Urgent help with website security after hacking

_Andy_

Hi, hoping there might be a security guru here who could help.
If someone here is able to help, I can't offer to pay as such but would happily make a donation to your favourite charity..

I have several Joomla (v1.5.23) sites hosted on the same hosting package. Today they got hacked/had front pages defaced. I have restored the previous versions which is fine.
Obviously what I want to do now is prevent further attacks.
I've changed all the Joomla admin passwords (and also my Gmail and PayPal ones to be sure).
My host (Vidahost) haven't been especially helpful in terms of how to secure things from here.
I've seen some suggestions about .htaccess but any of them Ive tried just lead to 403 errors across all sites.
I have got rid of an old install of Wordpress in case.

Basically, help! Can anyone assist with securing this to prevent a further attack?

Thanks in advance

ETA: doesn't appear to be something like a password stolen off the pc by a trojan etc, have done a couple of scans and although of course I can't rule that out it doesn't seem to be the case (plus my email and various accounts etc haven't been touched)

steve1980

Are you hosting all the sites on your own server? Has YOUR PC been infected?

_Andy_

steve1980 wrote: »

Are you hosting all the sites on your own server? Has YOUR PC been infected?

hi Steve

Have done some scans and from what I can see the PC isn't infected. The hacker in question has 'done' a couple of other sites today also using Joomla and various ones before according to zone-h.org

I believe I've now undone all the damage (thankfully they hadn't deleted anything) but I just feel a bit lost now as to how to prevent it again.

Ps it's not my own server its shared hosting on Vidahost

Thanks

steve1980

I'd be contacting your host if your pc is not infected with a keylogger.

Otherwise, change host.

S0litaire

If possible UPGRADE Joomla to the latest version 1.7.0 or 1.6.6 ASAP!!!

If you can't, then make arrangements to move to a host that will let you use the latest version! as you're more than likely to be attacked again with probably worse results!

The main reason they were ably to deface the sites was probably a flaw in the older version.

steve1980

S0litaire wrote: »

If possible UPGRADE Joomla to the latest version 1.7.0 or 1.6.6 ASAP!!!

If you can't, then make arrangements to move to a host that will let you use the latest version! as you're more than likely to be attacked again with probably worse results!

The main reason they were ably to deface the sites was probably a flaw in the older version.

A friend of mine uses Joomla and he hasn't been hacked so upgrading to 1.7 is not going to make any difference.

Ny money is still on your host being infected rather than you.

_Andy_

S0litaire wrote: »

If possible UPGRADE Joomla to the latest version 1.7.0 or 1.6.6 ASAP!!!

If you can't, then make arrangements to move to a host that will let you use the latest version! as you're more than likely to be attacked again with probably worse results!

The main reason they were ably to deface the sites was probably a flaw in the older version.

Hi Sol

Will upgrading to 1.6/7 affect currently installed modules/plugins though?
Thanks

steve1980

_Andy_ wrote: »

Hi Sol

Will upgrading to 1.6/7 affect currently installed modules/plugins though?
Thanks

There is a possibility if they have not been tested with 1.7.

Before upgrading anything (bearing in mind 1.7 has only just come out) speak to your host and make sure that they have plugged the leak in their security system.

_Andy_

Thanks Steve

Vidahost don't seem to think it's a problem with them as such.
I have removed a J! component (CK forms) which apparently isn't secure although that wasn't on the main site. Also have uninstalled the old Wordpress and deleted the old folders etc.
Have tried various things with htaccess but all results in errors when visiting the site.

Looking like I will purchase a Joomla firewall/security component but not ideal.

steve1980

_Andy_ wrote: »

Vidahost don't seem to think it's a problem with them as such.

I bet they don't! They are never going to admit to a security breach.

If your computer is clean then there is only one way they could have accessed it.

_Andy_

Could it not be something specific to my Joomla though? Looking at the other sites hacked on same day it's not like he/she has done a whole load.
Have read about SQL injection attacks and changing table prefixes from jos_ but again it's all a bit of a minefield to me and not something I want to touch without help