Hi all, I need some urgent help over here... My Joomla site hosted with Frihost had been hacked (probably today)... currently I am still able to login to my Frihost cPanel... This is the first time my Joomla site has been hacked, thus I'm not sure what I can do to salvage it and to prevent it from happening again. Any help would be very much appreciated.
If I'm not wrong, I found the exploit used in hacking my Joomla account. But in order not to expose this exploit to potential hackers, I will only reply to PMs for the solution. I'll be sending a PM to one of the mods in a short while to inform them of the details of the exploit.
Here are the symptoms I faced:
Home page of Joomla site replaced. (Also shows a "Hacked By JaCKaL" site name)
Home page of Joomla administrator site replaced. (Also shows a "Hacked By JaCKaL" site name)
Login to both sites failed.
Access to cPanel is still allowed.
Access to database through cPanel is still allowed.
This exploit is in Joomla version 1.5.5 and all previous 1.5 releases. My advice to all who are using these versions, upgrade IMMEDIATELY.
Do you want your account to be reset (removed/recreated)?
I'll create an announcement about it. There is no real reason to not mention the exploit since it's already mentioned on Joomla and patched.
Thanks for your prompt reply. I managed to regain access by changing the admin password for my Joomla site through cPanel. I had also patched the reset.php file to prevent future exploitations. I'm intending to upgrade the entire version to the latest 1.5.6 after I confirmed that my site is now safe.
At the moment it seems like there is no need to reset my account but is there any way I (or you) could check the changes made by the hacker? I need to be sure that it is the only way the hacker came into my site and that no backdoor was created. Thanks.
If I were you I'd check for any new accounts, change all the admin passwords and let the admins change them to what they want afterwards, and then back up the database, remove all the Joomla files and put the new Joomla back in.
If the hacker could have gotten a backup from the database you should reset all passwords, tell the users their passwords might have been hacked and they need to change it and make sure they don't have the same password set on their email account.
I know it's not easy to get passwords from a database like this, but I am sure it is possible.
Over the past few days I had checked my site and did some measures to protect it. I had checked and there are no new accounts created. Admin passwords, both the site and cPanel had been changed. Files and database had been backed up.
Removing the existing Joomla files would be hard for me as I had done a relative amount of customisation to some of the files, and using a fresh copy would take me quite a lot of work. But I had updated it to the latest version (v1.5.6) using the patch available on the Joomla website.
Thanks for all the support, Frihost!