6

My Joomla 2.5.4 site was cracked last night. Moreover, the Joomla forum is currently down, and I can't even run Joomla's diagnostic utility. (fpa-en.php)

I have followed Joomla's instructions for diagnosis with no success. (See below) I have also emailed my webhost (I am on a shared server, but I use a host recommended by Joomla that is a specialist in Joomla sites). So, my question is what do I do next?

Here is the info that I have so far.

Using Joomla 2.5.4 (the latest). All extensions were updated to the most recent release, and none are on the Joomla vulnerable extensions list.

Passwords of other administrators were changed but not mine fortunately.

User_notes table deleted, which renders the User Manager in the admin section useless.

According to logs the attack hit the following files in this sequence:

  1. /administrator/index.php
  2. /index.php (Root)
  3. /plugins/authentication/joomla/joomla.php
  4. /plugins/user/joomla/joomla.php

and then the changes to the users and user_notes tables.

There is no junk in either index.php.

Attack IP was 199.15.234.216, which is from a Fort Worth server of supremetelecom.com.

Fortunately, I have backups and there was no defacement, but until I can get fpa-en.php to work and access the Joomla forums, I am not sure what to do other than change all passwords and block the IP.

Thanks in advance for any help!

AstroCB
user1456634
  • By fpa-en.php do you mean "Forum Post Assistant" ? (Note this is not a Joomla! product). – Craig Jun 14 '12 at 22:58

4 Answers

12

Firstly, reset the passwords of all the administrators, including yours, then change them and ensure they include letters and numbers. Then change the password for the host control panel using the password generator if they provide one. If not, use a password generator online. Once this is done change the password for your database username and don't forget to also update the configuration.php with your new password.

Secondly, download and install Admin Tools which will add more security to your site for the future. Admin Tools also comes with an Emergency Offline button which is useful.

Then download and install Saxum IP Logger which will trace all the registered users, giving you their IP address, country and so on and you can also block IP addresses using the plugin that comes with it.

Next, go to the host control panel and look at the logs to see which IP addresses have entered your website and which files they have accessed. The IP address that corresponds to the files edited, you can then block using the plugin I mentioned before. Joomla 2.5 is very hard to hack so it is rather likely you have an extension that is badly developed and allows SQL injection. Therefore you should always choose popular extensions to install on your website when they are database related.

Hope this helps you in the future. Regards

EDIT : You can also password protect your folders in the FTP for additional security.

You may also find this extension quite useful

Riccardo Zorn
Lodder
  • Hey All - First, I sure hope it's not a zero day. Second, sorry, I meant Forum Post Assistant. Lodder and Riley, very helpful comments. I have made the changes suggested: new passwords, restored files and database from a healthy backup, blocked the attacker's IP and am using Admin Tools Emergency Offline. I am befuddled though, because the extensions I am using, I think, have a good reputation: Admin Tools, Akeeba Backup, RSFirewall and YKhoon Account Lock (Brute Force Prevention). None are on the vulnerable extensions list. Alas, I am wondering whether there was a virus on one of my admins' computers? – user1456634 Jun 15 '12 at 02:47
  • One other thing... the config file as well as the temp and logs folder were already below the root. – user1456634 Jun 15 '12 at 03:02
  • 1
    A virus from a computer that was uploaded wouldn't have been programmed to do the attack you described. It was most likely SQL injection. – Lodder Jun 15 '12 at 03:02
  • Hmm. So, I still have to find the vulnerability. Thanks. – user1456634 Jun 15 '12 at 03:04
  • I have used Admin Tools and Saxum IP Logger and have to say they are really useful and would recommend them all the way. –  Jul 01 '12 at 15:39
  • I do use Admin Tools and love it, but I am not familiar with Saxum. I will give it a try. Thanks for the tip! – user1456634 Jul 01 '12 at 22:32
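The log review Lodder describes (which IP touched which files, in what order) can be done directly on the raw access log before reaching for a plugin. This is an added example, not code from the answer or from any of the extensions named; it assumes Apache/nginx combined log format on stdin, and the sample lines below are constructed to mirror the file sequence the question reports.

```shell
#!/bin/sh
# Added example: reconstruct one client's request sequence from a combined-format
# access log and flag direct hits on plugin PHP files. Sample log is constructed;
# the IP is the one reported in the question.
SAMPLE_LOG=$(cat <<'EOF'
199.15.234.216 - - [14/Jun/2012:02:11:05 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jun/2012:02:11:09 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
199.15.234.216 - - [14/Jun/2012:02:11:12 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
199.15.234.216 - - [14/Jun/2012:02:11:20 +0000] "GET /plugins/authentication/joomla/joomla.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
199.15.234.216 - - [14/Jun/2012:02:11:25 +0000] "GET /plugins/user/joomla/joomla.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
EOF
)

# Print "timestamp method path status" for every request from one IP, in log order.
files_for_ip() {
    awk -v ip="$1" '$1 == ip {
        gsub(/[\[\]]/, "", $4); gsub(/"/, "", $6)
        print $4, $6, $7, $9
    }'
}

# Request count per client IP, busiest first: a quick way to spot the outlier.
requests_per_ip() {
    awk '{ n[$1]++ } END { for (i in n) print n[i], i }' | sort -rn
}

# Direct requests for PHP files under /plugins/: Joomla serves everything through
# index.php, so a client fetching plugin files by path is worth a closer look.
direct_plugin_hits() {
    awk '$7 ~ /^\/plugins\/.*\.php/ { print $1, $7 }'
}

# Stand-alone usage against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | requests_per_ip
printf '%s\n' "$SAMPLE_LOG" | files_for_ip 199.15.234.216
printf '%s\n' "$SAMPLE_LOG" | direct_plugin_hits
```

On a real host, replace the sample with `files_for_ip <ip> < /path/to/access_log` and compare the timestamps against the modification times of the files that changed.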
1

After you recover from this, make sure you place a password on the /administrator directory with .htaccess, assuming this is a Linux based server.

Edward
0

A couple of steps that will help you identify the point of access. It also depends on whether you have access to some server-side tools.

  1. Contact your host and ask them if they run mod_security; if so, ask them for the mod_security flag for that IP.
  2. Ask the host if they run any type of maldet tools; if so, ask for a scan of your account.
  3. If you have shell access, run a check on what the most recent file changes were, aside from tmp and cache files.

Fixing the hack:

  1. Change all your passwords.
  2. Install Project Honey Pot.
  3. Admin Tools install is good, but you need the Pro version to really gain access to the security tools.
  4. Migrate to a host that specializes in Joomla platforms; in most cases they already have the accounts configured for common security issues in Joomla.

Getting hacked really sucks... Good luck!
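Step 3 above (recent file changes, ignoring tmp and cache) and the related check for PHP files dropped into upload directories, as an added example that is not code from this answer. It assumes a standard Joomla 2.5 layout under the site root you pass in; the `images/`, `tmp/`, `cache/` and `logs/` paths are the stock directory names.

```shell
#!/bin/sh
# Added example: two post-compromise checks for a Joomla site root.
# Assumes the stock Joomla directory layout (tmp/, cache/, logs/, images/).

# Files modified in the last N days (default 3), excluding the directories
# Joomla writes to in normal operation so the noise does not hide the signal.
recent_changes() {
    root="$1"; days="${2:-3}"
    find "$root" -type f -mtime "-$days" \
        -not -path "$root/tmp/*" \
        -not -path "$root/cache/*" \
        -not -path "$root/administrator/cache/*" \
        -not -path "$root/logs/*" | sort
}

# Files changed since a reference file, e.g. since the last known-good backup
# archive was written: find -newer compares modification times.
changed_since() {
    root="$1"; ref="$2"
    find "$root" -type f -newer "$ref" \
        -not -path "$root/tmp/*" -not -path "$root/cache/*" | sort
}

# PHP files under directories that should only ever hold uploads or scratch
# data. Joomla itself never places PHP there, so any hit warrants inspection.
php_in_upload_dirs() {
    root="$1"
    for d in images tmp cache logs; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -name '*.php'
    done | sort
}

# Stand-alone usage, assuming the site root is given as the first argument.
if [ -n "$1" ]; then
    echo "== modified in last 3 days =="; recent_changes "$1" 3
    echo "== PHP in upload/scratch dirs =="; php_in_upload_dirs "$1"
fi
```

Compare the timestamps this reports with the request times in the access log; the first change that postdates the suspicious requests is usually the entry point.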

-2

Relocate your administrator page by editing the config.php files, and edit your FTP permission settings. If your administration login URL was the standard location (www.site.com/administrator), change this location and block access using your hosting control panel to only certain IP addresses (and even restrict access by hours of availability). How many administrator user accounts do you have? There really should be only one person with super user access. It is really not productive or safe to have other users that do minor edits of the website with administrator privileges; they could accidentally cause issues. These are basic steps and there is a lot more you can do. Send an email if you need help/step by step instructions. Hope all goes well.

IMS Studio
  • You can't just simply change the folder name from "administrator" to something else. It will cause problems when installing extensions. – Lodder Jun 14 '12 at 18:14
  • Also, if you are referring to chmod settings when you mention FTP settings, I assume you mean changing folders from 755 and files from 644 to something lower; however, this will also prevent extensions from being installed properly, if not at all. – Lodder Jun 14 '12 at 18:19
  • Hi - I distrust FTPs; just use cPanel. Permissions were set at 755 and 644. Argg. – user1456634 Jun 15 '12 at 02:55