Joomla hacked. How to prevent? [closed]
https://stackoverflow.com/questions/12960852
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Ok, so one of my websites ( on joomla) is being hacked like the 6th time...
I won't tell you any stories. Only facts:
Firstly, I found that in template index file appeared some alien code:
<div id='hideMe'> <p>Every person knows the large quan...|...ur cure Viagra <a href="xxxxx">Viagra</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>
Then I found in tmp folder a file named asd.php
with content: http://www.codr.cc/bb027a
I tried to decode that and got something like: http://www.codr.cc/97c183
How did this happen? How hacker got an access to create a file? All folders perms were 755 and files - 644.
Joomla doesn't have any unsafe modules, components or templates. Everything is up to date.
What else should I do to prevent future hacks?
Solution
It hasn't been hacked for the 6th time. You have been hacked by dozens of bots and your system is backdoored. You remove the infection and a bot will just restore it.
This happened because your software is out of date. It likely some plugin or even joomla its self is very old.
How to prevent this? Well you can look up system hardening guides, and there are a lot of them out there. Regardless, you need to start for scratch. Completely reinstall joomla and all of its components, scorched earth style. Make sure everything is up to date on the new system.
If you are still having problems, hire a professional.
OTHER TIPS
- Your website has very old extensions installed: This is the top and most common reason behind a hacked Joomla website. You should always keep your extensions up-to-date, and if you’re using an extension that is no longer supported, then try to find an alternative. If not, have a developer take a look at that extension to ensure it has no vulnerability issues.
- You’re using an older version of Joomla: We know that it’s hard to keep your Joomla website up-to-date with the latest version, especially if you have a lot of extensions (components, modules, plugins) that will be broken if you upgrade Joomla. But you must do this, you can’t keep on using an outdated version forever.
- You have write permissions on your .htacess file: By default, your .htaccess file has write permissions on it because Joomla has to update it, especially when you’re using SEF. The problem is that this will leave your .htaccess vulnerable to attacks that aim at changing it. You should always set your .htaccess permission to 444 (r–r–r–) or maybe 440 (r–r—–).
- You have write permissions on your *.php files: Neither the web server nor the world should have write permissions on your Joomla *.php files. You should ensure that the permissions of all your *.php are set to 444.
- Allowing users to upload scripts: For example, if a component accepts images, you should ensure that only images are allowed to be uploaded. Users should not be able to upload scripts (such as *.php files)
- Giving execute permissions on public directories: In this context, public directories mean those directories where users are able to upload their files to. Imagine someone uploading a file to one of your upload directory (in a way or another). If that file is a script, and if that directory allows for scripts to run, then the individual can easily run the malicious script. Public (upload) directories should all be given a permission of 766 (owner can read, write, and execute. The rest can only read and write).
- Using non-prominent extensions: You should always use extensions that are used and tested by many people. Using an extension that is used by very few people is not a good practice, and can get your website hacked (attacker can use several techniques such as XSS, SQL injection, etc…). In case you feel obliged to use such an extension,
- Have a developer review it for security. Giving credentials to untrusted developers: You shouldn’t give your website credentials to untrusted developers. And, if you really have to, then change all your passwords once the developer is done working.
- Giving all the possible permissions to the database user: Once your Joomla website is setup, the database user should only INSERT rows, UPDATE rows, DELETE rows, and CREATE tables. He should not DROP tables or DROP the database. Ensure that only the necessary permissions are given for the Joomla database user.
- Feeling confident that your website cannot get hacked or that no one would hack your website: Regardless of whether you have a small charity website or a huge school website, your website is susceptible for hacking. Many hackers use software to scan the Internet for websites with vulnerabilities and attack them, just because they can! Always take your website’s security seriously, don’t think that if you’re too small no one would consider hacking your website, or that if you’re too big you are secure enough and no one would be able to hack your website.
Check which one affects you and correct the mistakes you have made.
