Urgent help with website security after hacking


  • steve1980
    steve1980 Posts: 2,334 Forumite
    Just spoke to a friend who says......
    do NOT upgrade!!!! First advice to give him.... He will have to rebuild his site... content, modules... everything
    Changing the SQL prefix is a good idea... however it will require work and a possible new install.... "SHOULD" take someone like me a few hours to do it. The first thing to do.... change SQL passwords, admin passwords and hosting passwords....
    Also is he able to provide a link to the site or a more detailed description of the attack.... what did they change? What wording did they put in??
    Also do you have statcounter installed?
    Estate Agent, Web Designer & All Round Geek!
  • payless
    payless Posts: 6,957 Forumite
    are you running any "free" php scripts .. they seem to be the source of previous hacks into my sites
    Any posts on here are for information and discussion purposes only and shouldn't be seen as (financial) advice.
  • steve1980
    steve1980 Posts: 2,334 Forumite
    Estate Agent, Web Designer & All Round Geek!
  • tibbyuk
    tibbyuk Posts: 36 Forumite
    In terms of SQL-Injection, do you perform sanitisation and/or validation on inputs?

    Also an obvious one, but did you change default admin user/pass?

    It is most likely a vulnerability in your host's environment setup, but it's worth checking.
    First Time Buyer to Be!

    Current Deposit Saved: 35k
  • _Andy_
    _Andy_ Posts: 11,150 Forumite
    tibbyuk wrote: »
    In terms of SQL-Injection, do you perform sanitisation and/or validation on inputs?

    Also an obvious one, but did you change default admin user/pass?

    It is most likely a vulnerability in your host's environment setup, but it's worth checking.

    Hi Tibby

    1) No idea what you mean by sanitisation etc sorry!
    2) Yep changed all passwords etc

    cheers
  • _Andy_
    _Andy_ Posts: 11,150 Forumite
    Well, Vidahost say there isn't anything further they can do, but they've enabled raw logs 'going forward' and that as long as I've changed passwords I should be ok. hm.

    Looking at zone-h.org the IP (I'm guessing Vidahost server) was hacked in July (large amount of sites done) as well as yesterday (seven of mine and a few others).
    Would this indicate it was a hosting/server issue rather than something specific to my joomla etc?

    thanks again for help
  • tibbyuk
    tibbyuk Posts: 36 Forumite
    I haven't worked with Joomla, but I expect it should perform sanitisation.

    Basically it means checking any user input for special characters which are intended to subversively pass on commands to your database hosting your site.

    One way to test this is to go to a user input, such as a user login, and put in a word followed by ' OR 'x'='x' (the ' are important).

    For example try putting in: andy' OR 'x'='x'

    If this comes back with an input error saying you have put in invalid characters you should be fine.

    If it comes back with just a user not found you could be at risk.
    First Time Buyer to Be!

    Current Deposit Saved: 35k
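
The input-handling question raised in the post above, as an added example that is not part of the original thread and is not Joomla's code: the same lookup built by string concatenation and with a bound parameter, run against the probe string quoted in the post and against a legitimate name containing an apostrophe. The `users` table, its columns and the sample rows are constructed for illustration, and SQLite stands in for the site's database.

```python
import sqlite3

# Constructed sample rows; table and column names are hypothetical.
SAMPLE_USERS = [("andy", "hash-1"), ("o'brien", "hash-2")]


def make_db():
    """Build a throwaway in-memory database holding the sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_concat(db, username):
    # Weak pattern: the input is pasted into the SQL text, so any quote
    # character in it becomes part of the statement the database parses.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, username):
    # Corrected pattern: the statement text is fixed and the value is sent
    # separately as a bound parameter, so it is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def probe(lookup, username):
    """Run one lookup on a fresh database and classify what happened."""
    db = make_db()
    try:
        rows = lookup(db, username)
    except sqlite3.Error:
        # The input changed the statement enough that it no longer parsed.
        return "sql-error"
    finally:
        db.close()
    return "found" if rows else "not-found"


if __name__ == "__main__":
    # Plain name, legitimate name with an apostrophe, and the thread's probe.
    for value in ["andy", "o'brien", "andy' OR 'x'='x'"]:
        print(repr(value), probe(lookup_concat, value), probe(lookup_bound, value))
```

With the bound parameter, the probe string is looked up as a literal username and is simply not found, while `o'brien` still works; with concatenation both inputs reach the SQL parser and break the statement.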
  • _Andy_
    _Andy_ Posts: 11,150 Forumite
    Appreciate this isn't in English but can anyone here watch one of the hacker's YouTube vids and make out what exploit he's using (looks fairly simple though I don't understand it) and tell me how best to patch against future attacks?
    thanks!

    http://www.youtube.com/user/WUGW#p/u/22/3PP9dbR_h0Q
  • chewynut
    chewynut Posts: 374 Forumite
    This probably won't be extremely helpful as it's second hand, sorry.

    But a couple of years ago I worked for a small charity that had this problem. Over the course of a few weeks the charity website and a few of the tech guy's personal projects were repeatedly hacked and they couldn't work out how hackers were doing it. The contents of the sites were untouched but the front pages were black and had pictures of Willy Wonka on them for some reason.

    It turned out that the hackers were gaining access through the Joomla templates the tech guy was using.

    HTH in some way!
    'til the end of the line
  • As well as changing your passwords I would change my security questions, just to be on the safe side.
This discussion has been closed.