My Joomla Site Just Got Hacked

Hi, today two, yes two, of my not popular sites were hacked by "Xx-DEPREM-xX." I have no idea how this happened. First hack was on my image hosting site (uploading.cc) which has only been open for about a week and barely any visitors. That site I do not really care about since I needed a better script anyways. Moving on, I just checked my Joomla site (forumclique.info) which again is fairly new, only 2 months or so, and barely any visitors. I went to the homepage and saw that it had been hacked. There was the hacker's image saying that the site had been hacked. It is still there if you want to take a look at it. I am thinking it was a CSS attack although I am not sure. I am able to login to the admin panel but changing the template of the site does not help. I spent a lot of time tweaking little things in that joomla installation to make it just right so reinstallation is not an option unless one of you can tell me which files to back up. If this happened to me I am pretty sure other sites have been hacked as well.

I'll appreciate any help!

-Mike aka miktor

 

I fixed my site and for anyone else who might have been hacked by the same idiot, I just downloaded the Joomla installation package and only uploaded the index.php file onto my server.

Although my site has been fixed, I am still curious of how the site was hacked. If any of you would like to see the hacked index.php file just go to forumclique.info/hacked/index.php

I am pretty sure my secuirty habits were not an issue since my computer is 100% virus/spyware/adware free and I am the only one who uses it. I never login to my websites or ftp from anywhere else but my computer. This is just too wierd.

-miktor

 

Joomla just get the old bugs from mambo ... Always Joomla/Mambo had this problems ... Just update your site everytime when a security update appears and I think will be ok ...

Regards

 

So what do best to avoid hacking, any I software you know?

 

A method is to configure mod_security for you site (if your hosting supports that)
Read this :
http://www.webmasterstalks.com/security/modsecurity-instalationconfiguration-t163.0.html

 

Thanks for the link, very helpful.

 

Miktor provide me with the Raw access Logs by PM please.

 

If you are on shared hosting maybe he used some other account to reach your files.

Some things you have to take into consideration when building a joomla site are the following:

Don't leave any dirs with 777 permissions. I you need to install a component or module chmod the required dirs to 777 and when you are done chmod them back to 755

same for configuration.php set 444 permisions to it

if you use any extra components/modules make a search first to find out if they have any vulnerabilities, especially if they are old. There is a big list of vulnerable componets.

Leaving dir permissions to 777 is a secutity risk

 

i am using godaddy and i do not know how to get those with the provided hosting control panel. i had another hosting account with globat which had that feature but i have not seen it with godaddy

 

mike, that is not pleasant experience you have m8. I had mine the other time as well. What i did was to remove the site to another server and fix my script.

 

Hello
Try to get the following mod security rules added it will save you most of the trouble

http://unix.org.in/2007/02/16/modsecurity-rules/

Greets