Site hacked :(

25 views
Skip to first unread message

Traci Lovelace

unread,
Feb 18, 2013, 2:11:35 PM2/18/13
to novaj...@googlegroups.com
I serve as webmaster to a volunteer group (as a volunteer) and my joomla 1.5.13 site has been hacked.  The security patches would never take and I kept meaning to rebuild it but didn't get to it in time.  My web host, who is a very patient man, says this: C:\Inetpub\vhosts\mgpw.org\httpdocs\images\stories\modules.php  needs to be renamed, as it is hacking other sites.

I am not a programmer and this is well beyond my knowledge.  Since this is a volunteer site, I will be paying someone to fix it out of my own pocket.  Can anyone recommend an honest person who can help?

Thank you

Traci Lovelace


 

Bruce Scherzinger

unread,
Feb 18, 2013, 2:18:30 PM2/18/13
to novaj...@googlegroups.com

I could possibly take a look later today. Would need access to your control panel. Not sure exactly when I'll get back home. Might be 6 or 7pm.

__________________________________
Bruce Scherzinger * br...@scherzinger.org

sent via phone. please excuse errors.

--
NoVAJoomla is not affiliated with or endorsed by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.
---
You received this message because you are subscribed to the Google Groups "Joomla! User Group of Northern Virginia" group.
To unsubscribe from this group and stop receiving emails from it, send an email to novajoomla+...@googlegroups.com.
To post to this group, send email to novaj...@googlegroups.com.
Visit this group at http://groups.google.com/group/novajoomla?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Dan Cogliano

unread,
Feb 18, 2013, 4:52:38 PM2/18/13
to novaj...@googlegroups.com
At a minimum, you  can delete that file. There should be no .php files in that folder or folders below it.
--
NoVAJoomla is not affiliated with or endorsed by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.
---
You received this message because you are subscribed to the Google Groups "Joomla! User Group of Northern Virginia" group.
To unsubscribe from this group and stop receiving emails from it, send an email to novajoomla+...@googlegroups.com.
To post to this group, send email to novaj...@googlegroups.com.
Visit this group at http://groups.google.com/group/novajoomla?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 


--
Dan Cogliano
Z Content

Bruce Scherzinger

unread,
Feb 18, 2013, 5:00:04 PM2/18/13
to novaj...@googlegroups.com

Yep. That's the quick fix. We should also taker a look at the permissions on that folder and how the provider has ownership set up.

__________________________________
Bruce Scherzinger * br...@scherzinger.org

sent via phone. please excuse errors.

Sully Sullivan

unread,
Feb 18, 2013, 5:13:45 PM2/18/13
to novaj...@googlegroups.com

1.5.13 is thirteen security releases behind the most current. That site should be updated to Joomla! 1.5.26 as soon as the malware is removed, or the problem will recur.

 

This might be helpful:

https://github.com/btoplak/Joomla-Anti-Malware-Scan-Script

 

Sully

Dorothy Firsching

unread,
Feb 18, 2013, 5:34:51 PM2/18/13
to novaj...@googlegroups.com
One potential avenue is an old, insecure version of JCE. In addition to updating Joomla, components need to be looked at. But that is one suspect that could allow uploading into the images/stories area.

Dorothy


At 05:13 PM 2/18/2013, Sully Sullivan wrote:
1.5.13 is thirteen security releases behind the most current. That site should be updated to Joomla! 1.5.26 as soon as the malware is removed, or the problem will recur.
 
This might be helpful:
https://github.com/btoplak/Joomla-Anti-Malware-Scan-Script
 
Sully
 
F
 

Dorothy Firsching
Dorothy Firsching, PMP
Ursa Major Consulting, LLC
9536 Stevebrook Road
Fairfax, VA  22032
phone (703) 425-6236
fax (703) 345-9354
www.ursamajorconsulting.com
www.talltreesouth.com
Twitter: @dbfirsching

Steve Smith

unread,
Feb 18, 2013, 5:36:01 PM2/18/13
to novaj...@googlegroups.com
Sorry to hear that. Been there. 
Three immediate things you can do to reduce collateral damage in the interim if you have access to Joomla backend:
1.  Assuming you have Super Use/Super Administrator permission/access status: 
Go to Site->Global Configuration->Site ->Site Offline and change to Yes if you haven't already.

2. Go to Users -> New.  Create a new user with Super permissions with a new username (not 'admin' or 'super' or the like and strong password.  Logout and Re-login as this new Super User to test and ensure you have full permissions.  Then Delete the old Super Administrator, probably the one with ID=63.  

3. Go to Users  and set Filter to Super Users. Click the checkbox next to Name and then click on BLOCK to Disable all other Super Users or any other User Groups who have access to the Administrator back end.

In case the hack was monitoring the above actions and the setting of the new password, re-login to Administrator and once again change your strong password.

