Site Hacked through User Registration

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
dlochner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Apr 13, 2008 5:53 pm

Site Hacked through User Registration

Post by dlochner » Wed Apr 03, 2013 7:31 pm

Over the past week or so I have had several "users" show up on the user list. The site requires Admin approval of all new registrants. The Admin never received notification.

On the site there have been new files installed. several beginning with ._FileName. One folder named Survey contained a folder with .png images that were not accessible. Another file was ._index located in public_html folder.

On the cPanel log, there was a call for the password reminder script at about the same time that the new person registered.

The IP traced back to China, so I blocked those IPs in the .htaccess file, deleted the inserted files, and deleted the user.

Is there anything I can do to prevent future attacks?

Using J2.5.9 with Community Builder

Thanks,

Dave

paulera
Joomla! Explorer
Joomla! Explorer
Posts: 324
Joined: Tue Sep 07, 2010 5:23 pm
Location: Ireland
Contact:

Re: Site Hacked through User Registration

Post by paulera » Wed Apr 03, 2013 9:26 pm

Do you use svn, or any other kind of code repository?

And could you provide your url? Can be by private message, if you do not want to expose your security issue.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37260
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked through User Registration

Post by Webdongle » Wed Apr 03, 2013 9:33 pm

dlochner wrote:Over the past week or so I have had several "users" show up on the user list. The site requires Admin approval of all new registrants. The Admin never received notification. ...
If your site has been compromised then you will not receive notification. Please follow the instructions on http://forum.joomla.org/viewtopic.php?f=621&t=582854
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

dlochner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Apr 13, 2008 5:53 pm

Re: Site Hacked through User Registration

Post by dlochner » Thu Apr 04, 2013 10:31 pm

As suggested I reviewed the posts recommended mandville.

This is what I know:

The hackers were able to register at the site with out admin approval or notification.

There were several instances of a file named ._index installed on the server; I saved a copy of this file.

There were a bunch of .png files installed in a folder that could not be read, deleted, or downloaded. Low level tech support at the host could not delete them either, issue kicked upstairs.

There are only 2 computers that have been used to access the admin panel or the server. One of them died (dead logic board) before the problem occurred. The other is virus free and a Mac.

I do have a backup of the site and hopefully it is clean. The bigger question is how can I prevent this problem in the future. I should add that I am self-taught and run the website as a volunteer for an organization.

Thanks for any help you can provide.

