So far this month, we have had 5 cases where all the users in a Joomla website had their usernames and passwords updated to the same value. In other words, every username in those Joomla websites was set to admin, and every password was set to one identical MD5 hash.
This type of hack creates a huge problem, especially for community-based Joomla websites (websites with many registered users): post-hack, the website technically has just one user, and most likely even that user will not be able to log in, because their password was changed as well.
So, how did this happen?
Well, after investigating the 5 websites we have worked on this month so far, we found a pattern in how this hack happened:
- The attacker exploited a loophole in Joomla and uploaded a PHP file to the images folder.
- The file contained the following SQL statement (in base64 encoded format):
  UPDATE #__users SET username='admin', password='[MD5 value]'
- The PHP file was executed from the attacker’s machine/server using cURL.
- The query ran successfully, and the usernames and passwords for all the users were set to the same value.
We think that the attacker only intended to update one row (the administrator’s) in order to gain access to Joomla’s backend, but he was so lazy that he didn’t add a WHERE clause to the query, so it updated every row instead!
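To show what the triage of such a site looks like in practice, here is an added example (our own, not code from the original post or from Joomla): a small Python script that flags PHP files dropped under the images folder, decodes any base64 blobs they carry, reports SQL UPDATEs against the users table (and whether they are missing a WHERE clause), and checks a users table for the signature of this incident, namely many rows but a single username and a single password hash. It assumes a jos_ table prefix and an images/ directory under the site root; the dropped file, the image, the users rows and the placeholder MD5 value are all constructed sample data, and the execution part of the dropped file is deliberately left out.

```python
"""Triage helpers for the 'all Joomla users collapsed to admin' incident.

Added example, not from the original post. Assumes a jos_ table prefix for the
users table and an images/ folder under the site root; adjust both to your site.
"""
import base64
import binascii
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path
from typing import Optional

PHP_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Long runs of base64 alphabet characters, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# UPDATE against the users table, whatever the prefix (#__users, jos_users, ...).
USERS_UPDATE_RE = re.compile(r"\bUPDATE\s+\S*users\s+SET\b", re.IGNORECASE)


def decode_payloads(php_source: str) -> list:
    """Return every base64 blob in the source that decodes to readable text."""
    payloads = []
    for match in B64_RE.finditer(php_source):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            payloads.append(text)
    return payloads


def classify_sql(text: str) -> Optional[str]:
    """Flag an UPDATE on the users table and note whether it has a WHERE clause."""
    if not USERS_UPDATE_RE.search(text):
        return None
    if re.search(r"\bWHERE\b", text, re.IGNORECASE):
        return "users UPDATE with WHERE clause (targets specific rows)"
    return "users UPDATE without WHERE clause (rewrites every row)"


def scan_images_dir(images_dir: Path) -> list:
    """Any PHP file under images/ is suspect; decoded SQL payloads are flagged as well."""
    findings = []
    for path in sorted(images_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(images_dir).as_posix()
        findings.append((rel, "PHP file inside the images folder"))
        for payload in decode_payloads(path.read_text(errors="replace")):
            verdict = classify_sql(payload)
            if verdict:
                findings.append((rel, f"base64-encoded {verdict}: {payload}"))
    return findings


def users_table_collapsed(conn: sqlite3.Connection, table: str = "jos_users") -> bool:
    """Incident signature: more than one row, yet a single username and a single hash."""
    total, names, hashes = conn.execute(
        f"SELECT COUNT(*), COUNT(DISTINCT username), COUNT(DISTINCT password) FROM {table}"
    ).fetchone()
    return total > 1 and names == 1 and hashes == 1


def demo() -> tuple:
    """Run the checks on constructed sample data: a dropped PHP file and a small users table."""
    placeholder_hash = hashlib.md5(b"constructed-example").hexdigest()  # stands in for [MD5 value]
    sql = f"UPDATE jos_users SET username='admin', password='{placeholder_hash}'"
    encoded = base64.b64encode(sql.encode()).decode()
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        (images / "stories").mkdir(parents=True)
        (images / "stories" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # harmless image
        # The dropped file only needs the encoded query for the scanner to fire;
        # the code that would execute it is intentionally not reproduced here.
        (images / "stories" / "x.php").write_text(f'<?php $q = base64_decode("{encoded}");')
        findings = scan_images_dir(images)

    conn = sqlite3.connect(":memory:")  # stand-in for the site's MySQL users table
    conn.execute("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?)",
                     [(62, "admin", "a1"), (63, "alice", "b2"), (64, "bob", "c3")])
    before = users_table_collapsed(conn)
    conn.execute(sql)  # the unscoped UPDATE from above, run against the sample table
    after = users_table_collapsed(conn)
    return findings, before, after


if __name__ == "__main__":
    for rel, reason in demo()[0]:
        print(f"{rel}: {reason}")
```

On a real site, point scan_images_dir at the site's images/ directory and run the users-table query against MySQL with the real prefix; a non-empty findings list or a True from users_table_collapsed is the trigger to pull the pre-hack backup of the users table. The scanner only looks at base64 blobs, so a dropper that hides its query some other way will not be caught by it; the "PHP file inside the images folder" finding does not depend on that and is the one to act on first.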
What did we do to fix the problem?
The first thing we did was remove the malicious file (the one containing the query). We then secured the website (especially the images folder), and finally we restored the #__users table from a backup taken before the hack. That fixed the problem.
We know, it seems that there’s a new type of hack every day, and that’s why it’s critical to keep your website protected. If you need help doing that, or if you need help cleaning up your hacked Joomla website, then you’re at the right place. Just contact us and we’ll ensure that your website is clean and secure in no time and for very little cost.