Changed template index.php of the Joomla 2.5.8 website - Joomla! Forum - community, help and support


Hello,

I was wondering if you can help me diagnose a website that was attacked by a hacker. The super administrator credentials were changed, and the index.php of the default template was changed. I contacted the hosting provider, who ran virus tests; no virus was found. I replaced the hacked index.php with the original one, and the website went back to normal. How can I protect my Joomla 2.5.8 website against these kinds of attacks?

Thanking you in advance!

Problem description :: Forum Post Assistant (v1.2.3) : 16th December 2012 wrote: My website has been hacked. The default template's index.php was replaced! The Joomla super administrator credentials were changed!
Last PHP error(s) reported :: Forum Post Assistant (v1.2.3) : 16th December 2012 wrote: [16-Dec-2012 11:49:08 Europe/Berlin] PHP Deprecated: Directive 'register_globals' is deprecated in PHP 5.3 and greater in Unknown on line 0
Actions taken to resolve :: Forum Post Assistant (v1.2.3) : 16th December 2012 wrote: Replaced index.php with the original one. Afraid of another hacker attack!
forum post assistant (v1.2.3) : 16th december 2012 wrote:
basic environment :: wrote:joomla! instance :: joomla! 2.5.8-stable (ember) 8-november-2012
joomla! platform :: joomla platform 11.4.0-stable (brian kernighan) 03-jan-2012
joomla! configured :: yes | read-only (444) | owner: kuccompa (uid: 1/gid: 1) | group: kuccompa (gid: 1) | valid for: 2.5
configuration options :: offline: 0 | sef: 1 | sef suffix: 0 | sef rewrite: 1 | .htaccess/web.config: yes | gzip: 0 | cache: 0 | ftp layer: 0 | ssl: 0 | error reporting: default | site debug: 0 | language debug: 0 | default access: 1 | unicode slugs: 0 | database credentials present: yes

host configuration :: os: linux | os version: 2.6.18-238.12.1.el5 | technology: x86_64 | web server: apache/2.2.21 (unix) mod_ssl/2.2.21 openssl/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635 mod_perl/2.0.5 perl/v5.8.8 | encoding: gzip, deflate | doc root: /home/kuccompa/public_html | system tmp writable: yes

php configuration :: version: 5.3.19 | php api: cgi-fcgi | session path writable: yes | display errors: | error reporting: 30711 | log errors to: error_log | last known error: 16th december 2012 11:54:32. | register globals: 1 | magic quotes: 1 | safe mode: | open base: | uploads: 1 | max. upload size: 150m | max. post size: 150m | max. input time: 120 | max. execution time: 60 | memory limit: 128m

mysql configuration :: version: 5.0.96-community-log (client:5.0.96) | host: --protected-- (--protected--) | collation: latin1_swedish_ci (character set: latin1) | database size: 2.53 mib | #of tables: 121
detailed environment :: wrote:php extensions :: core (5.3.19) | date (5.3.19) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | spl (0.2) | iconv () | session () | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | posix () | pspell () | reflection ($id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | standard (5.3.19) | imap () | simplexml (0.1) | soap () | sockets () | exif (1.4 $id$) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | pdo (1.0.4dev) | pdo_sqlite (1.0.1) | sqlite (2.0-dev) | pdo_mysql (1.0.2) | ioncube loader () | zend engine (2.3.0) |
potential missing extensions :: suhosin |

switch user environment (experimental) :: php cgi: yes | server su: yes | php su: yes | custom su (litespeed/cloud/grid): yes
potential ownership issues: no
folder permissions :: wrote:core folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

elevated permissions (first 10) ::
extensions discovered :: wrote:components :: site :: com_wrapper (2.5.0) | com_mailto (2.5.0) |
components :: admin :: com_newsfeeds (2.5.0) | com_joomlaupdate (2.5.0) | com_weblinks (2.5.0) | com_categories (2.5.0) | com_content (2.5.0) | webplayer (1.6) | com_templates (2.5.0) | com_finder (2.5.0) | com_installer (2.5.0) | com_login (2.5.0) | com_plugins (2.5.0) | com_cpanel (2.5.0) | com_menus (2.5.0) | acepolls (1.0.8) | acymailing : share on social n (1.0.0) | acymailing : trigger joomla co (3.7.0) | acymailing : statistics plugin (3.7.0) | acymailing tag : content inser (3.7.0) | acymailing module (3.7.0) | acymailing tag : website links (3.7.0) | acymailing : (auto)subscribe d (3.7.0) | acymailing table of contents g (1.0.0) | acymailing tag : date / time (3.7.0) | acymailing tag : joomla user (3.7.0) | acymailing tag : cb user infor (3.7.0) | acymailing tag : subscriber in (3.7.0) | acymailing template class repl (3.7.0) | acymailing tag : manage su (3.7.0) | acymailing manage text (1.0.0) | acymailing (4.0.0) | com_cache (2.5.0) | com_config (2.5.0) | com_modules (2.5.0) | gantry (4.1.4) | com_media (2.5.0) | rokgallery (2.17) | com_users (2.5.0) | com_banners (2.5.0) | com_redirect (2.5.0) | com_admin (2.5.0) | akeeba (3.6.10) | com_messages (2.5.0) | com_checkin (2.5.0) | com_search (2.5.0) | breezingforms (1.7.3 stable ) | roksprocket (1.8.2) | com_xmap (2.2.1) | com_languages (2.5.0) |

modules :: site :: bgmax (1.7.1) | rokgallery module (2.17) | mod_wrapper (2.5.0) | mod_languages (2.5.0) | mod_search (2.5.0) | mod_articles_latest (2.5.0) | s5 vertical accordion (2.0.0) | mod_login (2.5.0) | webplayer search (1.6) | breezingforms (1.7.3) | mod_articles_news (2.5.0) | hd-background selector (1.2) | rokajaxsearch (1.3.0) | s5 image scroll (1.6.0) | mod_banners (2.5.0) | s5 flow (1.0.0) | mod_stats (2.5.0) | mod_footer (2.5.0) | mod_finder (2.5.0) | mod_whosonline (2.5.0) | acymailing module (3.7.0) | s5 quick contact (1.6.0) | roknewsflash (1.4) | mod_breadcrumbs (2.5.0) | mod_articles_categories (2.5.0) | s5 box (3.0.0) | mod_random_image (2.5.0) | mod_articles_archive (2.5.0) | mod_weblinks (2.5.0) | rs-flashmatic (1.5) | mod_custom (2.5.0) | acepolls (1.0.0) | webplayer (1.6) | date2 (2.2.34b) | mod_users_latest (2.5.0) | roksprocket module (1.8.2) | mod_menu (2.5.0) | mod_articles_popular (2.5.0) | zt contact pro (2.5.0) | mod_syndicate (2.5.0) | mod_articles_category (2.5.0) | snowing (2.5) | mod_feed (2.5.0) | roknavmenu (1.16) | mod_related_items (2.5.0) |
modules :: admin :: mod_status (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_latest (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | mod_submenu (2.5.0) | mod_custom (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) | mod_logged (2.5.0) | mod_feed (2.5.0) | mod_title (2.5.0) | mod_toolbar (2.5.0) |

plugins :: site :: acymailing template class repl (3.7.0) | acymailing tag : cb user infor (3.7.0) | acymailing tag : joomla user (3.7.0) | acymailing tag : virtuemart in (1.2.1) | acymailing : statistics plugin (3.7.0) | acymailing manage text (1.0.0) | acymailing tag : subscriber in (3.7.0) | acymailing tag : insert modu (3.7.0) | acymailing : handle click trac (3.7.0) | acymailing tag : date / time (3.7.0) | acymailing : share on social n (1.0.0) | acymailing table of contents g (1.0.0) | acymailing tag : manage su (3.7.0) | acymailing tag : content inser (3.7.0) | acymailing tag : website links (3.7.0) | acymailing : trigger joomla co (3.7.0) | plg_content_emailcloak (2.5.0) | content - rokbox (1.3) | plg_content_geshi (2.5.0) | webplayer (1.6) | plg_content_vote (2.5.0) | content - load acepolls (1.0.0) | plg_content_pagebreak (2.5.0) | content - rokinjectmodule (1.3) | plg_content_loadmodule (2.5.0) | plg_content_joomla (2.5.0) | plg_tooltipgc_xml_name (3.0.2) | plg_content_finder (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) | button - rokgallery (2.17) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_jmonitoring_akeebabackup_t (1.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | search - acepolls (1.0.0) | plg_search_contacts (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_weblinks (2.5.0) | user - acymailing (1.2.0) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | acepolls - jomsocial (1.0.0) | acepolls - mighty touch (1.0.0) | acepolls - alphauserpoints (1.0.0) | plg_extension_joomla (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | system - rokcommon (3.1.3) | system - rokgallery (2.17) | plg_system_p3p (2.5.0) | system - rokextender (1.1) | plg_system_sef (2.5.0) | plg_system_cache (2.5.0) | plg_system_languagefilter (2.5.0) | system - roksprocket (1.8.2) | system - rokbox (1.3) | plg_system_logout (2.5.0) | plg_system_remember (2.5.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | plg_system_debug (2.5.0) | acymailing : (auto)subscribe d (3.7.0) | plg_system_redirect (2.5.0) | system - gantry (4.1.4) | plg_system_languagecode (2.5.0) | plg_system_popup_anywhere (1.6.0) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_weblinks (2.5.0) | xmap - weblinks plugin (2.0) | xmap - virtuemart plugin (2.0.0) | xmap - content plugin (2.0.3) | xmap - sobipro plugin (2.0.1) | xmap - kunena plugin (2.0.2) | xmap - mosets tree plugin (2.0.2) |
templates discovered :: wrote:templates :: site :: beez5 (2.5.0) | rt_fresco (1.1) | beez_20 (2.5.0) | atomic (2.5.0) |
templates :: admin :: hathor (2.5.0) | bluestork (2.5.0) |

aantickg wrote: Hello,

I was wondering if you can help me diagnose a website that was attacked by a hacker. The super administrator credentials were changed, and the index.php of the default template was changed. I contacted the hosting provider, who ran virus tests; no virus was found.

problem description :: forum post assistant (v1.2.3) : 16th december 2012 wrote:php configuration :: version: 5.3.19 | php api: cgi-fcgi | session path writable: yes | display errors: | error reporting: 30711 | log errors to: error_log | last known error: 16th december 2012 11:54:32. | register globals: 1 | magic quotes: 1 | safe mode: | open base: | uploads: 1 | max. upload size: 150m | max. post size: 150m | max. input time: 120 | max. execution time: 60 | memory limit: 128m

Hi aantickg!

One thing catches the eye: you have register_globals turned on, which is a big no-no. Joomla works without this dangerous PHP setting, and you should consult your hosting provider ASAP on how to turn it off for your account.

Secondly, max_upload_size and max_post_size are unusually high. Do you need them that high?

Did you take the other proper cleanup steps from viewtopic.php?f=621&t=582854, apart from replacing the template's index.php file? ... You will find many useful additional tips and suggestions by reading the other security checklists in the wiki.

Depending on your experience with PHP, try JAMSS viewtopic.php?f=621&t=777957, but be aware that interpreting the scan results requires knowledge and experience.
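One way to check whether anything besides the template's index.php was altered, as an added example that is not from the thread or from Joomla itself: compare the live tree against a pristine unpack of the same Joomla release. The directory layout and the sample files below are constructed assumptions; on a real site, point the first argument at an unpacked Joomla 2.5.8 archive and the second at the document root.

```shell
#!/bin/sh
# Added example, not from the forum thread: compare a live Joomla tree against a
# pristine unpack of the same release and report files whose content differs or
# that exist only on the live side. Directory layouts below are assumptions.

# Usage: find_modified_files <pristine_dir> <site_dir>
# Prints "changed <path>" or "extra <path>" per file, relative to site_dir.
find_modified_files() {
    pristine="$1"
    site="$2"
    (cd "$site" && find . -type f | sort) | while IFS= read -r f; do
        # Files that legitimately differ from a clean release are skipped.
        case "$f" in
            ./configuration.php|./cache/*|./logs/*|./tmp/*) continue ;;
        esac
        if [ ! -f "$pristine/$f" ]; then
            echo "extra $f"
        elif ! cmp -s "$pristine/$f" "$site/$f"; then
            echo "changed $f"
        fi
    done
}

# Builds a constructed pristine/site pair in a temp dir and prints its path.
make_sample_site() {
    root=$(mktemp -d)
    for side in pristine site; do
        mkdir -p "$root/$side/templates/beez5" "$root/$side/modules/mod_custom" "$root/$side/cache"
        printf '<?php // beez5 template\n' > "$root/$side/templates/beez5/index.php"
        printf '<?php // mod_custom\n' > "$root/$side/modules/mod_custom/mod_custom.php"
        printf '<?php // config\n' > "$root/$side/configuration.php"
    done
    # Constructed differences on the live side: an edited template, a PHP file
    # that is not part of the release, and two expected differences (config, cache).
    printf '<?php // beez5 template\n// edited line\n' > "$root/site/templates/beez5/index.php"
    printf '<?php // not part of the release\n' > "$root/site/modules/mod_custom/helper2.php"
    printf '<?php // config with real credentials\n' > "$root/site/configuration.php"
    printf 'cached page\n' > "$root/site/cache/page.html"
    echo "$root"
}

root=$(make_sample_site)
find_modified_files "$root/pristine" "$root/site"
rm -rf "$root"
```

Every reported path deserves a look: a "changed" core or template file is the kind of edit described in the post, and an "extra" PHP file under a component or module directory is not something a clean install contains.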
