Getting hacked... Almost Daily.

[chetanmadaan]

Hi -

we have a WHM/Cpanel server with a couple of Joomla installations on it... and we are getting hacked almost daily.

We have tried just about everything we can do prevent this... but it just keeps happening.

We have Tried:
- Reinstalling/updating Latest Joomla version.
- Changing all our Cpanel/Joomla backend passwords.


Happening:
- Hackers are able to upload all types of files which let's them put bank logins on our site.
- hackers are able to some how bypass the cpanel login and do what they want to do.

What needs to happen:
- Is there a setting/program we can enable/install that will keep track of all the files that are being uploaded to the site and what script is being upload to upload them.
- is there a setting/script that can notify us whenever a new file is uploaded to the server and how it is upload? based on a current system scan as the current set of files.

Thank you for anyone responding.

 

[quizknows]

One of your components or templates is likely trojaned or vulnerable. Most common joomla exploits I've seen in recent months target old versions of com_jce (check for malware in public_html/images/stories).

You need to enable archiving of raw access logs in the cPanel account, and contact your web hosting support or hire a security admin if you cannot clean it or the infections re-occur. I recommend sucuri at Sucuri Security — Protect Your Interwebs!

 

[storminternet]

Try Upload Guardian for preventing malicious files being uploaded into account.

 

[cPanelMichael]

You may also want to consider consulting with a system administrator/security specialist. There are several listing at:

cPanel Application Catalog - System Admin Services

Thank you.

 

[vlee]

You may want to also look into the following if not already have them installed on server

Mod Security
Config Server Firewall
SuPHP
Use PCI Compliance Settings

 

[robb3369]

I agree with Veldon but would also add in ConfigServer CXS:
ConfigServer eXploit Scanner (cxs)

 

[chetanmadaan]

Thanks Everyone. I will try my best.

 

[noori]

hi every one.
I had the same issued from many days and i dnt know whats going on.
My website that i never be edited from 5-6 month. one day the browser shows me the warning that malware detected. i login to my account and see that all the pages of my site is changed and malware code pointed to some other site is there in pages. i removed all the pages and upload the backup.after that i discovered that my facebook like and twitter tweets are increased too more than 2000 as previously they were not even 50. i knew my site was hacked and gain again it hacked. this is third time it is hacked and i had no idea what to do. any help is apreciated...

 

[cPanelMichael]

i knew my site was hacked and gain again it hacked. this is third time it is hacked and i had no idea what to do. any help is apreciated...

Have you reviewed any of the solutions offered on this thread? You may want to consult with a qualified system administrator or security expert if the solutions offered thus far have not been helpful.

Thank you.

 

[calebstephen]

Yes, definitely security is no.1 priority when dealing with servers.
I have built a server myself - so from experience, I have had a range of attacks from SQL injections to HTACCESS and onto DDoS attacks. Since moving servers onto the one I built - with its HIGH level of security, I have never had any attacks after that.
Another thing, is that I have heaps of Joomla sites on my server. Keeping the versions UP-TO-DATE is imperative. If you have J 1.0, 1.5 or any OLD versions of Joomla, UPGRADE to the latest 2.5 or 3.0 versions as the new ones HAVE security hot fixes and patches.
Make sure you also install the follwoing on your server if you have root access:
Mod Security
Config Server & Secuirty Firewall
SuPHP
CP Hulk

Additionally, get a qualified systems admin to troubleshoot, secure and protect your system.
Hope this advice helps.

 

[brianoz]

I'd be wanting to check your PC fairly carefully; my initial thought would be that they have your PC compromised and are stealing your saved password. To catch this, setup a special ftp account and save it on your PC. Don't save that anywhere else.

Scanning with a few recent antivirus packages is usually enough; sometimes just one by itself doesn't find these sort of trojan infections.

The other possibility is that they have compromised root on your server, or dropped a hacked file somewhere into your account and are using that to regain access. You'll need to scan the account for weird files using a combination of tools to find it; we use Configserver's cxs but maldet and other tools should be similar.

 

[noori]

brianoz thanks for your value able advices but my issue is there. Every day different malware are detected from my site. i think thats the responsibility of server now. as i had install 2 antiviruses and scan my computer thoroughly.

 

[sahostking]

Seeing as you stated joomla. Go through this page if you haven't already
Security - Joomla! Documentation

 

[24x7server]

Hello,

I will also suggest you to please install ConfigServer eXploit Scanner (cxs) on your server for the malware infection. It's good active scanner which is scanning the files while uploading on the server

Also scan your whole /home* directory through Linux Malware Detect | R-fx Networks and check if any CMD SHELL files are present in your user account.

Thanks

 

[cPanelNick]

Also you might consider trying out this addon: https://github.com/cpanelinc/addon_securityadvisor

 

[noori]

Thanks for your suggestions. i will surely install these.