Hi guys,

The other day my joomla sites got severely hacked, more than 20 of them. The modus operandi was was that malicious code was injected into to the .htaccess file, pointing users to other websites. Also malicious .htaccess files were added to folders up from public_html. The thing that made the hack so nasty, was that each time I would remove an .htaccess file, 10 minutes later a new malicious one would appear. I am on shared hosting, with about 600 other sites, and the infections started from my reseller account and affected all joomla installs on the server.

Now I have been working day and night with my host to restore the sites on a new more secure server. And I need to migrate these sites to 2.5, and a small number of them need to be upgraded first from 1.5.23 to 1.5.26 before the migration can take place. Now my problem is this:

I cannot really execute anything on the new secure server with standard joomla permissions (755 for folders and 644 for files.) And when I open all permissions to 777, which ticks my host off, I can write to these files, but then it won't let the joomla install do chmod or fopen. it is very restrictive and nearly unworkable.

Meanwhile the problem I have is in the communication with my host. He claims that the new server is a modern server that is set with all the default security features on. And he keeps complaining about joomla that it cannot run on a 'modern server environment'. But I think he is missing something, and I don't have the knowledge to tell him what. There must be a way, something that can be done, so that the server accepts the Joomla installation as a valid user that can be approached through the web browser, and perform the operations as intended while remaining secure. Is there anything that springs to your mind that he must be missing in his server administration, or something that I can do to resolve this?
Thanks for your thoughts and insights, blessings,
Jelmar

The whole bamboo crew shuddered when your email came through.

Sounds like a nightmare.

As far as I know if the Joomla needs the permissions to be 777 then it means there is a discrepancy between the owner of the files between the Joomla user and the server.

I assume this is not the case if you just use the file manager to upload and extract on. Ownership issues can popup if you use ftp to upload the files though.

The other is that Joomla works best when suPHP is enabled on the server. Do you know if this is the case? If suPHP is installed and configured properly you shouldn't have any issues.

There are certainly secure servers that specialise in Joomla installations and I would ldefinitely ook at getting a VPS at the least. Sometimes hacks on shared servers can come from other accounts.

Hope this helps and please let us know how you get on.

Anthony

Personally, I would be looking at walking from that host to one who does know how to run a Joomla site securely. Joomla has no problem running under 755 permissions when the server is configured correctly.

Hey guys, Thanks for your responses. I expect we will be 'seeing' a lot of each other is the coming time... And yes, the situation would be a nightmare, if only would get some sleepB)

First off, Anthony, the suPHP suggestion is probably spot on. It was running on the old server, but not on the new one. My host says, though, that people can do 'dirty things' with it and does not want to budge on the matter yet. I have also asked the joomla security guys from the forums, and maybe they say something which would convince him.

And about moving to another host, well, I have a lot invested in this guy. Years of ups and downs. Not someone I would easily walk away from. He has been helping me all through the night last night to get things running again and is a real nice guy in general. I would rather he learn.

Anyway, on to the fun stuff;)

I have decided to leave the hosting stuff where it is for the moment, and concentrate on getting the sites upgraded to 2.5 locally, and deal with the remote when we need to get to it. A lot of sites I co-created were made with the old zengrid template from 2009, and of course I never cared about overrides and such stuff (and I guess I never really did understand them.) And this is breaking me up at the moment.

To migrate from 1.5.26 to 2.5.6 I have bought the SP Upgrade extension, because I read it is the least painful way. It requires one to make a fresh 2.5 install, install the extension on this destination site, and then press transfer to transfer the content from the old site to the new. I have completed this process now with a test site locally, also it is supposed to help with third party extensions, but we will see about that.

After the transfer, the 2009 zengrid template failed epically, and I have installed the latest zengrid framework. This one urged me to install a template, and I did both the zengrid default and the zenblank. The results can be seen in the screenshots.

