Joomla
Sergei Nedder, 2014-09-11 08:06:18

A Joomla site was hacked by an attacker: how do I find out where the hole is?

There are several sites on Joomla 2.5.6; recently I found that index.php and index.html had been replaced with pages of some kutzhacker from Indonesia. I killed them and returned the old pages to their place, but the question arose: how was the hack carried out, and how do I close the hole?
The passwords are complex, and it looks like the sites themselves were not hacked, but somehow the attacker was able to delete my files from the root folder and upload his files there.
Are there any tools for such analysis?

2 answer(s)
Ivan Kiselev, 2014-09-11
@homelessness

For starters, you should note the date and time when those files were modified. Match ssh/ftp connections to the server against that time. If there is no obvious correlation, analyze recent POST requests to the server and pick out the ones that are "unusual" for your site; it is better to log POST requests, saving all the parameters passed.
For example, write the following script:

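<?php
// Log every POST request together with its parameters.
if (count($_POST) > 0) {
        $data = "";
        foreach ($_POST as $key => $val) {
                // Array parameters are flattened to text instead of being logged as "Array".
                if (!is_string($val))
                        $val = print_r($val, true);
                // Truncate long values to 2000 characters.
                if (strlen($val) > 2000)
                        $val = substr($val, 0, 2000);
                $data .= $key . "=>" . $val . "\n";
        }
        // The Host header is client-supplied: keep only characters that are safe in a file name.
        $host = preg_replace('/[^A-Za-z0-9.-]/', '_', isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'unknown');
        $fp = fopen("/path/to/log/dir/" . $host . ".log", "a");
        if ($fp) {
                fwrite($fp, date("Y-m-d H:i:s") . " " . $_SERVER['REMOTE_ADDR'] . "\n" . $data . "---------------------------\n");
                fclose($fp);
        }
        $data = "";
        reset($_POST);
}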

And add to apache:
Thus, in case of a repeated attack, having seen the change time of your index.php, you will be able to correlate the change time of index.php with a certain set of POST requests, thereby analyzing through which "holes" the attack on the site was carried out.
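
The correlation step described in the answer above, as an added example that is not part of the original answer: it parses the log format written by that PHP script and returns the POST requests closest to a file's modification time. The function names, the sample log and the timestamp are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+)$")
# Limitation: a continuation line that itself looks like "word=>..." is read as a new key.
PARAM = re.compile(r"^([^\s=]+)=>(.*)$")
SEPARATOR = re.compile(r"^-{20,}$")

def parse_post_log(text):
    """Return a list of (timestamp, ip, params) records from the logger's output."""
    records, block = [], []
    for line in text.splitlines():
        if not SEPARATOR.match(line):
            block.append(line)
            continue
        head = HEADER.match(block[0]) if block else None
        if head:  # skip blocks without a valid "date time ip" first line
            params, key = {}, None
            for body in block[1:]:
                m = PARAM.match(body)
                if m:
                    key = m.group(1)
                    params[key] = m.group(2)
                elif key is not None:  # multi-line value continues
                    params[key] += "\n" + body
            ts = datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S")
            records.append((ts, head.group(2), params))
        block = []
    return records

def requests_near(records, modified_at, window=timedelta(minutes=5)):
    """POST requests within `window` of a file's modification time, closest first."""
    hits = [r for r in records if abs(r[0] - modified_at) <= window]
    return sorted(hits, key=lambda r: abs(r[0] - modified_at))

# Constructed sample log and modification time (not real data).
SAMPLE_LOG = """2014-09-10 21:14:02 198.51.100.7
option=>com_users
task=>user.login
---------------------------
2014-09-11 03:41:55 203.0.113.20
option=>com_example
upload=>line one
line two
---------------------------
2014-09-11 03:47:10 192.0.2.33
search=>boxing
---------------------------
"""
# In practice: datetime.fromtimestamp(os.path.getmtime("/path/to/index.php"))
INDEX_MTIME = datetime(2014, 9, 11, 3, 42, 0)

if __name__ == "__main__":
    for ts, ip, params in requests_near(parse_post_log(SAMPLE_LOG), INDEX_MTIME):
        print(ts, ip, sorted(params))
```

The logger stamps entries with PHP's date(), so the log is in PHP's configured time zone; compare it with a modification time expressed in the same zone.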

Bako500, 2021-02-15
@Bako500

What is not working on my site, and how can I fix what is wrong?
https://rusboxing71.ru/administrator/
