We've detected a compromise affecting Joomla!® installations. In this compromise, attackers installed a module called mod_administrator, which contains a file called config.php that lets the attacker add more bad files to the hosting account.
You can get more information about compromises and how to deal with them in "My website was hacked. What should I do?".
Besides the signs mentioned in "My website was hacked. What should I do?", you can tell your site's been affected by this specific compromise if your account contains the following files:
Remove the following files:
You should also:
group_id of both 2 and 7, as well as any other malicious users. For more information, see "Checking Joomla! Databases for Malicious Users".
Below is a stat of the file showing when the compromised file was last changed in the account:
File: 'config.php'
Access: 2014-01-10 16:32:55.441130000 -0700
Modify: 2013-12-27 07:01:55.206937000 -0700
Change: 2013-12-27 07:01:55.206937000 -0700
x.x.x.x - - [27/Dec/2013:07:01:47 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 4526 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 0 "x-httpd-php" "/html/administrator/index.php" 1235209
x.x.x.x - - [27/Dec/2013:07:01:49 -0700] "POST SampleSite.tld/administrator/index.php HTTP/1.1" 303 225 "http://SampleSite.tld/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 1 "x-httpd-php" "/html/administrator/index.php" 537279
x.x.x.x - - [27/Dec/2013:07:01:50 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 25876 "http://SampleSite.tld/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 2 "x-httpd-php" "/html/administrator/index.php" 1061024
x.x.x.x - - [27/Dec/2013:07:01:51 -0700] "GET SampleSite.tld/administrator/index.php HTTP/1.1" 200 25876 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 3 "x-httpd-php" "/html/administrator/index.php" 137735
x.x.x.x - - [27/Dec/2013:07:01:52 -0700] "GET SampleSite.tld/administrator/index.php?option=com_installer HTTP/1.1" 200 21415 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 4 "x-httpd-php" "/html/administrator/index.php" 579406
x.x.x.x - - [27/Dec/2013:07:01:53 -0700] "POST SampleSite.tld/administrator/index.php?option=com_installer&view_install HTTP/1.1" 303 509 "mainaadmin/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 5 "x-httpd-php" "/html/administrator/index.php" 1284326
x.x.x.x - - [27/Dec/2013:07:01:56 -0700] "GET SampleSite.tld/administrator/index.php?option=com_installer&view=install HTTP/1.1" 200 21687 "mainaadmin/administrator/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 6 "x-httpd-php" "/html/administrator/index.php" 165016
x.x.x.x - - [27/Dec/2013:07:01:59 -0700] "POST SampleSite.tld/administrator/index.php HTTP/1.1" 200 21437 "http://SampleSite.tld/administrator/index.php?option=com_installer" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36" 7 "x-httpd-php" "/html/administrator/index.php" 544304
x.x.x.x - - [27/Dec/2013:07:02:01 -0700] "GET SampleSite.tld/administrator/index.php?option=com_installer&view_install HTTP/1.1" 200 21412 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 8 "x-httpd-php" "/html/administrator/index.php" 145839
x.x.x.x - - [27/Dec/2013:07:02:05 -0700] "GET SampleSite.tld/modules/mod_administrator/config.php, HTTP/1.1" 200 189 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14" 9 "x-httpd-php" "/html/modules/mod_administrator/config.php" 16822
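The log lines above show a POST to the Joomla installer followed seconds later by a direct request for a PHP file under /modules/. As an added example (not part of the original article), the Python sketch below flags that sequence in an access log of the same layout; the function name, the 10-minute window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Leading fields of the access-log layout shown above: client, time, method, URL, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
INSTALL_RE = re.compile(r'/administrator/index\.php\?.*option=com_installer')
MODULE_PHP_RE = re.compile(r'/modules/(?P<module>[^/]+)/[^/?]+\.php')

# Constructed sample lines (documentation IP addresses, hypothetical mod_example).
SAMPLE = [
    '192.0.2.10 - - [27/Dec/2013:07:01:53 -0700] "POST SampleSite.tld/administrator/'
    'index.php?option=com_installer&view_install HTTP/1.1" 303 509 "-" "UA"',
    '192.0.2.10 - - [27/Dec/2013:07:02:05 -0700] "GET SampleSite.tld/modules/'
    'mod_administrator/config.php, HTTP/1.1" 200 189 "-" "UA"',
    '198.51.100.7 - - [27/Dec/2013:07:03:00 -0700] "GET SampleSite.tld/modules/'
    'mod_example/helper.php HTTP/1.1" 200 50 "-" "UA"',
]


def find_install_then_module_hits(lines, window=timedelta(minutes=10)):
    """Return (client, module, install_time, hit_time) tuples where a client
    POSTed to the Joomla installer and then fetched a PHP file directly
    under /modules/ (status 200) within `window`."""
    last_install = {}  # client -> time of its most recent installer POST
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        client, url = m["client"], m["url"]
        if m["method"] == "POST" and INSTALL_RE.search(url):
            last_install[client] = ts
            continue
        hit = MODULE_PHP_RE.search(url)
        if hit and m["status"] == "200" and client in last_install:
            if timedelta(0) <= ts - last_install[client] <= window:
                findings.append((client, hit["module"], last_install[client], ts))
    return findings


if __name__ == "__main__":
    for finding in find_install_then_module_hits(SAMPLE):
        print(finding)
```

Legitimate extension installs also POST to com_installer, so each finding is a lead to check against the modules directory and the administrator user list rather than proof of compromise.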
You should also remove any of the following files if you find them on your hosting account: