Support Forum


hacking


Hi - I think I have a serious problem with hacking :-(

Earlier this week www.leadbetters.co.uk went down when the database password in configuration.php changed.

Yesterday I discovered pro-practice.tv was down, and that the database username and password had both changed.

Stupidly, I have been using the same password throughout all my sites.

First of all, is it possible for me to have inadvertently changed these values anywhere in Joomla global config? And if so how?

If not, has anyone any ideas which route a hacker might have taken to change these values? I feel it's probably either ftp or cPanel.

My brain seems to have seized up right now, so any thoughts or suggestions on where to start, and my best way forward would be much appreciated.

Thanks

Ian
  • ianpanorton
  • 6 Month Developer
  • 1258 posts
  • 3 Thanks
  • Karma: 7
Database details can be changed in global configuration. It might have been a browser auto-complete, but only you can decide if that is the case by what the details had changed to and if you recognise them.

As the information is stored in the configuration file, any script on the site inserted by a hacker could potentially be used to modify files in the account.
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
Hi Rob - thanks for getting back to me.

One of the usernames was changed to 'root' and the other to Ian Norton, so it could have been autofill.

However, I haven't touched the back end of one of the sites for months, so I don't think it was.

I do have Akeeba admin tools installed on all my Joomla sites so I imagine any new php files would have been spotted…

Would the host be able to recognise any intrusive scripts?

I am changing all my cPanel passwords anyway, but if there is a script somewhere that might not do much good.

Any thoughts?

Thanks

Ian
  • ianpanorton
  • 6 Month Developer
  • 1258 posts
  • 3 Thanks
  • Karma: 7
Hi Ian,

I think you need to run the php file change checker manually in admintools. It doesn't run automatically.

Your host might be able to give you a list of recent file changes by checking the file modification dates. Some will also scan for known malicious scripts but that is something you would need to discuss with them.

There are some scripts which will check for malicious files but they generally bring up lots of false positives so can take a lot of work.

github.com/btoplak/Joomla-Anti-Malware-Scan-Script--JAMSS-

If the passwords in the configuration files match your passwords for those usernames then I would have thought it would be autofill happening on the fields in global admin, probably getting filled without you knowing it as you edit something else.
I used to find the ftp fields filled with my site login quite often.

Rob
  • Robert Went
  • Moderator
  • 2210 posts
  • 196 Thanks
  • Karma: 90
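
A file change check of the kind discussed in the post above, as an added example that is not part of the original thread and is not Admin Tools' or the host's own code: it records a SHA-256 baseline of every `.php` file under a site root, then reports files added, removed or modified, and can list files by modification date. The function names and the sample tree (including `images/cache.php`) are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time


def snapshot(root, exts=(".php",)):
    """Map each matching file (path relative to root) to (sha256, mtime)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                files[os.path.relpath(path, root)] = (digest, os.path.getmtime(path))
    return files


def compare(baseline, current):
    """Report files added, removed or changed in content since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p][0] != current[p][0]),
    }


def modified_since(current, days, now=None):
    """Paths whose modification time falls within the last `days` days."""
    cutoff = (now if now is not None else time.time()) - days * 86400
    return sorted(p for p, (_h, mtime) in current.items() if mtime >= cutoff)


def demo():
    """Constructed sample tree: one file edited, one unexpected file added."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel, body in {"configuration.php": "<?php $user = 'site_db';",
                          "index.php": "<?php echo 'home';"}.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        baseline = snapshot(root)  # taken while the site is known to be clean
        with open(os.path.join(root, "configuration.php"), "w") as fh:
            fh.write("<?php $user = 'root';")
        with open(os.path.join(root, "images", "cache.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for an unexpected file")
        return compare(baseline, snapshot(root))
```

The content hash catches edits even when a file's modification time has been reset, which a date-only listing would miss; the baseline is only useful if it is taken from a known-clean copy and stored outside the web root.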
Hi Rob - thanks for this, and sorry for the slow reply.

I must admit I'm a bit boggled by what's happened. Quite possibly it's all down to user error on my part/autofill or something else.

Whatever, it's shaken my complacency and made me take a hard look at security.

I've run a program called mal det on my servers via ssh, and a couple of files on one of them were quarantined, so they may have been causing a problem.

I'm also changing all cPanel root and domain passwords and my server root passwords to unique random strings, which I'm logging in an Excel file which I'll print out and keep in a safe place.

Other than that I suppose I'll have to keep my fingers crossed and hope nothing horrible has been left in any of the websites.

Thanks again to you and Paul for your support on this.

Best wishes

Ian
  • ianpanorton
  • 6 Month Developer
  • 1258 posts
  • 3 Thanks
  • Karma: 7
Best wishes and good luck

I have been there with hacking so know how you feel

Cheers
Paul
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603
Thanks Paul :-)

Ian
  • ianpanorton
  • 6 Month Developer
  • 1258 posts
  • 3 Thanks
  • Karma: 7
Good luck :)
  • manh
  • Moderator
  • 45248 posts
  • 2106 Thanks
  • Karma: 603