Site hacked!

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Site hacked!

Post by tonytimms » Wed Apr 22, 2015 7:56 am

My site seems to have been hacked this morning; some of the articles are in Polish or some other language. I don't know how this happened, but what is the best solution? The structure of the site seems OK, with menus etc. intact. Any help much appreciated.

Regards

Per Yngve Berg
Joomla! Master
Posts: 26016
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Site hacked!

Post by Per Yngve Berg » Wed Apr 22, 2015 10:50 am


tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: Site hacked!

Post by tonytimms » Wed Apr 22, 2015 2:32 pm

Problem Description :: Forum Post Assistant (v1.2.4) : 22nd April 2015 wrote:A number of articles including those on the index page are in another language.
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 22nd April 2015 wrote:[22-Apr-2015 12:35:39 Europe/London] PHP Warning: Invalid argument supplied for foreach() in /home/w10mich/public_html/libraries/joomla/string/string.php on line 970
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 22nd April 2015 wrote:No actions have been taken as yet
Forum Post Assistant (v1.2.4) : 22nd April 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 2248 (uid: /gid: ) | Group: 2247 (gid: ) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-531.1.2.lve1.2.54.el6.x86_64 | Technology: x86_64 | Web Server: LiteSpeed | Encoding: gzip, deflate | Doc Root: /home/w10mich/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.29 | PHP API: litespeed | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: error_log | Last Known Error: 22nd April 2015 12:35:39. | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: /home/w10mich:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 256M | Max. POST Size: 256M | Max. Input Time: 120 | Max. Execution Time: 120 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.42-cll (Client:5.5.42) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 22045.22 MiB | #of Tables:  82
Detailed Environment :: wrote:PHP Extensions :: Core (5.3.29) | date (5.3.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.29) | Phar (2.0.1) | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | snmp () | soap () | sockets () | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | litespeed () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | imagick (3.1.2) | SourceGuardian (10.1) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_weblinks (2.5.0) | COM_K2 (2.6.2) | mod_k2_comments (-) | mod_k2_comments (-) | K2 (2.5.7) | com_templates (2.5.0) | com_newsfeeds (2.5.0) | com_cpanel (2.5.0) | Gantry (4.1.4) | com_login (2.5.0) | com_content (2.5.0) | com_plugins (2.5.0) | com_users (2.5.0) | com_search (2.5.0) | com_menus (2.5.0) | com_messages (2.5.0) | com_admin (2.5.0) | RokCandy (1.3) | com_banners (2.5.0) | com_redirect (2.5.0) | com_config (2.5.0) | com_media (2.5.0) | com_joomlaupdate (2.5.0) | com_installer (2.5.0) | com_languages (2.5.0) | com_modules (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | com_cache (2.5.0) | aiContactSafe (2.0.21c.stabl) | aiContactSafe - Form (1.0.15.stable) | aiContactSafe - Link (1.0.10.stable) | aiContactSafe (1.0.0) | aiContactSafe module (1.0.13.stable) | com_finder (2.5.0) |

Modules :: SITE :: K2 Login (2.5.7) | mod_menu (2.5.0) | mod_articles_news (2.5.0) | K2 User (2.6.2) | K2 Tools (2.6.2) | mod_wrapper (2.5.0) | mod_articles_category (2.5.0) | mod_feed (2.5.0) | mod_finder (2.5.0) | mod_breadcrumbs (2.5.0) | mod_footer (2.5.0) | mod_banners (2.5.0) | MOD_JGMAP (0.16.35) | K2 Users (2.6.2) | mod_languages (2.5.0) | mod_articles_archive (2.5.0) | mod_search (2.5.0) | mod_related_items (2.5.0) | mod_weblinks (2.5.0) | K2 Content (2.6.2) | mod_superfish_menu (2.5.0) | mod_syndicate (2.5.0) | mod_articles_latest (2.5.0) | mod_stats (2.5.0) | mod_custom (2.5.0) | mod_random_image (2.5.0) | K2 Comments (2.6.2) | mod_whosonline (2.5.0) | RokNavMenu (1.12) | mod_login (2.5.0) | mod_users_latest (2.5.0) | mod_articles_categories (2.5.0) | mod_articles_popular (2.5.0) | K2 FlexSlider (2.1) |
Modules :: ADMIN :: mod_menu (2.5.0) | mod_toolbar (2.5.0) | K2 Quick Icons (admin) (2.6.2) | mod_latest (2.5.0) | mod_feed (2.5.0) | mod_logged (2.5.0) | mod_popular (2.5.0) | mod_version (2.5.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_status (2.5.0) | K2 Stats (admin) (2.6.2) | mod_custom (2.5.0) | mod_submenu (2.5.0) | mod_login (2.5.0) | mod_quickicon (2.5.0) |

Plugins :: SITE :: plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_k2 (2.6.2) | plg_editors_tinymce (3.5.4.1) | plg_editors_codemirror (1.0) | plg_system_redirect (2.5.0) | plg_system_highlight (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_sef (2.5.0) | System - RokBox (1.2) | System - jQuery Easy (1.4.0) | System - RokExtender (1.0) | plg_system_logout (2.5.0) | System - Gantry (4.1.4) | plg_system_debug (2.5.0) | System - RokCandy (1.3) | plg_system_cache (2.5.0) | plg_system_log (2.5.0) | plg_system_p3p (2.5.0) | System - K2 (2.6.2) | plg_system_remember (2.5.0) | Josetta - K2 Categories (2.6.2) | Josetta - K2 Items (2.6.2) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | plg_content_pagenavigation (2.5.0) | AllVideos (by JoomlaWorks) (4.4) | Content - RokBox (1.2) | plg_content_geshi (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_joomla (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_extension_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | User - K2 (2.6.2) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_article (2.5.0) | Button - RokCandy (1.3) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | Search - K2 (2.6.2) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez_20 (2.5.0) | beez5 (2.5.0) | atomic (2.5.0) | theme1279 (2.5) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Site hacked!

Post by Bernard T » Mon May 04, 2015 5:21 pm

You use a 2.5-year-old Joomla version with known vulnerabilities - 2.5.8.

Follow these instructions:
  1. Preparation
    • Note which version of Joomla you have. Download the "Joomla Full Install" package for this version. (you will upgrade later)
    • Also note which 3rd party extensions you have installed.
    • Review Vulnerable Extensions List to make sure any 3rd party extension versions used don't appear on the Live Vulnerable list. If they do, note them and don't install them; search for an alternative extension.
    • Download all 3rd party extension packages only from the developer's website, in the versions that are currently in use. (you will upgrade later)
    • Review and action Security Checklist 7. Ensure you follow all of the steps above.
  2. Backup and remove all Website Files
    • Save a copy of the configuration.php file to your PC.
    • Delete ALL files in your Joomla installation. This is ONLY the files and directories in the joomla_root/ directory NOT the database!
    • Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, viruses, trojans, spyware, etc. Security Checklist 7 contains a list of recommended scanners.
    • Change all passwords and if possible user names for the website host control panel.
    • Change the Joomla database user name and password.
    • Use proper permissions on files and directories.
      • They should never be 777,
      • Use 644 for files and 755 for directories.
      • The configuration.php file can be set to 444 which is read only.
    • Check your .htaccess for any odd code (i.e. code which is not in the standard htaccess.txt supplied as part of the Joomla installation).
    • Check the crontab or Task Scheduler for unexpected jobs/tasks.
    • Ensure you do not have anonymous FTP enabled.
    • Verify individually that any non-Joomla file that will be placed back on the website (such as, but not limited to, images, pdf files, files for download, and other documents and files) are valid and are supposed to be a part of your website.
  3. Install the clean Joomla - the same version you had until now (you will upgrade later)
    • Extract/copy the Joomla files to your FTP root folder
    • Create a NEW database and install without sample data to it
    • Install the 3rd party extensions (including any custom template) to the new Joomla. (That ensures you have the files in place for the 3rd party extensions)
    • Edit the configuration.php file of the new Joomla to connect to your original database. (we installed some moments ago to new database, you can delete it thereafter)
  4. Update Joomla and extensions
    • Make a backup
    • Update your Joomla to the current stable version
    • Update all extensions of your site to the current version (skip those that you found on Live VEL and don't have appropriate updates)
  5. Reinstate the deleted files
    • Upload any non-Joomla files (images, movies, download documents etc.) that are necessary for your website.
IMPORTANT
Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the back-doors that may have been inserted and hidden in various files and directories.
More detailed information can be found in the security Checklist 7 link above.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
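
The permission and .htaccess checks from step 2 of the post above, as an added shell example that is not part of the original thread. The function names and the sample tree are constructed for illustration; on a real site you would pass your own Joomla root instead.

```shell
#!/bin/sh
# Added example: permission and .htaccess checks from step 2 of the post above.
# Function names and the sample tree are assumptions made for this illustration.

# Report entries that break the checklist: nothing world-writable (777, 666),
# directories 755, files 644, configuration.php 444 or 644.
audit_perms() {
    root=$1
    find "$root" ! -type l -perm -002 | sed 's/^/WORLD-WRITABLE /'
    find "$root" -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
    find "$root" -type f ! -name configuration.php ! -perm 644 |
        sed 's/^/FILE-NOT-644 /'
    find "$root" -maxdepth 1 -type f -name configuration.php \
        ! -perm 444 ! -perm 644 | sed 's/^/CONFIG-NOT-444 /'
}

# Print non-blank .htaccess lines that are absent from the stock htaccess.txt
# shipped with Joomla. Matching is exact, so whitespace or line-ending
# differences also show up and need a manual look.
htaccess_extra_lines() {
    grep -v '^[[:space:]]*$' "$1" | grep -vxFf "$2" || true
}

# Constructed sample tree (not real site data) so the example runs offline.
make_sample_tree() {
    d=$(mktemp -d)/site
    mkdir -p "$d/images" "$d/tmp"
    printf 'RewriteEngine On\nRewriteBase /\n' > "$d/htaccess.txt"
    printf 'RewriteEngine On\n\nRewriteRule ^(.*)$ http://placeholder.invalid/ [R,L]\n' \
        > "$d/.htaccess"
    : > "$d/configuration.php"; : > "$d/index.php"; : > "$d/images/logo.png"
    chmod 755 "$d" "$d/images"; chmod 777 "$d/tmp"
    chmod 644 "$d/htaccess.txt" "$d/.htaccess" "$d/index.php"
    chmod 444 "$d/configuration.php"; chmod 666 "$d/images/logo.png"
    echo "$d"
}

site=$(make_sample_tree)
audit_perms "$site"
htaccess_extra_lines "$site/.htaccess" "$site/htaccess.txt"
```

An empty result from both functions means the tree matches the permissions in the checklist and the live .htaccess contains nothing beyond the stock file.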

