Keyword

Possible hacker attack

  • Stefan Gagner
  • Stefan Gagner's Avatar Topic Author
  • Offline
  • New Member
More
3 years 10 months ago #175807 by Stefan Gagner
Possible hacker attack was created by Stefan Gagner
Hi,

I run a rather large K2 website whish recently have experienced repeated problems which seems like a hacker attack.

The problem starts with forward slashes are inserted on line 734 in the system plugin k2.php file. The file is written to every minute or so. Eventually K2 stops working due to these inserts or the whole file is cropped from the end by these insertions.

Have anyone experienced this on any other site?

I run both RSFirewall, Akeba AdminTools and external Auditing via Mysites.guru on the website without detecting any intrusions. It seems like PHP do the file writings.

Anyone with a solution? The site in question is www.husbilskompisar.se/

Stefan Gagner - Web8 Universal - Sweden

Please Log in or Create an account to join the conversation.

More
3 years 10 months ago #175818 by JoomlaWorks
Replied by JoomlaWorks on topic Possible hacker attack
Stefan, I can assure you that K2 is one of the most secure extensions ever built for Joomla. 2 low priority security issues that were EVER reported (the most recent 4 years ago) were resolved instantly.

The K2 system plugin is executed site-wide (that's what it's for), so there's a chance some other extension got hacked and that other extension allowed the attackers to upload a file (or files) on your server, which in turn modifies core K2 and most likely Joomla files.

Having all these "firewall" extensions is really not a guarantee that you can't get hacked. Entry points can be small modules or plugins without proper data validation, another compromised site using a different CMS on the same web space as your Joomla site or even the server itself if it's a shared hosting environment.

I would recommend hiring some security professional to troubleshoot the issue.

If you can't find one, you can contact us for paid assistance on the matter using this form: www.joomlaworks.net/support/get-help/contact (just make sure you reference this forum thread)

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

Please Log in or Create an account to join the conversation.

  • Stefan Gagner
  • Stefan Gagner's Avatar Topic Author
  • Offline
  • New Member
More
3 years 10 months ago #175830 by Stefan Gagner
Replied by Stefan Gagner on topic Possible hacker attack
Dear Fotis,
I have no doubt in the security in K2 itself. I maintain several other websites running K2 without any problems.
About hiring a professional, I am a professional myself with Joomla experience back to 2005. I am also translating K2 to Swedish language since many years.
I was more interestd in finding out if any one else on this forum have had the same experience as me with this hacker attempt.
I agree to that it is likely to be another PHP based application on the same account that cause this problem. We run a very old vBulletin forum on tghe same site and it is likely to be the source of problem.

/Stefan Gagner - Web8 Universal

Please Log in or Create an account to join the conversation.

More
3 years 10 months ago #175837 by JoomlaWorks
Replied by JoomlaWorks on topic Possible hacker attack
I meant a security professional that can use your server's terminal to investigate how these replacements in the code occur. And since you use vBulletin, well, it's most likely that this is the culprit.

So I would recommend moving the forum or the site to another system account (on your server) so these 2 sites can be isolated from others. This will make your debugging work easier. Just keep in mind that additional files may have been written inside your Joomla site's file structure and the problem may be hard to spot.

Fotis / JoomlaWorks Support Team
---
Please search the forum before posting a new topic :)

Please Log in or Create an account to join the conversation.


Powered by Kunena Forum