1

one of my clients complained that she cannot log into her Joomla installation anymore. So I checked the database and saw, that all the user names and passwords (md5 value, I used a rainbowtable to check) are set to "harun". Did anyone ever hear about that? Google doesn't...

Also: what do I need to to now (besides changing passwords)? I'm not that "big" in web-dev and never faced such a problem.

Any help appreciated.

AstroCB
  • 12,337
  • 20
  • 57
  • 73
Owlbertz
  • 33
  • 1
  • 5
  • Off topic. Tip: update your joomla to the latest version. I am not sure but it is using mysql_* functions. And of course you have to change admin, users and mysql user's passwords. – HddnTHA Jun 02 '14 at 21:31
  • Are the emails still valid? Obviously you need to do total clean up of your site. – Elin Jun 03 '14 at 02:32

3 Answers3

1

Clearly you have a great deal of cleanup to do....I hope you have a database backup! We had the same kind of thing happen to us a couple of years back, and installed RSFirewall. While attacks still occasionally occur, this wonderful extension has cut the damage by 99% for us. Good luck!

GDP
  • 8,109
  • 6
  • 45
  • 82
0

You need to clean up the website and find and fix the point of entry.

1. clean up the website

You could restore from a backup but it can be difficult to determine the exact date the website was compromised.

You could spend days trying to find and fix compromised files yourself.

The best option is probably to use a commercial service like www.myjoomla.com or sucuri.net which cost very little and are usually effective at finding and fixing infected websites. In particular, the myJoomla security tool can identify core Joomla files that have been changed and replace the changed ones with the original files.

2. find and fix the point of entry

Update Joomla to the latest version in the series.

Update all third party extensions to the latest versions.

Update Joomla, FTP/cPanel and Database passwords.

Check the Vulnerable Extensions List at vel.joomla.org to ensure you are not using any vulnerable extensions.

Also see the Official Security Checklist at http://docs.joomla.org/Security_Checklist and https://stackoverflow.com/a/19139389/1983389 and https://joomla.stackexchange.com/a/180/120 for tips on keeping your Joomla website secure.

Community
  • 1
  • 1
Neil Robertson
  • 3,295
  • 3
  • 28
  • 49
0

For long time solution its an suggestion please change your server or host. As you said MD5 are set as "harun" as per my opinion its change by some kid's hacker by sim-link or some local jommala vul. attack . If its sim-link attack then you need to worried about host else if its jommla vul. then simply change the version or update it and make cleanup on your publichtml/ or soo on .And make sure there is no other php script or perl / python script not found on your Host.

Simmant
  • 1,477
  • 25
  • 39