Support

Admin Tools

#26525 index.php, framework.php, import.php Keep Getting Hacked But Not Security Event is Generated

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Sunday, 11 December 2016 17:17 CST

[email protected]
Hi,

We have sites that keep having index.php, framework.php and import.php (among others) getting hacked. All Joomla files have been cleaned and replaced with fresh versions, but after a few days the infection reoccur. The odd things are:

1. The file mod dates are not touched.

2. Admin Tools does not show a security event (such as admin login, etc.) associated with this event.

3. We don't believe that FTP is exploited to accomplish these hacks (passwords have been changed, file mod dates not touched).

4. Most of our add-on are current, but there a few that are outdated.

Any ideas what we should be looking for or how this hack is being accomplished? PHP injection? Add-on upload feature?

Thanks in advance,
Chris  

[email protected]
Additionally, after a day or two of infection each of the Admin Tools installations stop loading the Admin Tool component and cannot be managed. So Admin Tools is a) not detecting the infection and b) no longer allows an admin to manage the scan logs or see what is infected.

Help!

tampe125
Akeeba Staff
Hello Jose,

Just because you have Admin Tools installed and a .htaccess file generated doesn't make your site unhackable. The first obvious reason is that no security tool can ever be watertight. All security tools, including Admin Tools, are designed to make it very much harder for someone to hack your site. Making it impossible, though? Not a chance. If there were such a magic solution we'd be selling it for several millions of dollars – just think about how much money big companies lose when their servers are penetrated.

Now, besides that, all security solutions protect you from hacks coming from the outside as long as the requests are routed through them. This has two very important corollaries:

1. It is possible that the attacker is able to execute an arbitrary PHP file or exploit a vulnerability in a directly web accessible .php file. The .htaccess Maker front-end and back-end protection block, by default, access to all .php files except Joomla!'s index.php files. However, you can add exceptions. If you add an exception which allows specific .php files to be accessed and they are vulnerable then you've opened a back door to your site. If you enable direct access to all files (including .php) for a articular directory it is possible that the attacker found a way to upload a malicious script and execute it, hacking your site. If you have a secondary site, e.g. a Wordpress installation, inside your site's root and you allow access to it, it is possible that the attacker hacked it and used it as a back door to hack your Joomla! site. Of course there is also the possibility that if you didn't enable the front-end and back-end protection in Admin Tools .htaccess maker that a hacker found a vulnerability which allowed him to upload and execute a malicious script.

2. There's what I call the "under the radar" attack. On most shared hosts it is possible that if a hacker infiltrates another site on the same server he has write access to your site's files. It all depends on ownership and permissions. If the files are owned by the same user under which the web server runs for all sites hosted on the server (as opposed to being owned by your account's FTP user) then you are definitely vulnerable to this attack. Permissions with their second or third digit set to 6 or 7 (e.g. 664, 646, 775, 757 and so on) may also make you vulnerable to such an attack.

3. If you are using outdated software it is possible that it suffers by a vulnerability which cannot be prevented by a security solution. For example, Joomla! 1.6 and 1.7 allow malicious users to create Super Admin users if the user registration is enabled. Due to the nature of that bug no security solution can prevent this. Check the versions of everything you have installed.

Another possibility is the "exploited yesterday, ready to be hacked tomorrow" method. I've seen that many times. A site was infiltrated by a hacker months ago and they installed a back door. Months later they come back and hack your site. The thing is that all your backups are now "infected" with this back door. Restoring your site from a backup will allow the hacker to hack your site again and again and again.

Of course there is the low tech approach: somehow you admin or FTP credentials were stolen. Stealing admin or FTP credentials is dead simple, as long as the hacker is connected to the same network (wired or wireless) as you and your site does not use HTTPS. Stealing FTP logins can also be performed by malware such as keystroke loggers or by more specialised malware which steals, for example, FileZilla's saved connections INI file which contains the credentials in plain text.

I would recommend following the advice in our Unhacking Your Site walkthrough to first identify the point of entry, unhack your site and patch the security hole which made the hack possible in the first place.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!