I need some help with a website that's been hacked

Hi, sorry I haven't been around; I have been traveling the last month and returned to find one of my sites hacked. I also found that my auto backups overwrote my backups, so I could not just restore my site.

I was wondering if anyone here was familiar with this kind of thing and could show me exactly what these guys did and how to protect against it?

My website www.wwmkr.com now redirects to some Arabic site. I have tried to find what file is being redirected, but I can't seem to find any redirects or calls. BTW, this is a Joomla site.

Any help would be greatly appreciated. I apologize for this being off topic.

JB Skaggs

Ouch! Sorry to hear about that.

In general, the best defense is to make sure you keep everything patched and be very careful with dynamic content. Sanity-check all data that comes from external sources, such as GET/POSTs. Of course, if you are using code written by someone else, then you either need to review it yourself or trust that the coders knew what they were doing…

As for how they got in – it’s hard to say without examining your server logs. Depending on the degree of access they were given, your logs might contain clues or were simply overwritten as part of the attack. It depends on how your web server is configured and what kind of walls your host has between your webpage content and non-served content such as web server logs.

You mentioned Joomla so it’s likely they are utilizing some known hole in that CMS. Were you using any custom-written Joomla code or plugins? If so, you might want to go over that code with a fine-toothed comb.

Unfortunately, I don’t know a thing about Joomla so I can’t give you specific advice on securing that. I do know it’s a popular CMS so there are likely quite a lot of exploits floating around for it, so always keep it up to date. I also disable any extensions or features that I am not using in a program, just to minimize the number of possible exploit vectors.

You have to be careful in scenarios like this. Once you have been compromised, you cannot always be sure how far they have penetrated your system. If this was a mere content-overwriting hack (i.e. Joomla content was changed due to some bug/exploit in Joomla permissions), then it amounts to no more than ego-boosting vandalism. But if they have managed to fiddle with your web server process then there could be more yet to be found, such as code running at your user/web process level on the server.

That’s about the best I can come up with on such little information. Personally, I would flash-freeze everything, such as making a copy of the entire content and examining it in a read-only environment. Then I would change my passwords! (Ignore if you used a unique password for this site. :) )

Seems to work for me… Avast didn't pick up anything. Also make sure your website's IP didn't get redirected via C:\Windows\system32\drivers\etc\hosts.

Thanks, you got past because I went through and found that they had overwritten the configuration.php file, so I restored that file and it came back up.

Thanks to you both for helping :)

JB Skaggs

Ah, you’re using Joomla, which occasionally suffers from security holes - and when one has been found, every kid googles for random joomlas to try it for themselves.

If you’ve written custom stuff, make sure you sanitize your inputs! 90% of all the security leaks exist because someone was too lazy to escape apostrophes.

Glad you were able to get it back up. Did you find out how they were able to gain access? I highly recommend trying to work that out, so they won’t just come back and deface your website again.

Also, were you able to restore the content from a sane copy? If you merely replaced the configuration.php and returned the site to service, I would be careful. Any of the archives you host might have been modified and have had viruses/trojans inserted.

I wouldn’t trust any of it and would restore everything from an offsite copy. Call me paranoid, but you really can’t be sure after a compromise.

I had my Joomla website hacked a while back - bloody irritating. In my case they had figured out a way to edit the languages file - effectively the languages file had been rewritten to not put any content in and instead output their webpage. Anyway, I figured this out as I could work out the precise time the hack took place, and then look at last edit times for the files - confirm that was the only file hit. I restored that file from the same version of Joomla, read through the entire database (!) to check it hadn’t been touched, updated to a newer version and changed all the passwords. Don’t know how far that approach would take you, but maybe worth a shot - something has changed! Could always try a diff with the same version files also.

Edit: Just noticed you fixed it. I would take the paranoia advice…!
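The two checks described in the post above (list everything modified after the moment of the hack, then diff the live tree against a pristine copy of the same Joomla release), as an added shell example that is not part of the original thread. The webroot, the pristine copy, the file names and the timestamps are all constructed fixture data, not anything from the poster's site; only the two functions at the top are meant to be pointed at a real webroot.

```shell
#!/bin/sh
# Added example: triage a hacked webroot the way the post above describes.
# 1. list files whose mtime is later than the moment the defacement appeared;
# 2. diff the live tree against a pristine copy of the same Joomla release.
# The fixture paths and timestamps below are constructed for the demo; nothing
# here comes from the original poster's site.
set -eu

# files_changed_since WEBROOT STAMP
#   STAMP in touch(1) -t form, CCYYMMDDhhmm. Prints files modified after it.
files_changed_since() {
    webroot=$1; stamp=$2
    ref=$(mktemp)
    touch -t "$stamp" "$ref"           # reference file carrying the cut-off mtime
    ( cd "$webroot" && find . -type f -newer "$ref" | sed 's|^\./||' | sort )
    rm -f "$ref"
}

# diff_against_pristine WEBROOT PRISTINE
#   ADDED    file only in the live tree (site-specific files such as
#            configuration.php land here too: review those by hand)
#   MISSING  file only in the pristine tree
#   MODIFIED file in both trees but with different content
diff_against_pristine() {
    webroot=$1; pristine=$2
    live=$(mktemp); clean=$(mktemp)
    ( cd "$webroot"  && find . -type f | sed 's|^\./||' | sort ) > "$live"
    ( cd "$pristine" && find . -type f | sed 's|^\./||' | sort ) > "$clean"
    comm -23 "$live" "$clean" | sed 's/^/ADDED /'
    comm -13 "$live" "$clean" | sed 's/^/MISSING /'
    comm -12 "$live" "$clean" | while IFS= read -r f; do
        cmp -s "$webroot/$f" "$pristine/$f" || echo "MODIFIED $f"
    done
    rm -f "$live" "$clean"
}

# build_fixture: constructed live + pristine trees (demo data, not real files).
build_fixture() {
    base=$(mktemp -d)
    for d in live clean; do
        mkdir -p "$base/$d/language/en-GB"
        echo '<?php // front controller' > "$base/$d/index.php"
        echo 'JOOMLA_SITE="Site"'        > "$base/$d/language/en-GB/en-GB.ini"
    done
    find "$base" -type f -exec touch -t 200901010000 {} +   # "installed" long ago
    # the attacker's changes: rewritten language file plus a dropped config file
    echo 'JOOMLA_SITE="<script>/* injected */</script>"' \
        > "$base/live/language/en-GB/en-GB.ini"
    echo '<?php // attacker-supplied configuration' > "$base/live/configuration.php"
    touch -t 200903150230 "$base/live/language/en-GB/en-GB.ini" \
                          "$base/live/configuration.php"
    echo "$base"
}

base=$(build_fixture)
echo "== files modified after 2009-03-01 00:00 =="
files_changed_since "$base/live" 200903010000
echo "== live tree vs. pristine copy =="
diff_against_pristine "$base/live" "$base/clean"
rm -rf "$base"
```

Run it against a copy of the webroot taken for offline examination rather than the live site, and treat the mtime listing as a hint only: an attacker with shell access can reset timestamps, which is why the content diff against a pristine release is the check that actually counts. Anything reported as ADDED (uploads, configuration.php, custom extensions) has no pristine counterpart and has to be read by hand.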

Mine appeared to be completely my fault:

It seems my configuration file had been set to 755 instead of 644, so they just overwrote it.

I also searched the database and files for more offenders and it seems I have caught them all.

JB

755 is rwxr-xr-x whereas 644 is rw-r--r--. I believe any scripts run by a remote user are executed as the session user, who is probably the owner of the files. In that case, to prevent your scripts from being altered, you’d either need to change them to 444 (or 555) or change the owner to a different user (which is more secure in case the imposter gains shell access to chmod the file).

If all the files are locked like this, any intruder can only gain access to the database and possibly try to upload and run files. I’d recommend that the session user’s home directory be the folder the site is stored on and that the user be locked in that directory as well as write access be disabled for all the folders (and their owner be set to a different user).

As for the database, make sure all connections made to it are by an unprivileged user and that a backup is regularly made (one that does not overwrite the already existing backups) to a file outside the session user’s home directory.
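The permission lock-down recommended in the post above (files 444, directories without write access, with the web process treated as the file owner), as an added shell example that is not part of the original thread. The webroot is a constructed fixture that reproduces the 755 configuration.php from the poster's follow-up; the list of directories left writable (`cache` in the demo) is an assumption for illustration, not a Joomla requirement stated anywhere in the thread.

```shell
#!/bin/sh
# Added example: audit and lock down file permissions in a Joomla webroot along
# the lines of the post above (files 444, directories 555, plus a short list of
# directories the web process must still write to). The fixture is constructed;
# the writable-directory list is an assumption, not a Joomla requirement taken
# from the thread.
set -eu

# mode_of PATH: symbolic mode string, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# list_writable WEBROOT
#   Print every path under WEBROOT with any write bit set. Owner write counts,
#   because (as the post notes) the PHP process usually runs as the file owner,
#   so 755 or 644 on configuration.php is enough for a script to overwrite it.
list_writable() {
    ( cd "$1" && find . \( -perm -200 -o -perm -020 -o -perm -002 \) \
        | sed -e '/^\.$/d' -e 's|^\./||' | sort )
}

# harden WEBROOT [DIR ...]
#   Files -> 444, directories -> 555; each DIR named after WEBROOT is set back
#   to 755 so the web process can keep writing there (cache, tmp, logs ...).
harden() {
    webroot=$1; shift
    ( cd "$webroot" \
        && find . -type f -exec chmod 444 {} + \
        && find . -type d -exec chmod 555 {} + )
    for d in "$@"; do
        if [ -d "$webroot/$d" ]; then chmod 755 "$webroot/$d"; fi
    done
}

# build_fixture: constructed webroot reproducing the mistake from the thread.
build_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/administrator" "$base/cache"
    echo '<?php // site configuration' > "$base/configuration.php"
    echo '<?php // front controller'   > "$base/index.php"
    echo '<?php // admin controller'   > "$base/administrator/index.php"
    chmod 755 "$base/configuration.php"      # the 755 the poster found
    chmod 644 "$base/index.php"
    chmod 666 "$base/administrator/index.php"
    chmod 777 "$base/cache"
    echo "$base"
}

base=$(build_fixture)
echo "== writable before =="
list_writable "$base"
harden "$base" cache
echo "== writable after (only the allowed directory should remain) =="
list_writable "$base"
echo "configuration.php is now $(mode_of "$base/configuration.php")"
chmod -R u+w "$base" && rm -rf "$base"
```

The mode change only helps while the attacker is confined to PHP: a script running as the owner can still chmod the file back, which is the post's point about giving the files a different owner (`chown -R` to a deploy account, with the web user holding only read access) so that neither an injected script nor a shell as the web user can flip the bits. The database advice pairs with this: an account limited to the tables the site needs, and dumps written with a fresh timestamped name outside the web user's home so that a later run cannot clobber the copy you will need.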