Hi,

I just had a site hacked today by GOY hackers. They completely replaced the home page of one of my sites with their page and had blocked my administrator access. The joomla version was 1.5.22 (which I have now upgraded)

Has anyone else experienced this? I don't know how they did this or what damage they might have done. I have since reverted back to an earlier backup version but there are approx. 150 registered users on the site and I don't know if their login info would have been obtained.

I'm wondering if there is some way to change everyones passwords and notify them or should I just send out an email to all users and get them to change their passwords.

Any help would be appreciated.

littleET

Could possibly have been obtained. All of the passwords are stored in Md5 hash encoding but you can un-encode it.
It is more likely that the emails have been obtained for spammers more than anything.

Get the list of all the website members and email them the link to have their passwords reset from com_user component. Better be safe than sorry.

I had a little look on the web for GOY Hackers and looks like they've been hacking sites since J1.5.5 days.

Might be worth having a look at what version of PHP and apache you're running on the server and make sure they're not out of date. From memory, PHP 5.2.x is now unsupported since Dec 2010.

PHP version is 5.2 17 but it will be updated in a week or so to 5.3.x

I was going to email all users to tell them to reset their password but I'm pretty sure they most of them will be unlikely to do this themselves.

I'm thinking of using the Userport extension to export all the current users and then reimport them which will at the same time create a new unique password for each user and email them to tell them this has been done and supply them with their new login - at least this will make sure all passwords are changed.

Do you know how they would have gained access? I couldn't find any details on this.

I wouldn't worry about the users unless they have admin access or above. As far as I know, they wouldn't be able to do anything to the site if they don't. It's only if their own profiles get compromised you will have an issue and I expect someone will scream sooner rather than later. I really doubt this will happen though as hackers tend to target where they can do a fair bit of damage as opposed to an individual low order account.

I haven't heard of this mob, but have had heaps of hacks on one of my sites. I installed several security extensions where the administrator area has a further extension to gain access and also deleted User 62 and changed the superadmin to another number so it wasn't as transparent.

You might ask your host how they got access. Sometimes they are familiar with these exploits. However, if it is through their poor securing of your server, don't expect them to be too forthcoming.

Cheers,

It would be a lot easier if I didn't have to reset all passwords so I will start with those with admin access or above as mentioned.

I suspect that is was more my lack of security than my hosts, so I am definately increasing all my security measures now and will implement on all sites.

Thanks for the advice.

Yeh a large portion of site security is all at server level.

I turned on fopen on one of our boxes last week and one of our sites got hacked a few days after.

There are a whole list of other PHP functions that should be completely turned off as well.

On our server accounts we also have CSF running on the box. Apparently it uses a bit of CPU but I think it is worth it. Blocking access and monitoring hacks is a priority over the CPU usage.

Peter

Hi LittleET,

To help with site security so that only your IP address can access the joomla admin login page place a .htaccess file in the administrator folder on your site as below if you have a static IP address. Don't if you use a dynamic IP address, because dynamic means your IP address will change and you will be locked out and require constant ftp file changes of the .htacess file.

You can find out from your ISP if you are using static or dynamic IP's for your internet connection. If static then visit the website www.whatsmyip.org/ to obtain your IP.

If you use static IP then follow these instructions..

Create a .htaccess file and place in folder as below.

public-html/administrator/ folder

Then place below in bold in the .htaccess file.

Order Deny,Allow
Deny from all
Allow from yyy.yyy.yyy.yyy



yyy.yyy.yyy.yyy = your IP address

Also to improve security make sure you update your login passwords with good strong security passwords for ftp,cpanel and joomla access.

Hope this helps.
Cheers

Thanks for the tip Lenfitz. I actually have a dynamic IP.

restore your admin and frontend template then you will have access to your admins section with right user name password.

As soon as you get the access upgrade joomla and apply security patches and worth to install security component.