Code injection attacks on joomla 4 site
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
- sitesrus
- Joomla! Ace
- Posts: 1469
- Joined: Mon Nov 12, 2012 10:48 pm
Code injection attacks on joomla 4 site
After migrating, it appears we are now vulnerable to code exploits. Every week a generic exploit is being done to do the following,
1) modify our .htaccess file
2) modify our index.php file
3) upload files/folders under a wp-content folder
4) delete critical joomla files to disable our access
We know how to recover, this forum post is more about how is this happening in Joomla 4? We only have latest extensions, latest J4, turned off any new features like API tokens and etc. The hosting is on cloudaccess.net and we've reached out to their team to disable more insecure PHP functions...
But this has never happened on previous J3 and below versions or on other hosting providers so wondering if others have had this happen recently and if there is a known security bug inside joomla or an extension?
Other problem can be 3rd party, we use widgetkit, joomshaper (template + addons), and akeeba but I'd consider all these extensions top shelf and on top of this sort of thing?
I am hoping the hosting company allows us to disable more PHP functions but any other suggestions on how we can plug this ourselves, we have no front end features just informational site so this really shouldn't be happening or possible.
Mitigation steps already done each time,
1) Restore from old backup
2) Make sure all files/folders permissions are correct
3) htpasswd protect admin area + use MFA on super user accounts
- change super user account passwords
4) change hosting passwords for all accounts (ssh/ftp/sql, update joomla config accordingly)
5) Behind cloudflare, set more aggressive security policies (ie high vs medium/low security settings)
6) Re-install joomla core, extensions, remove any compromised files
So we need some power user help here or maybe I should just switch hosting?
I like working with Joomla . I offer the following professional services: Custom extension development, SEO/marketing, maintenance/support, security and WCAG audits, and will work on websites at a reasonable rate.
- pe7er
- Joomla! Master
- Posts: 24974
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Code injection attacks on joomla 4 site
Do you have the access logs of your server from the day that hackers are active (like modifying files) ?
Could you check in those access logs if they are using some backdoor PHP script on your server?
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- Per Yngve Berg
- Joomla! Master
- Posts: 30892
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Code injection attacks on joomla 4 site
wp-content is not a Joomla folder. Are you running WP in the same account?
- Webdongle
- Joomla! Master
- Posts: 44073
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Code injection attacks on joomla 4 site
1. Then you know you need to ALL folders/files including the WP ones as well?
2. You know that you need to follow the same steps for WP as well as Joomla?
3. What you probably don't know is that if WP is on the same server as Joomla then it is most likely WP that was the 'open door' for the hack?
4. Are you using a managed server or are you managing the server yourself?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- sitesrus
- Joomla! Ace
- Posts: 1469
- Joined: Mon Nov 12, 2012 10:48 pm
Re: Code injection attacks on joomla 4 site
Sorry, I may have added confusion in my original post. I will clarify regarding wordpress,
This is not a WP site, it's a joomla site. The attacker is likely using wp/extension/custom PHP code and part of the injection attack includes adding the wp-content folder, modifying htaccess to allow access to all files they've added within that folder, and modifying our index.php joomla file. So these don't exist until after the attack. So there is nothing to do against the wp-content folder/sub files because they should not exist and are added by the attacker, when we fix the server these are 100% removed.
So WordPress is not on the same folder. I can only guess they are using some tool / WordPress attack tool someone crafted and the injection indicates that because of the wp-content folder being added. Hopefully this clarifies any confusion from responses.
The server is hosted on linux under cloudaccess.net, which has Joomla affiliations but we aren't getting any useful support from them and they seem to just be giving generic tier 1 type support, and thinking of switching to VPS to at least harden the server ourselves.
The error logs in PHP look like you can see a bunch of failed attempts in their attack, running eval on code and using XMLRPC client (maybe from WordPress) to open server connections and write files or interact with Joomla PHP code (can't tell which code) to push content onto the server. I see some originating IPs and the website in the referrer (which can be faked) looked like some Chinese site.
I like working with Joomla . I offer the following professional services: Custom extension development, SEO/marketing, maintenance/support, security and WCAG audits, and will work on websites at a reasonable rate.
- Webdongle
- Joomla! Master
- Posts: 44073
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Code injection attacks on joomla 4 site
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- Maradona
- Joomla! Enthusiast
- Posts: 154
- Joined: Fri Aug 30, 2013 2:08 pm
- Location: Argentina
Re: Code injection attacks on joomla 4 site
I think I've read it somewhere about this wp-content in Joomla thing but can't remember where.
Is https://blog.sucuri.net/2019/05/htacces ... sites.html a relevant read to this topic?
- pe7er
- Joomla! Master
- Posts: 24974
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Code injection attacks on joomla 4 site
sitesrus wrote: ↑Mon Nov 07, 2022 6:38 pm
This is not a WP site, it's a joomla site. The attacker is likely using wp/extension/custom PHP code and part of the injection attack includes adding the wp-content folder, modifying htaccess to allow access to all files they've added within that folder, and modifying our index.php joomla file. So these don't exist until after the attack. So there is nothing to do against the wp-content folder/sub files because they should not exist and are added by the attacker, when we fix the server these are 100% removed.
It's a bot, an automated script, that makes use of PHP backdoor scripts that have been added in the past.
sitesrus wrote:
The error logs in PHP look like you can see a bunch of failed attempts in their attack, running eval on code and using XMLRPC client (maybe from WordPress) to open server connections and write files or interact with Joomla PHP code (can't tell which code) to push content onto the server. I see some originating IPs and the website in the referrer (which can be faked) looked like some Chinese site.
In this case you don't need to check the error logs: it's all actions that did not work and generated errors.
You need the access log instead. Check the time of the changed files and or the added wp-content folder. Check the access log around that time to see which scripts (non Joomla files or files that have replaced original Joomla files) to find backdoor scripts.
Another method: install your hacked site locally. Install a clean Joomla (same version) with the same extensions alongside. Compare the hacked folder with the clean folder using a diff tool (like meld or WinMerge) and check all the different files. And check the /images/ folder for .php files.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
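The access-log step pe7er describes above (take the mtime of the planted wp-content folder or the altered index.php, then look at who requested which PHP scripts around that time) as an added Python example, not code from the thread or from Joomla; it assumes an Apache/nginx combined-format log and uses a constructed sample log with documentation-range IPs, and KNOWN_FILES stands in for the file list of a clean install of the same version.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample, not from the thread: documentation-range IPs, with
# timestamps chosen around the planted files' mtime used in demo().
SAMPLE_LOG = """\
203.0.113.7 - - [07/Nov/2022:18:31:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123
203.0.113.9 - - [07/Nov/2022:18:37:44 +0000] "POST /images/cache.php HTTP/1.1" 200 12
203.0.113.9 - - [07/Nov/2022:18:38:01 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 5
198.51.100.4 - - [07/Nov/2022:12:00:00 +0000] "GET /images/old.php HTTP/1.1" 404 210
"""
# PHP files a clean Joomla install actually ships (abridged stand-in).
KNOWN_FILES = {"index.php", "administrator/index.php"}

def parse_line(line: str):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["path"] = r["path"].split("?", 1)[0]   # drop the query string
    return r

def suspicious_requests(lines, changed_at, known_files, window=timedelta(minutes=10)):
    """Requests within +/- window of the file change that executed a PHP
    script not present in the clean install: the backdoor candidates."""
    hits = []
    for line in lines:
        r = parse_line(line)
        if r is None or abs(r["ts"] - changed_at) > window:
            continue
        if r["path"].lower().endswith(".php") and r["path"].lstrip("/") not in known_files:
            hits.append((r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"]))
    return hits

def demo():
    # Constructed mtime of the planted wp-content folder / modified index.php.
    changed_at = datetime(2022, 11, 7, 18, 38, tzinfo=timezone.utc)
    return suspicious_requests(SAMPLE_LOG.splitlines(), changed_at, KNOWN_FILES)

if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

On a real server, feed it the full access log and the file list from a clean install; the two POSTs to scripts that Joomla never shipped are the lines worth pulling the source IP and user agent from.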
- sitesrus
- Joomla! Ace
- Posts: 1469
- Joined: Mon Nov 12, 2012 10:48 pm
Re: Code injection attacks on joomla 4 site
Ah this is a good idea, see what is different.
I am thinking of just moving to a VPS, docker, or setup like AWS beanstalk to configure the server ourselves easily and harden it so we don't have issues like this.
It would be nice if there was a simple way to compare or detect changes in joomla using git + contents of files on server, doesn't WordPress do this in admin area? Checking checksums, added files, would all be a good idea here and same with extensions to confirm any alterations.
Without it sounds like it will take me a while to do this approach.
I like working with Joomla . I offer the following professional services: Custom extension development, SEO/marketing, maintenance/support, security and WCAG audits, and will work on websites at a reasonable rate.
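Both pe7er's suggestion (diff the hacked copy against a clean install of the same version and extensions, and look for .php under /images/) and the checksum/added-file report sitesrus asks for, as an added Python example rather than anything from the thread or from Joomla itself; it builds two small constructed directory trees mimicking the reported symptoms, and SUSPECT_PHP_DIRS is this example's own assumption about where Joomla never puts executable code.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level dirs where a clean Joomla ships no executable PHP; a .php file
# there, or anywhere under a wp-content tree on a Joomla site, is a webshell
# candidate. The list is an assumption of this example; extend as needed.
SUSPECT_PHP_DIRS = ("images", "media", "tmp", "cache", "logs", "wp-content")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def hash_tree(root: Path) -> dict:
    """Relative path -> sha256 for every regular file below root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean: Path, hacked: Path) -> dict:
    """Added, changed and deleted files relative to the clean install, plus
    PHP files sitting in directories that should only hold data."""
    ref, cur = hash_tree(clean), hash_tree(hacked)
    return {
        "added": sorted(set(cur) - set(ref)),
        "modified": sorted(p for p in ref.keys() & cur.keys() if ref[p] != cur[p]),
        "missing": sorted(set(ref) - set(cur)),
        "suspect_php": sorted(p for p in cur if p.lower().endswith((".php", ".phtml"))
                              and p.split("/")[0] in SUSPECT_PHP_DIRS),
    }

def build_demo() -> tuple:
    """Constructed sample trees (not from the thread): edited .htaccess and
    index.php, planted wp-content, PHP in /images/, one core file deleted."""
    base = Path(tempfile.mkdtemp())
    clean, hacked = base / "clean", base / "hacked"
    for root in (clean, hacked):
        (root / "images").mkdir(parents=True)
        (root / "administrator").mkdir()
        (root / "index.php").write_text("<?php // joomla entry point\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
    (clean / "administrator" / "index.php").write_text("<?php // admin\n")
    (hacked / "index.php").write_text("<?php // joomla entry point\n// injected\n")
    (hacked / ".htaccess").write_text("RewriteEngine On\n# injected\n")
    (hacked / "images" / "cache.php").write_text("<?php // planted\n")
    (hacked / "wp-content" / "uploads").mkdir(parents=True)
    (hacked / "wp-content" / "uploads" / "x.php").write_text("<?php // planted\n")
    return clean, hacked
```

On a live case, point compare_trees at the extracted release package plus freshly downloaded extension packages on one side and the compromised web root on the other; "added" and "suspect_php" are the files to read first, "modified" the ones to restore.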