Reputation: 33
One of my clients complained that she cannot log into her Joomla installation anymore. So I checked the database and saw that all the usernames and passwords (MD5 value, I used a rainbow table to check) are set to "harun". Did anyone ever hear about that? Google doesn't...
Also: what do I need to do now (besides changing passwords)? I'm not that "big" in web-dev and never faced such a problem.
Any help appreciated.
Upvotes: 1
Views: 100
Reputation: 1513
As a long-term solution, my suggestion is to change your server or host. As you said, the MD5 values are set to "harun"; in my opinion this was changed by some kid hacker through a symlink attack or some local Joomla vulnerability attack. If it is a symlink attack then you need to worry about the host; otherwise, if it is a Joomla vulnerability, simply change the version or update it and clean up your public_html/ and so on. And make sure there is no other PHP script or Perl/Python script on your host.
Upvotes: 0
Reputation: 3345
You need to clean up the website and find and fix the point of entry.
1. clean up the website
You could restore from a backup but it can be difficult to determine the exact date the website was compromised.
You could spend days trying to find and fix compromised files yourself.
The best option is probably to use a commercial service like www.myjoomla.com or sucuri.net which cost very little and are usually effective at finding and fixing infected websites. In particular, the myJoomla security tool can identify core Joomla files that have been changed and replace the changed ones with the original files.
2. find and fix the point of entry
Update Joomla to the latest version in the series.
Update all third party extensions to the latest versions.
Update Joomla, FTP/cPanel and Database passwords.
Check the Vulnerable Extensions List at vel.joomla.org to ensure you are not using any vulnerable extensions.
Also see the Official Security Checklist at http://docs.joomla.org/Security_Checklist and https://stackoverflow.com/a/19139389/1983389 and https://joomla.stackexchange.com/a/180/120 for tips on keeping your Joomla website secure.
Upvotes: 0
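A rough version of the changed-core-file check this answer describes, added here as an illustration (it is not part of the original answer and not how myJoomla or Sucuri work): it compares the live site against a freshly extracted copy of the same Joomla release and lists modified, missing and added files, plus any symlinks. The directory layout and sample files are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each relative path to a SHA-256 digest or a symlink marker (links are not followed)."""
    result = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                result[rel] = "symlink -> " + os.readlink(full)
            elif os.path.isfile(full):
                with open(full, "rb") as fh:
                    result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare_to_clean(clean_root, live_root):
    """Classify live files against a pristine copy of the same release."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(p for p in clean if p not in live),
        "added": sorted(p for p in live if p not in clean
                        and not live[p].startswith("symlink")),
        "symlinks": sorted(p for p, v in live.items() if v.startswith("symlink")),
    }

def build_demo(base):
    """Constructed sample trees standing in for a clean release and a live site."""
    files = {
        "clean/libraries/loader.php": "<?php // core loader",
        "live/libraries/loader.php": "<?php // core loader + unknown change",
        "live/images/x.php": "<?php // script in an upload directory",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # Constructed dangling link; any symlink inside the web root deserves a look.
    os.symlink("/constructed/outside/target", os.path.join(base, "live/images/link"))
    return os.path.join(base, "clean"), os.path.join(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_to_clean(*build_demo(tmp)).items():
            print(kind, paths)
```

On a real site, "added" will also contain legitimate third-party extensions and uploads, so treat that list as things to review rather than things to delete.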
Reputation: 8178
Clearly you have a great deal of cleanup to do... I hope you have a database backup! We had the same kind of thing happen to us a couple of years back, and installed RSFirewall. While attacks still occasionally occur, this wonderful extension has cut the damage by 99% for us. Good luck!
Upvotes: 1