Joomla website compromised. Please advise

nagyosha

Member
Mar 9, 2014
cPanel Access Level
Root Administrator
Hi All.
CentOS and cPanel are all up to date: CENTOS 6.5 x86_64 kvm – titan
WHM 11.42.1 (build 6). rkhunter, lfd, modruid, suEXEC

One of my client's accounts was compromised yesterday.
He runs Joomla 2.5.19 and VirtueMart 2.0.18a.

I assume they got in through his Joomla install and, from what I can see from the Tripwire modified-file reports, managed to install the following:
/public_html/images/.jindex.php
and
/public_html/components/com_users/3tsa5z.php

It was malware for sending out emails. I was alerted by LFD telling me localhostrelay reports:
/public_html/components/com_users 3 args: /usr/sbin/sendmail -t -i

I've cleaned what I can see has changed, but am of course concerned as to how it was hacked, and also want to ensure that they did not manage to hack from here to anywhere else.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You may want to review the domain access logs or the Apache access log for the time period it occurred to see if you can find additional details about how the account was exploited.

Thank you.
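
The log review suggested above, as an added example that is not part of the original thread: a Python sketch that finds requests to the two files named in the first post and then lists earlier POSTs from the same client addresses, which are the candidates for the initial upload. It assumes the domain access log is in Apache Combined Log Format; the function names `parse` and `trace` are hypothetical and the sample lines are constructed.

```python
import re
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# File names reported by Tripwire in the first post.
DROPPED = (".jindex.php", "3tsa5z.php")

def parse(lines):
    """Yield (time, ip, method, path, status) for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or truncated entries
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield when, ip, method, path, int(status)

def trace(lines):
    """Return (hits on the dropped files, earlier POSTs by the same clients)."""
    events = sorted(parse(lines), key=lambda e: e[0])
    hits = [e for e in events if e[3].split("?")[0].endswith(DROPPED)]
    if not hits:
        return [], []
    first_hit = hits[0][0]
    ips = {e[1] for e in hits}
    # POSTs from those clients before the first hit are upload candidates.
    earlier = [e for e in events
               if e[1] in ips and e[2] == "POST" and e[0] < first_hit]
    return hits, earlier

# Constructed sample lines (documentation IP ranges, placeholder component name).
SAMPLE = [
    '198.51.100.20 - - [01/Jan/2014:02:10:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "-"',
    '203.0.113.7 - - [01/Jan/2014:02:11:05 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2014:02:11:40 +0000] "GET /images/.jindex.php HTTP/1.1" 200 20 "-" "-"',
    '203.0.113.7 - - [01/Jan/2014:02:12:10 +0000] "POST /components/com_users/3tsa5z.php HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.20 - - [01/Jan/2014:02:13:00 +0000] "POST /index.php HTTP/1.1" 200 300 "-" "-"',
    'truncated entry',
]

if __name__ == "__main__":
    hits, earlier = trace(SAMPLE)
    for when, ip, method, path, status in earlier + hits:
        print(when.isoformat(), ip, method, path, status)
```

The same client addresses can then be searched across the other accounts' logs on the server to check whether the activity reached anything else.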
 

vincentg

Well-Known Member
May 12, 2004
new york
Go to an account backup and restore from backup - then make sure all Joomla and add-ons are UP TO DATE - newest version!

Nothing else you can do as it's not your problem if a user does not keep up his website.