sibony88
for your questions, the server and the joomla are up to date and the ftp is now closed to outside (local only).
Just out of interest, were the various installs of Joomla "up to date" when the original hack occurred ?
Also was your server "up to date" when the original hack occurred ?
Also were ALL other apps or contribs (not just web apps/contribs) also "up to date" when the original hack occurred ?
Did you actually determine the exact nature of the attack, ie did you identify a vulnerability in Joomla, or PHP version or something else etc etc ? Was there published information about this vulnerability & what it does to systems ?
Keep in mind that one vulnerability may interact with another vulnerability to allow access to a hacker, so "all parts" of "everything" must be kept up to date.
As mentioned previously, the hacker(s) may have left numerous "back doors" on your system, so if you remove one problem (eg update Joomla), they can then use other exploits still on your system. These can be & usually are hidden in or amongst system files, so that is why it is important to reinstall your server OS and reinstall contribs etc.
If you can explain to me how or what is secured the ibays (eg against shared tmp folders cross hacking etc) ?
In particular the open base dir restriction issue where a common tmp folder is specified for all ibays & PHP contribs, but there may be other issues eg wrong permissions on folders & files, inappropriate settings (from a security point of view) both for the ibay & the contrib within the ibay, and ensure that ONLY strong passwords are used for ANY & ALL passwords on your system
http://wiki.contribs.org/PHP#Open_basedir_restriction
There was a recent (in the last few weeks) forum thread discussion about pros & cons of the php tmp files, so check that, but essentially every contrib should use separate php tmp files only within that contrib's application files path & therefore not accessible to any other contrib or user etc. In my opinion the wiki article needs improvement as it specifies a common /tmp folder, been too busy to make any changes myself just yet.
I think I will reinstall the server; my only concern is that the backup will also be hacked.
There is no magic answer here, finding out when the ORIGINAL hack occurred can give you a timeline to see if older backups were not affected (ie infected).
The hacker may have gained access before it became apparent to you as non functional sites etc, so you really need to go back in time and restore from a known good (ie clean) backup, assuming of course you have retained old backups (which is a highly recommended thing to do). Affa helps a lot in this regard, but it is really a function of your backup policy & regime.
It may be best that you only partially enable all sites on your server, ie turn on one Joomla website only, and see if hacking or errant emails/spam still occurs. After a while (a day or two or three) turn on other sites (one by one, not all at the same time) and observe system behaviour.
If you restored some sort of exploit from a backup, then the above approach may help you identify it.
The problem is the hacker may have again corrupted your whole system with only one exploit being allowed to operate (ie coming from your restored backup).
In your current case it sounds like there is still an exploit residing on your repaired system.
You really have to be very careful in these situations, or you will just end up with another corrupted server and have to go through the whole process again.
It may be a case of rebuilding your server slowly, one contrib at a time, and using selective restore, ie after reinstalling a fresh OS, then reinstall the Joomla contrib for one site into one ibay, restore (via dump or whatever) the database for that site from the backup, and then see if the new server and the first new site works OK. When all is good, do the same with the next site etc.
It will depend on your situation, whether you have older (known good) backups to restore from etc, BUT you MUST reinstall a clean OS (ie overwrite any existing install) and reinstall all contribs & apps etc, that's the only way to ensure a "clean" server.
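The shared-/tmp point raised above (one php tmp folder reachable from every ibay, so a compromised site can read or plant files for its neighbours) can be checked mechanically. The script below is an added example, not code from this thread or from the SME Server project: it audits an Apache/PHP config fragment for open_basedir, upload_tmp_dir and session.save_path values that point at /tmp, and prints the per-ibay replacement directives. The ibay names (site1, site2) and the config lines are constructed; only the ibay path layout /home/e-smith/files/ibays/<name>/html is taken from SME Server, and the exact directive form on a real server is whatever the templates generate.

```shell
#!/bin/sh
# Added example (not from the forum post or the SME Server project): audit
# per-ibay PHP settings for a shared /tmp and print the hardened replacement.
# Ibay names (site1, site2) and the config lines are constructed; only the
# path layout /home/e-smith/files/ibays/<name>/html follows SME Server.

IBAY_ROOT=/home/e-smith/files/ibays

# Constructed Apache/PHP fragment: site1 shares /tmp with every other ibay
# (the weak setting the thread warns about); site2 keeps its temp files in a
# private directory beside, not inside, its web root.
SAMPLE_CONF="<Directory $IBAY_ROOT/site1/html>
    php_admin_value open_basedir $IBAY_ROOT/site1/html:/tmp
    php_admin_value upload_tmp_dir /tmp
    php_admin_value session.save_path /tmp
</Directory>
<Directory $IBAY_ROOT/site2/html>
    php_admin_value open_basedir $IBAY_ROOT/site2/html:$IBAY_ROOT/site2/tmp
    php_admin_value upload_tmp_dir $IBAY_ROOT/site2/tmp
    php_admin_value session.save_path $IBAY_ROOT/site2/tmp
</Directory>"

# shared_tmp_findings CONF_TEXT
# Prints "<ibay> <directive>" for every open_basedir, upload_tmp_dir or
# session.save_path value that contains /tmp (or a path under it).
# Exit status 0 = nothing shared found, 1 = at least one finding.
shared_tmp_findings() {
    printf '%s\n' "$1" | awk '
        /<Directory/ {
            # split on "/" gives an empty first field, so for
            # /home/e-smith/files/ibays/<name>/html the ibay name is p[6]
            split($2, p, "/"); ibay = p[6]
        }
        /php_admin_value (open_basedir|upload_tmp_dir|session\.save_path)/ {
            n = split($3, parts, ":")
            for (i = 1; i <= n; i++)
                if (parts[i] == "/tmp" || parts[i] ~ /^\/tmp\//) { print ibay, $2; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# count_shared_tmp CONF_TEXT  -> number of offending directives
count_shared_tmp() {
    shared_tmp_findings "$1" | wc -l | tr -d ' '
}

# hardened_directives IBAY
# Prints the three directives rewritten to use a private tmp directory for
# that ibay. That directory has to be created separately, writable by the
# web server user and kept outside html/ so it is never served.
hardened_directives() {
    ibay=$1
    tmp="$IBAY_ROOT/$ibay/tmp"
    printf 'php_admin_value open_basedir %s/%s/html:%s\n' "$IBAY_ROOT" "$ibay" "$tmp"
    printf 'php_admin_value upload_tmp_dir %s\n' "$tmp"
    printf 'php_admin_value session.save_path %s\n' "$tmp"
}

# Stand-alone run: list findings, then show the corrected directives per ibay.
shared_tmp_findings "$SAMPLE_CONF" | sed 's/^/finding: /'
shared_tmp_findings "$SAMPLE_CONF" | awk '{ print $1 }' | sort -u | while read -r ibay; do
    echo "ibay $ibay shares /tmp; replace its directives with:"
    hardened_directives "$ibay"
done
```

Run against the sample it reports the three site1 directives and nothing for site2; feeding the hardened_directives output back through shared_tmp_findings returns clean, which is the check worth repeating after every contrib is reinstalled into its ibay.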