
Information about our hosting security issue!

9 years 4 months ago - 9 years 4 months ago #53300 by Lonnie

Mikkel wrote:

4. We can assure that your sites are still safe. However, we advise that you change super admin account (and FTP account) of your site.


You can assure that we are safe, yet you tell us to change our passwords, how does that give any sense?


It's called being cautious and not assuming until all of the analysis is complete... and he would be irresponsible not to suggest that, just as it would be irresponsible for you not to take that step.. I'm fully confident nothing serious was compromised by way of our user details, but it's just the smart thing to do .. never assume ..

Any time you have a security scare like this it's always a good idea to change your password... in fact I recommend changing passwords on a semi regular basis.. I enforce a password change every week at my company for our employees.

We host Joomla sites and I have a whole host of security systems in place, many of which I wrote myself that monitor our web server logs for brute force attempts or other suspicious behavior.. you can't take security lightly.

Edit:

Just to add to that.. you'd be amazed how many times we've been asked to do work on someone else's Joomla site that's hosted by a third party only to find so many PHP shells scattered throughout the site.. these script kiddies ( usually ) hide their shells in the images folder, or they will hide them in one of the Joomla Framework folders... or append themselves to the top of existing PHP files... cleaning a site up after a hack can be tricky business.. I got a copy of a university's website the other day that ran Joomla for one of their sub sites... just extracting it to my desktop set off Microsoft Security Essentials like crazy.. MSE does detect quite a few PHP shells.. people just do not always do a great job at securing their installations.
Last edit: 9 years 4 months ago by Lonnie.
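
The post above names the images folder as a usual hiding place for PHP shells. The following is an added example (not Lonnie's code and not part of the original thread) of a check that walks a web root and flags PHP-executable files under `images/` and image files that contain a PHP open tag. The extension lists, the `images`-only policy and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumption; match your server config).
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
UPLOAD_DIRS = ("images",)  # top-level folders that should hold no PHP (assumed policy)


def scan_webroot(root):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = rel_dir.split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTS and top in UPLOAD_DIRS:
                findings.append((rel, "PHP file in upload folder"))
            elif ext in IMAGE_EXTS:
                # Only the first 64 KiB is read; enough for a header check.
                with open(path, "rb") as fh:
                    if b"<?php" in fh.read(65536).lower():
                        findings.append((rel, "image contains PHP open tag"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": b"<?php // site entry point",
            "images/logo.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
            "images/banners/cache.php": b"<?php // constructed stand-in",
            "images/photo.jpg": b"\xff\xd8\xff <?php // constructed stand-in",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

This check does not cover code prepended to legitimate PHP files; comparing the web root against a known-clean copy of the same Joomla release is the usual way to catch that.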

9 years 4 months ago #53302 by Troy Whatcott
Replied by Troy Whatcott on topic Information about our hosting security issue!
Thanks for the update. You guys are great! The "hacker", well, I can't say much for him. :)

9 years 4 months ago - 9 years 4 months ago #53303 by Lonnie

pepperstreet wrote: Thanks for the infos and clarification.
Actually, we might even thank the "hacker" for revealing the security hole on that server... and for NOT spreading the complete addresses. It seems to be a very "polite hack" and promotion for India-based developers, IMHO. ;)
At the end, JoomDonation gets a more secure server environment. Neat side-effect, isn't it?!


This wasn't a polite hack, I suspect it might have been a way to try to get money out of the developer.. ( we'll see ) .. I've seen some polite hacks in my day... one defaced the front page but didn't destroy any files.. they even left instructions on how to prevent what it was they did .. that's more of a polite hack.. even if it was embarrassing to the owner of the site.

But I personally advise caution.. don't assume you're safe ... back up your site daily and watch over it for the next few days.. I am suspecting nothing will happen.. but if it does.. stay calm, restore your site from backup ( Akeeba Backup is great and free ) .. once it's restored, remove the extension and wait for a fix.

IF by some off chance you have to restore... go into FTP and delete EVERYTHING from your web root first .. if you use Akeeba backup then it's pretty simple.. I would also clear your database but that may not be necessary.. Akeeba may drop the tables prior to restoring them.

1. Clear your web root,
2. Install Akeeba Backup Core
3. Run a backup
4. DOWNLOAD the JPA file to your desktop and hang on to it
5. IF you need to restore.. upload the JPA to your cleaned web root
6. Download the Akeeba Kickstart Core, extract the contents and upload them along with your JPA file
7. Go to www.whateveryoursiteis.com/kickstart.php and follow the instructions

Once done... your site is back, just log in and uninstall the extension until we know more..

These are just precautionary instructions... I'm creating a new backup and downloading it every day until this passes.
Last edit: 9 years 4 months ago by Lonnie.

9 years 4 months ago #53312 by qtech
Thanks for the update Tuan. I am sorry that you are having to deal with this and will continue to support you through using your extensions.

Michael

9 years 4 months ago #53314 by David Fernández-Renau Sanz
Replied by David Fernández-Renau Sanz on topic Information about our hosting security issue!
Keep up with your excellent work and do not worry too much about these "funny" guys, let them play around while you stick to your core business.

Cheers !

9 years 4 months ago - 9 years 4 months ago #53345 by Thomas Brunt
Replied by Thomas Brunt on topic Information about our hosting security issue!
I'm very impressed with your product and your support. Thanks for doing a great job.
Last edit: 9 years 4 months ago by Thomas Brunt.

9 years 4 months ago #53385 by Julian Lilio
Replied by Julian Lilio on topic Information about our hosting security issue!
Just as I suspected, it's related to web hosting. Thanks for assuring, you're already moving to another provider.

The responses I got from my support tickets proved that JoomDonation is listening and strives to make their extensions better for their customers. Good job and I have full confidence in you.

You can try A Small Orange's VPS. They're pretty reliable.

Best Regards

Julian

9 years 4 months ago #53402 by Scott Ackerman
Replied by Scott Ackerman on topic Information about our hosting security issue!
Tuan,

for what it's worth I would highly advise either a) getting a hosting server that you can install ASL (Atomic Secure Linux), or b) find a hosting provider that uses this. I installed it on my dedicated server over a year ago because of several customer websites that were compromised. I have since had no problems whatsoever despite having a couple of customers that are running Joomla 1.0x sites and many that are running 1.5x. As a side note, it is a very 'eye opening' experience to look at all of the SQL injection attempts and other attempts to hack sites from the ASL dashboard, it is not unusual for me to see over 100 compromise attempts every hour.

  • Tuan Pham Ngoc
  • Topic Author
  • Administrator
9 years 4 months ago #53410 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Information about our hosting security issue!
Hi Scott

Thanks for your suggestion. The site is now moved to Rochen, the hosting provider behind joomla.org, so we are on a secure hosting now.

We will be providing full information about this issue later today (just completed moving the site to new hosting provider last night)

Regards,

Tuan

9 years 4 months ago #53425 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic Information about our hosting security issue!
Hi

Please see joomdonation.com/forum/questions/45092-o...ty-announcement.html for our final announcement about this issue

Regards,

Tuan


Moderators: Tuan Pham Ngoc, Giang Dinh Truong, Mr. Dam