Here's the output from FPA;
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.3) : 4th April 2013 wrote:[03-Apr-2013 12:46:58 America/Denver] PHP Warning: scandir(): (errno 13): Permission denied in /home1/oswegoya/public_html/jamss.php on line 179
Forum Post Assistant (v1.2.3) : 4th April 2013 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.9-Stable (Ember) 4-February-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: oswegoya (uid: 1/gid: 1) | Group: oswegoya (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-20130307.60.9.bh6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home1/oswegoya/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.22 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: error_log | Last Known Error: 03rd April 2013 12:46:58. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 15M | Max. POST Size: 10M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.30-log (Client:5.5.30) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 4.29 MiB | #of Tables:  160
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.22) | date (5.3.22) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | pcntl () | standard (5.3.22) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | readline () | recode () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | shmop () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (2.5.0) | CB Mambo Author Tab (1.2) | CB Mamblog Tab (1.2) | Yanc Integration (1.2) | com_mailto (2.5.0) |
Components :: ADMIN :: com_cache (2.5.0) | com_languages (2.5.0) | com_phocamaps (2.0.6) | com_finder (2.5.0) | com_menus (2.5.0) | com_content (2.5.0) | PJ Installer (2.2.0) | swMenuFree (6.6) | Notice board (1.0) | com_messages (2.5.0) | com_redirect (2.5.0) | JoomGallery (2.1.3) | com_kunena (2.0.4) | mod_kunenamenu (2.0.4) | Kunena Menu (2.0.4) | plg_system_kunena (-) | plg_finder_kunena (2.0.4) | Kunena - Joomla Integration (2.0.4) | plg_kunena_kunena (2.0.4) | Kunena - Kunena Integration (2.0.4) | Kunena - AlphaUserPoints Integ (2.0.4) | plg_kunena_alphauserpoints (2.0.4) | Kunena - Gravatar Integration (2.0.4) | plg_kunena_gravatar (2.0.4) | plg_kunena_finder (2.0.1) | plg_quickicon_kunena (2.0.4) | plg_kunena_uddeim (2.0.4) | Kunena - UddeIM Integration (2.0.4) | plg_system_kunena (2.0.4) | System - Kunena Forum (2.0.4) | Kunena - JomSocial Integration (2.0.4) | plg_kunena_community (2.0.4) | plg_kunena_joomla (2.0.4) | plg_kunena_comprofiler (2.0.4) | Kunena - CommunityBuilder Inte (2.0.4) | com_cpanel (2.5.0) | com_joomlaupdate (2.5.0) | comprofiler (1.9) | comprofiler (1.9) | com_banners (2.5.0) | com_installer (2.5.0) | COM_GCALENDAR (2.6.2) | com_templates (2.5.0) | Photogallery For Cb (1.0) | com_login (2.5.0) | com_newsfeeds (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | jDownloads (1.9.0 Stable ) | com_plugins (2.5.0) | com_modules (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_media (2.5.0) | com_users (2.5.0) | Akeeba (3.7.4) | com_search (2.5.0) | Content - Hikashop Social Plug (1.0.0) | Search - Hikashop Categories/M (1) | Hikashop Bank Transfer Payment (1.0.0) | Hikashop History Plugin (1.0.0) | Hikashop Paypal Payment Plugin (1.0.0) | Hikashop eWAY Payment Plugin (1.0.0) | Hikashop Moneybookers Payment (1.0.0) | Hikashop Innovative Gateway Pa (1.0.0) | User - HikaShop (1.0.0) | Hikashop CyberMuth CIC Payment (1.0.0) | Hikashop Authorize.net Payment (1.0.0) | Hikashop iVeri Payment Plugin (1.0.0) | Hikashop Servired Payment Plug (1.0.0) | Hikashop WorldPay Business Gat (0.0.2) | Hikashop Paypal Pro Payment Pl (1.0.0) | Hikashop Check Payment Plugin (1.0.0) | Hikashop Alphauserpoints Payme (1.0.0) | Hikashop - VirtueMart Fallback (1.0.0) | Hikashop Google Analytics Plug (1.0.0) | Hikashop Manual Shipping Plugi (1.0.0) | Hikashop Collect On Delivery P (1.0.0) | Hikashop - Product Cron Update (1.0.0) | Hikashop Google Products Plugi (1.0.0) | Hikashop Cart Module (1.0.0) | Hikashop AcyMailing Plugin (1.0.0) | Hikashop AlertPay Payment Plug (1.0.0) | Hikashop ePay Payment Plugin (1.0.0) | Hikashop User account Plugin (1.0.0) | Hikashop Bluepaid Payment Plug (1.0.0) | Hikashop Google Checkout Payme (1.0.0) | Hikashop SIPS ATOS Payment Plu (1.0.0) | Hikashop Australia Post eDeliv (1.0.0) | Hikashop Currency Rates Plugin (1.0.0) | Hikashop Registration Redirect (1.0.0) | Hikashop HSBC Payment Plugin (1.0.0) | Hikashop Worldpay Global Gatew (0.0.7) | Hikashop Western Union Payment (1.0.0) | System - HikaShop Affiliate (1.0.0) | Hikashop out of order notifica (1.0.0) | Hikashop Orders Automatic Canc (1.0.0) | Hikashop SagePay Payment Plugi (1.0.0) | Hikashop Currency Switcher Mod (1.0.0) | Hikashop Credit Card Payment P (1.0.0) | Hikashop Validate free order P (1.0.0) | Hikashop WaitList notification (1.0.0) | Hikashop Group Plugin (1.0.0) | Search - Hikashop Products (1) | Hikashop Geolocation Plugin (1.0.0) | Hikashop Payment Express Payme (1.0.0) | Hikashop CardSave Payment Plug (1.0.0) | AcyMailing Tag : HikaShop cont (1.0.0) | Hikashop Filtering Module (1.0.0) | Hikashop PayJunction Payment P (1.0.0) | Hikashop Module (1.0.0) | Hikashop UPS Shipping Plugin (1.0.0) | Hikashop FirstData Payment Plu (1.0.0) | HikaShop (1.5.7) | com_weblinks (2.5.0) |

