Yann de Champlain
asked on
Joomla website getting hacked - When refer is google, redirected to porn ads
Hi,
I am maintaining a website for a non-profit organization. They get hacked often by the same hacker and I can't find the security hole.
I'm not a Joomla guru.
1. I validated file and dir permissions, owner. (755/644)
2. I upgraded Joomla to latest on the main website (there are 3)
3. I installed a "firewall" and an "antivirus" inside Joomla (Plugins).
4. Online scanners do not detect anything wrong
5. .htaccess is:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule !(js|ico|gif|jpg|png|css|swf|flv|libraries|maint|admin|login|logout|reg) index.php [QSA,L]
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
I'm pretty good on WordPress security, not so comfortable on Joomla.
6. Unzipping the 351 Full package and deleting the install directory "fixes" the website.
-What can I do next to prevent any future malware insert?
-When it gets back again, how can I find it?
thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://extensions.joomla.org/extension/admin-tools-professional
ASKER
thanks a lot guys
Everything that William said should solve your problem for sure.
Baseline check and hardening as well, and also delete extensions that you are not going to use.
Don’t use “admin” as your username and choose a more complex password.
https://www.keycdn.com/blog/joomla-security/
Scan your Joomla site with Sucuri’s Website Malware and Security Scanner and Unmask Parasites. If the test doesn’t show any threats, it does not guarantee your website is completely secure; it just shows that the site poses no immediate threat to visitors.
A Joomla security extension we recommend taking a look at is jSecure. It offers two-factor authentication to further prevent someone from getting access to your site.
It is also important to note that as of Joomla 1.7, they started using random database prefixes for more security.
All files should have good CHMOD configuration. Preferably,
PHP files – 644
Config Files – 666
Other folders – 755
Below are six common HTTP security headers we recommend implementing and/or updating.
Content-Security-Policy
X-XSS-Protection
Strict-Transport-Security
X-Frame-Options
Public-Key-Pins
X-Content-Type
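An added example, not part of any post in this thread: one way to run the baseline check mentioned above, and to find injected files when they come back, is to hash a pristine unpacked copy of the Joomla package and compare the live webroot against it. The function names, the `RISKY` list, the `expected` exemption and the sample trees are assumptions made for this example.

```python
import hashlib, os, tempfile

# Extensions that can execute or change request handling on a PHP/Apache host.
RISKY = (".php", ".phtml", ".htaccess")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def manifest(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):  # do not follow links out of the tree
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = sha256_file(full)
    return out

def compare(clean_root, live_root, expected=("configuration.php",)):
    """Classify live files against the pristine package tree."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {"modified": [], "added_risky": [], "added_other": []}
    for rel, digest in sorted(live.items()):
        if rel in expected or clean.get(rel) == digest:
            continue  # site-specific file, or identical to the package copy
        kind = ("modified" if rel in clean else
                "added_risky" if rel.lower().endswith(RISKY) else "added_other")
        report[kind].append(rel)
    return report

def demo():
    """Constructed sample trees: one altered core file, two dropped files."""
    stock = {"index.php": "<?php // stock", "libraries/loader.php": "<?php // stock"}
    site = {**stock, "index.php": "<?php // stock + appended line",
            "images/banners/cache.php": "<?php // constructed: not in package",
            "images/logo.png": "constructed image bytes",
            "configuration.php": "<?php // site settings"}
    roots = []
    for tree in (stock, site):
        roots.append(tempfile.mkdtemp())
        for rel, data in tree.items():
            path = os.path.join(roots[-1], rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(data)
    return compare(*roots)
```

Legitimately installed extensions and any other sites hosted under the same root will also show up as added, so a manifest taken right after a verified cleanup makes a quieter baseline than the stock package.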
There is a cool tool to convert Joomla to WordPress, https://wordpress.org/plugins/fg-joomla-to-wordpress/. I have used it a few times to help Joomla website owners who have been hacked.
ASKER
Ok. For now this is not an option.
Joomla is really poor in security plugins. I tested admin-tools-professional as proposed but it's much more than the others.
ASKER
To keep you informed... I've been working with siteguarding and by changing the antivirus settings for heuristic search, we found almost 100 injected files and other hacker tools installed.
Did they exploit some flaw in Joomla or were they able to phish a password? How did they do this? Any ideas? I'm curious.
ASKER
For now I don't know yet. I think it must be Joomla, and perhaps through an extension. The types of files that were added or injected are pretty impressive. Tool to upload a file, tool to send mails, shell managers etc.
Open CMSs like Joomla, WordPress and Drupal have their fair share of gaps, mostly due to the extensions and being able to keep up with the latest patch. Fact of rat race ...
ASKER
In my experience on WordPress, once I patched and implemented firewall/antivirus plugins, I never had any other attacks passing through.
This one is also harder to fix because of its hosting structure. 4 websites configured into the root of the main one. It helps hackers quite a bit.
Will minimally ensure:
different admin password where possible,
update Joomla and all the extensions
removed unnecessary extensions
asked the server admin to scan website regularly and closed the findings
ASKER
thanks guys