1. Original
2. Zenblank
3. Zendefault

So I know already that I am stupid for not having used overrides. And given that I have no clue which files I have changed in the original, how would you suggest I proceed. Can I copy things to a folder that would make things better? How would I take the next step given this mess? Or am I getting off on the wrong foot and should I use a different method?
Thanks for your kind consideration. Blessings,
Jelmar

Hi Jelmar,

First of all, sorry to hear this happened to you on such a large scale.

I have dealt with instances of the pharma virus in the past (originaly targeted at wordpress sites but moved on to joomla).
It was similar to your situation where encoded htacess files were scatered around the site (actually htaccess.php files). On browsing to them I found a control panel more advanced than the hosting companys which gave me access to every file on the shared server.
So first of all this may not be down to an insecurity in your sites, rather another site hosted on the same server.

Regarding the use of suPHP, when configured correctly it is regarded as more secure than a standard handler, but when not set up correctly can be very insecure. That is the extent of my knowledge on that point. Joomla's ftp layer can help but unless you have a vps and ssh access it is far from ideal and not even ideal if you have that.

But moving on...

Migrating from 1.5 to 2.5 or just from one site to another, I have tried many things. So he is the solution I have found to be the cleanest-ish solution.
First, I have not tried spupgrade as there were many free solutions that people recommended.

First I tried j2xml exporter which seemed to cleanly take content from a 1.5 site to 1.7, but I tried this early on when it was just out and it wasn't quite enough.

A lot of people recommended Jupgrade which also had issues (the latest version seems to have the most) but I stuck with this for the first part of the process for a couple of reasons.

1. It keeps article and menu ids so internal links still work.
2. You can run it without affecting your current website.

The downside is that it uses the same database with the same prefix and copies over all your 1.5 extensions and can result in a mess of a database and file system (lots of old extensions hanging around in the background).

So my general upgrade process has come to be this:

1. Take a backup of the current site and make a local install.

2. Run jupgrade.

NB. The current version seems to have trouble downloading and installing a copy of 2.5, so I pre-install a copy and add the database prefix in the parameters and tell it to skip downloading and checks to get the old info into the new db.

3. Now I have a 2.5 site with original content plus a load of old rubbish. So I make a fresh install of joomla 2.5 with the same prefix as my migrated website.

4. I then go to the database of the jupgraded site and export the tables for content, categories, users and menus and then wipe those tables in the fresh install and import the new ones.

I then have a fresh site with my old content.

Next is to check which old plugins/components/modules the site was running and which ones I want to keep (if they have been upgraded) and install them.

Template and framework too.

The rest is really bits that are different between versions. Ie. metadata and page titles were added to articles and now they are added to menu otems which can be a long slog so sort out.
Also I check the urls of my old site and scan my new one using xenu (home.snafu.de/tilman/xenulink.html) and create 301 redirects in the htaccess file to make sure there are no 404's when people try to find a page from the old website.

That basically gives me the new site.

With your template css, it may well be that the css for the 2.5 version is different to the 1.5 version anyway and you would still have to tweek it to get everything looking as it was.
But you know that J templates have a custom css file system and now is the time to start using it!
I would install the template as is, and then check the bits that don't look right then go through your old css and add this to a custom file to keep it all in one place.

I'd like to say it's easy but unfortunately there are many trip ups along the way. My main suggestion is to try and get the cleanest 2.5 site you can from the whole upgrade path.

These are only my thoughts on the matter and maybe I have been doing it all wrong and someone can shed some light on it, but this is the way I have found to be best for me and trouble free in the long run.

Which ever path you choose, let us know how you get on. Maybe we can help, or maybe you can help us and others!

Regards,

Rob

Hi Rob,

Thanks so much for your elaborate response.

I am having trouble with this especially:

"But you know that J templates have a custom css file system and now is the time to start using it!
I would install the template as is, and then check the bits that don't look right then go through your old css and add this to a custom file to keep it all in one place."

I have the zen grid framework installed and the zenblank into it, that seems like a good place to start. But when I check the site in firefox, the css looks like i cannot do anything with it. And this is exactly the part i don't get. It does not seem to use the css in the zenblank theme at all.

