Site Hacked And Cannot Login to Admin Area

Post by 313designs » Fri Jan 04, 2008 7:33 pm

Greetings,

On January 1, my fraternity site was hacked. I was able to replace the index.php file and reset the permissions to 444. Now, I cannot log in to the admin area. Apparently, the hacker found a way to create a user for himself and locked me out. How do I regain access, and how do I better secure my site so this doesn't happen again?

Jay

Post by gooseandluba » Fri Jan 04, 2008 8:20 pm

I have the exact same problem! My hosting company restored my site but now I also cannot login to the admin area. I wonder if we were hacked by the same crew.

Any help from the forum would be greatly appreciated. I know there is a lot of information on this site but I haven't found anything that relates specifically to this problem. I hope to tighten up my site before these guys strike again.

Thanks.

Post by volmark » Fri Jan 04, 2008 9:22 pm

Carefully check file and directory permissions and ownership, especially on the directory where session files are stored.
I have had this problem sometimes, not because of crackers but because my shared host has PHP safe mode on and the HTTPD process changes permissions on session files.

Post by PhilD » Fri Jan 04, 2008 9:30 pm

I believe setting the index.php permissions to 444 will prevent you from accessing the file in order to log in. Try setting the permissions to 644 on files.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Post by fw116 » Fri Jan 04, 2008 9:41 pm

Nope... setting index.php to 444 in the admin area does not affect the login process.

Post by PhilTaylor-Prazgod » Sat Jan 05, 2008 9:46 pm

WARNING: the following recommendation will nuke/delete/kill all existing users on a Joomla site - only use it if that's what you want to do.

You can run the following SQL in phpMyAdmin. This will nuke ALL USERS and will create a single super admin called "admin" with a password of "admin" - after running this you should change that password.

By removing all existing users you can be sure that the hacker's changes are removed.

If this is the true nature of your login problems then the following will fix this.

-- phpMyAdmin SQL Dump
-- version 2.11.1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 05, 2008 at 09:44 PM
-- Server version: 5.0.45
-- PHP Version: 5.2.3-1ubuntu6.2

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `FRESH`
--

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_aro`
--

DROP TABLE IF EXISTS `jos_core_acl_aro`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_aro` (
  `aro_id` int(11) NOT NULL auto_increment,
  `section_value` varchar(240) NOT NULL default '0',
  `value` varchar(240) NOT NULL default '',
  `order_value` int(11) NOT NULL default '0',
  `name` varchar(255) NOT NULL default '',
  `hidden` int(11) NOT NULL default '0',
  PRIMARY KEY  (`aro_id`),
  UNIQUE KEY `jos_gacl_section_value_value_aro` (`section_value`(100),`value`(100)),
  KEY `jos_gacl_hidden_aro` (`hidden`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;

--
-- Dumping data for table `jos_core_acl_aro`
--

INSERT INTO `jos_core_acl_aro` VALUES(10, 'users', '62', 0, 'Administrator', 0);

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_aro_groups`
--

DROP TABLE IF EXISTS `jos_core_acl_aro_groups`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_aro_groups` (
  `group_id` int(11) NOT NULL auto_increment,
  `parent_id` int(11) NOT NULL default '0',
  `name` varchar(255) NOT NULL default '',
  `lft` int(11) NOT NULL default '0',
  `rgt` int(11) NOT NULL default '0',
  PRIMARY KEY  (`group_id`),
  KEY `parent_id_aro_groups` (`parent_id`),
  KEY `jos_gacl_parent_id_aro_groups` (`parent_id`),
  KEY `jos_gacl_lft_rgt_aro_groups` (`lft`,`rgt`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=31 ;

--
-- Dumping data for table `jos_core_acl_aro_groups`
--

INSERT INTO `jos_core_acl_aro_groups` VALUES(17, 0, 'ROOT', 1, 22);
INSERT INTO `jos_core_acl_aro_groups` VALUES(28, 17, 'USERS', 2, 21);
INSERT INTO `jos_core_acl_aro_groups` VALUES(29, 28, 'Public Frontend', 3, 12);
INSERT INTO `jos_core_acl_aro_groups` VALUES(18, 29, 'Registered', 4, 11);
INSERT INTO `jos_core_acl_aro_groups` VALUES(19, 18, 'Author', 5, 10);
INSERT INTO `jos_core_acl_aro_groups` VALUES(20, 19, 'Editor', 6, 9);
INSERT INTO `jos_core_acl_aro_groups` VALUES(21, 20, 'Publisher', 7, 8);
INSERT INTO `jos_core_acl_aro_groups` VALUES(30, 28, 'Public Backend', 13, 20);
INSERT INTO `jos_core_acl_aro_groups` VALUES(23, 30, 'Manager', 14, 19);
INSERT INTO `jos_core_acl_aro_groups` VALUES(24, 23, 'Administrator', 15, 18);
INSERT INTO `jos_core_acl_aro_groups` VALUES(25, 24, 'Super Administrator', 16, 17);

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_aro_sections`
--

DROP TABLE IF EXISTS `jos_core_acl_aro_sections`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_aro_sections` (
  `section_id` int(11) NOT NULL auto_increment,
  `value` varchar(230) NOT NULL default '',
  `order_value` int(11) NOT NULL default '0',
  `name` varchar(230) NOT NULL default '',
  `hidden` int(11) NOT NULL default '0',
  PRIMARY KEY  (`section_id`),
  UNIQUE KEY `value_aro_sections` (`value`),
  UNIQUE KEY `jos_gacl_value_aro_sections` (`value`),
  KEY `hidden_aro_sections` (`hidden`),
  KEY `jos_gacl_hidden_aro_sections` (`hidden`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;

--
-- Dumping data for table `jos_core_acl_aro_sections`
--

INSERT INTO `jos_core_acl_aro_sections` VALUES(10, 'users', 1, 'Users', 0);

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_groups_aro_map`
--

DROP TABLE IF EXISTS `jos_core_acl_groups_aro_map`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_groups_aro_map` (
  `group_id` int(11) NOT NULL default '0',
  `section_value` varchar(240) NOT NULL default '',
  `aro_id` int(11) NOT NULL default '0',
  UNIQUE KEY `group_id_aro_id_groups_aro_map` (`group_id`,`section_value`,`aro_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `jos_core_acl_groups_aro_map`
--

INSERT INTO `jos_core_acl_groups_aro_map` VALUES(25, '', 10);

-- --------------------------------------------------------

--
-- Table structure for table `jos_users`
--

DROP TABLE IF EXISTS `jos_users`;
CREATE TABLE IF NOT EXISTS `jos_users` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL default '',
  `username` varchar(25) NOT NULL default '',
  `email` varchar(100) NOT NULL default '',
  `password` varchar(100) NOT NULL default '',
  `usertype` varchar(25) NOT NULL default '',
  `block` tinyint(4) NOT NULL default '0',
  `sendEmail` tinyint(4) default '0',
  `gid` tinyint(3) unsigned NOT NULL default '1',
  `registerDate` datetime NOT NULL default '0000-00-00 00:00:00',
  `lastvisitDate` datetime NOT NULL default '0000-00-00 00:00:00',
  `activation` varchar(100) NOT NULL default '',
  `params` text NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `usertype` (`usertype`),
  KEY `idx_name` (`name`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=63 ;

--
-- Dumping data for table `jos_users`
--

INSERT INTO `jos_users` VALUES(62, 'Administrator', 'admin', 'admin@127.0.0.1', '1b6c9ca60503cf3e784fb05611320fc8:NEQuJ5psDbwIXt2Q', 'Super Administrator', 0, 1, 25, '2007-11-09 23:41:17', '0000-00-00 00:00:00', '', 'expired=\nexpired_time=');
Phil Taylor
Founder, Lead Developer, Idiot.
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
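
A less destructive alternative to the full reset in the post above, as an added example that is not part of the original thread: audit the privileged accounts and ACL rows first, then remove only the unwanted account and set a non-default password. Table and column names come from the dump; `@rogue_id`, `@my_id` and the passphrase are placeholders, and the password step assumes the `md5(password + salt):salt` storage format used by Joomla 1.0.13 and later.

```sql
-- Added example (not from the thread). Names follow the dump above; adjust the
-- jos_ prefix if your site uses another one. Back up the database first.

-- 1. Back-end accounts, newest first. Per jos_core_acl_aro_groups:
--    23 = Manager, 24 = Administrator, 25 = Super Administrator.
SELECT id, username, email, usertype, gid, block, registerDate, lastvisitDate
FROM jos_users
WHERE gid IN (23, 24, 25)
ORDER BY registerDate DESC;

-- 2. ACL rows that disagree with jos_users. An ARO row keeps the user id in
--    `value`; jos_core_acl_groups_aro_map links that ARO to a group.
--    Any row returned is an ACL entry with no matching user, or a user whose
--    ACL group differs from jos_users.gid, and deserves a manual look.
SELECT a.aro_id, a.value AS acl_user_id, a.name AS acl_name,
       m.group_id AS acl_group, u.username, u.gid AS users_gid
FROM jos_core_acl_aro AS a
JOIN jos_core_acl_groups_aro_map AS m ON m.aro_id = a.aro_id
LEFT JOIN jos_users AS u ON u.id = CAST(a.value AS UNSIGNED)
WHERE a.section_value = 'users'
  AND (u.id IS NULL OR u.gid <> m.group_id);

-- 3. Remove one unwanted account and its ACL rows.
--    '0' is a placeholder; replace it with the id found in steps 1 and 2.
SET @rogue_id := '0';
DELETE m FROM jos_core_acl_groups_aro_map AS m
  JOIN jos_core_acl_aro AS a ON a.aro_id = m.aro_id
  WHERE a.section_value = 'users' AND a.value = @rogue_id;
DELETE FROM jos_core_acl_aro
  WHERE section_value = 'users' AND value = @rogue_id;
DELETE FROM jos_users WHERE id = @rogue_id;

-- 4. Set your own password directly, so the site is never reachable with the
--    admin/admin default. Assumption: the stored value is
--    md5(password + salt), a colon, then the salt (Joomla 1.0.13 and later).
SET @my_id := '0';  -- placeholder: your own row id in jos_users
SET @salt  := SUBSTRING(MD5(RAND()), 1, 16);
UPDATE jos_users
SET password = CONCAT(MD5(CONCAT('replace-with-a-long-passphrase', @salt)),
                      ':', @salt)
WHERE id = @my_id;
```

Queries 1 and 2 are read-only; inspect their output before running steps 3 and 4.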

Post by 313designs » Sun Jan 06, 2008 10:00 pm

Greetings,


I applied the Query and I now can login. Only issue is losing those who signed up as site users but hey...I'll take the grunts and complaints on that one.

Thanks for the fix. Now I have to work on better securing this site.

Jay

Post by PhilTaylor-Prazgod » Sun Jan 06, 2008 10:13 pm

313designs wrote: Greetings,


I applied the Query and I now can login. Only issue is losing those who signed up as site users but hey...I'll take the grunts and complaints on that one.

Thanks for the fix. Now I have to work on better securing this site.

Jay
I'm glad you are now all sorted :-)

Post by poks » Wed Jan 30, 2008 6:42 am

Hi all,

there's a similar problem with my site, http://www.theurbanwire.com

However, not only is it that I can't log in to the admin area, but I also cannot log in to the server, which is Lunarpages. Also, any link clicked on the main page (which is the only accessible page) leads to this message:

"If you're a Singnet user, you may not be able to access theurbanwire.com and many other webpages. Please call 1800 848 6933 to have your access restored. Thank you!"

Trying to login to the admin page, http://www.theurbanwire.com/stories/administrator also brings me to the same message.

Would appreciate it if someone could advise me about the situation soon, as it's a very important online business which will affect many.

Thank you very much!

 

Post by dhuelsmann » Fri Feb 01, 2008 1:47 pm

poks wrote: Hi all,

there's a similar problem with my site, http://www.theurbanwire.com

However, not only is it that I can't log in to the admin area, but I also cannot log in to the server, which is Lunarpages. Also, any link clicked on the main page (which is the only accessible page) leads to this message:

"If you're a Singnet user, you may not be able to access theurbanwire.com and many other webpages. Please call 1800 848 6933 to have your access restored. Thank you!"

Trying to login to the admin page, http://www.theurbanwire.com/stories/administrator also brings me to the same message.

Would appreciate it if someone could advise me about the situation soon, as it's a very important online business which will affect many.

Thank you very much!

 
I suggest you call the telephone number.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

Post by Corsulian » Fri Apr 03, 2009 3:36 pm

Ask your host to roll back your site to a time before the attack (though this was a while back so they might keep the backups for that long).

For your next site, try jSecure Authentication. It's free and will thwart most of these casual attacks.

Post by PhilTaylor-Prazgod » Fri Apr 03, 2009 3:45 pm

That's *IF* the webhost has done a backup - most contracts state data backup is the customer's responsibility - and so you should NEVER rely on your provider doing a backup for you. After all, it's YOUR data :-) Your responsibility :-)

P.

Post by eradio » Mon Aug 24, 2009 4:38 pm

I ran script and nuked all users, but still cannot login with default credentials as mentioned. Would this imply another issue entirely?

Thanks for the help Phil.

Post by mandville » Mon Aug 24, 2009 5:11 pm

eradio wrote:I ran script and nuked all users, but still cannot login with default credentials as mentioned. Would this imply another issue entirely?

Thanks for the help Phil.
This 6-month-old topic is probably very different to yours. Please run the forum post tool and then start a new topic.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Post by mhadipour » Sat Mar 06, 2010 11:29 am

Hi eradio,

Did you solve your problem? Because I have the same problem.

Post by MCC » Tue Oct 19, 2010 7:22 pm

I am not a php guy, but I am learning...Do I use the entire block of code below or only a portion? And should I change the 'admin@127.0.0.1' to my personal e-mail? Any other changes?

THANK YOU!!!
PhilTaylor-Prazgod wrote: WARNING: the following recommendation will nuke/delete/kill all existing users on a Joomla site - only use it if that's what you want to do.

You can run the following SQL in phpMyAdmin. This will nuke ALL USERS and will create a single super admin called "admin" with a password of "admin" - after running this you should change that password.

By removing all existing users you can be sure that the hacker's changes are removed.

If this is the true nature of your login problems then the following will fix this.

-- phpMyAdmin SQL Dump
-- version 2.11.1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jan 05, 2008 at 09:44 PM
-- Server version: 5.0.45
-- PHP Version: 5.2.3-1ubuntu6.2

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `FRESH`
--

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_aro`
--

DROP TABLE IF EXISTS `jos_core_acl_aro`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_aro` (
  `aro_id` int(11) NOT NULL auto_increment,
  `section_value` varchar(240) NOT NULL default '0',
  `value` varchar(240) NOT NULL default '',
  `order_value` int(11) NOT NULL default '0',
  `name` varchar(255) NOT NULL default '',
  `hidden` int(11) NOT NULL default '0',
  PRIMARY KEY  (`aro_id`),
  UNIQUE KEY `jos_gacl_section_value_value_aro` (`section_value`(100),`value`(100)),
  KEY `jos_gacl_hidden_aro` (`hidden`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;

--
-- Dumping data for table `jos_core_acl_aro`
--

INSERT INTO `jos_core_acl_aro` VALUES(10, 'users', '62', 0, 'Administrator', 0);

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_aro_groups`
--

DROP TABLE IF EXISTS `jos_core_acl_aro_groups`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_aro_groups` (
  `group_id` int(11) NOT NULL auto_increment,
  `parent_id` int(11) NOT NULL default '0',
  `name` varchar(255) NOT NULL default '',
  `lft` int(11) NOT NULL default '0',
  `rgt` int(11) NOT NULL default '0',
  PRIMARY KEY  (`group_id`),
  KEY `parent_id_aro_groups` (`parent_id`),
  KEY `jos_gacl_parent_id_aro_groups` (`parent_id`),
  KEY `jos_gacl_lft_rgt_aro_groups` (`lft`,`rgt`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=31 ;

--
-- Dumping data for table `jos_core_acl_aro_groups`
--

INSERT INTO `jos_core_acl_aro_groups` VALUES(17, 0, 'ROOT', 1, 22);
INSERT INTO `jos_core_acl_aro_groups` VALUES(28, 17, 'USERS', 2, 21);
INSERT INTO `jos_core_acl_aro_groups` VALUES(29, 28, 'Public Frontend', 3, 12);
INSERT INTO `jos_core_acl_aro_groups` VALUES(18, 29, 'Registered', 4, 11);
INSERT INTO `jos_core_acl_aro_groups` VALUES(19, 18, 'Author', 5, 10);
INSERT INTO `jos_core_acl_aro_groups` VALUES(20, 19, 'Editor', 6, 9);
INSERT INTO `jos_core_acl_aro_groups` VALUES(21, 20, 'Publisher', 7, 8);
INSERT INTO `jos_core_acl_aro_groups` VALUES(30, 28, 'Public Backend', 13, 20);
INSERT INTO `jos_core_acl_aro_groups` VALUES(23, 30, 'Manager', 14, 19);
INSERT INTO `jos_core_acl_aro_groups` VALUES(24, 23, 'Administrator', 15, 18);
INSERT INTO `jos_core_acl_aro_groups` VALUES(25, 24, 'Super Administrator', 16, 17);

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_aro_sections`
--

DROP TABLE IF EXISTS `jos_core_acl_aro_sections`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_aro_sections` (
  `section_id` int(11) NOT NULL auto_increment,
  `value` varchar(230) NOT NULL default '',
  `order_value` int(11) NOT NULL default '0',
  `name` varchar(230) NOT NULL default '',
  `hidden` int(11) NOT NULL default '0',
  PRIMARY KEY  (`section_id`),
  UNIQUE KEY `value_aro_sections` (`value`),
  UNIQUE KEY `jos_gacl_value_aro_sections` (`value`),
  KEY `hidden_aro_sections` (`hidden`),
  KEY `jos_gacl_hidden_aro_sections` (`hidden`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;

--
-- Dumping data for table `jos_core_acl_aro_sections`
--

INSERT INTO `jos_core_acl_aro_sections` VALUES(10, 'users', 1, 'Users', 0);

-- --------------------------------------------------------

--
-- Table structure for table `jos_core_acl_groups_aro_map`
--

DROP TABLE IF EXISTS `jos_core_acl_groups_aro_map`;
CREATE TABLE IF NOT EXISTS `jos_core_acl_groups_aro_map` (
  `group_id` int(11) NOT NULL default '0',
  `section_value` varchar(240) NOT NULL default '',
  `aro_id` int(11) NOT NULL default '0',
  UNIQUE KEY `group_id_aro_id_groups_aro_map` (`group_id`,`section_value`,`aro_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `jos_core_acl_groups_aro_map`
--

INSERT INTO `jos_core_acl_groups_aro_map` VALUES(25, '', 10);

-- --------------------------------------------------------

--
-- Table structure for table `jos_users`
--

DROP TABLE IF EXISTS `jos_users`;
CREATE TABLE IF NOT EXISTS `jos_users` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL default '',
  `username` varchar(25) NOT NULL default '',
  `email` varchar(100) NOT NULL default '',
  `password` varchar(100) NOT NULL default '',
  `usertype` varchar(25) NOT NULL default '',
  `block` tinyint(4) NOT NULL default '0',
  `sendEmail` tinyint(4) default '0',
  `gid` tinyint(3) unsigned NOT NULL default '1',
  `registerDate` datetime NOT NULL default '0000-00-00 00:00:00',
  `lastvisitDate` datetime NOT NULL default '0000-00-00 00:00:00',
  `activation` varchar(100) NOT NULL default '',
  `params` text NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `usertype` (`usertype`),
  KEY `idx_name` (`name`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=63 ;

--
-- Dumping data for table `jos_users`
--

INSERT INTO `jos_users` VALUES(62, 'Administrator', 'admin', 'admin@127.0.0.1', '1b6c9ca60503cf3e784fb05611320fc8:NEQuJ5psDbwIXt2Q', 'Super Administrator', 0, 1, 25, '2007-11-09 23:41:17', '0000-00-00 00:00:00', '', 'expired=\nexpired_time=');

