On October 25th, 2016 the Joomla team issued a security release for the 3.x series of Joomla. Joomla 3.6.4 fixes a high-severity security vulnerability that can allow remote users to create new accounts, modify existing accounts, and elevate their privileges to that of a Super Administrator on any Joomla site not patched.
These issues combined potentially give attackers enough power to get complete control of your Joomla website. The affected Joomla versions are from 3.4.4 through 3.6.3.
How do I know I've been hacked?
- Check your users for a user called db_cfg or other unauthorised ones
- Check for users with email ringcoslio1981[@]gmail.com
- Check logs for IPs 220.127.116.11; 18.104.22.168; 22.214.171.124; or 126.96.36.199
- Check your images and media folders for .pht files and other non-image files
With an exploit of this size, an unpatched Joomla system between 3.4.4 and 3.6.3 is likely to have been compromised already. We recommend updating your site as soon as possible, rebuilding from a backup from October 24th or before, and/or checking for new users in your Joomla administrator area.
If you have been compromised and are unable to rectify the matter yourself we can help you recover your Joomla system safely and implement a security strategy that will protect you going forward.
We sincerely hope this article helped you enough in securing your online business and becoming a happy customer here at Aussie Interconnect.
Until the next time