Have I read the related troubleshooter articles above before posting? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting? Yes
Joomla! version: 2.5.4 Stable
PHP version: 5.3.9
MySQL version: 5.1.62-cll
Host: Rochen
Admin Tools version: Deluxe/Pro 2.2.5
Description of my issue:
Hello, Nicholas, your tools are very intuitive and very, very well documented. You've put much thought into your tools and documentation. Thank God for you. Your expertise and skills are apparently top notch. I wish I would have taken your advice sooner instead of snoozing at the wheel, so to say.
Just a little background info first. Hindsight is 20/20. It's time to get PROACTIVE with security. I've been building Joomla sites for a few years, more or less, to help some of the small businesses that I work with, and I'm making next to nothing, so I haven't been motivated to take yet more time to dive into security, and the people I've helped know this. But I'm starting to find more and more people are asking for my help and I can actually make some money, so I'm taking this very seriously now, as I will be becoming a Rochen reseller very soon. I live in a retirement community and we have many small businesses that want a web presence.
Anyways... The same site that I just rebuilt at the beginning of the year (it was running Joomla 1.5.25) was hosting a hacked subsite that went unnoticed for some time, and appears to have had a similar breach after doing a complete fresh install of Joomla 2.5 with minimal extensions. Upon doing some updates to Joomla and extensions for one of our customers (the one mentioned above), I noticed, while I was in cPanel's file manager, that there was a "sonographers" directory in the root of "public_html", containing a "cream.php" script of some sort, of which I can't make heads or tails because I'm not a PHP programmer. I also noticed that the timestamp on the .htaccess file in the root of "public_html" was modified on the same date and time that the "sonographers" directory and accompanying script were created. After further research, I started to get very worried, as the info I found from others that had a similar script running was that their .htaccess files had been modified to redirect visitors to malicious websites. I don't see similar entries in the .htaccess file that was modified, but am unsure, as everything is cryptic even after reading up on how .htaccess rules/statements work in general.
I removed the "sonographers" directory and files. I've purchased the Deluxe Akeeba tools and installed them, read through the docs, configured the Web Application Firewall and run the .htaccess maker. I just hope it's not too late for this customer.
Notes on the new Joomla installation:
The original .htaccess file on this server was automatically created when Joomla 2.5.x was installed via the Rochen Joomla auto-installer utility that Rochen offers, which Nicholas helped develop a while back, I believe. But from what he told me, that .htaccess file was for Joomla 1.5.x, not the newer versions of Joomla.
I've scoured logs and looked through all the directories for suspicious-looking files and corresponding timestamps, file permissions, spikes in bandwidth usage, etc., etc., before installing the Akeeba Admin Tools. But I'm new to this and can't tell if this breach was stopped some way during the escalation process or is lying hidden and alive right under my nose. I would appreciate it if someone could take a look at the modified .htaccess file and cream.php script and tell me what I should possibly be looking for. I've spent hours upon hours reading, sifting through logs and code that makes no sense to me, and it's time I asked for some guidance from the experienced, proactive, security-conscious Joomla users.
Please help a guy that wants to help himself and his customers and learn some best practices. If someone is willing to look at these files, let me know the best way to deliver them.
Thanks for your time,
Joshua
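The ticket above describes two pieces of manual triage: correlating the modification time of the web root's .htaccess with the creation of the dropped "sonographers/cream.php", and scanning the .htaccess for injected redirect rules. The shell helpers below are an added illustration of that workflow; they are not part of the ticket, of Admin Tools, or of Rochen's tooling. They assume GNU coreutils/findutils (`stat -c`, `find`, `touch -d`) as found on a typical Linux host; the function names, the sample directory layout and the `.example` hostname in the fixture are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the ticket or Admin Tools): two small triage helpers
# for a suspected Joomla web-root compromise. Assumes GNU coreutils/findutils.

# files_touched_with ROOT REF [WINDOW]
# Print every regular file under ROOT whose mtime lies within WINDOW seconds
# (default 600) of the mtime of REF. Pointing REF at the modified .htaccess
# surfaces everything else written in the same session (a dropped directory
# and script, edited core files) without inspecting each file by hand.
files_touched_with() {
    root=$1
    ref=$2
    window=${3:-600}
    refts=$(stat -c %Y "$ref") || return 1
    find "$root" -type f | while IFS= read -r f; do
        ts=$(stat -c %Y "$f")
        delta=$(( ts - refts ))
        if [ "$delta" -lt 0 ]; then delta=$(( 0 - delta )); fi
        if [ "$delta" -le "$window" ]; then printf '%s\n' "$f"; fi
    done
}

# htaccess_findings FILE
# Print, with line numbers, the lines of an .htaccess that match constructs
# typical of injected redirect/cloaking rules: rewrites or ErrorDocuments that
# send visitors to another host, conditions keyed on search-engine referrers or
# user agents, and directives that pull extra PHP code into every request.
# Returns 0 when at least one line matched, 1 when none did. These are
# heuristics to eyeball, not verdicts: a legitimate www-canonicalisation rule
# also rewrites to an absolute URL.
htaccess_findings() {
    grep -n -i -E \
        -e 'RewriteRule[[:space:]].*[[:space:]]https?://' \
        -e 'ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' \
        -e 'HTTP_(REFERER|USER_AGENT).*(google|bing|yahoo|msn)' \
        -e '(auto_prepend_file|auto_append_file|AddHandler)' \
        -- "$1"
}

# Typical run from the hosting account's home directory:
#   files_touched_with public_html public_html/.htaccess 900
#   htaccess_findings public_html/.htaccess
```

Run `files_touched_with` first with a generous window (15 minutes or so) and widen it if the result is empty; attackers who drop a backdoor and edit .htaccess in one request usually leave both files with mtimes seconds apart. Anything `htaccess_findings` flags that you did not write yourself, or that Admin Tools' .htaccess maker did not generate, deserves a line-by-line read before the file is trusted again.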