Getting hacked... Almost Daily.

chetanmadaan

Hi -

We have a WHM/cPanel server with a couple of Joomla installations on it... and we are getting hacked almost daily.

We have tried just about everything we can do to prevent this... but it just keeps happening.

We have tried:
- Reinstalling/updating to the latest Joomla version.
- Changing all our cPanel/Joomla backend passwords.


Happening:
- Hackers are able to upload all types of files, which lets them put bank logins on our site.
- Hackers are somehow able to bypass the cPanel login and do what they want to do.

What needs to happen:
- Is there a setting/program we can enable/install that will keep track of all the files that are being uploaded to the site and what script is being used to upload them?
- Is there a setting/script that can notify us whenever a new file is uploaded to the server and how it is uploaded? Based on a current system scan as the current set of files.

Thank you to anyone responding.
 

quizknows

One of your components or templates is likely trojaned or vulnerable. The most common Joomla exploits I've seen in recent months target old versions of com_jce (check for malware in public_html/images/stories).

You need to enable archiving of raw access logs in the cPanel account, and contact your web hosting support or hire a security admin if you cannot clean it or the infections recur. I recommend Sucuri (Sucuri Security — Protect Your Interwebs!).
 

noori

Hi everyone.
I have had the same issue for many days and I don't know what's going on.
My website has not been edited for 5-6 months. One day the browser showed me a warning that malware was detected. I logged in to my account and saw that all the pages of my site had been changed and that malware code pointing to some other site was in the pages. I removed all the pages and uploaded the backup. After that I discovered that my Facebook likes and Twitter tweets had increased to more than 2000, where previously they were not even 50. I knew my site was hacked, and again and again it got hacked. This is the third time it has been hacked and I have no idea what to do. Any help is appreciated...
 

cPanelMichael

"I knew my site was hacked, and again and again it got hacked. This is the third time it has been hacked and I have no idea what to do. Any help is appreciated..."
Have you reviewed any of the solutions offered on this thread? You may want to consult with a qualified system administrator or security expert if the solutions offered thus far have not been helpful.

Thank you.
 

calebstephen

Yes, security is definitely the no. 1 priority when dealing with servers.
I have built a server myself, so from experience: I have had a range of attacks, from SQL injections to HTACCESS and on to DDoS attacks. Since moving servers onto the one I built, with its HIGH level of security, I have never had any attacks.
Another thing is that I have heaps of Joomla sites on my server. Keeping the versions UP-TO-DATE is imperative. If you have J 1.0, 1.5 or any OLD versions of Joomla, UPGRADE to the latest 2.5 or 3.0 versions, as the new ones HAVE security hot fixes and patches.
Make sure you also install the following on your server if you have root access:
Mod Security
Config Server & Security Firewall
SuPHP
CP Hulk

Additionally, get a qualified systems admin to troubleshoot, secure and protect your system.
Hope this advice helps.
 

brianoz

I'd be wanting to check your PC fairly carefully; my initial thought would be that they have your PC compromised and are stealing your saved password. To catch this, set up a special FTP account and save it on your PC. Don't save that anywhere else.

Scanning with a few recent antivirus packages is usually enough; sometimes just one by itself doesn't find these sorts of trojan infections.

The other possibility is that they have compromised root on your server, or dropped a hacked file somewhere into your account and are using that to regain access. You'll need to scan the account for weird files using a combination of tools to find it; we use Configserver's cxs but maldet and other tools should be similar.
 

noori

brianoz, thanks for your valuable advice, but my issue is still there. Every day different malware is detected on my site. I think that's the responsibility of the server now, as I have installed 2 antiviruses and scanned my computer thoroughly. :(
 

24x7server

Hello,

I would also suggest that you install ConfigServer eXploit Scanner (cxs) on your server for the malware infection. It's a good active scanner which scans files as they are uploaded to the server.

Also scan your whole /home* directory with Linux Malware Detect (R-fx Networks) and check if any CMD SHELL files are present in your user account.

Thanks