Need expert to unhack our site

[Burbclaver]

I am running Mambo 4.5.1 on our camera club site. It has been maliciously hacked and replaced with something else. This is a free site that promotes photography group shoots in San Diego. The site has built a following of mebers who have made good friendships with other photographers through it.

I have managed to collect $600 as donations from members who do not want to see this site disappear, but without technical expertise we will have to abandon the site. If you are a Joomla expert who can update us to the latest version and link back the databases, we will be happy to pass the Paypal donation of $600 to you.

At the moment, our members are unable to use the site or contact each other: http://www.sandiegodslr.com. Please email me at [email protected] if you can help.

Here's what I got from our hosting company:

Hello Mark,

Most likely the hacker had gained access to your account through a security loophole in one of your scripts.

At this time, we recommend that you delete any of your current scripts and files and then re-install them using the latest versions available.

Typically newer versions of scripts will close any security loopholes that were previously discovered and help prevent future instances of this situation from happening again.

In regards to recovering your lost content, you may wish to contact your script provider for assistance on transporting your previous database information to your new installation.  I have checked your database and it appears to still be in-tact.

If you have any additional questions or concerns, please feel free to contact us again.

Regards,

Steve
Doteasy Customer Service

[avec]

Hi Mark

We also had a Mambo 4.5.1 site that was recently hacked (we'd forgotten to upgrade it) but we have since repaired it and it's now running happily on Joomla! 1.0.10.

I have emailed you to see if you still need help.

Regards
Geoffrey

---
Avec Solutions
Not-for-profit IT consultancy

[RobinH]

Most of these malicious hacks are simple to fix, and in several we've seen here it's as simple as replacing the index.php and config.php files with backups of the original.  Do you have a recent backup of your site?  If not, can you contact your hosting provider and find out when their latest backup was?  It's odd that they didn't offer that to you, but I'm assuming you're on a shared server.  If your not on a shared server then they likely won't have a recent backup.

[avec]

Yep, that's our experience too (that they can be easy to fix, particularly if you have a backup).

A useful thread on this subject is:
http://forum.joomla.org/index.php/topic,20701.0.html

It's certainly a wake up call for keeping sites up to date with the latest patches and for keeping backups.

If you can't rely on your web hosting company for making backups, consider one of the Joomla backup components. We're now using Site Backup (GPL) from bigAPE Development: http://www.bigape.co.uk/index.php?optio ... &Itemid=26 on a lot of our sites.

Geoffrey

[RobinH]

Yep, that's our experience too (that they can be easy to fix, particularly if you have a backup).

A useful thread on this subject is:
http://forum.joomla.org/index.php/topic,20701.0.html

It's certainly a wake up call for keeping sites up to date with the latest patches and for keeping backups.

If you can't rely on your web hosting company for making backups, consider one of the Joomla backup components. We're now using Site Backup (GPL) from bigAPE Development: http://www.bigape.co.uk/index.php?optio ... &Itemid=26 on a lot of our sites.

Geoffrey

I'm going in now and setting up a cron job for backups as all this talk on hacks that have occurred in the past 30 days makes me nervous.  Just finished backups of all my sql databases plus my root directory, but can't do a full backup until like 2 am as it'll take too much processor time.  I do a backup generally when I do a mod to a site, rather than doing sequential backups at a given period, but think I'm going to change that now and do at minimum a weekly.  So far I've been lucky and haven't had any attempts in the past year or so but that doesn't mean much nowadays.

[RobInk]

Hi,

@ Steve, I might have the 4.5.1. version still archived and available for you. RobinH could be right, it might be as simple as re-uploading index.php and configuration.php again.

[Burbclaver]

Thanks. I'm pretty certain it is simple as described. I haven't asked the hosting company about a backup, but I'm pretty certain they'll say it was my responsibility. It was on a shared server.

I think I could fix it myself, except I am leaving on a business trip next month and working to tight deadlines to get my current projects done by then. I have very little bandwidth. Also, although the database is still there, it's not that straight forward for reasons described below. I know very little about MySQL, so don't know if I can do it.

The installation is pretty standard. I made no manual patches that I can remember. Components included a Simpleboard forum and a Zoom picture gallery. We also had a calendar of events, Community Builder, and a private message module. We stopped using Zoom, because it was so buggy and now use an unconnected Coppermine gallery that has not been affected. The Zoom gallery remains as an archive and I would like to extract the pictures from its database and import them into Coppermine. Importing is no problem, but I don't know how to export them. I have heard Simpleboard is no longer supported in Joomla so I want to replace it with a board that is. I don't care about the messages, but it needs to use the member database and, ideally, Community Builder.

We need to upgrade the site to the latest Joomla and make it link to the database, preserving all users, menus, news and articles. It also needs to use our template that still exists in the template gallery and the template need to be tested that it still works and fixed if not.

My meagre budget looks more meagre by he minute.

