Hi,
you think you have been hacked? We will try to give you some help on how to proceed further.
Please note that this thread is locked.
At first we have to gather some information:
- What version of Joomla do you have?
- What version of PHP/MySQL/Apache do you have?
- What kind of hosting do you have?
- Do you have access to the access logs of the server?
- Which third party extensions do you have installed? (Components, modules, plugins/mambots)
- Which informations do you have from your provider? Did they send you something in addition?
- Do you have a backup?
- Have you checked the folder permissions?
- Have you really been hacked?
What version of Joomla do you have?
There are currently no known vulnerabilities in Joomla 1.0.11! If you have a version prior to this, please update as soon as possible. Prior versions of Joomla have some serious vulnerabilities, which sometimes can lead to a complete loss of your server!
What version of PHP/MySQL/Apache do you have?
PHP 4.3 had some reported bugs and vulnerabilities and you should consider upgrading to a newer version. (4.4.x will be fine) In general you should not use versions of PHP and MySQL that are older than the 4.x versions. If you plan to upgrade to Joomla 1.5 later, you should consider updating to at least PHP 4.4.x and MySQL 4.1.13, since these versions are the minimum requirement for native UTF-8 support. (Joomla 1.5 will work with older versions though)
In general, you should use the latest versions of the used software to prevent any vulnerabilities from this side.
What kind of hosting do you have?
There are several kinds of hosting and only a few provide a single server for you alone. If you don't have a server for your site(s) alone, you have a shared hosting environment. Sometimes your account can get hacked by accounts for other sites on that server. This is a configuration error by your provider and can be prevented, but not all providers are so thorough. If you find out, that your account has been hacked via another users account, contact your provider and demand him to correct his configuration to prevent this in the future. If he does not respond positive, you should think about changing your provider.
Do you have access to the access logs of the server?
If Joomla was the target for the attack, we need to know how. Most servers have access logs that can give more information in that regard and save the used URL.
There was a problem with code/SQL injection in Joomla 1.0.3. URLs like these pointed to an hack attempt:
If you see URLs like that or your provider suspends your account because of URLs of this kind, make sure you have the latest Joomla installed. The current version is not vulnerable to these kinds of attack. All core code uses a function that filters all input variables for SQL or code injections. However, this is not allways the case for third party extensions! Some of them are potentially vulnerable to code injection because of poor coding practice.
Which third party extensions do you have installed? (Components, modules, plugins/mambots)
The Joomla core itself is very secure, but some extensions, especially those coded fast and nasty, are vulnerable to certain attacks. Bigger and established extensions like Community Builder or Joom!fish are thoroughly tested and use the proposed coding techniques. If you are not a coder and can look for this yourself, look for reviews by other people in the forum. If you want to check this yourself (This article has been written for Joomla 1.5, but the code is somewhat similar to the Joomla 1.0.x series)
In the last months, a lot of unsecure extensions have been discovered.
Which informations do you have from your provider? Did they send you something in addition?
If you have been informed by your provider that you have been hacked, they should give you a reason how they have noticed that and what they can tell you besides that. Information from their side is often the most important part.
Do you have a backup?
If you have a backup, save the current files of your webserver and make a dump from your database to save evidence. This way the core can investigate this further without any additional downtime from your page.
If you don't have a backup, save all images of your page and make a dump from your database. After that, erase EVERYTHING! You can't be sure if there is no file of the hacker left in some very deep folder of your installation, that could help him gaining control again. Yes, you may have needed a lot of time to customize your page, but the risk is to high.
Have you checked the folder permissions?
A webserver has a sophisticated system to control the read, write and execute permissions of its files. If you give to much access to your folders, your server gets vulnerable and can be hacked easily. Thats why you shouldn't give more than the standard 755 for folders and 644 for files. This is a number combination that represents a certain kind of read/write access. Basically you give full access to the owner of the file and only restricted access to others. The ownership is another problem and both are well discussed in the forum.
Have you really been hacked?
This is a question you should really consider. Have I been hacked? Have I removed every other option? Some provider do changes on their system without informing you, or your server had a hardware failure, which is the reason why he is not responding like normal. Also, do you probably have misconfigured your page? Have you changed the database password and forgot to change it in Joomla? Please take all this into consideration!
I have checked all this, what can I do now?
Ok, you have collected all the files, you are sure that its Joomla and not your or your providers configuration that has caused the hacker to gain access to your server and you also have eliminated all third party extensions as source of the vulnerability. Now wrap all that information up in a nice mail and send it to security [at] joomla [dot] org. With this mailinglist you reach the developers and they will investigate this further.
Please be sure that your request is valid. If you send a non valid request to the core team, they will have to waste time on this and if to many people do this, the core has to stop this service.
They are trying to help you and the other users, but if they are swamped with requests or non-security related topics, they don't have enough time for all requests or they wont be able to review them as thoroughly.
Ok, I have informed the core and I have restored my server. What should I do next?
First of all: Change all passwords. No matter what kind of password it was, change them all. Also, change all passwords from your Joomla users that are higher than "Registered". It will not help if you changed all your passwords but the super-admin account of your colleague has still the same old password that the hacker could crack. (The passwords are hashed with the MD5 algorithm and should not be able to be decoded. however, the algorithm has been cracked and if you know the hash code, you can calculate a password with the same hash. In Joomla 1.5 you can choose between different coding formats.)
One last thing: When you reinstall Joomla, you don't have to have all folders to be writeable. In general, you only need the images and media folder to be set to that. All other folders are only needed to be writeable when you want to install an extension. Keeping them unwriteable will greatly improve your security!
After that, you can continously check your files. For this you can use the tool mentioned. Further check the folder permissions and file ownership. You should search for this one on the forum. There are numerous posts about this and about as many solutions.
