So, I decided to have a play with Joomla a couple of weeks ago as one of the first websites I ever built Cruelcard needed to be moved away from my Windows host and had to be rebuilt in something other than ASP. I’ve been wanting an excuse to play with Joomla and well, here it was. I built the site, put up the plugins I wanted, themed it and lo and behold had a brand spanking new website. Everything was good .. the sun was shining etc .. until last night ..
Last night I logged in to find that the site had been defaced. I should have taken a screenshot to show you, but I just overwrite the message with a “Will be back soon” message. I left everything as it was so that I could find out exactly how the hackers broke into my site. Today I had some time, so I went through my logs and this is what I learnt:
- The hacker was from Turkey. Well, I knew that as the defacement was in Turkish but his IP address (184.108.40.206) confirmed that.
- He was specifically looking for Joomla sites to target. The first referrer I have is: http://go.mail.ru/search?&q=Powered+by+Joomla%21.+Valid+XHTML+and+CSS&no_morph=n&sf=480. You can see exactly what he was looking for, but seeing I’m on page 49, he must have gone through quite a few other sites first.
- He gained access to the site by resetting the admin password. I actually found the exploit in Milworm (possibly this one anyway). This coupled by the fact that the sequence of commands were all placed in under a minute suggests that this was a scripted attack.
- Once the admin password was changed, the hacker went straight to the admin site and did whatever he needed to do.
- The hacker also seems to have uploaded some media using the Media Manager which suggests I need a proper rebuild of the whole thing.
It was pretty interesting to follow the hacker‘s footsteps. I will need to rebuild with a newer version of the software that blocks that hole, but I am partly responsible because I didn’t change the default administrator’s name. If I had done that, I might have had a bit of protection. I’m not going to abandon Joomla just because of this but it has certainly highlighted the importance of backups to me!
If anyone’s interested, you can read through the log: cruelcardcom-hack
Note to self: Read more about Milw0rm and don’t watch so much CSI
that happened to my site as well, I had to google and found this post. they left a file named back.pl in my html directory which was the exploit in link, thanks for writing about it!