The Community Forums


joomla website compromised. advise please

Discussion in 'Security' started by nagyosha, Apr 14, 2014.

  1. nagyosha

    nagyosha Member

    Hi all.
    CentOS and cPanel are all up to date: CENTOS 6.5 x86_64 kvm – titan,
    WHM 11.42.1 (build 6). rkhunter, lfd, modruid, suEXEC.

    One of my client's accounts was compromised yesterday.
    He runs Joomla 2.5.19 and VirtueMart 2.0.18a.

    I assume they got in through his Joomla install and, from what I can see from the Tripwire modified file reports, managed to install the following:
    /public_html/images/.jindex.php
    and
    /public_html/components/com_users/3tsa5z.php

    It was malware for sending out emails. I was alerted by LFD telling me localhostrelay reports
    /public_html/components/com_users 3 args: /usr/sbin/sendmail -t -i

    I've cleaned what I can see has changed, but am of course concerned as to how it was hacked, and also want to ensure that they did not manage to hack from here to anywhere else.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may want to review the domain access logs or the Apache access log for the time period it occurred to see if you can find additional details about how the account was exploited.

    Thank you.
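
One way to do the access-log review suggested above, as an added example that is not part of the original post. It assumes the domain log uses Apache's "combined" format; the sample lines, IP addresses and the `com_example` request are constructed, and only the two dropped file names come from the thread.

```python
import re
from datetime import datetime

# Files the first post reports as dropped (URL paths relative to public_html).
DROPPED = ("/images/.jindex.php", "/components/com_users/3tsa5z.php")

# Assumption: Apache "combined" LogFormat; adjust the regex if yours differs.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input, not taken from the compromised server.
SAMPLE = """\
198.51.100.7 - - [13/Apr/2014:09:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2014:10:14:03 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [13/Apr/2014:10:14:09 +0000] "GET /images/.jindex.php HTTP/1.1" 200 20 "-" "-"
203.0.113.9 - - [13/Apr/2014:10:15:40 +0000] "POST /components/com_users/3tsa5z.php HTTP/1.1" 200 44 "-" "-"
""".splitlines()

def parse(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["file"] = rec["path"].split("?", 1)[0]  # path without query string
    return rec

def lead_up(lines):
    """For each client that requested a dropped file, return the time of its
    first such request and everything it requested before that point."""
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["time"])
    report = {}
    for r in records:
        entry = report.setdefault(r["ip"], {"first_hit": None, "before": []})
        if entry["first_hit"] is None:
            if r["file"].endswith(DROPPED):
                entry["first_hit"] = r["time"]
            else:
                entry["before"].append((r["method"], r["path"], r["status"]))
    return {ip: e for ip, e in report.items() if e["first_hit"]}

if __name__ == "__main__":
    for ip, e in lead_up(SAMPLE).items():
        print(ip, e["first_hit"].isoformat(), e["before"])
```

The client that uploaded a file is not always the one that later calls it, so also review all requests in the minutes before the earliest `first_hit`, whatever their source address.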
     
  3. vincentg

    vincentg Well-Known Member

    Go to an account backup and restore from backup - then make sure all Joomla and add-ons are UP TO DATE - newest version!

    Nothing else you can do as it's not your problem if a user does not keep up his website.
     