LeTay
Joomla! outgoing emails scripts hacked ?

My Joomla! website has been hosted at OVH for a couple of years.
Now, for a couple of days (or weeks?), I have been getting OVH feedback (automatic emails from them) that some outgoing emails (mainly to addresses @gmx.de and gmx.at) are not delivered (names not known, etc.).
A dozen such emails every day, but a total of sometimes more than 40 emails sent ...
My website has RSForm! Pro and a form that sends email to exactly one specific address (that I manage) outside the OVH server.
I wonder how my website has been hacked: the OVH admin password, the Joomla! admin password and the FTP password are almost ... random! (I have them at home written on a paper in my desk; nobody has access to it.)
What shall I do to get rid of that hacking?
Thanks
David Favor

You said, "My Joomla! website is hosted at OVH since a couple of years", which gives a clue about how the hack occurred.

Several years ago several Kernel zero days were found.

Fixing this problem requires a fresh install, to be 100% sure of the fix.

Since you're using OVH, likely OVH has either already placed your machine in recovery mode or will. The determining factor here is the amount of Spam generated by your system.

So your first action will be this.

1) Determine an iptables rule blocking all outgoing SMTP packets... like...

iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with icmp-host-prohibited

2) If your machine is currently active, then you can login now + input this rule.

Also add a CRON task of...

@reboot iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with icmp-host-prohibited

3) If OVH has already placed your machine in recovery mode (SFTP access only), then call OVH support + tell them you require your machine be brought back online, so you can place a firewall rule blocking outgoing SMTP traffic.

You must do this by phone. If you attempt to just open a support ticket, this type of request will be denied.

If you call in + can convince the human on the phone, your first action will be to place the iptables rule, then they will usually bring your machine back online for a few minutes. Long enough for you to place the rule + stop outgoing Spam.

4) At this point, backup your data + do a fresh install. My preference is using Ubuntu LTS for 5x years support + latest Kernel.

5) Restore your data + problem should be fixed.

6) At this point, you can do a Malware Cleanse of your Joomla site.

7) Other considerations. Any plain text logins will eventually leave you hacked.

If you're using FTP, rather than SFTP, this may be how hackers got in.

If you're running HTTP, rather than HTTPS, this may be how hackers got in.

Same for POP3, instead of POP3s.

Same for IMAP4, instead of IMAP4s.

Be 100% sure 0% plain text data flows in/out of your machine.

Summary: Machines normally get hacked because software is out of date, or plain text logins are being used + someone just scrapes the login data off the wire.
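A script version of steps 1) and 2) above, added here as an illustration and not part of David Favor's answer: it installs the same REJECT rule only if it is not already in the OUTPUT chain, and appends the same @reboot line to the crontab exactly once, so re-running it during a hurried recovery window does not stack duplicates. The IPTABLES variable and the `--apply` switch are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): apply the outgoing-SMTP block from the
# answer above without stacking duplicate rules, and persist it via @reboot cron.
# IPTABLES is the firewall command; override it (e.g. with a logging shim) for a dry run.
IPTABLES=${IPTABLES:-iptables}
SMTP_RULE="OUTPUT -p tcp --dport 25 -j REJECT --reject-with icmp-host-prohibited"
CRON_LINE="@reboot iptables -A $SMTP_RULE"

# -C asks iptables whether an identical rule already exists; append (-A) only if not.
# $SMTP_RULE is deliberately unquoted so it splits into separate arguments.
ensure_smtp_block() {
    if "$IPTABLES" -C $SMTP_RULE 2>/dev/null; then
        echo "outgoing SMTP already blocked"
        return 0
    fi
    "$IPTABLES" -A $SMTP_RULE && echo "outgoing SMTP block installed"
}

# Read a crontab on stdin and print it with CRON_LINE appended exactly once.
# Kept as a pure text filter so it can be checked without touching the real crontab.
add_reboot_line() {
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
        [ "$line" = "$CRON_LINE" ] && seen=1
    done
    [ -n "$seen" ] || printf '%s\n' "$CRON_LINE"
}

# Install the @reboot entry into the current user's crontab (run as root).
install_reboot_cron() {
    (crontab -l 2>/dev/null || true) | add_reboot_line | crontab -
}

# Only touch the live firewall and crontab when explicitly asked to.
[ "$1" = "--apply" ] && ensure_smtp_block && install_reboot_cron
```

Run it as root with `--apply`; without the switch it only defines the functions, which is what lets the idempotency be checked on a copy of the crontab first.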
Hi,

To find out if you have malware:
You can run this tool on your website to find out if there is any malware: https://sitecheck.sucuri.net/

If you have malware, the file is usually located in the images folder or in the theme folder, as the chmod is usually more permissive.
Check for recent file changes. Check for PHP files that have strange names.

If you have a good antivirus, when you download the site files to your computer it will probably alert you, and this will give you the name of the infected file. Or, once on your PC, scan the entire site folder with the antivirus.

Use a security component that monitors file changes and malware.

When using Joomla you need to update everything very often, and you should subscribe to get notifications of security updates.

If you already use up-to-date Joomla and component versions:

Try to add reCAPTCHA to your form.
Be aware that bots can bypass reCAPTCHA and use your Joomla forms, and there is not much you can do if a human fills in the form.
Uninstall every third-party component / module that you are not using.

Add an HTTPS certificate; this can help a lot.

Also, you may want to check if your email is blacklisted:
http://www.barracudacentral.org/lookups
https://mxtoolbox.com/
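The two checks this answer recommends (PHP under the images folder, and recently changed PHP files), written out as a small script. This is an added illustration, not code from the answer; the webroot path and the day count are arguments you supply, and the `*.php.*` pattern is an assumption covering double-extension names such as `logo.php.jpg`.

```shell
#!/bin/sh
# Added example (not from the thread). Walks a Joomla webroot and lists the two
# things the answer above says to look for: PHP files sitting in images/ (where
# Joomla never puts code) and PHP files whose mtime is recent.
# Usage: sh hunt.sh /path/to/joomla [days]   (days defaults to 7)

# Any PHP-looking file under images/, including double-extension disguises
# such as x.php.jpg and the .phtml variant.
php_under_images() {
    find "$1/images" -type f \
        \( -name '*.php' -o -name '*.php.*' -o -name '*.phtml' \) 2>/dev/null | sort
}

# Every PHP file modified within the last $2 days. Sorted by path so the output
# is stable and can be diffed against a known-good copy of the site.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Print both lists with headings; an empty first section is the expected result.
report() {
    root=$1
    days=${2:-7}
    echo "== PHP files under images/ (should be none) =="
    php_under_images "$root"
    echo "== PHP files modified in the last $days days =="
    recent_php "$root" "$days"
}

[ "$#" -ge 1 ] && report "$@"
```

A legitimate Joomla update also touches many PHP files at once, so compare the second list against the date of your last update before treating every hit as malicious.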
LeTay

ASKER

There is only one single form on the site.
When correctly filled in (with a captcha as well), it sends an email to one FIXED address.
So the form does not seem to be the guilty one (and it is located inside the MySQL database of Joomla!).
LeTay

ASKER

I keep Joomla! up to date each time there is a new version ....
I have MalwareBytes on my PC and a full copy (more than 10.000 files) of the Joomla! stuff on my PC.
No virus found there till now.
If your machine is sending Spam + OVH has notified you about this, then you only have a short window to block outgoing Spam before OVH takes your machine offline.

First step, follow my suggestion above.

After your iptables rule is in place, then you can determine your next steps.

Tip: If you wait too long + OVH takes your machine offline, then you may be forced by OVH to do a full reload.

To put this in more simple terms, when OVH takes a machine offline, the only option enabled in the backend dashboard is a full system reinstall.
LeTay

ASKER

Well, I have no access to tools or other stuff on the machine hosting my Joomla!
You said, "Well, I have no access to tools or other stuff on the machine hosting my Joomla!"

Question is whether you pay OVH a monthly fee or pay someone else for your hosting.

OVH or other person?
LeTay

ASKER

OVH directly