Support

Please note that Admin Tools Professional can only protect you against hacking attempts which go through your site's index*.php files. When you use the .htaccess Maker, it will also create a .htaccess which prevents direct access to .php files on your site, unless you allow specific files to be directly accessible.

From that point, your site can be hacked with one of the following ways (these are the most common ways, not an exclusive list):
- Bad ownership/permissions. Please note that permissions alone mean NOTHING AT ALL. For more information, you can consult Akeeba Backup User's Guide, the Security chapter. If you have bad ownership/permissions, it is possible that another hacked account on the same server can overwrite your files, i.e. hack your site.
- Direct access to vulnerable .php files. If you have not used .htaccess Maker or if you have added exceptions for some .php files and these are vulnerable, an attacker can very easily access them over the web to hack your site. Since the access to these files does not pass through Joomla!'s index*.php files, Admin Tools is not running and can not protect you.
- Stolen FTP access. It's not that hard. Malware on your or your client's (if you're managing a client's site) computer can steal your FTP login information. This gives the attacker a "free pass" to hack your site.
- Exploited yesterday, ready to be hacked tomorrow as Brian Teeman has shown. In this very common scenario, the attacker has infiltrated your site a while ago, then hacks it at his convenience in a later date.
- Some attacks may pass through Admin Tools Professional, albeit it take a lot of skill and a scandalously badly coded extension for this to happen. For example, if you have an extension which allows an attacker to execute PHP code passed in a POST request without a PHP tag (e.g. the developer is using PHP's eval() with unvalidated input data) there's no way Admin Tools can protect you. I have not seen such extensions in the wild, only custom extensions written by underskilled (or, should I say, unskilled), idiotic freelancers of the 1$/hour rent-a-coder variety.

So, what can you do? Start by reading my Unhacking your site walkthrough. It will help you not only fix the hack, but also secure your site.

The next step you can do is to wait just a few days for me to publish the new alpha release of Admin Tools. I have just (as in, ten days ago) completed writing a handy new tool which allows you to run a security assessment of your site's files. It does throw a lot of false positives in the first run, but it will narrow down the list of possibly suspicious files to about 100 of them. The documentation explains how you can check those files against the "official" files of Joomla! itself or the extension they belong to to make sure they are not suspicious. If you find a compromised file, you will immediately know how you're being hacked.

If, despite the above, you still get hacked, you are on a host with one or more hacked sites and screwed up ownership/permissions which allow the hacker to hack your site through the "back door", i.e. by directly modifying your site's files from the other hacked site on the same server. Besides fixing your ownership and permissions (as explained in the Unhacking Your Site walkthrough) the only other workaround is to actually move to a different host.

I know this is a LOT of information to take in. Let me give you a sound advice. Don't panic. The situation can't get much worse than it is right now and doing things hastily will end up to offering no solution, only wasting your time. Start by meticulously following the unhacking instructions and you'll see that things will start making sense. It will take you 1-2 days, but in the end you'll end up with a much more secure site.

Good luck and, should you get stuck, please post back so that I can help you!

Hi,

I think you are confusing the action verbs' context. The first verb (GET, POST) is the HTTP command. these are the two most common, accounting for 99.9% of all requests you'll see in the log. Some more exotic HTTP verbs are HEAD, TRACE, PUT and DELETE, but I don't think you're going to see them in your logs. Now, the INSERT/UPDATE/DELETE verbs are SQL commands and would only appear in the URL (not the column before the URL!) if an attacker tried to launch a SQL injection (a.k.a. SQLi) attack on your site. If you don't see any of them, the attacker is not using an SQL injection attack.

The next bit you mention is a case-breaker:

All files got about the same timestanp, and were modified up to 4 subdirectories from the root directory

Let me analyse this. Something scans and modifies all PHP files, 4 levels deep, within a few seconds. This means that there is a PHP file which performs that malicious act. In your previous email you also told me that this always happens around 3 p.m. every day. You know what that sounds like? A CRON job. Check the CRON jobs on your site. If you see anything you didn't put in there yourself, remove it (after noting down the file which was being called), then remove the file which was being called. Also change all of your passwords, including your hosting account password. Better be safe than sorry.

You should also follow all of the other security advice in the unhacking guide, including the tip to restore your site using Kickstart's FTP mode to make sure your files are not writable by another hacked site on the same server.

The PHP version seems to be quite irrelevant with this hack. I think that there is a hacking script somewhere in your site which is being run every so often, re-hacking your site all over again. This is what you have to locate and remove.

If you can't make heads and tails of that, please send me a Personal Message. I can give you contact details for Joomla! professionals who can do the whole unhacking deal for you, albeit for a fee. They will also help you secure your site.

OK, it's not a CRON job, the only CRON file (the one you posted) is perfectly safe as it is. This leaves only a handful of possibilities:
- A hacking script left in a directory and being called by the attacker to re-hack your site (Using Admin Tools' .htaccess Maker with the default settings will rule that out)
- Another compromised account on your server hacking your site (you should restore using Kickstart's FTP mode and use Joomla!'s FTP feature to allow extension installation, do not use 0777 permissions)
- Stolen FTP information (this won't be a factor once you change your passwords)
I'd say we're in a good track. You've ruled out a few possibilities so far, which means that you're closing in to the solution.

Yes, all passwords are stored in the configuration file as cleartext.

You are absolutely correct. Worse yet, since all of your files are owned by Apache, they can be read and written to by all users on this web server. That's why I asked you to restore your site using Kickstart's FTP mode. This will change the ownership to your site's user. From that point, it's your host's responsibility to ensure that the home directory's permissions are 0700 to prevent any unauthorised user from peeking at your files. If they can't do that, it's a good idea to move to a secure host, like CloudAccess.net, iRedHost or Rochen.

You're welcome! Let me know how it works out!

Hi,

1. It actually depends on ownership. 0770 sounds a typical case. Not very secure, but unless your host is using suPHP or Apache's mod_itk this is the closes to secure you can possibly get.

2. You have to do a little trick. Set the permissions of configuration.php to 0777, go to Global Configuration, set up the FTP mode and click on Save. This will replace the configuration.php (owned by apache) with a new one (owned by your FTP user) and change its permissions back to 0444. Talking about killing two birds with one stone ;)

3. No, not really. You can have the FTP mode turned on but without a password. What I mean is that after installing the extension, go back to Global Configuration and delete the FTP password, but please leave the FTP enabled. Next time you try to install an extension, Joomla! will ask you for your FTP password. Clever, huh?

You will only need to supply your FTP password to Global Configuration before using an extension which needs to modify site files, like Admin Tools' Fix Permissions or Clean Temporary Directory tool.

That's easy! Go to Components, Admin Tools, .htaccess Maker and expand the "Server Protection" pane. Add the following line to the "Allow direct access to these files" text area:
administrator/components/com_extplorer/fetchscript.php
Then click on Save and Create .htaccess.

FYI, the exact instructions for coming to this conclusion yourself are listed in the documentation and our troubleshooting guide.

You're welcome! If you get stuck and can't figure it out on your own, just post here and include a URL if it's a front-end item. It allows me to just go to that page, take a look and tell you what needs to be added.