Hackers attack Joomla / Mambo sites!
Published by Evil Bee Friday, 22 February 2008 15:22
A storm of exploits has come over Joomla and Mambobased websites. Hackers try to replace the page content and also install backdoor or IRC scripts. The security problem of the sites is (normally) not Joomla! Of course, you should run your site with the latest Joomla / Mambo versions.Nearly all hacks are done through holes in 3rd party components. At the moment, every hour there is a new component found with security problems.
You have to do something:
- Backup your files from the server NOW
- Backup your database NOW
- Check your backup (!!!!!)
- check for the latest version of Joomla / Mambo and update if needed
- check if you have one of the components used to hack the sites installed (check here and search for mambo and joomla or read this thread)
- if you have one or more of them, you'll have to update them (if a fix is available), manualy fix the problem or delete the program
- be sure to delete the files via FTP.
- IT IS VERY IMPORTANT THAT THE FILES ARE DELETED FROM THE SERVER!!!!
- set as much directories as possible to read only
- set configuration.php in the root to read only
- check your server-logs for strings like "mosconfig" (indicates an attack - doesn't mean that you are hacked, but check if the called script exists on your server)
- check server settings for RegisterGlobals. This should be set "off" (none of the known hacks would work with this setting - unfortunately some scripts won't work with this setting. Think about deleting these scripts)
- try to "harden" your site through .htaccess rules (check this thread for examples)
This is of course no complete step-by-step solution!!! Every site may have different settings and different problems.
If you need help to make your site save or to bring your site back online, contact us! We helped a lot of our customers not to get hacked and brought many other sites back online.