#11866 Hacked site recovery

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Thursday, 05 April 2012 11:17 CDT

user61605
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Reports, firewall and PHP scanner
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.5.26
PHP version: (unknown)
MySQL version: (unknown)
Host: extremeslovenia.com
Admin Tools version: Pro 2.2.3

Description of my issue:
After my site was recently hacked I performed the following:
- Uninstalled the 2 plug-ins that I had installed last week (one to add social networking icons and one to do language translations)
- Deleted the infected .htaccess file and replaced it with one from Joomla.com
- Found a repeated "POST" in the server logs: "95.163.67.202 - - [04/Apr/2012:07:00:58 +0100] "POST /tmp/jos_ftnq.php HTTP/1.1" 200 162" from a Russian IP address
- Cleared the jos_ftnq.php from the tmp folder and moved the tmp folder out of the HTDOCS folder up one level
- I have now installed the ProAdmin tools and done a basic configuration with the following current problems

1. PHP scan does not seem to complete, even after more than 30 minutes
2. When creating a new .htaccess file I get a "500 Internal server" error

My site is currently offline until I can resolve this, any help would be much appreciated.
Thanks
Bevan
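
Added example (not part of the ticket and not Admin Tools code): a Python script that scans an access log for requests like the one quoted in the post above, i.e. POSTs to PHP files inside directories that should only hold data. The directory list is an assumption, and every sample log line except the first is constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directories that hold data, not entry points, on a typical Joomla! site.
# Assumed list for this example; adjust it to your own layout.
NON_EXEC_DIRS = {"tmp", "cache", "images", "media", "logs"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# First line is the one quoted in the ticket; the rest are constructed.
SAMPLE_LOG = '''\
95.163.67.202 - - [04/Apr/2012:07:00:58 +0100] "POST /tmp/jos_ftnq.php HTTP/1.1" 200 162
95.163.67.202 - - [04/Apr/2012:07:05:58 +0100] "POST /tmp/jos_ftnq.php HTTP/1.1" 200 162
192.0.2.10 - - [04/Apr/2012:07:01:12 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 8123
192.0.2.10 - - [04/Apr/2012:07:02:40 +0100] "POST /administrator/index.php HTTP/1.1" 303 -
198.51.100.7 - - [04/Apr/2012:07:03:05 +0100] "POST /images/stories/x.php?a=1 HTTP/1.1" 404 210
192.0.2.10 - - [04/Apr/2012:07:04:00 +0100] "GET /media/system/js/core.js HTTP/1.1" 200 5120
'''.splitlines()

def is_php_in_data_dir(url_path):
    """True if the first PHP script in the path sits below a data directory."""
    segments = unquote(url_path.split("?", 1)[0]).lower().strip("/").split("/")
    for i, seg in enumerate(segments):
        if re.search(r"\.(php\d?|phtml)$", seg):
            return any(d in NON_EXEC_DIRS for d in segments[:i])
    return False

def suspicious_posts(lines):
    """Yield (ip, path, status) for POSTs to PHP files under data directories."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and is_php_in_data_dir(m["path"]):
            yield m["ip"], m["path"].split("?", 1)[0], int(m["status"])

def summarize(lines):
    """Count hits per (ip, path); 'served' is True if any request got a 2xx."""
    report = {}
    for ip, path, status in suspicious_posts(lines):
        entry = report.setdefault((ip, path), {"count": 0, "served": False})
        entry["count"] += 1
        entry["served"] = entry["served"] or 200 <= status < 300
        # A 2xx reply means the web server actually ran the script.
    return report

if __name__ == "__main__":
    for (ip, path), info in summarize(SAMPLE_LOG).items():
        print(ip, path, info)
```

An entry with "served" set to True marks a script that the server executed and that should be located and removed; entries with only 4xx replies are probes for files that were not there.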

nicholas
Akeeba Staff
Manager
Hello Bevan,

First, I would urge you to read the Unhacking your site tutorial.

Regarding your issues:

1. Depending on the number of PHP files you have on your site and the speed of your server, it may take a long time to complete. As a rule of thumb, scanning your site takes 3-5 times as long as backing it up with Akeeba Backup.

2. Read our troubleshooting instructions regarding this issue.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user61605
Strange... I logged the ticket twice because it is not showing in the "My Tickets" page?

Anyhow, the emergency site offline feature is not working. My site only goes offline using the built-in Joomla offline button.

I am busy looking through the article you sent me - is there another way of scanning the PHP files? The AdminTools version seems to time out after 45 minutes or so?
Thanks
Bevan

nicholas
Akeeba Staff
Manager
There is no other way to look at the PHP files. The only workaround that springs to mind is taking a backup and restoring it on your local PC, running a local web server (e.g. WAMPServer, XAMPP or similar), then performing the scan there. Usually local servers are much better for these long tasks than live servers.

Nicholas K. Dionysopoulos

Lead Developer and Director

