• 1

Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: Joomla site hacked need advise

Joomla site hacked need advise 3 years 11 months ago #33667

I've got a joomla website that has been hacked

I've received the following message for my hosting company
[Received: from localhost
([127.0.0.1] helo=dedi101.cpt1.host-h.net ident=Debian-exim)
by dedi101.cpt1.host-h.net with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
(Exim 4.80)
(envelope-from < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >)
id 1aHzj5-0003B4-9t
for This e-mail address is being protected from spambots. You need JavaScript enabled to view it ; Sat, 09 Jan 2016 22:03:03 +0200
Received: from siyaycmrfz by dedi101.cpt1.host-h.net with local (Exim 4.80)
(envelope-from < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >)
id 1aHzj4-0003Ao-Ew
for This e-mail address is being protected from spambots. You need JavaScript enabled to view it ; Sat, 09 Jan 2016 22:03:02 +0200
To: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Subject: You Have 1 InstaH00kup Request
X-PHP-Originating-Script: 1271:session.php(1947) : eval()'d code
Date: Sat, 9 Jan 2016 22:03:02 +0200
From: Shirley Harmon < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >
Message-ID: < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https//github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_fac5e186bdc805441a15e35072ca18a9"
Content-Transfer-Encoding: 8bit

--b1_fac5e186bdc805441a15e35072ca18a9
Content-Type: text/plain; charset=us-ascii

want to have some fun? I'm 28/f with a double D chest...

i'm 31/f with a very tight pu$$y and a$$
[ httprestaurantmediterranicom/dbphp?a=40&4F9GrrG1Rnj2g=g8cMeZbx ]
see my naughty pics here


TALK S00N !:)


--b1_fac5e186bdc805441a15e35072ca18a9
Content-Type: text/html; charset=us-ascii

<html>
<body>
<br>
want to have some fun? I'm 28/f with a double D chest...
<br>
i'm 31/f with a very tight pu$$y and a$$<br>
<a href="http//restaurantmediterrani.com/db.php? a=40&4F9GrrG1Rnj2g=g8cMeZbx">
see my naughty pics here
</a>
<br>
TALK S00N !:)
<br>
</html>
</body>



--b1_fac5e186bdc805441a15e35072ca18a9--


and the malleolus content was X-PHP-Originating-Script: 1271:session.php(1947) : eval()'d code

now I have taken steps to step up my security to the site but they still manage to hack my website

Steps like:
1. Ensure all updates are done to joomla, modules an plugins etc.
2. Install rs pro firewall(block certain countries ips from previous attacks.)
and I've enable all the features on the firewall configuration
3. Changed all passwords(ftp, joomla admin and db)

Ive managed to look at the logs and found something relating to the infected file.

Please see below ""Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344" 7625 285 SOL-FTTB.83.112.119.46.sovam.net.ua - - [08/Jan/2016:23:45:17 +0200] "GET /administrator/index.php HTTP/1.1" 403 848 "-" "Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0" 185 1217 ip-192-169-227-215.ip.secureserver.net - - [08/Jan/2016:23:45:34 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26" 6851 285 gator3010.hostgator.com - - [08/Jan/2016:23:49:18 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26" 4804 285 crawl-66-249-64-130.googlebot.com - - [08/Jan/2016:23:49:31 +0200] "GET /index.php HTTP/1.1" 200 7302 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http//wwwgoogle.com/bot.html)" 353 7909 192.241.234.23 - - [08/Jan/2016:23:49:43 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0" 7580 285 m22.maxer.hu - - [08/Jan/2016:23:51:50 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0" 7631 285 175.138.67.70 - - [08/Jan/2016:23:53:54 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36" 7672 285 207.46.234.137 - - [08/Jan/2016:23:56:01 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26" 7628 285 173.252.88.87 - - [08/Jan/2016:23:56:43 +0200] "GET /images/banners/Siyaya_disability_01.jpg HTTP/1.1" 200 80643 "-" "facebookexternalhit/1.1 (+http//wwwfacebook.com/externalhit_uatext.php)" 237 80924 p3nlhg853.shr.prod.phx3.secureserver.net - - [08/Jan/2016:23:57:22 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26" 4820 285 173.252.120.104 - - [08/Jan/2016:23:57:48 +0200] "GET /images/new_banners/Siyaya_homepage_01BEE.jpg HTTP/1.1" 200 189609 "-" "facebookexternalhit/1.1 (+http//wwwfacebook.com/externalhit_uatext.php)" 242 189891 gen204.hs.shared.masterhost.ru - - [08/Jan/2016:23:58:04 +0200] "POST /layouts/libraries/cms/html/session.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344" 7586 285 msnbot-207-46-13-11.search.msn.com - - [08/Jan/2016:23:58:21 +0200] "GET /index.php/online-tests/document-1-b HTTP/1.1" 404 717 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http//wwwbing.com/bingbothtm)" 310 1202 "

Any idea how they got access to the website ?

And any methods on how to stop them ?
The administrator has disabled public write access.
  • 1

Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!