Modules :: SITE :: mod_related_items (2.5.0) | jDownloads Latest (2.0.1) | mod_phocagallery_tree (3.1.2) | Notice board general (1.0) | jDownloads Stats (2.0.1) | mod_phocagallery_menu (3.2.0) | mod_articles_category (2.5.0) | mod_users_latest (2.5.0) | mod_finder (2.5.0) | jDownloads Top (2.0.3) | mod_weblinks (2.5.0) | mod_stats (2.5.0) | mod_login (2.5.0) | swMenuFree (6.6) | jDownloads Rated (2.0) | CB Login (1.9) | Hikashop Cart Module (1.0.0) | mod_breadcrumbs (2.5.0) | CB Workflows (1.9) | mod_menu (2.5.0) | CB Online (1.9) | mod_articles_news (2.5.0) | mod_custom (2.5.0) | mod_languages (2.5.0) | mod_whosonline (2.5.0) | MOD_GCALENDAR_UPCOMING (2.6.2) | mod_search (2.5.0) | Hikashop Currency Switcher Mod (1.0.0) | mod_articles_archive (2.5.0) | MOD_GCALENDAR (2.6.2) | mod_articles_latest (2.5.0) | mod_feed (2.5.0) | mod_articles_popular (2.5.0) | mod_random_image (2.5.0) | mod_wrapper (2.5.0) | mod_banners (2.5.0) | MOD_GCALENDAR_NEXT (2.6.2) | mod_articles_categories (2.5.0) | jDownloads Last Updated (2.0) | ProJoom Multi Rotator (2.0.6) | Hikashop Filtering Module (1.0.0) | Hikashop Module (1.0.0) | mod_footer (2.5.0) | mod_syndicate (2.5.0) |
Modules :: ADMIN :: mod_status (2.5.0) | mod_latest (2.5.0) | jDownloads Admin Icon (2.0) | mod_logged (2.5.0) | mod_quickicon (2.5.0) | mod_login (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_menu (2.5.0) | mod_submenu (2.5.0) | mod_custom (2.5.0) | mod_version (2.5.0) | mod_feed (2.5.0) | mod_toolbar (2.5.0) |

Plugins :: SITE :: Hikashop WaitList notification (1.0.0) | Hikashop - Product Cron Update (1.0.0) | Hikashop User account Plugin (1.0.0) | Hikashop AcyMailing Plugin (1.0.0) | Hikashop Orders Automatic Canc (1.0.0) | Hikashop History Plugin (1.0.0) | Hikashop Currency Rates Plugin (1.0.0) | Hikashop Google Products Plugi (1.0.0) | Hikashop Group Plugin (1.0.0) | Hikashop out of order notifica (1.0.0) | Hikashop Validate free order P (1.0.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_geshi (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_finder (2.5.0) | PLG_CONTENT_JDOWNLOADFILELIST (2.1) | plg_gcalendar_next (2.6.2) | Content - jDownloads (2.0.6) | Content - Hikashop Social Plug (1.0.0) | ProJoom Multi Rotator (2.0.5) | Phoca Maps Plugin (2.0.5) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | Search - Hikashop Products (1) | Search - Hikashop Categories/M (1) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_gcalendar (2.6.2) | plg_search_jdownloads (2.0.1) | plg_search_categories (2.5.0) | plg_quickicon_kunena (2.0.4) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_kunena_kunena (2.0.4) | plg_kunena_gravatar (2.0.4) | plg_kunena_uddeim (2.0.4) | plg_kunena_community (2.0.4) | plg_kunena_joomla (2.0.4) | plg_kunena_comprofiler (2.0.4) | plg_kunena_alphauserpoints (2.0.4) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_captcha_recaptcha (2.5.0) | AcyMailing Tag : HikaShop cont (1.0.0) | plg_system_remember (2.5.0) | plg_system_kunena (2.0.4) | Hikashop Google Analytics Plug (1.0.0) | plg_system_languagefilter (2.5.0) | plg_system_redirect (2.5.0) | plg_system_sef (2.5.0) | plg_system_debug (2.5.0) | Hikashop Geolocation Plugin (1.0.0) | System - HikaShop Affiliate (1.0.0) | User - HikaShop (1.0.0) | Hikashop - VirtueMart Fallback (1.0.0) | plg_system_p3p (2.5.0) | plg_system_cache (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_log (2.5.0) | plg_system_jdownloads (2.0.1) | Hikashop Registration Redirect (1.0.0) | plg_system_logout (2.5.0) | plg_system_highlight (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | Hikashop Manual Shipping Plugi (1.0.0) | Hikashop Australia Post eDeliv (1.0.0) | Hikashop UPS Shipping Plugin (1.0.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | Authentication - Master User (1.1.1) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | Hikashop Credit Card Payment P (1.0.0) | Hikashop eWAY Payment Plugin (1.0.0) | Hikashop Payment Express Payme (1.0.0) | Hikashop Paypal Payment Plugin (1.0.0) | Hikashop Bank Transfer Payment (1.0.0) | Hikashop CyberMuth CIC Payment (1.0.0) | Hikashop iVeri Payment Plugin (1.0.0) | Hikashop Innovative Gateway Pa (1.0.0) | Hikashop SIPS ATOS Payment Plu (1.0.0) | Hikashop HSBC Payment Plugin (1.0.0) | Hikashop Check Payment Plugin (1.0.0) | Hikashop Collect On Delivery P (1.0.0) | Hikashop Paypal Pro Payment Pl (1.0.0) | Hikashop Worldpay Global Gatew (0.0.7) | Hikashop Western Union Payment (1.0.0) | Hikashop WorldPay Business Gat (0.0.2) | Hikashop Servired Payment Plug (1.0.0) | Hikashop FirstData Payment Plu (1.0.0) | Hikashop Moneybookers Payment (1.0.0) | Hikashop PayJunction Payment P (1.0.0) | Hikashop AlertPay Payment Plug (1.0.0) | Hikashop Alphauserpoints Payme (1.0.0) | Hikashop Bluepaid Payment Plug (1.0.0) | Hikashop CardSave Payment Plug (1.0.0) | Hikashop SagePay Payment Plugi (1.0.0) | Hikashop Authorize.net Payment (1.0.0) | Hikashop ePay Payment Plugin (1.0.0) | Hikashop Google Checkout Payme (1.0.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - jDownloads Content (2.0.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_extension_joomla (2.5.0) |
Templates Discovered :: wrote:Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | js_studio_free (1.0.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37260
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked through User Registration

