Hacked...2nd time - Joomla! Forum - community, help and support
Hello,
I am on a shared server. This is the second time my site has been hacked. And yes, I have followed the security measures outlined on this board, before, during, and after installation, including for 3rd party extensions.
My domain(s) are not the only ones hacked on the server. The hacker seems to be targeting Joomla installations across the board.
I have contacted host tech support, but they haven't gotten back to me yet (36 hours, yikes!). I wanted to pose the question here in hopes that a Unix/Apache person can tell me if this looks right.
I went browsing after the hack and found a curious user name in the /bin/ and /usr/xxx/xxx folders. Here is a small sample.
xxxxxxxxxx.com / bin
.. 4.00 kb dec 13, 2004 root root
bash 572 kb aug 18, 2004 jagilki psacln rwx r-x r-x
cat 14.2 kb aug 12, 2003 jagilki psacln rwx r-x r-x
cp 48.3 kb aug 12, 2003 jagilki psacln rwx r-x r-x
du 30.9 kb aug 12, 2003 jagilki psacln rwx r-x r-x
false 9.7 kb aug 12, 2003 jagilki psacln rwx r-x r-x
I am not a computer geek, but not a novice. This user is appearing on other domain names on the virtual host, and in the same directories, even if the domain is not using Joomla, PHP, Java, etc.
On the first hack, 3 domains were running a Joomla install. 2 were hacked/trashed. I changed 1 to HTML-based while I fixed the hacked/trashed Joomla install.
On the second hack, the remaining 2 Joomla installs were hacked and 1 was trashed. It seems the other hack didn't "take", but I can see defacements in the source of a few index.html files.
My question is, is jagilki supposed to be the user on these files? Logic tells me it should be the user name of the owner, or root, or apache, or something like that.
Also, there are strange happenings when I attempt to remove some of the defaced folders. It won't allow me to in FTP or the control panel. It seems the 3rd party extensions affected are joomlaexplorer, JCE, Deep Pockets, and !JComment.
example warning: unable remove file /httpdocs/site/administrator/components/com_joomlaxplorer/.config: filemng rm -rf failed: rm: cannot remove `/home/httpd/vhosts/xxxxxxx.com/httpdocs/site/administrator/components/com_joomlaxplorer/.config': permission denied filemng: error occured during /bin/rm command.
What I am thinking is that the server was commandeered through a shell, since I am not the only user affected. Were root permissions changed, causing the errors in the /bin/rm command?
I reinstalled Joomla on 1 of the sites this morning. Afterwards, when I browsed the files in the control panel, the permissions on the affected extensions I added in were automatically set to owner apache, user apache --- not --- owner me, user psacln like the other Joomla files. I wasn't allowed to set/change permissions (or delete, rename, etc.) on the affected files/folders.
I hope I did not ramble and was clear in what I tried to say.
Thanks for any thoughts on this.
Melanie
mcgyver45
You might not be able to remove the files due to them having a different owner than the user account trying to delete them....
In the first instance, if the server might have been compromised, it looks like the Plesk control panel, and unfortunately I don't use Plesk any more, so I'm not 100% sure about the owner name showing, but the group looks like the Plesk user, if I remember correctly.
I would be chasing the host on this machine, assuming a VPS or dedicated machine, and you need/want to know if there is a compromised machine on the network.
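An added example, not part of the thread: a small shell audit for the ownership mismatch described above, listing every entry under a web root that is not owned by the expected account and whether the invoking user can write to its parent directory (which is what `rm` actually needs in order to unlink a file). The function names and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and usage paths are hypothetical.

# Print "owner<TAB>can-unlink<TAB>path" for every entry under $1 that is not
# owned by the expected account $2. can-unlink is "yes" when the invoking
# user may write to the entry's parent directory, "no" otherwise.
foreign_owned() {
    find "$1" -exec sh -c '
        want=$1; shift
        for f in "$@"; do
            # Field 3 of "ls -ld" is the owner name (or numeric uid).
            owner=$(ls -ld "$f" | awk "{print \$3}")
            [ "$owner" = "$want" ] && continue
            if [ -w "$(dirname "$f")" ]; then w=yes; else w=no; fi
            printf "%s\t%s\t%s\n" "$owner" "$w" "$f"
        done' sh "$2" {} +
}

# Count entries per owner:group pair, largest first, to see at a glance
# which accounts own files in the tree (e.g. the site user vs. apache).
owner_summary() {
    find "$1" -exec ls -ld {} + |
        awk '{ n[$3 ":" $4]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# Usage (placeholders, adjust to the hosting layout):
#   owner_summary /path/to/httpdocs
#   foreign_owned /path/to/httpdocs youraccount
```

Entries reported with `no` in the second column sit in directories the account cannot write to, so they have to be removed by the host or by whichever process created them.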