Joomla website compromised. Advice please
Hi all.
CentOS and cPanel all up to date: CENTOS 6.5 x86_64 kvm " titan
WHM 11.42.1 (build 6). rkhunter, lfd, modruid, suEXEC
One of my clients' accounts was compromised yesterday.
He runs Joomla 2.5.19 and VirtueMart 2.0.18a.
They, I assume, got in through his Joomla install and, from what I can see from tripwire modified file reports, managed to install the following:
/public_html/images/.jindex.php
and
/public_html/components/com_users/3tsa5z.php
It was malware for sending out emails. I was alerted by LFD telling me localhostrelay reports:
/public_html/components/com_users 3 args: /usr/sbin/sendmail -t -i
I've cleaned what I can see has changed, but am of course concerned as to how it was hacked and also want to ensure that they did not manage to hack from here to anywhere else.
-
Hello :) You may want to review the domain access logs or the Apache access log for the time period it occurred to see if you can find additional details about how the account was exploited. Thank you.
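One way to do the access-log review suggested above, as an added example that is not part of the original thread: it finds every client that requested one of the two dropped files and lists what that client requested beforehand, which is where the initial entry point should show up. The Apache "combined" log format, the function names and the sample log lines (documentation IP ranges, hypothetical URLs) are assumptions.

```python
import re
from datetime import datetime

# Dropped files named in the post, relative to the docroot (public_html).
DROPPED = ("/images/.jindex.php", "/components/com_users/3tsa5z.php")

# Apache "combined" LogFormat is assumed; adjust the regex if yours differs.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Return parsed records in time order; unparseable lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["path"] = rec["url"].split("?", 1)[0]  # compare without query
            out.append(rec)
    return sorted(out, key=lambda r: r["ts"])

def requests_before_drop(lines):
    """Map each client IP that requested a dropped file to the requests it
    made before its first hit on one (where the entry point should appear)."""
    records = parse(lines)
    first_hit = {}
    for r in records:
        if r["path"] in DROPPED:
            first_hit.setdefault(r["ip"], r["ts"])  # keep earliest hit only
    return {ip: [(r["method"], r["url"], r["status"]) for r in records
                 if r["ip"] == ip and r["ts"] < t]
            for ip, t in first_hit.items()}

# Constructed sample lines, deliberately out of order to exercise the sort.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2014:02:11:04 +0000] "GET /index.php?option=com_users&view=registration HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:02:11:09 +0000] "POST /index.php?option=com_example&task=upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2014:02:12:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:02:11:30 +0000] "POST /images/.jindex.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:02:13:02 +0000] "POST /components/com_users/3tsa5z.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in requests_before_drop(SAMPLE).items():
        print(ip)
        for method, url, status in reqs:
            print("   ", method, url, status)
```

On a real server, pass the lines of the account's domain access log instead of `SAMPLE`; a successful POST shortly before the first hit on a dropped file is the request to look at first.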
Go to an account backup and restore from backup - then make sure Joomla and all add-ons are UP TO DATE - newest version! Nothing else you can do, as it's not your problem if a user does not keep up his website.