This Help forum is for issues related to the latest release (1.7.9). For issues related to the beta or GitHub version, please use their own Help forum.
Before asking for help please read "How to request help" by clicking on that tab above here.

Hacking 1 year 7 months ago #1

  • aase48
My site jannesslaegt.dk/webtrees has been hacked. I have reinstalled webtrees. It was fine for a couple of days, but suddenly it was back. I have restored to the webhotel's backup. Next morning it is there again.
Under index.php I found this, and I can see lines 2, 4 and 6 are wrong.
What do I do?
How can I prevent it?


Hacking 1 year 7 months ago #2

  • bertkoor
Is there any other PHP software installed on the same server? For instance popular CMS systems such as Joomla and WordPress are popular targets for hacking. Once they are infected, it will keep on infecting other PHP files on the same server.

Note that just replacing the .php files with the cleaned version might not be enough to get rid of the infection. It's possible that the poisonous content is in the database. The infector could have posted a text comment somewhere on your site containing malicious JavaScript code that starts the infection every time the text is rendered onto a page. You might not even be aware how or where it is done; the hacker could have found a backdoor.

So you're looking for a needle in a haystack. Your best bet is to wipe clean the whole server: remove all scripts and database content, and build it up again. Next best, if there is a backup of the whole site (not only the scripts but also database content) known to be made prior to the very first infection (which might be weeks before you first noticed it) try to restore that one.

This all can be prevented if the user account owning the process that runs the PHP server has no right to modify the PHP scripts. That has a side-effect: the auto-upgrade feature of webtrees can't be used anymore. But upgrading is a simple matter of overwriting the files in the webtrees folder.

So there need to be two accounts on the server: one that owns the scripts and may update them (your FTP account) and another account for the PHP server that may only execute them. That's the best way to harden yourself against these types of hacking. This is how my hosting provider had set it up initially. I hope your hosting provider can support you with this matter. If they cannot cooperate, then this might be a good time to switch.
stamboom.BertKoor.nl runs on webtrees v1.7.13
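
The two-account setup described in the post above can be checked from a shell on the server. This is an added example, not part of the original post or of webtrees: it lists every file and directory under a web root that the PHP process account could still modify. The account name `www-data` and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example. List everything under a web root that the PHP process
# account could modify.
# usage: audit_webroot ROOT PHP_UID PHP_GID [PHP_GID...]
audit_webroot() {
    root=$1; php_uid=$2; shift 2
    group_expr=""
    for gid in "$@"; do                 # numeric ids, so word splitting is safe
        group_expr="$group_expr${group_expr:+ -o }-group $gid"
    done
    # Flag a file or directory when the PHP account
    #   owns it (an owner can always chmod it writable again), or
    #   it is world-writable, or
    #   it is group-writable and belongs to one of the account's groups.
    # Writable directories count too: files inside them can be replaced.
    find "$root" \( -type f -o -type d \) \
        \( -user "$php_uid" -o -perm -0002 \
           -o \( -perm -0020 \( $group_expr \) \) \) -print | sort
}

# Constructed sample tree (hypothetical file names) for trying the audit.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/data"
    : > "$t/index.php"; : > "$t/data/config.ini.php"; : > "$t/shared.php"
    chmod 755 "$t"; chmod 644 "$t/index.php"    # not writable by others
    chmod 777 "$t/data"                         # world-writable directory
    chmod 666 "$t/data/config.ini.php"          # world-writable file
    chmod 664 "$t/shared.php"                   # group-writable file
    printf '%s\n' "$t"
}

# Run as: sh audit.sh /path/to/webtrees "$(id -u www-data)" $(id -G www-data)
# (www-data is an assumed account name; use the one your host runs PHP as.)
if [ "$#" -ge 3 ]; then
    audit_webroot "$@"
fi
```

An empty result for the script folders means an infected PHP process on the same server cannot rewrite them; folders the application must write to, such as a data directory, will still be listed and should hold no executable scripts.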


Hacking 1 year 7 months ago #3

  • aase48
Hey
I have Joomla installed and updated it after the first attack. I don’t know if I really need it or not, but I don’t know how to get rid of it. Perhaps I should try to contact them.


Hacking 1 year 7 months ago #4

  • bertkoor
Just updating Joomla is apparently not enough

JAVesey @ forum.joomla.org wrote:

ribo @ forum.joomla.org wrote: Here is a way to clean your joomla for sure
forum.joomla.org/viewtopic.php?t=946026


Semantics here (sorry!) but it's not "a" way, it's "the only" way to be sure that you've cleaned your site properly.


In short, the advice is to install Joomla again with a fresh empty database. So you lose all content. The infection is somewhere in the Joomla content, so there's no way around that.

Hacking 1 year 7 months ago #5

  • kiwi

aase48 wrote: Hey
I have Joomla installed and updated it after the first attack. I don’t know if I really need it or not, but I don’t know how to get rid of it. Perhaps I should try to contact them


That would be sensible. Joomla and WordPress are the most hacked products. Plus, if you haven't been using it, it is probably not up to date and therefore even more vulnerable.

A couple of other things.

Restoring from your website backup was probably a waste of time unless you first confirmed it pre-dated when the intrusion happened. That could well have been weeks (or more) before you noticed it, as they commonly inject a "back-door" then come back later to use it. You must work with your web host to inspect logs and to work out how it happened, or do as Bert suggests and wipe the server and start over.

Finally ensure ALL passwords are changed immediately, especially those of anyone with credentials to access that server. Most intrusion is through stolen passwords.
Nigel

www.our-families.info


Hacking 1 year 7 months ago #6

  • bertkoor

aase48 wrote: I have Joomla installed and updated it after the first attack. I don’t know if I really need it or not, but I don’t know how to get rid of it.


What do you mean?
You don't know whether you needed to update Joomla, or you don't know whether you need Joomla at all?

You should know what's hosted and used on your website. Just webtrees or also Joomla?
If you don't know whether you need Joomla, and you have the website for webtrees only, then the answer is probably no: you do not need Joomla. It might have been installed for you as a convenience when you got the web hosting. So then just remove everything in the Joomla folder.