[RobinH]

If you can't rely on your web hosting company for making backups, consider one of the Joomla backup components. We're now using Site Backup (GPL) from bigAPE Development: http://www.bigape.co.uk/index.php?optio ... &Itemid=26 on a lot of our sites.

Geoffrey

I went and checked out this package, are you sure it works with 1.0.10?  It's quite and old package, from April 2005.

[RobinH]

Thanks. I'm pretty certain it is simple as described. I haven't asked the hosting company about a backup, but I'm pretty certain they'll say it was my responsibility. It was on a shared server.

Because the index.php and configuration.php files change only seldom, your original files may work fine.  Have you been on your public_html directory to look at these files and see if they've been modified.  I know you say you're busy and don't have much time, but curious if these are the hacked files and if you have your originals. I could help at minimum reviewing those but would need ftp access to your root.  If you're interested in me taking a look, you'll need to PM me or email me as you don't want to post publicly your specific site info.

[avec]

Site Backup seems to work fine under Joomla for me and, according to the following reviews, most people:

http://extensions.joomla.org/component/ ... 35/#action

There seem to be minor issues with folders starting with a '.' but otherwise it simply archives all folders and a copy of the database.

Geoffrey

[RobinH]

Very good info, loading the componnent now, will give it a test drive. 

[RobinH]

loaded fine and did first backup, failed due to file size.  Found two files, but which is the real backup? One is under /administrator/backups and is about 28k, the other is under /administrator/components/com_babackup/backups/ and is about 89 meg. That's the one that an attempt to email failed on. 

[avec]

The backup failed? Or the email failed?

I haven't tried the email option -- no point in having the files emailed to me, if I can just download them from the server.

Which one is real? Both!

The large one will be the .tar.gz archive of all folders and files.

The small one will be the .gz of a dump of the MySQL database.

Geoffrey

[RobinH]

ah so... okay thanks!  The email failed, not the b/u, and it failed only because of the attachment size.

[Burbclaver]

I replaced the index.php file and everything is back, but now I have to upgrade. I'll check out the forums for how to do that.

[RobinH]

I replaced the index.php file and everything is back, but now I have to upgrade. I'll check out the forums for how to do that.

Great!  Sounds like you may have saved yourself some money!!!!  Let us know how it goes and if you need any other help.

[avec]

Great news!

Now, don't forget to back up before upgrading! 

Geoffrey

[Burbclaver]

Yes, I'm currently backing up several gb of data. After upgrading I'll replace any components that can't be upgraded to be secure.

Great news!

Now, don't forget to back up before upgrading! 

Geoffrey

[Burbclaver]

Well, I'm kind of getting there. I upgraded and everything looks ok until I try to login. Then I get a browser message saying 'You are not authorized to view this page'. Any ideas?

[RobInk]

Hi Steve,

You upgraded to Joomla! 1.0.10? If so, did you follow the migration article posted here: http://help.joomla.org/content/view/818/132/

Regards Robin

[Burbclaver]

Yes, I found that article linked from the upgrade forum and used to upgrade.

Hi Steve,

You upgraded to Joomla! 1.0.10? If so, did you follow the migration article posted here: http://help.joomla.org/content/view/818/132/

Regards Robin

[RobInk]

Okay great! So all you have left is the "You are not authorized to view this page" message when you login?

[Burbclaver]

Not sure what you mean about 'all I have left'. That's all I have left on the page when I try to login. It's a browser message like a 404 or whatever.

The site seems to work if I don't log in, but of course I can only access the open areas. I can log in to the admin backend no problem.

Once I'm able to log in, I intend to test components and replace any ones that have been reported risky with Joomla.

I've searched the forums and found a thread about people being unauthorized to view a resource, but I don't know if it's the same issue since resource isn't mentioned in my error message, just a page.

[Burbclaver]

I ran the diagnostics utility with the following results:

Compair file hashes against original
Filename Error Type
configuration.php File is corrupted or has been altered WARNING
diagnostics.php File is corrupted or has been altered WARNING
joomla_1.0.10.txt File is corrupted or has been altered WARNING

Created by Adam van Dongen - Joomla Diagnostics    © 2006 Adam van Dongen

I'm no further along with my problem.

[Burbclaver]

I just uninstalled Community Builder and now I can log in. My next move is to install the new version of community builder, and then to change Simpleboard and the Events Calendar, which I've read is a open to hackers.

Making progress!


...or so I thought. I get the error "Failed to move uploaded file to /media directory" trying to install Joomlaboard or Community Builder. The media directory is writeable.

...Now I've lost the forum altogether. I give up. RIP http://www.sandiegodslr.com. I have to get back to earning my living.

[absalom]

This should solve you regarding the /media directory issue:
http://forum.joomla.org/index.php/topic,34971.0.html
though it will require server reconfiguration.

The /media problem is to do with PHP limits as seen here

(You did make a backup of all the DBs before upgrading, right? )