They hacked our Joomla, help!
September 4, 2008 12:43 AM   Subscribe

We've been hacked! We were just about to upgrade the Joomla version, and then we get this. Looks to be a ransom page, but we obviously want to reverse the hack. How do we do this?

We can still access the administrative panel, but obviously our user/pass doesn't work. They were able to manipulate the hole in the older version 1.0.x (I forget the exact version it was, and can't check now) so can we do this as well? I don't want to publish the site name here, but if someone has valid reasons for requiring it, I can PM it.

Not sure what other info is relevant, but I will be watching all day so ask away.

Thanks.
posted by wile e to Computers & Internet (12 answers total) 2 users marked this as a favorite
 
If its the exploit I'm thinking of:

1. Go to url : yourdomain.com/index.php?option=com_user&view=reset&layout=confirm

2. Put an apostrophe in the token field

Your should now be able to reset the admin password.
posted by missmagenta at 1:15 AM on September 4, 2008


Do you have a recent database backup? If so, you can restore the database which will restore the passwords as well as the content. (make a backup of the hacked version to go through later)

If you just want access to the admin account you can set the password of the admin account in the jos_users tables to an md5 hash of the password you want to use. This will allow you to access the control panel. (although I think Joomla 1.0.x moved away from the md5 storage in 1.0.13 or 1.0.14, so it might depend on the version you have).

You don't know what else was changed so the best option would be to replace the whole database if possible as well as do a restore of the files. Then you could upgrade to the latest version of 1.0.15 and change all the passwords for that system.
posted by Gomez_in_the_South at 1:28 AM on September 4, 2008


Do you have FTP access?
posted by Happy Dave at 1:31 AM on September 4, 2008


If you can't access the password reset page you'll need to bring the site back online by manually editing the configuration.php and make sure line 3 reads: var $offline = '0';
posted by missmagenta at 1:38 AM on September 4, 2008


missmagenta-

I tried that, and unfortunately I just get a message from the hosting company that the page doesn't exist.

And as for the rest, yes I have access to the FTP. I will be trying those ideas in a moment.

Thanks to all, please keep all suggestions coming.
posted by wile e at 1:42 AM on September 4, 2008


I guess a lot depends on what has been changed. If you get a hosting company 404 message when trying to access yourdomain.com/index.php then it looks like they removed or changed some of the core joomla files.

(p.s. I sent an email to the address in your profile)
posted by Gomez_in_the_South at 1:49 AM on September 4, 2008


Well we're back online! I need to thank Gomez_in_the_South as he was a huge help in getting it back online. Fortunately not much was disturbed.

Thank you all for your help, couldn't have done this without askmefi.
posted by wile e at 4:44 AM on September 4, 2008


Fortunately not much was disturbed.

Thing is, with a compromised system you just can't tell. Short of a bare-metal restore to a known good copy you are much more vulnerable than before. The group that hacked you may very well still have access to your server and may use it for nefarious purposes. You should contact your hosting company.
posted by splice at 5:02 AM on September 4, 2008


Splice is right. In addition to that, you need to check if any of the template pages have been changed. Possibilities are malwear downloads and even hidden links designed to increase their Google page rank (yes, this has actually seemed like a great strategy to more than one moron.)

Assume everything is compromised and work from that premise.
posted by DarlingBri at 5:06 AM on September 4, 2008


Actually if you can still get access to your CPanel, you can easily change the password via phpMyAdmin, it's really, really, simple. MeFi mail me about how to do that if you need to.
posted by TomMelee at 5:13 AM on September 4, 2008


Yes, you must assume your box is toast. I ran a Debian server a few years ago and was lax in keeping the security updates up-to-date. This, of course, led to it getting hacked every 6 months or so by these strange Brazilian hacker gangs competing against each other to see how many boxes they could compromise. Such a strange game they were playing...

Anyway, best to backup your most important files and databases and re-install the OS, with all new passwords.

Your hosting company should be able to help. It's in their best interest to not have a compromised box on their network.
posted by camworld at 8:56 AM on September 4, 2008


There are countless posts in the Joomla forums about overcoming and preventing hacks. I'm not going to link anything because there are just too many useful articles, but search for joomla security and make some changes
posted by Sufi at 1:51 PM on September 4, 2008


« Older How to solve the GREs-- not th...   |  Some publisher used to do a se... Newer »
This thread is closed to new comments.