
SOLVED My Oculus based website hacked

  • SOLVED My Oculus based website hacked

    Posted 8 years 5 months ago
    • I have been a software developer for many years, but I am a relatively new user of joomla and RocketTheme Templates. I am using arvixe.com (actually recommended by RocketTheme) to host a personal photography website and am using the Oculus template.

      Recently, my site was hacked by some a$$hole from Algeria. I was able to clean this up on my own. I changed all passwords into my arvixe account as well as the admin passwords for Joomla in the configuration.php file and MySQL database. I have also blocked access from IP ranges associated with Algeria. I have submitted a support ticket with Arvixe, and posted on their forum, but so far I haven't had a response from these contacts. I am hoping that this forum may provide some useful suggestions to my question (below).

      Part of the hack used a file named 1337w0rm.php. It appears that this exploit is used to crack cPanel security. The result was that the hacker was able to get admin access through joomla and install a couple of packages (Paypal.zip, Update.zip), as well as other files. My site is a simple site which does not involve credit cards, Paypal, or email. I have since deleted all the files added by the hacker.

      MY QUESTION IS THIS: Does anyone know which vulnerability allows this type of exploit? Also, what can be done in Joomla, cPanel, or with the service provider configuration and/or utilities to prevent a recurrence of this exploit?

      One of the php files only contained this string: "hacked by amine bekkadour sorry admin".

      Another part of the hack looked like it was trying to set up a fake Paypal login and send login info to [email address hidden by the forum's spam protection].

      In yet another file, there was a reference to "MASTER OF SADNESS"; apparently, a hacker known on the internet.

      I am building my personal website for the enjoyment of sharing my photography with friends and others. I am not trying to sell anything. I have been building ASP.NET websites in a commercial environment for many years. Now that I'm retired, I've switched to Joomla, and other open source technologies and I like these. I am a paid member of RocketTheme, and like the templates. I am also starting a Gantry 5 based website for my camera club with the Callisto template. But now, I'm wondering about the security provided by this strategy. Any suggestions or information you can reply with will be greatly appreciated by me.
    • Last Edit: 8 years 5 months ago by Dennis Morgan.
    • The following users have thanked you: Vitaly

    • Matt
    • Preeminent Rocketeer
    • Posts: 21503
    • Thanks: 3081
    • messin' with stuff

    Re: My Oculus based website hacked

    Posted 8 years 5 months ago
    • I'm not a security expert by any means though I've dealt with a number of "hacked" sites... which is more correctly said in that I've dealt with a number of "exploited" sites, sites always based on a CMS of some kind. You were most likely the victim of a published exploit in an older version of Joomla. When someone with at least a little bit of skills finds a security vulnerability in a piece of software they often publish that exploit... most popular CMS' are quick to respond and release security updates but that can actually make the vulnerability more widely known... though there's really no getting around that.

      What then happens is low level scum, like the turds who exploited your site, use that published data to exploit non-upgraded sites. They aren't really hackers by any stretch of the imagination... often times people just write scripts to exploit sites at random by scanning for the vulnerabilities... so I also wouldn't feel "targeted" if I were you.

      I unfortunately don't have the resources to research your specific exploit... you say it was a cPanel exploit? If you're on a fully managed server then shame on your Hosting company for not keeping WHM/cPanel up to date. Was Joomla up to date at the time of your hack? Always always always check on new releases from any CMS... be it Joomla, WordPress, Magento, whatever... and see if they note any security fixes in the update... if security enhancements were released then you should almost always upgrade immediately.

      You should do the same with plugin or extension updates though security vulnerabilities in those are much much more rare.

      Keep your CMS and your Server software up to date and 99% of the time, you'll be just fine... there's lots of security forums out there around web technologies if you want to/need to take it to the next level.

      If you have any specific questions I can at least give you my thoughts/opinion :)
    • Last Edit: 8 years 5 months ago by Matt.
    • The following users have thanked you: Vitaly

    • SEARCH the forum first! These boards are rich in knowledge and vast in topics. This includes searching just the 'Solved' forums, using Google, and using ChatGPT :woohoo:
  • Re: My Oculus based website hacked

    Posted 8 years 5 months ago
    • Thanks for the feedback Matt. I am looking into possible version upgrades today.

      Current versions on hosting server and my Joomla site:
      Joomla version: 3.3.5
      Joomla Platform version: 13.1.0 (I'm not sure what the Platform version is)
      PHPVersion: 5.4.44
      MySQL Version: 5.5.45-37.4
      cPanel Version: 11.50.1 (build 3)

      BTW, I do like the Oculus template. I will also be building another site using Gantry 5 and the Callisto or Requiem templates. I am hoping to modify these templates to use an image background similar to the Oculus template.

      Thanks again for your advice. RocketTheme and your support are fantastic. Once I complete the version upgrades, I will reply one more time to this thread, and mark it as solved.
    • Last Edit: 8 years 5 months ago by Dennis Morgan.
    • The following users have thanked you: Vitaly

    • Matt
    • Preeminent Rocketeer
    • Posts: 21503
    • Thanks: 3081
    • messin' with stuff

    Re: My Oculus based website hacked

    Posted 8 years 5 months ago
    • 3.3.6, 3.4.2, and 3.4.4 all had security patches... with 3.3.6 being the only one with a security patch in the 3.3.x line

      www.joomla.org/announcements/release-news.html

      Your cPanel appears up to date in-so-far-as the automatic updates go... 11.52 has been released though... cPanel is good about pushing security issues via their auto-updates though so I reckon you're good there.

      releases.cpanel.com/

      PHP 5.4.44 is secure as well

      php.net/ChangeLog-5.php
    • Last Edit: 8 years 5 months ago by Matt.
    • The following users have thanked you: Vitaly

  • Re: My Oculus based website hacked

    Posted 8 years 5 months ago
    • I have come to the conclusion that the exploit used to hack into my system was most likely due to the Joomla version I was using, i.e. version 3.3.5. This version has known security issues. This is also my first attempt at building a website with Joomla and Rockettheme templates. I still have a lot more to learn about Joomla, PHP programming, etc.

      Since then, I have restored and updated my site so that it is now running Joomla version 3.4.4. Unfortunately, version 3.3.5 was not a version that could be updated with the normal update process. My first attempt to update (using Extension Manager) failed and deleted some essential directories which blocked me from logging into the Joomla admin/backend (did not even get the login screen; only white screen of death). I identified the missing folders, and copied over these folders from another implementation of 3.3.5. What finally worked for me was unzipping a 3.3.6 patch version and copying it to the tmp folder of the website and using Extension Manager to install from that directory. Subsequently, I updated 3.3.6 with 3.4.4. I did all this on a test server on my local network, and once all updates were successful, I copied the entire website back to the production server (after deleting the complete hacked version of the website).

      Lessons learned:

      1) Always update to latest Joomla version.
      2) Monitor Joomla.org or other sites for security notifications regarding website security vulnerabilities and updates.
      3) Backup website every time you make changes to it.
      4) Take additional steps to protect your website (as appropriate). Learn as much as you can about website security.

      I'm still working on #4. I am looking into software that can be used to scan for changes (made by someone other than me), and ways to make backups a bit more easy. One thing I'm beginning to do is block IP address ranges from countries that are the greatest source of hacking attempts. The access history (and other clues) indicated the exploit originated from Algeria. Now, no one located in Algeria gets to access my website. I am also seeing accesses from Russia, Ukraine, and China. I am considering blocking these countries as well. I am just building my website as a hobby, and to display my photos (mainly to family and friends). I'm not trying to sell anything, and don't need the "MASTER OF SADNESS" to screw up my day.
    • The following users have thanked you: Matt, Vitaly
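The "software that can be used to scan for changes" mentioned in the post above can be as simple as a hash baseline of the web root. The following is an added example (not code from the thread or from Joomla/Akeeba): it snapshots every file, diffs a later snapshot against the baseline, and flags new PHP files in media/temp directories, which is exactly the kind of dropped file the thread describes. The directory list and the sample tree are constructed assumptions; adjust them for a real site.

```python
"""Added example (not from the thread): file-integrity check for a Joomla web root.
Snapshot after a clean install/update, re-run later to see added/modified/removed
files, and flag new PHP files in directories that should only hold media."""
import hashlib
import tempfile
from pathlib import Path

# Joomla default media/temp dirs; a new .php file here is a red flag (assumption: adjust per site)
UPLOAD_DIRS = ("images", "tmp", "cache", "logs")

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff(baseline, current):
    """Compare two snapshots; return sorted lists of added/modified/removed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def suspicious(paths):
    """PHP files that appeared under media/temp directories."""
    return [p for p in paths if p.lower().endswith(".php") and p.split("/")[0] in UPLOAD_DIRS]

def demo():
    """Constructed sample tree: take a baseline, then simulate the kind of changes
    the thread describes (dropped PHP file, edited core file, deleted media)."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "images").mkdir()
        (r / "configuration.php").write_text("<?php class JConfig {} ?>")
        (r / "images" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        base = snapshot(r)  # in real use, store the baseline outside the web root
        (r / "images" / "dropped.php").write_text("<?php /* constructed placeholder */ ?>")
        (r / "configuration.php").write_text("<?php class JConfig {} /* edited */ ?>")
        (r / "images" / "photo.jpg").unlink()
        changes = diff(base, snapshot(r))
        return changes, suspicious(changes["added"])

if __name__ == "__main__":
    changes, flagged = demo()
    for kind, paths in changes.items():
        print(kind, paths)
    print("suspicious PHP in media dirs:", flagged)
```

Run the snapshot from a cron job and compare against a baseline stored off the web root, so an intruder who drops files cannot also rewrite the baseline.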

    • Matt
    • Preeminent Rocketeer
    • Posts: 21503
    • Thanks: 3081
    • messin' with stuff

    Re: My Oculus based website hacked

    Posted 8 years 5 months ago
    • Nice wrap up post :)

      I block geo IPs from russia, china, and turkey on most all of my sites as well.

      Akeeba Backup is by far and away the best backup solution for both Joomla and WordPress in my opinion... it's also how I personally launch sites from Local to Live... I do an Akeeba Backup of my local and then use Akeeba Kickstart to launch it live.

      Happy Buildin'

      :)
    • The following users have thanked you: findhab, Vitaly

    • findhab
    • Rocketeer
    • Posts: 55
    • Thanks: 4

    Re: My Oculus based website hacked

    Posted 7 years 9 months ago
    • Hi Matt,

      How do you block geo IPs? Google Analytics shows me unusual constant accesses from weird countries and I want to block them.

      Regards,
    • The following users have thanked you: Vitaly

    • Henning
    • Preeminent Rocketeer
    • Posts: 29362
    • Thanks: 954
    • Volunteer

    Re: My Oculus based website hacked

    Posted 7 years 9 months ago
    • Akeeba admintools lets you do that
    • The following users have thanked you: findhab, Vitaly

    • findhab
    • Rocketeer
    • Posts: 55
    • Thanks: 4

    Re: My Oculus based website hacked

    Posted 7 years 9 months ago
    • Thanks
      I will check it out.
    • The following users have thanked you: Vitaly
