TOPIC: hack of RHUK Milkyway

hack of RHUK Milkyway 2 years, 1 month ago #2669

  • dex
  • OFFLINE
  • Moderator
  • Posts: 779
  • Karma: 12
I have just had a new client's site hacked. J version 1.5.15.
It installed a configuration.php file into the RHUK Milkyway template folder, with login credentials in it. The site had user 62 with username 'admin' (OK, I inherited this site - not my idea!)

The only way I found out about the hack was that I downloaded a site backup last week to do some work for them, and my antivirus found the hack in my backup file.

I deleted all the standard templates, deleted user 62, changed all the pwds.

Just thought I should let people know. I've recently started to hear about some J 1.5 hacks.
Dex Randall
Joomla! web design and production
Sydney JUG organiser + joomla.org.au site admin
www.spikesystems.com.au
www.twitter.com/dexx
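The dropped configuration.php in the template folder was only noticed because an antivirus scanner happened to look at a backup. The check that would have caught it on the server is a comparison of the live tree against a manifest taken when the site was known to be clean. The following is an added example, not code from this thread or from Joomla; the function names, the demo tree and the rule that only one configuration.php belongs at the site root are assumptions made for the example.

```python
# Added example (not code from the thread): baseline-manifest comparison for a
# Joomla tree. A file dropped by an attacker, such as the stray
# templates/rhuk_milkyway/configuration.php described above, shows up as
# "added" the next time the site is compared against a known-clean manifest,
# instead of waiting for an antivirus scan of a backup to catch it.
# Function names and the demo tree are assumptions made for this example.
import hashlib
import os
import shutil
import tempfile


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, broken symlinks, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; return (added, modified, removed) as sorted path lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def misplaced_config(paths):
    """Flag any configuration.php that is not at the site root: Joomla keeps
    exactly one, at the top level, so a copy under templates/ (or anywhere
    else) is either a leaked credential file or a planted one."""
    return sorted(p for p in paths
                  if p.split("/")[-1].lower() == "configuration.php" and "/" in p)


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed mini-site, snapshot it, 'infect' it, and diff. Returns
    (added, modified, removed, flagged) so the result can be checked."""
    root = tempfile.mkdtemp(prefix="joomla-manifest-")
    try:
        _write(os.path.join(root, "configuration.php"), "<?php // real site config\n")
        _write(os.path.join(root, "templates/rhuk_milkyway/index.php"), "<?php // template\n")
        baseline = hash_tree(root)  # taken when the site was known to be clean
        # Simulated compromise: config copy dropped into the template folder and
        # the template's index.php tampered with (both constructed).
        _write(os.path.join(root, "templates/rhuk_milkyway/configuration.php"),
               "<?php $password = 'constructed'; // planted copy\n")
        _write(os.path.join(root, "templates/rhuk_milkyway/index.php"),
               "<?php // template\n<iframe src=\"http://example.invalid\"></iframe>\n")
        added, modified, removed = diff_manifests(baseline, hash_tree(root))
        return added, modified, removed, misplaced_config(added + modified)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
    print("review first:", flagged)
```

In practice the baseline is `hash_tree()` of a fresh Joomla install plus the extensions you installed, stored off the server so a compromise cannot edit it; anything in `added` or `modified` that is not a cache or log file is what you look at first. Changed passwords do not invalidate the manifest, so it survives the usual post-incident cleanup.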

Re: hack of RHUK Milkyway 2 years, 1 month ago #2670

  • buipy001
  • OFFLINE
  • Administrator
  • Posts: 250
  • Karma: 12
Thanks for that Dex,

I had two more J1.5.15 sites that were hacked last month as well. Not on my server but on their own.

These other ones had mailing scripts implanted into the CACHE folder, which was set to 777. How they got the files in I'm not sure.
The only limitation is your imagination
www.pbwebdev.com.au

Twitter: twitter.com/astroboysoup
Facebook: www.facebook.com/pbwebdev
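A world-writable cache folder is exactly the kind of thing an audit script finds before an attacker does. The block below is an added example, not code from this thread or from Joomla: it walks a document root, reports every directory with the world-write bit set and every PHP file sitting in a directory that should hold only data, then resets the modes. The directory list, extensions, function names and demo tree are assumptions for the example. Run the hardening step as the user that owns the files, since the web server still needs to write into cache/ and tmp/ afterwards.

```python
# Added example (not code from the thread): audit a Joomla document root for
# the two conditions in the post above, a world-writable (777) cache folder
# and PHP files dropped inside it, then strip the world-write bit.
# The directory list, file extensions and the demo tree are assumptions.
import os
import shutil
import stat
import tempfile

# Top-level Joomla directories that hold data, never executable PHP (assumption).
DATA_DIRS = ("cache", "tmp", "images", "media", "logs")
PHP_EXTS = (".php", ".phtml", ".php4", ".php5")


def is_world_writable(mode):
    """True when the 'other' write bit is set, e.g. 0o777 or 0o666."""
    return bool(mode & stat.S_IWOTH)


def is_stray_php(rel_path):
    """True for a PHP file whose top-level directory should contain only data."""
    parts = rel_path.replace(os.sep, "/").split("/")
    return len(parts) > 1 and parts[0] in DATA_DIRS and parts[-1].lower().endswith(PHP_EXTS)


def audit_tree(root):
    """Return (world_writable_dirs, stray_php_files), sorted, relative to root."""
    writable, stray = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if is_world_writable(os.stat(dirpath).st_mode):
            writable.append(rel)
        for name in filenames:
            rel_file = name if rel == "." else rel + "/" + name
            if is_stray_php(rel_file):
                stray.append(rel_file)
    return sorted(writable), sorted(stray)


def _set_mode(path, want):
    """chmod path to want unless it is a symlink or already correct; return 1 if changed."""
    if os.path.islink(path) or stat.S_IMODE(os.stat(path).st_mode) == want:
        return 0
    os.chmod(path, want)
    return 1


def harden_tree(root, dir_mode=0o755, file_mode=0o644):
    """Set every directory to dir_mode and every file to file_mode under root;
    return the number of paths whose mode changed. This removes the 777, it
    does not remove files already dropped: audit again and delete those by hand."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        changed += _set_mode(dirpath, dir_mode)
        for name in filenames:
            changed += _set_mode(os.path.join(dirpath, name), file_mode)
    return changed


def _touch(path, text=""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Construct a mini-site with a 777 cache/ holding a dropped mailer, audit it,
    harden it, audit again. Returns (before, changed, after)."""
    root = tempfile.mkdtemp(prefix="joomla-perms-")
    try:
        _touch(os.path.join(root, "configuration.php"), "<?php // site config\n")
        _touch(os.path.join(root, "templates/rhuk_milkyway/index.php"), "<?php // template\n")
        _touch(os.path.join(root, "cache/index.html"))  # Joomla's normal placeholder
        _touch(os.path.join(root, "cache/mailer.php"),
               "<?php // constructed stand-in for a dropped mailer script\n")
        _touch(os.path.join(root, "images/index.html"))
        os.chmod(os.path.join(root, "cache"), 0o777)   # the misconfiguration
        os.chmod(os.path.join(root, "images"), 0o777)
        before = audit_tree(root)
        changed = harden_tree(root)
        after = audit_tree(root)
        return before, changed, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, changed, after = demo()
    print("before:", before)
    print("modes changed:", changed)
    print("after: ", after)
```

Note what the second audit shows: the 777 directories are gone but cache/mailer.php is still listed. Fixing permissions closes the door; the script that came through it has to be found and deleted separately, which is why the audit reports both.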

Re: hack of RHUK Milkyway 1 year, 11 months ago #2932

  • jengregory
  • OFFLINE
  • Senior Boarder
  • Posts: 61
  • Karma: 2
I don't understand much about hacking but I also had a 1.5.15 site hacked last month.

All of the .html files were infected with an iframe attack. It appears that the hack went through the entire site, adding the attack onto every .php and .html based file in the entire public_html directory.

Google branded the site as infected, so it looked pretty bad as everyone was warned not to enter. I even had the Australian Computer Emergency Response Team at The University of Queensland contact us to let us know (after Google, of course).

Anyways, I reverted to our last backup and changed all passwords, etc throughout the site and the cpanel, changed the database name, user, etc.

I checked all extensions for updates (most were up to date, but jomComment and Xmap were not). I upgraded to the new jSecure (paid version) as well.

Does anyone know how an iframe attack works? Does it go through something in Joomla or was it more likely to be on the server?

I contacted the host immediately but they didn't seem to report any issues with other sites on the server.
Jennifer Gregory
www.standoutwebdesign.com.au

Re: hack of RHUK Milkyway 1 year, 11 months ago #2937

  • buipy001
  • OFFLINE
  • Administrator
  • Posts: 250
  • Karma: 12
That iframe hack that appears on every .php file usually occurs if access to the site is somehow writable.

I just dealt with another client that had a similar hack but was JS based; it embedded an encoded JS file at the bottom of every page, even the admin area of the site.

It was made possible because some of the folders were set to permissions 777 and a script managed to upload itself to one of those folders. I think it was the cache folder. From there the script searched for all .php files on the site and inserted the encoded JS at the top of the php file.

Everything was hacked and had been for about a month.

All passwords once again changed.

Regards,

Peter
The only limitation is your imagination
www.pbwebdev.com.au

Twitter: twitter.com/astroboysoup
Facebook: www.facebook.com/pbwebdev
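The two payloads described in this thread, the hidden iframe appended to every .html and .php file and the encoded JavaScript block, are the kind of thing that can be found with a signature scan, and the HTML-level ones can be stripped mechanically; the PHP-level stub an injector leaves at the top of a .php file (an eval of base64-decoded text) should be reported but not regex-cut, because removing the wrong span breaks the file. The block below is an added example, not code from this thread or from Joomla. The pattern list is deliberately small and the two sample pages are constructed; both are assumptions for the example.

```python
# Added example (not code from the thread): signature scan for injected
# content of the kind described above. Constructed patterns and samples.
import os
import re

# (name, regex, safe_to_strip). Assumption: these three cover the variants the
# thread describes; a production scanner carries a much longer list.
INJECTION_PATTERNS = [
    # Zero-size or hidden iframe, the classic drive-by loader.
    ("hidden-iframe",
     re.compile(r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
                r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>.*?</iframe>",
                re.I | re.S),
     True),
    # <script> whose first statement evaluates or writes decoded text.
    ("encoded-js",
     re.compile(r"<script\b[^>]*>\s*(?:eval|document\.write)\s*\(\s*"
                r"(?:unescape|atob|String\.fromCharCode)\s*\(.*?</script>",
                re.I | re.S),
     True),
    # PHP-level loader; reported only, never auto-stripped.
    ("php-eval",
     re.compile(r"(?:@\s*)?\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
                re.I),
     False),
]


def find_injections(text):
    """Return [(name, offset, excerpt)] for every signature hit, ordered by offset."""
    hits = []
    for name, rx, _strip in INJECTION_PATTERNS:
        for m in rx.finditer(text):
            hits.append((name, m.start(), m.group(0)[:60]))
    return sorted(hits, key=lambda h: h[1])


def strip_injections(text):
    """Remove only the HTML-level payloads; PHP-level hits are left for manual review."""
    for _name, rx, safe in INJECTION_PATTERNS:
        if safe:
            text = rx.sub("", text)
    return text


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk root and return {relative_path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples: one infected page carrying all three payloads, and one
# clean page with a legitimate, visible embed so the signatures can be shown
# not to fire on an ordinary iframe or an ordinary external script.
SAMPLE_INFECTED = (
    '<?php eval(base64_decode("QUJD")); ?>\n'
    '<?php defined("_JEXEC") or die("Restricted access"); ?>\n'
    '<html><body>\n'
    '<p>Welcome</p>\n'
    '<iframe src="http://example.invalid/in.php" width="0" height="0" frameborder="0"></iframe>\n'
    '<script>eval(unescape("%61%6c%65%72%74%28%31%29"));</script>\n'
    '</body></html>\n'
)
SAMPLE_CLEAN = (
    '<?php defined("_JEXEC") or die("Restricted access"); ?>\n'
    '<html><body>\n'
    '<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>\n'
    '<script src="/media/system/js/mootools.js"></script>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, find_injections(sample))
    print(strip_injections(SAMPLE_INFECTED))
```

Run `scan_tree()` over public_html before and after a cleanup: a hit count that drops to zero for `hidden-iframe` and `encoded-js` but not for `php-eval` tells you which files still need a human. Since the injector wrote into every file the web server could write to, a scan that comes back clean is also the moment to fix the permissions that let it happen.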

Re: hack of RHUK Milkyway 1 year, 11 months ago #2952

  • jengregory
  • OFFLINE
  • Senior Boarder
  • Posts: 61
  • Karma: 2
That's good to know for future reference. Thanks!
Jennifer Gregory
www.standoutwebdesign.com.au