Please Help ????????

Status
Not open for further replies.

neweb

New Member
Please Help

Just had a site hacked, it's at
Shanowenfiles.ie/site

Please look at the site and see if you can tell me how to get out of this or have you seen it before.

I have tried opening the site using FTP but it makes my system go all funny.
This is a client's site and I don't know how to fix this.
 

neweb

New Member
When I try to FTP in my system becomes very slow and almost unresponsive.

After investigating a little further I don't think it was the CMS site that was hacked. I think it was the server.

The site is located at ….../site
When I try to access the main directory I get the same page as the hacked page. I get this no matter what directory I try to enter. Even if I enter an incorrect address after shanowenfiles.ie I get the same thing.

I'm not sure about the backup. I will have to dig into my files and find it.
The CMS is Joomla, but again, I don't think this is the problem.

Just managed to get access to the Joomla back end and everything seems fine there.
All the files are ok and no passwords have been changed.
 

dave

New Member
This 'looks' like a Joomla hack. I used to manage a couple of hundred Joomla installs and any vulnerabilities would get you hacked by this Turkish crew.

I haven't seen these particular guys before. But some things to look at are:

See which folders in your web root were world writable. Have a look in those folders for any files that seem out of place. They usually try to upload a PHP script that runs OS system commands, has a directory browser and file upload capabilities.

Also look at the tables in the database. I have seen them before run a SQL injection attack that inserts code into a menu item field or content item field.
Though I am not sure that this is the case here as the site is not being directed to their own sites, which is usually the case with that particular hack.
 

neweb

New Member
It seems to be a Joomla hack after all, Dave.

I have deleted a folder that had some out of place files in it. But still the site is showing the hack on the front end. I just can't find where the problem is.

There are a lot of add-ons on this site so taking it down will be a nightmare to say the least.

Any suggestions where I should look!!!
 

dave

New Member
Do all valid URLs show the page that is currently visible?

I haven't seen this before but has the index.php file in the webroot folder been changed?
Are you using the .htaccess file for SEF URLs? Has this been modified?

I haven't seen a successful attack on a 1.5.x version of Joomla before, only the older versions, so it could be down to one of the installed components or modules. Have a look into those as I have seen some of those vulnerable to SQL injection attacks. Check what the latest version of the component/module is and what you have installed.

One quick check I'd try is to turn off all modules on the site, including menus and all Joomla installed modules and modules you installed yourself, and try the site with no modules on it.

Finally check the template to see if there have been any modifications to it.

Sorry about all the suggestions but I've seen so many different types of attack on Joomla it's hard to say exactly what the solution is.
 

neweb

New Member
Sorry for the delay in getting back about this one.

I finally got the problem sorted and the site back up and running.

I replaced the index.php and index2.php pages. It looks like they were the files affected.

I also deleted another section in the admin/components section called com_sobi2.

The site loaded as normal. Thank god for that!

I have now added another layer to the security so hopefully no more problems.
The customer was over the moon that the site was back up and running as he only informed me about it late last night.

I'm not going to charge him for the repair as it was a good learning curve for me.
 

ciar4n

New Member
I had a very similar sounding problem in the past. It turned out not to be a Joomla hack but a virus I had accidentally uploaded onto the server. The virus used to attack all the index.* files on the server.

Just thought I'd mention it because I used to fix the problem by uploading backup index.* files as you mentioned. Problem was the virus used to re-emerge every couple of weeks so I'd recommend keeping a close eye on it.

Finish up I had to contact my host to do a full virus scan.
 