Now you are the only one with access to Joomla thru Joomla.  I think these will help minimize any further access to the Joomla parts of your website thru Joomla. 

A further thought:  modules.php doesn't sound like a document or image for your website and may be the program hack.  You can try to delete this program via the Joomla Media or File Manager.  Via Admistration ->Control Panel select Media Manager.  This brings up a tree of folders under /Images, including /Images/Stories. Go to this directory locate the modules.php file and Delete.

Note this doesn't resolve the issues - merely stops the bleeding.  If the hacker has access to your Host Server through the Control Panel or FTP via something like FileZilla that's more serious, and involve the Host provider as well.  

[Note also that the default directory /Stories is a favorite target for Joomla hackers because its usually left relatively open for folks to upload images and documents.  Strongly suggest that this directory be given a new, custom name and links to items be accordingly re-adjusted before going back on-line. Access and upload rights ought be examined and constrained)

The adage of being a good neighbor means having good fences applies here:  to avoid being hacked by other sites or causing the hack of other sites, I recommend requesting host to give you a 'dedicated IP' address.

J1.5 can be made secure 'enough' in various ways so updating is not the only option. 

From: Traci Lovelace <lovelace...@gmail.com>
To: novaj...@googlegroups.com
Sent: Monday, February 18, 2013 2:11 PM
Subject: [NoVA JUG] Site hacked :(

Traci Lovelace

unread,
Feb 18, 2013, 7:35:33 PM2/18/13
to novaj...@googlegroups.com
Thanks everyone for your comments.  I found the hack (hacked by Hmei7) and am going to attempt the fix.

The comments about the old version are completely true.  I've  spent a lot of time trying to figure out how to update the site.  It is convoluted, unlike other sites I have been able to do without issue.  I kept meaning to redo it, and now I have a very compelling reason.  I knew better, and it caught up to me.

So, here's hoping that the fix works.  Lesson learned, I will invest whatever time necessary to straighten this mess out.

Thanks

Traci Lovelace

--
NoVAJoomla is not affiliated with or endorsed by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.
---
You received this message because you are subscribed to the Google Groups "Joomla! User Group of Northern Virginia" group.
To unsubscribe from this group and stop receiving emails from it, send an email to novajoomla+...@googlegroups.com.
To post to this group, send email to novaj...@googlegroups.com.
Visit this group at http://groups.google.com/group/novajoomla?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 



--
Traci Lovelace

Dorothy Firsching

unread,
Feb 18, 2013, 9:01:55 PM2/18/13
to novaj...@googlegroups.com
I suggest using the free audit trial of Phil Taylor's Audit My Joomla. He's speaking Thursday evening at our JUG!
When I ran it on a hacked site, I was very impressed that it found what I had already suspected (but more quickly).
I found it worth passing on to the group, though I'm sure others will have even more suggestions.

Dorothy

Sully Sullivan

unread,
Feb 18, 2013, 9:04:08 PM2/18/13
to novaj...@googlegroups.com

I’ll pile on one more compelling reason to migrate: All Joomla! 1.5 extensions will be unpublished from the Joomla! Extensions Directory on 3/15/2013.

 

From: novaj...@googlegroups.com [mailto:novaj...@googlegroups.com] On Behalf Of Dorothy Firsching
Sent: Monday, February 18, 2013 9:02 PM
To: novaj...@googlegroups.com
Subject: Re: [NoVA JUG] Site hacked :(

 

I suggest using the free audit trial of Phil Taylor's Audit My Joomla. He's speaking Thursday evening at our JUG!

Bruce Scherzinger

unread,
Feb 18, 2013, 9:05:33 PM2/18/13
to novaj...@googlegroups.com
I've logged into the back of Traci's site. It's got bigger problems than just being hacked. All your suggestions are good ones, but we have to plug the big holes first.

Bruce

Bruce Scherzinger * br...@scherzinger.org

Gene Crawford

unread,
Feb 22, 2013, 4:02:46 PM2/22/13
to novaj...@googlegroups.com

Will I see anyone from NoVA Joomla here tomorrow?

 

Gene

 

image001.png

Joseph LeBlanc

unread,
Feb 22, 2013, 4:21:38 PM2/22/13
to novaj...@googlegroups.com
I'm not sure, but be sure to say 'hi' to Cory Webb for me :)

-Joe

On Feb 22, 2013, at 3:02 PM, Gene Crawford wrote:

Will I see anyone from NoVA Joomla here tomorrow?
 
Gene
 
<image001.png>
 
Gene Crawford
Emedia Associates

Sully Sullivan

unread,
Feb 22, 2013, 5:57:37 PM2/22/13
to novaj...@googlegroups.com

Not I, but please congratulate Jon for me!

 

Best,

Sully

--

image001.png
Reply all
Reply to author
Forward
0 new messages