Post by Webdongle » Thu Apr 04, 2013 11:37 pm

Mac's don't get viruses is a fallacy. When you have deleted everything then replace with fresh files. The images not being able to be deleted by you possibly suggests a breach of security server side ? Is it shared or dedicated Hosting ? Try Googling for your Host's name with words like 'Hacked' ... it may show other users of that Host have been hacked. Did you check the VEL ? http://docs.joomla.org/Vulnerable_Exten ... oticeboard may be of interest.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19602
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Site Hacked through User Registration

Post by leolam » Fri Apr 05, 2013 4:44 am

So you "reviewed" the post of Mandville: Did you actually follow up on all including Security Checklist 7? You did http://docs.joomla.org/Security_Checklist_7 and especially:

* save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
* wipe the entire folder where Joomla! is installed
* upload a new clean full package latest version of joomla 1.5.x or Joomla 2.5.x (minus the install folder)[2]
* reupload your configuration file & images.
* reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

all in less than 24-hours? It looks like you think that these steps are not needed since you cannot remove and reinstall all what is posted in the 'FPA' imho? You need to do it you have no choice (!!!)

Also read this: http://forum.joomla.org/viewtopic.php?f=621&t=784054

Also look at this excellent script by Bernard: http://forum.joomla.org/viewtopic.php?f=621&t=777957

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

dlochner
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Apr 13, 2008 5:53 pm

Re: Site Hacked through User Registration

Post by dlochner » Fri Apr 05, 2013 11:08 am

Leo,

I have what I believe is a clean backup file from a couple of weeks ago, before there was evidence of being hacked. So, I deleted all files from the server.

Once I install the back up I will look for evidence that this back up has been hacked, i.e., are there unknown users in the user list, is there a ._index file, and a folder of .png files that I can't open or delete. If any of these conditions exist, then I will reinstall Joomla, the template and the components from fresh downloads. I already have clean copies of the images stored on my computer that can installed. Finding the ._index file was the key to knowing that I had been hacked.

Webdongle:

Yes, there are some Mac viruses and malware, but as a probability statement having mac means that you are less likely to have one. I do run antivirus on my mac and it is clean.

I googled "Hostname Hacked" and found very few complaints directed towards the company. So, as a probability statement, it seems unlikely that the problem is the host company. Generally I've found this company to be pretty responsive to my concerns.

The most important concern I have is how to prevent this from happening again.

Thanks for your help.

Dave

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37260
Joined: Sat Apr 05, 2008 9:58 pm

Re: Site Hacked through User Registration

Post by Webdongle » Fri Apr 05, 2013 11:46 am

dlochner wrote:...
I have what I believe is a clean backup file from a couple of weeks ago, before there was evidence of being hacked. ....
Hacks can be on the server months before they are noticed. Checking that your back is clean takes longer than doing the job properly.
dlochner wrote:I googled "Hostname Hacked" and found very few complaints directed towards the company. So, as a probability statement, it seems unlikely that the problem is the host company.
Then the hack was, as a probability statement, your fault not theirs.

dlochner wrote:Generally I've found this company to be pretty responsive to my concerns.
Have they explained why there are files on the server that you can not delete ?

dlochner wrote:The most important concern I have is how to prevent this from happening again
All that information has been provided for you ... directly and by links pointing to the information. leolam has also (in is last post) emphasised the importance of the importance of the information given.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

santiago2927
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Sun Mar 08, 2015 7:34 am

Re: Site Hacked through User Registration

Post by santiago2927 » Sun Mar 08, 2015 7:42 am

I have the same problem. I had hundreds of new users. I deleted all the users. I upgraded joomla from 2.5.28 to 3.4
Unfortunately that didn't help the problem.
Can someone please give me some advice. There are new users being added every minute.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 11161
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK

Re: Site Hacked through User Registration

Post by toivo » Sun Mar 08, 2015 8:09 am

I deleted all the users. I upgraded joomla from 2.5.28 to 3.4
Unfortunately that didn't help the problem.
If you read carefully the posts of mandville, webdongle and leolam, you should follow those recommendations.
Toivo Talikka, Global Moderator


Locked

Return to “Security in Joomla! 2.5”