When I inspect a heading 1 with firefox for example, I don't get a h1 specification and a fixed css file that it is in. But instead it says element.style {
color: #888888;} and the other css is an some sort of everchanging cache file:
http://localhost:8888/ngi_new/cache/zengridframework/css/css-d41d8cd98f00b204e9800998ecf8427e.php

I have had this trouble before and it is why I never touched the zen grid so much. How do I get these style specs to be in a real stylesheet that I can really edit. The complexity is just too much for me.

I really just need a simple: create a stylesheet that is called such and such, then place it in a folder called such and such and the set this and that option in the template to make the stylesheet override all others so I can make the changes.

Hi

Do you have css compression enabled in the template?

Its are under Extras tab > Performance in zen grid or in the new framework

Settings > performance

You could enable the custom_rename_to_custom.css stylesheet or drop a stylesheet in the user folder in the template

The user folder option is available in newer templates/framework

Thanks
Paul

Ahhh css compression *breathes out*, that makes things a lot better. Now getting somewhere:-) Thanks Paul.

I don't have a user folder, it seems

In order to now create the necessary changes, do I now for example copy the theme.css from templates/jbzenblank/css to templates/jbzenblank/layout?

And can I call it differently? like custom?

Also, I don't see a custom_rename_to_custom.css stylesheet when I search the installation.

Can you try dropping an empty stylesheet called custom.css into the template css folder first?

Then check the code source to see if the file appears

Paul

Dropped custom into templates/jbzenblank/css and it does appear in the output. When I adjust a rule, it also shows up, so that is great.

Is there anything else I should think about, meaning: are there any snags with this, some files it does not override or something?

And when I update from now on, it will leave this in place I assume?

As a rule I always backup before any template update using Akeeba Backup.

There shouldn't be an issue but I still backup

I've used this custom.css method myself on some zen grid sites and I've not come across any problems.

But I will check to confirm

Also just adding here that early next week I will be releasing 5 new starter themes to rival (and actually be alot better) than Zen Default.
You probably can't wait that long - but I have a beta version here of two of them that may suit.

Just wanted to let you know to avoid any pain when you see them released next week

Anthony

The custom.css loads after all of the other css files loaded by the template and framework so no need to worry there. Anything you put in there should override anything that comes before it in the source.

Actually if you install the template via the installer again it will likely overwrite this file. With v1 of the framework you can add a file to the user folder in the media/jblibrary/user and it will load ont he page as well.

Thanks

Okay great, thanks for all the support. I am making real good progress. I copied over all the template and theme css over into my custom file. The SPupgrader left the module postions intact, that that is great too. And there was just a discrepancy between the module width options of the old zengrid and the new template, but playing around with the options also fixed that. I am a having to learn things fast again, which is also kind of exciting.

Anyway, this is may be a joomla 2.5 thing, but there is a page title in pink that shows up over my article, and I have set everything to "hide" in the article parameters, like in the original. Any idea what / where this could be?

Attachments:
1. Original site
2. Destination site

I found it - this is from the menu item, it has an "article options" parameter which can show or hide the menu title. Do you happen to know if this can be set globally, would save me a ton of work.

Yes it can be set globally as well as in the article itself.

Very granular but potentially very complex.

Anthony

Yeah, I noticed it is very complex, and after reading about this stuff, it is even more confusing. It is weird that the article parameters are not overriding the menu article parameters. An unsuccessful attempt to simplify the trouble that was 1.5, it seems to me. At least there you could know, that if it was not in the article parameters it was in the cat's or section.
Here I still have not found a way to do this globally, even though the menu article parameter is set to follow global.
Wonder if there is another global I am not aware of.

Yes in the content manager - parameters area.

I agree that it's confusing and it took me soem time to come to grips with it.

Anthony

Not sure what you mean by content manager - all I can see is the Content menu item, and then the article manager in there. But setting those parameters does not affect Menus > (name of menu) > (name of menu item) > Article Options > Show Title > use global.