Website hacked

Discussion regarding Joomla! 3.x security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
KDABruce
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Website hacked

Post by KDABruce » Wed Sep 19, 2018 8:00 pm

Joomla is current for updates.

We performed a link checker the other day and found links to internal pages that were never published by our team. Someone went in and created links on our real (authorized) pages to unauthorized (created) pages on gambling and iRacing and other topics. When you click on the link, it takes me to a page under our Home page (ex. https://www.kennedysdisease.org/how-to- ... d-iracing/ ). See attachment.

Yet, when we search in our back end and in our sitemap, there is no such page. Using FileZilla, I performed several more searches and could not find anything. When I search the authors, there is only authorized users and pages. If I perform a SEARCH for the page on our front end, it does not show up. We are stumped and frustrated. How can a page be hidden within the back end and from the SEARCH and sitemap, yet be there if I use the address above (for example) or click on the hacked link within an authorized page?

How can someone create pages without having the authority and without leaving anything traceable in the Content or Users? Any help would be appreciated. Tks
You do not have the required permissions to view the files attached to this post.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Wed Sep 19, 2018 8:11 pm

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

KDABruce
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Wed Sep 19, 2018 9:04 pm

Our website is a Joomla website with ver. 3.8.12 installed. I am not a developer. I just helped create the Joomla site for our non-profit.

There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2620
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Website hacked

Post by JAVesey » Wed Sep 19, 2018 9:16 pm

KDABruce wrote:
Wed Sep 19, 2018 9:04 pm
There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.
All content is stored in the database, which is why you can't find the "pages" using an FTP client like FileZilla; you are looking for something that doesn't exist.

In the first instance, please follow webdongle's advice and post the output from the FPA. It will help others to help you.
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Wed Sep 19, 2018 9:52 pm

KDABruce wrote:
Wed Sep 19, 2018 9:04 pm
... I am not a developer. I just helped create the Joomla site for our non-profit.
...
Then you have to learn quick or pay someone to fix it. You have been hacked your only options are pay someone ... or post the fpa, delete the files and do everything else that is on the list.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Website hacked

Post by leolam » Thu Sep 20, 2018 4:10 am

Virustotal shows a clean bill of health though......You should post the FPA as requested and I advise you to either use a service aka myjoomla.com (first scan is free) which will indefinitely identify the issue (but if no experience with Joomla coding maybe a bit difficult to digest) but still need a professional to resolve it most likely

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Thu Sep 20, 2018 9:42 am

leolam wrote:
Thu Sep 20, 2018 4:10 am
Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2620
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Website hacked

Post by JAVesey » Thu Sep 20, 2018 5:43 pm

Webdongle wrote:
Thu Sep 20, 2018 9:42 am
leolam wrote:
Thu Sep 20, 2018 4:10 am
Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.
Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Thu Sep 20, 2018 6:36 pm

Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2620
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Website hacked

Post by JAVesey » Thu Sep 20, 2018 7:09 pm

Webdongle wrote:
Thu Sep 20, 2018 6:36 pm
Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?
It is a possibility, but Leo's post suggests that the site is clean. An FPA would help though, otherwise we're just "shootin' critters in the dark" 8)
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Thu Sep 20, 2018 7:52 pm

sucuri says 500 error when trying to scan the site. viewtopic.php?f=714&t=793531 would help.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

User avatar
bluesardine
Joomla! Guru
Joomla! Guru
Posts: 502
Joined: Fri Nov 16, 2007 10:49 pm
Location: Oxford
Contact:

Re: Website hacked

Post by bluesardine » Thu Sep 20, 2018 9:24 pm

Sign up to MyJoomla, I never looked back after subscribing.
Joomla Web designer Oxford https://www.swankypixels.com
Architectural Photographer UK https://www.peterhaken.com

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Website hacked

Post by leolam » Fri Sep 21, 2018 5:15 pm

Webdongle wrote:
Thu Sep 20, 2018 7:52 pm
sucuri says 500 error when trying to scan the site.
Not for me and virustotal is using also sucuri with no issues Attachment from a few minutes ago

Leo 8)
sucuri.jpg
You do not have the required permissions to view the files attached to this post.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Website hacked

Post by leolam » Fri Sep 21, 2018 5:18 pm

bluesardine wrote:
Thu Sep 20, 2018 9:24 pm
Sign up to MyJoomla, I never looked back after subscribing.
Agreed +1 , but Myjoomla is rather expensive for the average user (I pay GBP 195 each year which is a lot -even maybe too much- of money!) despite me thinking a price performance ratio for this product is probably right

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Fri Sep 21, 2018 5:42 pm

Doesn't now but did when I checked it before.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

KDABruce
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Fri Sep 21, 2018 7:49 pm

JAVesey wrote:
Thu Sep 20, 2018 5:43 pm
Webdongle wrote:
Thu Sep 20, 2018 9:42 am
leolam wrote:
Thu Sep 20, 2018 4:10 am
Virustotal shows a clean bill of health though...
But when you view the page you can see the hyper links to casino and horse racing sites.
Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?
There are only four people who can create new web pages or make changes to current content. None of us,
or is anyone else, shown accessing the hacked pages or creating the new pages. Not being able to locate the new pages is more of a frustration. Why they do not show up anywhere in Joomla, yet can be accessed through the links, is our greatest concern. It makes us wonder what else might be out there that we don't know about.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Fri Sep 21, 2018 7:57 pm

Content >>> Articles ... order by ID descending will show the lates files that were created. You can also sort by date modified.

If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

KDABruce
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Fri Sep 21, 2018 8:19 pm

Webdongle wrote:
Fri Sep 21, 2018 7:57 pm
Content >>> Articles ... order by ID descending will show the lates files that were created. You can also sort by date modified.

If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
When you search the Content-Articles-Order by ID descending (and any other search for that matter), it does not show the newly created pages that the links point to. When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.

I'll try to get the fpa run. Thanks again.

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2620
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Website hacked

Post by JAVesey » Sat Sep 22, 2018 12:20 pm

KDABruce wrote:
Fri Sep 21, 2018 8:19 pm
When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.
So, just to be clear:

1. Are these newly created pages or existing ones that have been modified?
2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 30809
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Website hacked

Post by Per Yngve Berg » Sat Sep 22, 2018 8:01 pm

1) Have you checked the .htaccess file?

2) Turn off SEF in Global Configuration so you can see the real URL. Does it still work with that URL?

KDABruce
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Sun Sep 23, 2018 10:17 am

JAVesey wrote:
Sat Sep 22, 2018 12:20 pm
KDABruce wrote:
Fri Sep 21, 2018 8:19 pm
When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.
So, just to be clear:

1. Are these newly created pages or existing ones that have been modified?
2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?
1. There are two newly created pages. There are three existing pages where links were created to the new pages.
2. I am still trying to find the new pages in Joomla's backend to see if there is an author. On the existing pages where links were created, it does not show any recent modification or changes to it.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website hacked

Post by Webdongle » Sun Sep 23, 2018 10:33 am

PM me a Super User login and I will see if I can find them.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

KDABruce
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Sat Feb 05, 2011 7:40 pm

Re: Website hacked

Post by KDABruce » Wed Sep 26, 2018 1:50 pm

Thank you for all your support and suggestions. We have talked it over and have decided to try MyJoomla.Com. We hope they can find and fix the problem. Then, we try their ongoing monitoring/support. Thanks again. You have been great.


Locked

Return to “Security in Joomla! 3.x”