site has been hacked

2 weeks 6 days ago - 2 weeks 6 days ago #6307 by herveD
site has been hacked was created by herveD
Hi,
I just saw that a site that was "protected" by Securitycheck Pro has been hacked severely.
I thought I was protected but I realize that the control center did not have to do its monitoring role and the website darly.org (which has very few extensions) could easily be hacked.

There are dozens of pirate files, I have to delete them one by one.
1/ I send you some pirate files. Can you tell me what he intended to do (spam? ...?) And if you have an idea of the front door as there were no other extensions outside your extension and Akeeba Backup. It was a Joomla 3.8

2/ He is completely inaccessible now in front-end or as administrator
Since I do not know since when the site is hacked because it's a small site or associative I never go, I think the best solution is that I reinstall a new version of Joomla 3.9 and I look if the database is corrupt.
What do you think ?
It is rather urgent. Thank you for your answers
Regards
Last edit: 2 weeks 6 days ago by Jose. Reason: Delete file

2 weeks 6 days ago #6308 by Jose
Replied by Jose on topic site has been hacked
Hi Herve,

That's really odd; if a site is fully patched it's really difficult to hack it by attacking it. But there are many ways to hack a website and my firewall can't avoid all of them.

I think the best option in your case is reinstalling the site. After that launch a complete malware scan (set the timeline to "Any date" and enable the deep scan). Send me a screenshot of the suspicious files shown (maybe the infection was old).

Also, do you have a shared space or a dedicated server? Hosting provider also matters when we talk about security.

Regards,
Jose

2 weeks 6 days ago #6309 by Jose
Replied by Jose on topic site has been hacked
Hi Herve,

I have just checked the files and all seems to be webshells; if someone puts a file like this in the filesystem he will be able to avoid any WAF like Securitycheck Pro. The malware scanner detects all of them:


If someone is able to create or upload files maybe your hosting provider should check if its security measures are working fine. I have seen many cases like yours in the past where the server was compromised and hackers were able to upload files easily.

Regards,
Jose

2 weeks 6 days ago #6310 by herveD
Replied by herveD on topic site has been hacked
Hello,
Thank you for your quick reply.
Yes I am on a shared server. I have several sites hosted in multi-site at OVH

1 / looking at the pirate's files, how do you think it's gone if it's not by the site ?

2 / normally the scanner should have detected it? not sure that the knowledge base was the last, because not sure updates via the control center

3 / for the reinstallation of the site, are my steps correct :
a) Installing the Joomla version 3.9
b) recovering data from the Joomla config file
c) verification of the database
d) reinstallation of the 2 extensions

regards

2 weeks 6 days ago #6311 by Jose
Replied by Jose on topic site has been hacked
You're welcome!

1 / looking at the pirate's files, how do you think it's gone if it's not by the site ?

If someone is able to upload a webshell he will be able to upload hundreds of them because there will not be an attack. The attacker will use the file directly, so there is no query for Joomla and no Web Application Firewall (Joomla based) will be able to detect it.

I clean infected websites and many times the infection doesn't come from Joomla itself; if security is poor someone could be able to infect your site from other sites stored in the same server. In your case this is just a hypothesis because I don't know how your site has been infected. Also sometimes the infection is old, so this is why I recommend a complete malware analysis of the entire filesystem when you install my extension.

2 / normally the scanner should have detected it? not sure that the knowledge base was the last, because not sure updates via the control center

The malware scanner can be launched:
- Manually: In that case all threats would have been detected (setting the timeline to "Anytime").
- Automatically: When a file is added/modified the file integrity reports it to the malware scanner and it's analyzed.

3 / for the reinstallation of the site, are my steps correct :

If you have a backup (you have Akeeba, don't you?) just use Akeeba Kickstart and you will have your site online in a few minutes.

Regards,
Jose

2 weeks 6 days ago #6312 by herveD
Replied by herveD on topic site has been hacked
Hi,
I tested the installation of your extension a few months ago. There was nothing.

I had changed the password FTP, I would recommend again if it comes from that ?
I actually have another site hacked on the same hosting. Maybe it comes from him, if the hacker can go back from one site to another in a multi site hosting :-( !!

No trust or backup too old .. my method 3/ is correct?
Regards
