

sec-w.com hacked my joomla site




Posted by ruba, 12-18-2012, 10:36 AM
They changed my username to 'sec-w.com', and then I cannot access my site administrator. I have also hidden the Joomla administrator directory, but this happens daily. WHois sec-w.com and I see there is some security option located at http://sec-w.com/wl4b/ Can I use this? Is it trusty?

Posted by BestServerSupport, 12-18-2012, 10:47 AM
They may have replaced the index page of your Joomla website. Please check the code of your index page. Also, please check the FTP logs and check if you see any suspicious IP address. Block those IP addresses in your server firewall.

Posted by ruba, 12-18-2012, 11:05 AM
Can you check my index php? Is anything wrong here? index php template index php

Posted by ruba, 12-18-2012, 11:07 AM
And how do I check the FTP logs? Please.

Posted by simvic, 12-18-2012, 11:50 AM
You can ask your host to get the FTP logs for you.

Posted by dpeacock, 12-18-2012, 12:56 PM
I would take a close look at your directory structure and files. It's possible they uploaded some sort of PHP shell as well that they have gained additional access. Your host may be able to help you with this.

Posted by ruba, 12-18-2012, 02:31 PM
My host will not help me, because I maintain it myself.

Posted by alucasa, 12-18-2012, 02:35 PM
Hire a sys admin then. Last edited by alucasa; 12-18-2012 at 02:49 PM.

Posted by Afterburst-Jack, 12-18-2012, 02:41 PM
hire* --10chars

Posted by JSHosts, 12-18-2012, 02:46 PM
Did you follow all the tips that were given in your other thread? Last edited by JSHosts; 12-18-2012 at 02:55 PM. Reason: Found OP runs latest version of Joomla according to their other thread.

Posted by alucasa, 12-18-2012, 02:49 PM
Yeah, my bad on that misspelling. To be honest though, I am not too surprised OP being hacked.

Posted by KMyers, 12-18-2012, 04:03 PM
Also, be sure to look for any strange entries in your .htaccess. I have seen .htaccess redirects in many of the later WordPress and Joomla exploits.

Posted by Afterburst-Jack, 12-18-2012, 08:19 PM
If he had a sysadmin, might still have been accurate lol

Posted by nettiapina, 12-19-2012, 03:29 AM
To OP: you should probably hire a Joomla admin. Or someone with any PHP CMS background. I don't like Joomla, but it's easy enough to work with. If you want to compare the files, download the original packages. Do you have backups? Unfortunately, cleaning a hacked site might take some time and, if you're hiring outside help, get quite expensive.

Posted by ruba, 12-19-2012, 05:07 AM
My Joomla was 2.5.7; today I updated it to a higher version (2.5.8). Now it's running on a testing basis. If you have any more suggestions, you can submit them here; we will receive them.

Posted by ruba, 12-19-2012, 11:18 AM
Today again, just my admin password, and nothing else changed. But I am confused: how do they maintain this every day? Is it run with a cron job?

Posted by alucasa, 12-19-2012, 11:27 AM
No, that means your server is compromised. Or nulled scripts you use (if) might be giving a backdoor route. Who knows. Hire a sys admin or it will keep happening pretty much forever.

Posted by ruba, 12-20-2012, 10:33 AM
Hey, can you make clear to me how to check the FTP log? Where do I go?

Posted by BoardBoss, 12-30-2012, 07:28 AM
I don't intend to hijack this thread; however, I believe it better to post a reply here than create a new topic. If the admins disagree, then please move it to a new topic.

A server of mine got hit with the so-called sec-w.com hack yesterday. This thing is particularly nasty in what it does, and it did a lot of damage to almost every Joomla site on this server, and you'll understand why very shortly.

First, it appears the exploit began on a site running Joomla 1.5.26 (please understand that I am not blaming Joomla, nor anyone else, I am just stating the facts). This site was also running older versions of JCE, JoomFish, PhocaGallery and Breezing Forms. It appears from examining the server logs that someone uploaded a file using an exploit in the older version of JCE. It turned out to be some nasty shell scripts that were able to scan all the accounts on the server, then proceeded to modify all Joomla accounts by first changing every username to "admin" and then changing every username to "sec-w.com", and the password hash indicates all passwords for all users are the same. Effectively, then, any Joomla account and any (ALL) users are super user accounts and they all have the same password.

I am now trying to figure out the best way to change all user names to random values, and all passwords to random values, and then email these new credentials to everyone after first sending out an explanation about what happened and what to do next.

It doesn't hurt to ask, so here goes: Does anyone know how to stop this type of exploit from happening in the future? I know one thing is to make sure everything is current and updated; however, I can't personally confirm that on every site. Thanks!
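
A check for the account pattern described in the post above, as an added example that is not part of the original thread: it flags accounts renamed to the marker username and groups of accounts that share one stored password value. The table name `jos_users`, its `id`/`username`/`password` columns, and every row and hash below are assumptions constructed for illustration, loaded into an in-memory SQLite copy rather than a live Joomla database.

```python
import sqlite3

MARKER = "sec-w.com"  # username the thread reports accounts being renamed to

def load_sample(conn):
    """Constructed sample rows standing in for an export of the users table."""
    conn.execute(
        "CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    rows = [
        (62, "sec-w.com", "aaaa1111:SALT1"),  # renamed, shared hash
        (63, "sec-w.com", "aaaa1111:SALT1"),  # renamed, shared hash
        (64, "editor",    "aaaa1111:SALT1"),  # name intact, hash overwritten
        (65, "alice",     "bbbb2222:SALT2"),  # untouched
        (66, "bob",       "cccc3333:SALT3"),  # untouched
    ]
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?)", rows)

def audit_users(conn, table="jos_users", marker=MARKER):
    """Return ids renamed to the marker and groups of ids sharing one stored hash."""
    # Table names cannot be bound as parameters, so restrict them to [A-Za-z0-9_].
    if not table.replace("_", "").isalnum():
        raise ValueError("unexpected table name")
    renamed = [r[0] for r in conn.execute(
        f"SELECT id FROM {table} WHERE lower(username) = lower(?) ORDER BY id",
        (marker,))]
    # A salted hash should be unique per account; identical stored values
    # across accounts mean the column was bulk-overwritten.
    dupes = conn.execute(
        f"SELECT password FROM {table} GROUP BY password HAVING COUNT(*) > 1").fetchall()
    shared = {}
    for (pw,) in dupes:
        shared[pw] = [r[0] for r in conn.execute(
            f"SELECT id FROM {table} WHERE password = ? ORDER BY id", (pw,))]
    return {"renamed": renamed, "shared_hash": shared}

def accounts_to_reset(report):
    """Union of every flagged id: each needs its username checked and password reset."""
    flagged = set(report["renamed"])
    for ids in report["shared_hash"].values():
        flagged.update(ids)
    return sorted(flagged)

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    report = audit_users(conn)
    print("renamed to marker:", report["renamed"])
    print("reset required for ids:", accounts_to_reset(report))
```

Account 64 in the sample shows why the shared-hash check matters: its username looks normal, so a search for the marker name alone would miss it.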

Posted by dnki, 12-30-2012, 07:55 AM
Check the directory for malware/scripts that have been uploaded without your permission and delete them.

Posted by net, 12-30-2012, 08:25 AM
Moved > Hosting Security and Technology .

Posted by ssfred, 12-31-2012, 01:10 AM
Make a detailed scan of your account using malware detection tools like "maldet". Also ensure that your machine is safe by performing a detailed antivirus scan. Check for any reported vulnerability with the version of applications installed on the account.


