#10164 First hack on AdminTools protected site

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 20 December 2011 06:12 CST

arcascomputing
Just had our first site hack since shoring up our sites after recent hacking attempts; since installing AT (mainly when making use of the .htaccess maker) we'd had no more troubles ... until this morning.

Don't worry, I know AT isn't a complete protection but was just curious as to what I might have been missing. I'd used the .htaccess maker, changed the table prefix and admin ID, configured the WAF and reset passwords (FTP etc) to something more secure and patched Joomla plus its extensions to the latest. The only things I know hadn't been done were an update to FrontPageSlideshow and Anonymous FTP was still turned on. Obviously it's impossible for you to say but is there anything I've missed?

They replaced the index.php file in the template folder and the following (rather scarily information-rich!) page was being displayed ... attached.

 web design edinburgh - https://www.arcas.co.uk

brianteeman
Was this on a completely clean install of Joomla? Or was this on your previously "cleaned" install? I suspect the latter and you obviously didn't "clean" everything.

arcascomputing
To be honest I'm not sure as it wasn't me who repaired the install the last time, I just installed the additional tools. I did run a scanner to look for hacker dust and am just about to run a site diff against a clean 1.5.25 install.

If I were to set up a clean install of 1.5.25, then add in the extensions they require again, plus copy across the template folder (once checked!) and files they've uploaded (ie images etc, again once checked) would it be safe enough to then just reconnect to the old database? Otherwise we're talking about completely rebuilding the whole site including adding all the content back in, utterly from scratch.

 web design edinburgh - https://www.arcas.co.uk

nicholas
Akeeba Staff
Manager
Even if it was a perfectly clean Joomla! installation, it is possible to be hacked from the "back door" if you're on a shared host. Some ways this can happen:
- Permissions alone don't mean much. It's the combination of permissions and ownership which can protect your site. If your site's files and/or folders are owned by the user Apache runs under, your site is by definition insecure. Any other site on the same shared host will be able to modify your files or write files to your site's folders unless your host has given 0700 permissions to your home directory. Most hosts, even some very high quality ones, don't do that.
- Depending on the permissions/ownership combination, it is still possible that a compromised account on the same server may be able to read your site's files. If you have enabled Joomla!'s FTP layer, therefore storing your FTP password to your configuration.php file, an attacker could read the file and gain FTP access to your account.
- If you or your client are using FileZilla, it is possible that malware on your computer accessed the plain text (not encrypted) password storage file of FileZilla and the attacker gained FTP access to your site. The same thing goes in case you are infected with a keylogger or other monitoring malware.
- If you or your client connect to your site's frontend, backend or FTP from a public location or from a compromised Wi-Fi connection it is trivial for an attacker to steal either the login information or the login cookies.
- If you have Joomla! 1.0.x, 1.5.0-1.5.24 or 1.6.0-1.7.2 and an older PHP version then your site is susceptible to a very disturbing hack which allows an attacker to override the password. In this case, you absolutely need to upgrade to at least Joomla! 1.5.25 or 1.7.3 which solve this security issue.

However, I tend to think that Brian is right and you most likely have some leftovers from a previous hack. Please note that it's not sufficient to scan the core files against a stock installation. The hacker may have put new files or modified files in other extensions as well.

Some site unhacking and protection resources:
- Unhacking Your Site by yours truly
- Help my Joomla web site has been hacked!! by Brian
- The standard instructions given in the Joomla! forum. I would like to specially stress that Security Checklist 7 is of paramount importance. I would like to, however, note that instead of merely taking your site off-line you should use Admin Tools' Emergency Off-Line Mode. Joomla!'s off-line mode is not really off-line.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
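The shared-host checks in Nicholas's reply above, as an added shell example that is not part of this ticket or of Admin Tools: it counts files owned by the web-server user and world-writable entries, reports whether configuration.php enables Joomla!'s FTP layer (Joomla! 1.5 writes `var $ftp_enable = '1';`, later versions `public $ftp_enable = '1';`), and, following his advice to look beyond the core files, lists every extra or modified file in the whole tree relative to a clean install of the same version. The document root, web-server user name and clean-install path are assumed command-line arguments; the paths in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not Admin Tools code): audit a Joomla! document root for the
# shared-host conditions described in the reply above. Paths and the web-server
# user name are assumed arguments; nothing here is taken from a real site.

# Does configuration.php enable the FTP layer, i.e. store the FTP password in
# plain text? Matches "var $ftp_enable = '1';" (1.5) and "public $ftp_enable = '1';".
# Prints ftp-layer-enabled or ftp-layer-disabled.
ftp_layer_status() {
    if grep -Eq '\$ftp_enable[[:space:]]*=[[:space:]]*.?1.?[[:space:]]*;' "$1"; then
        echo ftp-layer-enabled
    else
        echo ftp-layer-disabled
    fi
}

# Number of files under the document root owned by the user the web server runs
# as (e.g. www-data or apache). Anything above zero means any other account on a
# shared host whose scripts run under that user can rewrite those files.
files_owned_by() {
    find "$1" -type f -user "$2" | wc -l | tr -d ' '
}

# Number of files or directories that any user on the server may write to.
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Compare the whole site tree, not only the core files, against a clean
# reference install of the same version. One line per finding, sorted:
#   extra: <path>     present only in the site (uploaded or dropped in)
#   modified: <path>  content differs from the reference
#   missing: <path>   present only in the reference
compare_with_clean() {
    clean="$1"; site="$2"
    LC_ALL=C diff -rq "$clean" "$site" 2>/dev/null | while IFS= read -r line; do
        case "$line" in
            "Only in $site"*|"Only in $clean"*)
                rest=${line#"Only in "}
                dir=${rest%%: *}; name=${rest#*: }
                if [ "${dir#"$site"}" != "$dir" ]; then
                    kind=extra; rel=${dir#"$site"}
                else
                    kind=missing; rel=${dir#"$clean"}
                fi
                rel=${rel#/}
                [ -n "$rel" ] && echo "$kind: $rel/$name" || echo "$kind: $name"
                ;;
            "Files $clean/"*" differ")
                rest=${line#"Files $clean/"}
                echo "modified: ${rest%% and *}"
                ;;
        esac
    done | sort
}

# Print a short report for one site.
audit_site() {
    root="$1"; wwwuser="$2"; clean="$3"
    echo "FTP layer: $(ftp_layer_status "$root/configuration.php")"
    echo "Files owned by $wwwuser: $(files_owned_by "$root" "$wwwuser")"
    echo "World-writable entries: $(world_writable_count "$root")"
    echo "Differences from clean install:"
    compare_with_clean "$clean" "$root"
}

# Usage (constructed paths): sh audit.sh /var/www/site www-data /tmp/joomla-1.5.25-clean
if [ "$#" -eq 3 ]; then
    audit_site "$1" "$2" "$3"
fi
```

The clean reference must be the same Joomla! version as the site, otherwise every core file shows as modified; extensions installed on the site but not in the reference naturally show as extra, so the list is a starting point for review rather than a verdict.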
