Have I read the related troubleshooter articles above before posting (which pages?)? YES
Have I searched the tickets before posting? YES
Have I read the documentation before posting (which pages?)? Couldn't find anything
Joomla! version: 2.5.9
PHP version: 5.2.17
MySQL version: 5.0.96-community-log - MySQL Community Edition (GPL)
Host: nativespace UK
Admin Tools version: 2.4.4
Description of my issue:
After being blocked by the firewall for failed logins I checked the MySQL database and to my surprise both administrator names (ID 42 and the other one) had been changed to "admin" (I use another name).
It seems that despite this the hacker didn't log in (probably blocked by password protection for the administrator folder). At least I couldn't find anything suspicious:
• No change in content
• I checked for links in the database (you know, to other sites selling Viagra and stuff) but nothing was added.
• I did a line-by-line comparison of the database with a backup and no line was added, no line was deleted, no new table, etc.
• I have Google Webmaster Tools and it says the site is free from malware.
• I checked log file for email traffic and no email was sent from site.
• I asked the provider to check logs for injections and was told that they could not find anything for the common type of MySQL injections which can cause admin username change injections like
I have a backup that I can use to restore the site and be 100% sure that nothing has been added.
BUT the vulnerability that the guy used to get in will still be there, so I must find out first what went wrong.
Joomla is up to date. Besides Admin Tools I use only 3 extensions and none is listed as vulnerable by Joomla:
Qlue 404 1.6.2
ITP GoogleSearch 2.1