Joomla 1.7 site hacked. What to do?

Recently my Joomla 1.7 site was hacked. I knew nothing about it: the site worked fine. But when I did a test search on Google, I found that the site was listed for keywords that are not used on my site. When I looked at the Google cache I was surprised to see different pages: the contents of my pages had been replaced with advertising links and texts.

This was some sort of cloaking, which meant my Joomla site was infected with something bad.

I had already seen a similar problem with another Joomla 1.5 site of mine a year ago, so this time I knew what to do.


1. Block access to the bot on the site.

After a quick look at the site folders I found a folder components/downloads. This is not a usual folder for Joomla. Inside it I found a PHP file with strange contents: "define("thrnutm", "65c756b2f3019890375e66f239328727"); $GLOBALS['_1516428634_']=Array(.....". This is definitely not part of Joomla. I removed that file. But was this the only such file inside the Joomla folders?

I decided to block direct access to all PHP files other than index.php in the Joomla root.

I created a small PHP script:

<?php
// Every direct request to a .php file in a subfolder is rewritten to this
// script by .htaccess; the requested file is never executed, only logged.
$s = $_SERVER['REQUEST_URI'];

// Append the request URI, its parameters and the server variables to cache/d.txt
$h = fopen('../cache/d.txt', 'a');
fwrite($h, '[' . date('d-m-Y H:i:s') . ']: ' . $s . "\n");
fwrite($h, print_r($_REQUEST, true) . "\n"); // GET/POST parameters sent to the script
fwrite($h, print_r($_SERVER, true) . "\n");  // includes REMOTE_ADDR of the client
fclose($h);
?>

and put it in the file components/stop.php.

I also changed the .htaccess file by adding:

# Leave the administrator entry point and the logger itself alone
RewriteCond %{REQUEST_URI} !^/administrator/index
RewriteCond %{REQUEST_URI} !^/components/stop.php
# Send every other direct request to a .php file inside a subfolder to the logger
RewriteRule ^(.+/.+\.php)$ /components/stop.php/$1 [L]

After this I was able to see all direct requests to PHP files other than index.php in the file cache/d.txt, and I located those files.

2. The problem is still there.

In the folder components/downloads there was also a .htaccess file with these contents:

RewriteEngine On
RewriteBase /components/downloads

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f

RewriteRule index.php.* - [L]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f

RewriteRule ^(.*) index.php?id=$1

This means that the attacker could access and configure his bot with URIs that do not contain the .php extension, so my protection would not help.

I had to find all .htaccess files in the Joomla folders and delete them.

3. Find all infections.

I downloaded my Joomla site files to a local drive and searched them for the text "$GLOBALS". There were about 10 non-Joomla files containing it. In total there were 3 types of scripts. All of them can be used to do anything with the site's files and folders and give full control of the site.

4. How the site was infected.

This is the most interesting question. You need to find how your site was initially infected.

I did this the following way:

- Collect the IP addresses that were used to access PHP scripts directly; they are recorded in the cache/d.txt file.

- Use those IPs to find what other requests were made from them to your site: search for the IPs in your site's access logs (Apache logs or similar). Usually you will see some strange request with SQL instructions in it.

In my case I found that the site was hacked using SQL injection. One of the installed components had a bug.
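As an added example (not part of the original post), the following Python script automates the two steps above: it pulls the client IPs out of a cache/d.txt written by the stop.php logger from step 1, then pulls every request from those IPs out of an Apache access log and flags the ones whose decoded path looks like SQL. The d.txt and access-log contents are constructed samples, and the SQL keyword list is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample of cache/d.txt in the format the stop.php logger writes:
# a timestamped request line, then print_r() dumps of $_REQUEST and $_SERVER.
D_TXT = """[31-10-2011 07:42:10]: /components/downloads/x.php
Array
(
    [id] => 1
)
Array
(
    [REMOTE_ADDR] => 203.0.113.5
    [REQUEST_URI] => /components/downloads/x.php
)
"""

# Constructed Apache access-log lines; 203.0.113.5 is the client that hit the
# dropped script, and one of its earlier requests carries SQL in the query string.
ACCESS_LOG = """203.0.113.5 - - [28/Oct/2011:10:01:11 +0000] "GET /index.php?option=com_example&id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512
192.0.2.44 - - [28/Oct/2011:10:02:30 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 4096
203.0.113.5 - - [28/Oct/2011:10:03:05 +0000] "GET /components/downloads/x.php HTTP/1.1" 200 12
"""

ENTRY_RE = re.compile(r"^\[\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\]: (?P<uri>\S+)")
ADDR_RE = re.compile(r"\[REMOTE_ADDR\] => (?P<ip>\S+)")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)')
SQLI_RE = re.compile(r"union\s+select|information_schema|sleep\s*\(|benchmark\s*\(", re.I)  # assumed keyword list

def suspect_ips(d_txt):
    """Map each client IP found in d.txt to the set of PHP files it requested directly."""
    ips, uri = {}, None
    for line in d_txt.splitlines():
        if m := ENTRY_RE.match(line):              # start of a logged request
            uri = m.group("uri")
        elif (a := ADDR_RE.search(line)) and uri:  # REMOTE_ADDR from the $_SERVER dump
            ips.setdefault(a.group("ip"), set()).add(uri)
    return ips

def correlate(d_txt, access_log):
    """Return (ip, timestamp, decoded path, looks_like_sqli) for every request by a suspect IP."""
    ips = suspect_ips(d_txt)
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") in ips:
            path = unquote(m.group("path"))  # decode %20 etc. before keyword matching
            hits.append((m.group("ip"), m.group("ts"), path, bool(SQLI_RE.search(path))))
    return hits
```

Run it against the real cache/d.txt and access log by reading both files into the two string arguments; the flagged rows point at the request that first exploited the vulnerable component.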

5. Summary.

After fixing the bug in the component and disabling direct access to PHP files in the Joomla folders, my site was fixed.

Last Updated on Monday, 31 October 2011 07:42

Comments

#4 Maratha 2012-07-04 06:08
Hello Friend, it's a really bad thing that happened with your site. On this I would like to share my past experience and the things I do to keep my website safe.
1) My website got hacked because I stored my username and password in all my FTP clients. So some viruses took my data and sent it to the hacker.
2) Never store your credentials in any FTP client, and always make sure you change your password every 45 days and keep it as strong as possible.

#3 skaz 2012-01-08 23:18
The detailed analysis of your experience that you described is very good for us (new to Joomla).

#2 Administrator 2011-10-29 04:43
Quoting Michel13:
Thank you very much ...

Thank you so much for sharing the detailed analysis of your experience.

Can you tell us which of the components was attacked?
If not, how did you identify it?

How did you disable direct access to PHP files in the Joomla folders?

If necessary, you can answer to my email address.

Thank you.

I have not found yet what component was attacked on the Joomla 1.7 site. After I added the protection there were no changes on the site and no new attempts to hack it. So I am still waiting.
But for my Joomla 1.5 site (this site), which was hacked 6 months ago, it was the component "Joomla Tags".
I posted a message in the Joomla Tags support forum about this.
#1 Michel13 2011-10-28 17:44
Thank you very much ...

Thank you so much for sharing the detailed analysis of your experience.

Can you tell us which of the components was attacked?
If not, how did you identify it?

How did you disable direct access to PHP files in the Joomla folders?

If necessary, you can answer to my email address.

Thank you.