Hello Miroslaw,
Just because you have Admin Tools installed and a .htaccess file generated doesn't make your site unhackable. The first obvious reason is that no security tool can ever be watertight. All security tools, including Admin Tools, are designed to make it very much harder for someone to hack your site. Making it impossible, though? Not a chance. If there were such a magic solution we'd be selling it for several millions of dollars – just think about how much money big companies lose when their servers are penetrated.
Now, besides that, all security solutions protect you from hacks coming from the outside as long as the requests are routed through them. This has two very important corollaries:
1. It is possible that the attacker is able to execute an arbitrary PHP file or exploit a vulnerability in a directly web accessible .php file. The .htaccess Maker front-end and back-end protection block, by default, access to all .php files except Joomla!'s index.php files. However, you can add exceptions. If you add an exception which allows specific .php files to be accessed and they are vulnerable then you've opened a back door to your site. If you enable direct access to all files (including .php) for a articular directory it is possible that the attacker found a way to upload a malicious script and execute it, hacking your site. If you have a secondary site, e.g. a Wordpress installation, inside your site's root and you allow access to it, it is possible that the attacker hacked it and used it as a back door to hack your Joomla! site. Of course there is also the possibility that if you didn't enable the front-end and back-end protection in Admin Tools .htaccess maker that a hacker found a vulnerability which allowed him to upload and execute a malicious script.
2. There's what I call the "under the radar" attack. On most shared hosts it is possible that if a hacker infiltrates another site on the same server he has write access to your site's files. It all depends on ownership and permissions. If the files are owned by the same user under which the web server runs for all sites hosted on the server (as opposed to being owned by your account's FTP user) then you are definitely vulnerable to this attack. Permissions with their second or third digit set to 6 or 7 (e.g. 664, 646, 775, 757 and so on) may also make you vulnerable to such an attack.
3. If you are using outdated software it is possible that it suffers by a vulnerability which cannot be prevented by a security solution. For example, Joomla! 1.6 and 1.7 allow malicious users to create Super Admin users if the user registration is enabled. Due to the nature of that bug no security solution can prevent this. Check the versions of everything you have installed.
Another possibility is the "exploited yesterday, ready to be hacked tomorrow" method. I've seen that many times. A site was infiltrated by a hacker months ago and they installed a back door. Months later they come back and hack your site. The thing is that all your backups are now "infected" with this back door. Restoring your site from a backup will allow the hacker to hack your site again and again and again.
Of course there is the low tech approach: somehow you admin or FTP credentials were stolen. Stealing admin or FTP credentials is dead simple, as long as the hacker is connected to the same network (wired or wireless) as you and your site does not use HTTPS. Stealing FTP logins can also be performed by malware such as keystroke loggers or by more specialised malware which steals, for example, FileZilla's saved connections INI file which contains the credentials in plain text.
I would recommend following the advice in our
Unhacking Your Site walkthrough to first identify the point of entry, unhack your site and patch the security hole which made the hack possible in the first place.
Davide Tampellini
Developer and Support Staff
🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!