My postfix/Joomla Ubuntu machine hacked

Hi,
I'm running an old version of Joomla (1.5) on Ubuntu. The machine has Postfix running on it.
Joomla got hacked, I'm not sure how, but I see various .php files appearing in my web site home directory from time to time. I'm removing the files of course, but they keep coming back.
I know the 'right' way to do this, but I don't have time to take care of that now.

The hacker is using my machine to send out spam. I see in /var/spool there are lots of spam messages and I see a lot of smtp processes running. For now, I've stopped Postfix, though I actually need it to run to send out results of a form I have on my website.
So, I'm asking this:
If I remove all of the hacker uploaded php files, but mail is still being sent out, how else can they be getting in to send the mail out?
I need a quick fix for this and some places to look for things. I can't upgrade Joomla right now and I can't move to another machine. Need to keep this one up as long as possible.

Thanks!
Nacht

postfix   4065  3977  0 13:21 ?        00:00:00 bounce -z -t unix -u -c
postfix   4066  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4067  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4068  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4069  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4070  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4073  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4080  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4082  3977  0 13:21 ?        00:00:00 smtp -t unix -u -c
postfix   4083  3977  1 13:21 ?        00:00:00 smtp -t unix -u -c
nachtmskAsked:
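An added example, not part of nachtmsk's question or any reply: a small shell script that answers the "how else are they sending mail" question from Postfix's own log rather than from the process list. Postfix records the origin of every accepted message, so counting messages per origin shows whether the spam is injected locally by the web server user (a PHP file under the site) or arrives over the network with a stolen mail password. It assumes Ubuntu's default log path /var/log/mail.log and the Ubuntu mapping of uid 33 to www-data; the log lines it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Before restarting Postfix, find out how
# the spam is being injected. Postfix logs every accepted message with its origin:
#   postfix/pickup ... uid=N   -> handed in locally via sendmail(1)/PHP mail() by uid N
#                                 (uid 33 is www-data on Ubuntu, i.e. a web script)
#   postfix/smtpd  ... client= -> arrived over the network; sasl_username= means an
#                                 account authenticated (a stolen mail password)
# Counting messages per origin tells you whether deleting the PHP files is enough
# or whether a mail password or relay setting also needs fixing.
# Real box: mail_origin_summary /var/log/mail.log ; postqueue -p lists what is
# still queued, and postsuper -d ALL discards it once you have kept a sample.

mail_origin_summary() {
    awk '
        /postfix\/pickup\[/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) print "local-pickup " $i
        }
        /postfix\/smtpd\[/ && /client=/ {
            origin = "smtpd-unauthenticated"; who = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^client=/)        { who = $i; sub(/,$/, "", who) }
                if ($i ~ /^sasl_username=/) { origin = "smtpd-sasl"; who = $i }
            }
            print origin " " who
        }
    ' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample of /var/log/mail.log (queue IDs, hosts and users are made up).
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 13:21:01 web postfix/pickup[3970]: 1A2B3C4D5E: uid=33 from=<www-data>
Mar  3 13:21:01 web postfix/cleanup[4001]: 1A2B3C4D5E: message-id=<aaa@web>
Mar  3 13:21:02 web postfix/smtpd[4050]: 2B3C4D5E6F: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Mar  3 13:21:03 web postfix/pickup[3970]: 3C4D5E6F7A: uid=33 from=<www-data>
Mar  3 13:21:04 web postfix/pickup[3970]: 4D5E6F7A8B: uid=1000 from=<nacht>
Mar  3 13:21:05 web postfix/smtpd[4051]: 5E6F7A8B9C: client=mail.example.net[198.51.100.7]
EOF
}

# Demo against the constructed log: the top line shows uid=33 (www-data) as the
# main injection path, i.e. a script under the web root is calling mail().
TMP=$(mktemp -d)
make_sample_log "$TMP/mail.log"
mail_origin_summary "$TMP/mail.log"
rm -rf "$TMP"
```

If the top origin is `local-pickup uid=33`, the web root is the way in and removing the PHP files (and keeping them out) stops the spam; a `smtpd-sasl` line means a mail account password has to be changed as well, and `smtpd-unauthenticated` traffic from outside the local network points at a relay misconfiguration in Postfix itself.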

GaryCommented:
Check all your Joomla files for inserted code (usually base64).
Change all your passwords.

Of course if you are not going to upgrade they will likely just break in again an hour later.
RobOwner (Aidellio)Commented:
And check your database for Cross Site Scripting / SQL Injection attacks (See section 5. The Code).  If you allow comments in your CMS, I'd be checking there first.
Steve BinkCommented:
Seconding Gary's comment - you need to upgrade this installation.  No one ever has time to upgrade - you need to make that time, especially when you are two major versions behind current.  This will reoccur, guaranteed.

My experience is limited to J2.5 and J3, but I've generally seen file upload vulnerabilities, and intrusions on the admin panel through brute force, or maybe an information leak.  The usual method is the attacker uploads and installs a new module into Joomla, which acts as a remote server admin panel.  In many cases, this panel is equipped to do nasty things like gather information, send spam, etc.  

Start with going through /components, /modules, and /plugins.  You can also query the database to see all installed items:
-- #__ is Joomla's table-prefix placeholder; substitute the real prefix when
-- running this by hand (jos_ by default). The table exists from Joomla 1.6
-- onward; 1.5 keeps the same information in jos_components, jos_modules and jos_plugins.
SELECT name, type, element, enabled, protected FROM #__extensions;

Pay close attention to the names.  Many of the bogus installs I've seen use tricky naming conventions, like webllinks and systym.  If you don't know what an item is, take a quick look at some of the code.  IME, the panel code is always heavily obfuscated (e.g., minified, uses base64 encoding with calls to eval(), etc.), and they use short, generic variable names.  If you find any, delete them, and try to remove the extension from Joomla.  Where there is one, there are probably others.  Keep looking until you've covered everything.

There are also file upload vulnerabilities in older Joomla versions.  I have forgotten many of the details, but IIRC, some can overwrite existing files, like Joomla's core files.  If you've been hit with this, good luck.  Their code could be sitting anywhere inside the site's document root.  

Again ... can't stress this enough ... upgrade the installation.  Yup, it's a pain, but is it more pain than dealing with this over and over?  Recovering from this one (hopefully) intrusion will not solve the problem of how the intruder got in.  As long as you leave the door open, they will come right in and make themselves at home.
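The checks Gary and Steve describe (inserted base64/eval code, PHP files where none belong, and extension directories that should not be there), written out as an added shell example that is not code from either of them. The document-root layout, the sample files and the allowlist file are all constructed for the demo; the allowlist is a placeholder, not the real Joomla core list, and should be generated from a clean copy of the same Joomla release.

```shell
#!/bin/sh
# Added example (not from the replies). Scripts the checks above so they can be
# re-run each time the files "come back":
#   scan_obfuscated ROOT        PHP files containing the obfuscation calls typical
#                               of injected code (some legitimate code uses
#                               base64_decode too: diff the hits against a clean copy)
#   php_in_static_dirs ROOT     PHP files in directories that should hold only
#                               uploads, caches or logs
#   unknown_extensions ROOT ALLOWLIST
#                               extension directories not on a list you have vetted
#                               (one "components/com_x" or "modules/mod_x" per line,
#                               built from a clean install of the same release)

scan_obfuscated() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'base64_decode *\(|eval *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\(|preg_replace *\(.*/e' \
        {} + | sort
}

php_in_static_dirs() {
    for d in images cache tmp logs; do
        [ -d "$1/$d" ] && find "$1/$d" -type f -name '*.php'
    done | sort
}

unknown_extensions() {
    root=$1; allow=$2
    for kind in components modules plugins; do
        [ -d "$root/$kind" ] || continue
        for dir in "$root/$kind"/*/; do
            [ -d "$dir" ] || continue
            name=$(basename "$dir")
            grep -qxF "$kind/$name" "$allow" || echo "$kind/$name"
        done
    done | sort
}

# Constructed document root: a clean core component, a look-alike component
# (Steve's "webllinks"), a random-named PHP file under images/, a clean template
# and a placeholder allowlist. None of this is real Joomla code.
make_sample_site() {
    s=$1
    mkdir -p "$s/components/com_content" "$s/components/com_webllinks" \
             "$s/modules/mod_menu" "$s/images/stories" "$s/templates/rhuk_milkyway"
    printf '<?php echo "article list";\n' > "$s/components/com_content/content.php"
    printf '<?php eval(base64_decode("c3BhbQ=="));\n' > "$s/components/com_webllinks/webllinks.php"
    printf '<?php eval(gzinflate(base64_decode("c3BhbQ==")));\n' > "$s/images/stories/xrtt756jaue.php"
    printf '<?php echo "template";\n' > "$s/templates/rhuk_milkyway/index.php"
    printf 'components/com_content\nmodules/mod_menu\n' > "$s/allow.txt"
}

# Demo against the constructed tree: expect the two obfuscated files, the one
# PHP file under images/, and components/com_webllinks as the unknown extension.
SITE=$(mktemp -d)
make_sample_site "$SITE"
echo "== obfuscated ==";        scan_obfuscated "$SITE"
echo "== php in static dirs =="; php_in_static_dirs "$SITE"
echo "== unknown extensions =="; unknown_extensions "$SITE" "$SITE/allow.txt"
rm -rf "$SITE"
```

On a real site, run the three functions against the document root after every cleanup and keep the output; a hit that reappears with a new random name a few hours later is the clearest sign that the entry point (not just the dropped file) is still open, which is the point Gary and Steve make about upgrading.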

nachtmskAuthor Commented:
Thanks everyone. I really appreciate the comments.
I know an upgrade is necessary but it's not something I can do now, so I needed some band-aids.

Nacht
lenamtlCommented:
Most of the time the hacker will edit the Joomla template file (index file) and add a PHP file in the template directory.
Remove the code from the template and delete the PHP file, which usually has a name made of random letters and numbers (the file name doesn't make sense), like this: xrtt756jaue.php

When I find this I check the date and time of these files and look for other files that have the same date and time, to find out if other files were modified too.

You could check AWStats or other stats apps to find the IP address related to that date and time and block it using .htaccess.
Also you can block some countries' IPs (you can find a list of countries to block) until you update or change the site CMS.

It's not perfect but it can help you for now.

I personally stopped using Joomla because of too many security bugs and updates.
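lenamtl's procedure (find the other files touched at the same time as the dropped file, find the IP addresses behind it, block them in .htaccess) as an added shell example that is not code from the reply. It assumes GNU coreutils/findutils (stat -c, touch -d, find -newer), an Apache combined-format access log, and Apache 2.2 .htaccess syntax (Deny from; Apache 2.4 uses Require not ip instead); the site tree, timestamps and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the reply). Starting from one file you know is the
# attacker's, (1) list every file in the document root modified within N minutes
# of it, (2) pull the client IPs that requested that file from the Apache access
# log, (3) turn them into .htaccess lines. Assumes GNU stat/touch/find, Apache
# combined log format, and Apache 2.2 "Deny from" syntax (2.4: "Require not ip").

files_modified_near() {
    # $1 document root, $2 known-bad file, $3 window in minutes (default 10)
    root=$1; bad=$2; win=${3:-10}
    t=$(stat -c %Y "$bad")
    lo=$(mktemp); hi=$(mktemp)
    touch -d "@$((t - win * 60))" "$lo"
    touch -d "@$((t + win * 60))" "$hi"
    find "$root" -type f -newer "$lo" ! -newer "$hi" | sort
    rm -f "$lo" "$hi"
}

suspect_ips() {
    # $1 access log, $2 file name to look for in the request line; hits per client IP
    awk -v f="$2" 'index($0, f) { print $1 }' "$1" | sort | uniq -c | sort -rn
}

htaccess_deny() {
    # same IPs as Apache 2.2 .htaccess directives, most active first
    suspect_ips "$1" "$2" | awk '{ print "Deny from " $2 }'
}

# Constructed fixture: a site tree with explicit mtimes (touch -t) and a
# combined-format access log. IPs are documentation ranges; nothing here is real.
make_fixture() {
    s=$1/site
    mkdir -p "$s/images/stories" "$s/templates/rhuk_milkyway" "$s/components/com_content"
    printf '<?php echo "template";\n' > "$s/templates/rhuk_milkyway/index.php"
    printf '<?php echo "article list";\n' > "$s/components/com_content/content.php"
    printf '<?php eval(base64_decode("c3BhbQ=="));\n' > "$s/images/stories/xrtt756jaue.php"
    touch -t 201403031321.00 "$s/images/stories/xrtt756jaue.php"    # the known-bad file
    touch -t 201403031320.30 "$s/templates/rhuk_milkyway/index.php"  # edited in the same session
    touch -t 201401010900.00 "$s/components/com_content/content.php" # untouched core file
    cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [03/Mar/2014:13:20:55 +0000] "POST /images/stories/xrtt756jaue.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2014:13:21:10 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Mar/2014:13:21:30 +0000] "POST /images/stories/xrtt756jaue.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2014:13:22:01 +0000] "GET /images/stories/xrtt756jaue.php HTTP/1.1" 200 64 "-" "curl/7.22"
EOF
}

# Demo: the template index.php shows up next to the dropped file, and two IPs
# requested the dropped file; the legitimate visitor does not appear.
FX=$(mktemp -d)
make_fixture "$FX"
echo "== files modified within 5 min of the dropped file =="
files_modified_near "$FX/site" "$FX/site/images/stories/xrtt756jaue.php" 5
echo "== .htaccess lines =="
htaccess_deny "$FX/access.log" xrtt756jaue.php
rm -rf "$FX"
```

The mtime check is only a lead, not proof: an intruder can reset timestamps, and a legitimate edit in the same window looks identical, so each listed file still needs to be read. Blocking the IPs buys time in the way lenamtl says; it does not close the upload path they used.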

nachtmskAuthor Commented:
Thanks. Yeah, I would stop using Joomla too if I could. This site was inherited and I just keep it together as best I can.
lenamtlCommented:
I understand, I was in a similar situation, and it requires a lot of time to convert to something new if there is a lot of content.