My Joomla website was the victim of a hacker attack recently.

Hackers had access to my server and added some PHP files and mostly modified some index.php files. The code is unfortunately not understandable to me and obviously too long to show here (if you want some specific file, please ask in comments). All variable and folder names were obfuscated.

Each time they do so, my host (1and1) will switch the chmod to 200 and my website will go offline.

Of course I changed all my passwords but in vain.

From the few things I got from the modified/added files, the hackers seem to be Russian/Ukrainian and they seem to point to games/porn sites, as these links were somewhere in the code (I won't post porn site links):

http://mobjava.ru/uploads/posts/2012-07/1343378677_i.png
https://www.google.fr/search?q=%D0%A1%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C%20%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE%20java%20%D0%B8%D0%B3%D1%80%D1%83%20Fishing%20Legend&oq=%D0%A1%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C%20%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE%20java%20%D0%B8%D0%B3%D1%80%D1%83%20Fishing%20Legend&aqs=chrome..69i57.3693j0j7&sourceid=chrome&ie=UTF-8

One folder was once full of 2 551 files without extensions, containing simple HTML and whose names are Pinterest posts.

I understand I should get the help of a professional but for now I cannot afford it.

What I'd need to know to go on is:

  • Could the security hole come from Joomla itself?
  • Else, could it come from my template (Purity III) or module?
  • Else, is there some "easy" way to find it?

Joomla version: Joomla! 3.8.5 Stable [ Amani ] 6-February-2018 15:00 GMT
PHP version: 5.6.33

dench
    Possible duplicate of [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – AndrolGenhald Mar 06 '18 at 17:34
  • @AndrolGenhald I've seen this post, it's a little overcomplicated for me. More, I'm using a CMS so this makes it somehow irrelevant. – dench Mar 06 '18 at 17:37
  • 1
    There's nothing magical about a CMS that makes any of that post irrelevant. Ignore reasonable advice at your & your customers' peril. – tjd Mar 06 '18 at 17:42
  • OK, you made a point for the second part of my previous comment. But still, I should magically understand what is beyond my comprehension? – dench Mar 06 '18 at 17:43
  • @dench Sorry to hear your server was hacked. You need to take your site offline now, and then you need to get some professional help to deal with this situation. Unfortunately, taking care of a compromised server is a big job, and nothing that can be solved in a single Q&A. – Anders Mar 06 '18 at 17:46
  • @Anders thank you for your comprehensive comment. Unfortunately I cannot afford a professional help for now. I modified my question to take account of what you said. – dench Mar 06 '18 at 17:53
  • 1
    While the title does not match the body, I'll answer the body questions. "How did the hackers hack my site?" We cannot tell you without extensive review of logs, files, and cooperation from your hosting company. Could it be from a vulnerability in the CMS itself? Yes. Could it be from a template or module? Yes. Is there some easy way to find it? Maybe, maybe not. You need to do a full code and forensic review. – schroeder Mar 06 '18 at 18:03
  • @dench There's not really any better advice anyone can give beyond the linked post. You need to review your logs, ISP records, etc to figure out how they compromised you, then re-build your website. While rebuilding the website you need to close the hole they got in through, and review your processes to determine where else similar holes might exist. – Monica Apologists Get Out Mar 06 '18 at 18:04
  • It appears Joomla and components for it have a long storied history of vulnerabilities, mainly SQL injection [sigh] and one fairly recently that [allowed attackers to take over administration of the server](https://arstechnica.com/information-technology/2015/10/joomla-bug-puts-millions-of-websites-at-risk-of-remote-takeover-hacks/). Your version isn't subject to that specific one but I'm guessing it's not the only Clowntown coding that's been added in the app. – JimmyJames Mar 06 '18 at 18:18
  • Forgot to post [the list](https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=Joomla). Note: these are just the vulnerabilities that have been filed. There are potentially many that are unfiled. There are a lot that have been posted in the last month for components. You should check what you are using against the list. – JimmyJames Mar 06 '18 at 18:23
  • Adonalsium JimmyJames @schroeder : thanks for your kind responses – dench Mar 07 '18 at 11:58
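The third question in the post ("is there some easy way to find it?") has a partial, mechanical answer: triage the web root for the three symptoms described (obfuscated PHP, a folder of extension-less HTML files, and files that differ from a clean install). The script below is an added example written for this page; it is not the asker's code, not Joomla tooling, and not anything from the host. The suspicious-builtin list, the sample files it constructs in temporary directories, and the path names (`images/x.php`, `cache/some-pinterest-post`) are all assumptions made for the demonstration. In real use you would run `build_manifest` on a freshly unpacked Joomla! 3.8.5 download and `scan_webroot` on a read-only copy of the live tree.

```python
"""Triage scanner for a PHP web root: constructed example, not project code."""
import hashlib
import os
import re
import tempfile
import time

# Heuristic markers of obfuscated or dynamically executed PHP. Constructed list
# for this example; tune it, and expect false positives in legitimate code.
SUSPICIOUS_PHP = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\("
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"
)
# Extension-less files that actually hold HTML (the "pinterest posts" folder).
HTML_MARKER = re.compile(rb"<\s*(html|body|a|meta|script)\b", re.IGNORECASE)
PHP_EXTS = {".php", ".phtml", ".php5", ".inc"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """relative path -> sha256 for every file under root. Run this on a CLEAN
    copy (an unpacked download of the same release), never on the live tree."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def scan_webroot(root, manifest=None, recent_days=7, now=None):
    """Return sorted lists of suspicious relative paths, keyed by the check that fired."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {"obfuscated_php": [], "extensionless_html": [], "recent": [],
                "added": [], "modified": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as f:
                head = f.read(1 << 20)  # first MiB is enough for these heuristics
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTS and SUSPICIOUS_PHP.search(head):
                findings["obfuscated_php"].append(rel)
            if ext == "" and HTML_MARKER.search(head):
                findings["extensionless_html"].append(rel)
            if os.path.getmtime(full) >= cutoff:
                findings["recent"].append(rel)
            if manifest is not None:
                if rel not in manifest:
                    findings["added"].append(rel)
                elif manifest[rel] != sha256_of(full):
                    findings["modified"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def demo_scan():
    """Build a tiny constructed 'clean install' and a tampered live copy of it,
    then scan the live copy against the clean manifest."""
    clean = tempfile.mkdtemp(prefix="clean_")
    live = tempfile.mkdtemp(prefix="live_")
    files = {  # constructed stand-ins for a CMS install, not real Joomla files
        "index.php": b"<?php\ndefine('_JEXEC', 1);\nrequire __DIR__ . '/includes/app.php';\n",
        "includes/app.php": b"<?php\necho 'hello';\n",
    }
    month_ago = time.time() - 30 * 86400
    for tree in (clean, live):
        for rel, body in files.items():
            path = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
            os.utime(path, (month_ago, month_ago))  # pretend the install is old
    manifest = build_manifest(clean)

    # Constructed tampering mirroring the reported symptoms; the strings are
    # harmless (the base64 below decodes to a plain echo statement).
    with open(os.path.join(live, "index.php"), "ab") as f:
        f.write(b"<?php $x = 'ZWNobyAnaGknOw=='; eval(base64_decode($x)); ?>\n")
    os.makedirs(os.path.join(live, "images"))
    with open(os.path.join(live, "images", "x.php"), "wb") as f:
        f.write(b"<?php echo gzinflate(base64_decode('H4sI')); ?>\n")
    os.makedirs(os.path.join(live, "cache"))
    with open(os.path.join(live, "cache", "some-pinterest-post"), "wb") as f:
        f.write(b'<html><body><a href="http://example.invalid/">post</a></body></html>\n')
    return scan_webroot(live, manifest)


if __name__ == "__main__":
    for check, paths in demo_scan().items():
        print(f"{check}: {paths}")
```

Two caveats when applying this to a real site: third-party templates and extensions (Purity III, modules, plugins) are not in the core download, so they show up under `added` until you add their own clean packages to the manifest; and the `recent` check depends on mtimes that an attacker can reset, so treat the hash comparison as the authoritative list and mtimes as a hint. The scan narrows down what to inspect and which extension to check against the NVD list linked in the comments; it does not replace rebuilding from known-clean sources as the linked canonical answer recommends.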

0 Answers