Increase in Joomla Hack Activity in 2013

[FlashLight 4]

Hi Folks,

 

I'm sharing my experiences in hope that it will help another HawkHost user and save them a  lot of time and worry.

 

I have had 4 different Joomla 1.5 sites attacked since January, all with variations of the same hack.

 

According the the Joomla community there has been a spike in these 'Hmei7' attacks since January. I found some info here that might be helpful to others with the same problem:

 

There is info here on how to start the clean up:

http://www.joshpate.com/2013/01/how-to-fix-hacked-by-hmei7-on-joomla-web-site/

http://blog.cripperz.sg/2013/01/12/how-to-fix-hacked-by-hmei7%E2%80%B3-on-joomla-web-site/

Also, once it is cleared up and Joomla updated to 1.5.26 (for those running 1.5) there are three extensions that are useful and cost effective:

JHackGuard (free): protects against common hack attempts.
http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/13233

AdminToolsPro (small subscription required): adds a firewall and automatically blocks IPs etc.
https://www.akeebabackup.com/products/admin-tools.html

JSecure Lite (free): changes the default Admin login page to something of your choice:
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/23080

The last one is particularly useful as after installing AdminToolsPro and setting it up to notify me with failed Admin logins I could see that some sites were getting hammered with password guessing scripts. This dealt with that problem immediately.

 

Hope this helps someone.

 

Thanks.

Andy

[Tony 545]

This is some excellent advice.  We see a lot of compromised accounts and lately it's been a lot of Joomla all running versions that are years old.  We try to block a lot of malicious requests every day but mod_security only goes so far without preventing a lot of users from accessing their sites.