Website hacked
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sat Feb 05, 2011 7:40 pm
Website hacked
Joomla is current for updates.
We performed a link checker the other day and found links to internal pages that were never published by our team. Someone went in and created links on our real (authorized) pages to unauthorized (created) pages on gambling and iRacing and other topics. When you click on the link, it takes me to a page under our Home page (ex. https://www.kennedysdisease.org/how-to- ... d-iracing/ ). See attachment.
Yet, when we search in our back end and in our sitemap, there is no such page. Using FileZilla, I performed several more searches and could not find anything. When I search the authors, there is only authorized users and pages. If I perform a SEARCH for the page on our front end, it does not show up. We are stumped and frustrated. How can a page be hidden within the back end and from the SEARCH and sitemap, yet be there if I use the address above (for example) or click on the hacked link within an authorized page?
How can someone create pages without having the authority and without leaving anything traceable in the Content or Users? Any help would be appreciated. Tks
We performed a link checker the other day and found links to internal pages that were never published by our team. Someone went in and created links on our real (authorized) pages to unauthorized (created) pages on gambling and iRacing and other topics. When you click on the link, it takes me to a page under our Home page (ex. https://www.kennedysdisease.org/how-to- ... d-iracing/ ). See attachment.
Yet, when we search in our back end and in our sitemap, there is no such page. Using FileZilla, I performed several more searches and could not find anything. When I search the authors, there is only authorized users and pages. If I perform a SEARCH for the page on our front end, it does not show up. We are stumped and frustrated. How can a page be hidden within the back end and from the SEARCH and sitemap, yet be there if I use the address above (for example) or click on the hacked link within an authorized page?
How can someone create pages without having the authority and without leaving anything traceable in the Content or Users? Any help would be appreciated. Tks
You do not have the required permissions to view the files attached to this post.
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
Please see viewtopic.php?f=714&t=946026
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sat Feb 05, 2011 7:40 pm
Re: Website hacked
Our website is a Joomla website with ver. 3.8.12 installed. I am not a developer. I just helped create the Joomla site for our non-profit.
There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.
There are just three pages that we need to remove, but cannot locate them. I was hoping someone would be able to help.
- JAVesey
- Joomla! Hero
- Posts: 2620
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Website hacked
All content is stored in the database, which is why you can't find the "pages" using an FTP client like FileZilla; you are looking for something that doesn't exist.
In the first instance, please follow webdongle's advice and post the output from the FPA. It will help others to help you.
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
Then you have to learn quick or pay someone to fix it. You have been hacked your only options are pay someone ... or post the fpa, delete the files and do everything else that is on the list.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Website hacked
Virustotal shows a clean bill of health though......You should post the FPA as requested and I advise you to either use a service aka myjoomla.com (first scan is free) which will indefinitely identify the issue (but if no experience with Joomla coding maybe a bit difficult to digest) but still need a professional to resolve it most likely
Leo
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
But when you view the page you can see the hyper links to casino and horse racing sites.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- JAVesey
- Joomla! Hero
- Posts: 2620
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Website hacked
Does this signify a hacking or is it just the site's permissions/ACL/site management allowing users to post unwanted new articles and these being set to automatically appear on the homepage?
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
Good point JAVesey ... but if the ACL settings are that slack then there is a strong possibility that hackers have uploaded files to the server as well?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- JAVesey
- Joomla! Hero
- Posts: 2620
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Website hacked
It is a possibility, but Leo's post suggests that the site is clean. An FPA would help though, otherwise we're just "shootin' critters in the dark"
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
sucuri says 500 error when trying to scan the site. viewtopic.php?f=714&t=793531 would help.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- bluesardine
- Joomla! Guru
- Posts: 502
- Joined: Fri Nov 16, 2007 10:49 pm
- Location: Oxford
- Contact:
Re: Website hacked
Sign up to MyJoomla, I never looked back after subscribing.
Joomla Web designer Oxford https://www.swankypixels.com
Architectural Photographer UK https://www.peterhaken.com
Architectural Photographer UK https://www.peterhaken.com
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Website hacked
Not for me and virustotal is using also sucuri with no issues Attachment from a few minutes ago
Leo
You do not have the required permissions to view the files attached to this post.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- leolam
- Joomla! Master
- Posts: 20651
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Website hacked
Agreed +1 , but Myjoomla is rather expensive for the average user (I pay GBP 195 each year which is a lot -even maybe too much- of money!) despite me thinking a price performance ratio for this product is probably rightbluesardine wrote: ↑Thu Sep 20, 2018 9:24 pmSign up to MyJoomla, I never looked back after subscribing.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
Doesn't now but did when I checked it before.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sat Feb 05, 2011 7:40 pm
Re: Website hacked
There are only four people who can create new web pages or make changes to current content. None of us,
or is anyone else, shown accessing the hacked pages or creating the new pages. Not being able to locate the new pages is more of a frustration. Why they do not show up anywhere in Joomla, yet can be accessed through the links, is our greatest concern. It makes us wonder what else might be out there that we don't know about.
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
Content >>> Articles ... order by ID descending will show the lates files that were created. You can also sort by date modified.
If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sat Feb 05, 2011 7:40 pm
Re: Website hacked
When you search the Content-Articles-Order by ID descending (and any other search for that matter), it does not show the newly created pages that the links point to. When you look at the pages that the links to the fraudulent pages have been added, it doesn't show anyone recently modifying the pages.Webdongle wrote: ↑Fri Sep 21, 2018 7:57 pmContent >>> Articles ... order by ID descending will show the lates files that were created. You can also sort by date modified.
If you are confident that you have been hacked please see viewtopic.php?f=714&t=946026 and follow the instructions.
I'll try to get the fpa run. Thanks again.
- JAVesey
- Joomla! Hero
- Posts: 2620
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: Website hacked
So, just to be clear:
1. Are these newly created pages or existing ones that have been modified?
2. Who is the author of these pages (you will be able to see in admin even if you can't on the public part of your site)?
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
- Per Yngve Berg
- Joomla! Master
- Posts: 30809
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Website hacked
1) Have you checked the .htaccess file?
2) Turn off SEF in Global Configuration so you can see the real URL. Does it still work with that URL?
2) Turn off SEF in Global Configuration so you can see the real URL. Does it still work with that URL?
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sat Feb 05, 2011 7:40 pm
Re: Website hacked
1. There are two newly created pages. There are three existing pages where links were created to the new pages.
2. I am still trying to find the new pages in Joomla's backend to see if there is an author. On the existing pages where links were created, it does not show any recent modification or changes to it.
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Website hacked
PM me a Super User login and I will see if I can find them.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 10
- Joined: Sat Feb 05, 2011 7:40 pm
Re: Website hacked
Thank you for all your support and suggestions. We have talked it over and have decided to try MyJoomla.Com. We hope they can find and fix the problem. Then, we try their ongoing monitoring/support. Thanks again. You have been great.