48 pm

Re: Code injection attacks on joomla 4 site

Post by sitesrus » Mon Nov 07, 2022 9:41 pm

Ah this is a good idea, see what is different.

I am thinking of just moving to a VPS, docker, or setup like AWS beanstalk to configure the server ourselves easily and harden it so we don't have issues like this.

It would be nice if there was a simple way to compare or detect changes in Joomla using git + contents of files on the server; doesn't WordPress do this in the admin area? Checking checksums and added files would all be a good idea here, and the same with extensions, to confirm any alterations.

Without it, it sounds like it will take me a while to do this approach.
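The checksum comparison sitesrus asks about, as an added example (not code from the thread, and not a Joomla feature): hash every file under a tree into a manifest, keep the manifest of the clean install off the web server, and after an incident diff it against a fresh manifest of the live site. It reports added, removed and modified files and separately lists PHP under directories that should only ever hold uploads. Committing the clean tree to git and running git status later gives the same answer; this version needs nothing but Python on the host. Function names, the upload-directory list and the demo trees are assumptions of this example.

```python
"""Baseline-and-compare integrity check for a Joomla file tree.

Added example, not from the thread and not Joomla tooling. Function names,
the upload-directory list and the demo trees are assumptions.

Usage: build_manifest() on a freshly installed, known-clean tree and keep the
JSON somewhere the web server cannot write; after an incident, compare() the
saved baseline against a fresh manifest of the live site.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that legitimately receive uploads or generated files but should
# never hold server-side code. Typical Joomla 4 layout (assumption).
UPLOAD_DIRS = {"images", "media", "cache", "tmp", "logs"}
EXEC_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}


def build_manifest(root):
    """Map every file under root (POSIX relative path) to its SHA-256 hex digest.
    Content hashes rather than mtimes: an intruder can reset mtimes with touch."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Files added, removed and modified between two manifests."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def executable_in_upload_dirs(manifest):
    """PHP-like files under directories that should only hold uploads."""
    return sorted(
        rel for rel in manifest
        if rel.split("/", 1)[0] in UPLOAD_DIRS and Path(rel).suffix.lower() in EXEC_SUFFIXES
    )


def make_demo_trees():
    """Constructed fixture: a small 'clean' tree and a tampered copy showing the
    four symptoms from the thread (edited .htaccess and index.php, a dropped
    wp-content folder, a deleted core file), plus a PHP file under images/."""
    clean_root = Path(tempfile.mkdtemp(prefix="joomla-clean-"))
    live_root = Path(tempfile.mkdtemp(prefix="joomla-live-"))
    clean = {
        "index.php": "<?php // Joomla site entry point\n",
        ".htaccess": "RewriteEngine On\n",
        "administrator/index.php": "<?php // Joomla admin entry point\n",
        "libraries/loader.php": "<?php // autoloader\n",
        "images/logo.png": "not really a PNG\n",
    }
    for root in (clean_root, live_root):
        for rel, body in clean.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    # Tampering applied to the live copy only.
    (live_root / "index.php").write_text("<?php // tampered entry point\n")
    (live_root / ".htaccess").write_text("RewriteEngine Off\n")
    (live_root / "wp-content/uploads").mkdir(parents=True)
    (live_root / "wp-content/uploads/x.php").write_text("<?php // dropped file\n")
    (live_root / "images/stories").mkdir()
    (live_root / "images/stories/cache.php").write_text("<?php // dropped file\n")
    (live_root / "libraries/loader.php").unlink()
    return clean_root, live_root


if __name__ == "__main__":
    clean_root, live_root = make_demo_trees()
    baseline = build_manifest(clean_root)
    live = build_manifest(live_root)
    for kind, files in compare(baseline, live).items():
        for f in files:
            print(f"{kind:8s} {f}")
    for f in executable_in_upload_dirs(live):
        print(f"php-in-upload-dir {f}")
```

Expect noise from configuration.php, cache/ and logs/ on a live site; the point is that every entry in the diff needs a one-line explanation, and the ones you cannot explain are the files to open in an editor. Rebuild the baseline after every core or extension update, not just once.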

