Joomla website Hacked by: ~Abo Al-EoS

Portal Home > Knowledgebase > Articles Database > Joomla website Hacked by: ~Abo Al-EoS

Posted by ronelgon, 09-16-2013, 06:53 AM
Hello, My Joomla website was Hacked by: ~Abo Al-EoS. Even other websites not developed with joom where hacked but i have been able to restore them by editing the index file. I have tried to do the same on joomla sites but it has failed to work. I have edited all index files in both the root directory and the template but it has failed to work. So, where could these people possibly have hidden their files? Your help will be highly appreciated Thank you Ronnie
Posted by Dr_Michael, 09-16-2013, 07:40 AM
Did you check php.ini? Search your db as well.
Posted by Mohammed H, 09-16-2013, 08:11 AM
could be a malicious plugin/component .
Posted by ronelgon, 09-16-2013, 08:43 AM
It was a rootserver hacking. All my websites both in joomla and not in joomla where hacked. I have been able to restore sites not in joomla by editing the index files . But all sites developed with joomla are still facing the problem. The hacker replaced index.php and index.hmtl/ with their codes in all websites including sub-domins. So, am confused with what to do Your help will be highly appreciated Thnk you Ronnie
Posted by Dr_Michael, 09-16-2013, 08:48 AM
First, scan your PC with a good antivirus and antimalware.
Posted by Time4VPS, 09-16-2013, 08:54 AM
Check JCE editor. If you have old version, update it.
Posted by net, 09-16-2013, 08:54 AM
Moved > Hosting Security and Technology .
Posted by starline, 09-16-2013, 10:40 AM
If your server root is compromised, backup all user data and re-install the os freshly with new root ssh key and password.
Posted by AttackerNET, 09-16-2013, 05:51 PM
They might have injected your databases with a malicious code as well, Check your database tables, values and entries. A FULL backup restoration including databases is recommended then you can scan the accounts and upgrade all of your outdated Joomla installations and all associated plugins and themes. A full server security review is also highly recommended.
Posted by lynxmaestro, 09-17-2013, 12:36 AM
If you suspect a Root level hack, do a full scan at the earliest checking through the logs to see how they managed to get-in first time. From the looks ,its probably a SymLink attack. Check through all site files for filetype 'l'
Posted by foobic, 09-17-2013, 01:25 AM
Are you using shared hosting or a VPS / dedicated server? If it's shared hosting then it's most likely not a root compromise, but limited to your account. (In that case the attacker would still have access to all your websites). If it's a VPS or dedicated server and you're sure that root is compromised then as others have said, you need to reload the operating system. Either way you need to wipe out the Joomla installs completely and restore from earlier backups that you know are clean. Or install Joomla and all your themes and plugins again from scratch and then very carefully restore the sites' content, checking for malware as you go. There's simply no way to know how many back-doors the attackers left behind in your filesystem and databases or where they're hidden. Do you have an idea of how they got in? Obviously if you had vulnerable / outdated stuff installed on any of the websites (or as mentioned earlier, malware on your own PC) you also need to fix that or they'll come straight back in the same way.