By: RodrigoV

Today I've found my webserver with all files encrypted (index.php.encrypted)

December 30, 2015 1.9k views
PHP Security Joomla

There is also heavy POST and GET registries in my log, especially from an unknown php file called POSTipport.php

Any advice would be appreciated.

1 comment
  • Sounds like your site has been hacked. IPPort.php is a function to parse an IPaddr:Port string into its constituent IP address and port.

    In some cases the perp contacts the victim demanding payment to have the site unencrypted. If they just want the site then your only recourse is to rebuild. Hope you had a backup. Also if you have access to logs you might be able to figure out how it was compromised so that any new or rebuilt site is patched.
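The log triage suggested in the comment above, as an added example that is not part of the original thread: it parses Apache/nginx combined-format access log lines (a format assumption), skips requests to the PHP entry points a stock Joomla site is expected to serve (an assumed known-good list), and summarises every other PHP script that was hit, with source IPs, methods and the first timestamp seen. The sample log lines are constructed for the example; the first-seen value assumes the log is in chronological order.

```python
import re
from collections import Counter

# Assumed combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed known-good PHP entry points of a stock Joomla install.
KNOWN_JOOMLA_ENTRYPOINTS = frozenset({"/index.php", "/administrator/index.php"})

# Constructed sample log lines, not taken from the poster's server.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2015:03:14:01 +0000] "POST /POSTipport.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2015:03:14:02 +0000] "GET /POSTipport.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Dec/2015:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Dec/2015:09:00:03 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2015:03:15:10 +0000] "POST /POSTipport.php HTTP/1.1" 200 64 "-" "python-requests/2.9"
"""


def unknown_php_hits(log_text, known_php=KNOWN_JOOMLA_ENTRYPOINTS):
    """Summarise requests to PHP scripts that are not on the known-good list.

    Returns {script_path: {"count", "ips", "methods", "first_seen"}}.
    Lines that do not match the combined format are skipped, not guessed at.
    """
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.lower().endswith(".php") or path in known_php:
            continue
        entry = report.setdefault(path, {
            "count": 0, "ips": Counter(), "methods": Counter(),
            "first_seen": m.group("time"),  # first match = earliest, if log is chronological
        })
        entry["count"] += 1
        entry["ips"][m.group("ip")] += 1
        entry["methods"][m.group("method")] += 1
    return report


if __name__ == "__main__":
    for script, info in unknown_php_hits(SAMPLE_LOG).items():
        print(script, info["count"], "hits, first seen", info["first_seen"],
              "from", dict(info["ips"]), "methods", dict(info["methods"]))
```

The first-seen timestamp of an unexpected script bounds the window in which the file was dropped, which is where to start looking in the rest of the logs and in backups.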

1 Answer

Hello,

I'm really sorry to be the bearer of bad news. Unfortunately it sounds like your webserver was compromised and fell victim to some ransomware. If that is the case, your best bet would be to restore from one of your backups, since you won't otherwise be able to unencrypt your files without paying the ransom.

Joomla has recently seen several security vulnerabilities and, like every web application, it is important that you keep Joomla up to date in order to prevent it from being compromised. The latest version of Joomla (as of making this post) is 3.4.8, so when you redeploy based on your backup, I highly recommend upgrading Joomla straight away.

Best,
Eris
Platform Support Specialist

  • Thank you so much for your answer. I haven't heard anything from any possible hijacker but obviously I wouldn't pay anything.

    Do you recommend Joomla for future development? Is my IP secure or do I have to change my droplet to a fresh IP? I don't feel secure with a compromised IP.

    Thank you so much again for your answers and sorry for my bad english. (Not a native speaker)
    Happy new year, Eris

    • Hey Rodrigo,

      As long as you keep Joomla up to date and don't install any vulnerable extensions (found on this list), you should have no issues sticking with Joomla. That goes for pretty much every CMS that you could choose from.

      Your IP should remain secure... The droplet was compromised, yes, but the IP itself has nothing to do with that. If you'd feel more secure with a completely fresh IP, there's no harm in that.

      Anyway, it's no problem, I'm always happy to help people where I can. Also, your English is great, I couldn't tell that it wasn't your first language.

      Happy New Year to you too. :)

      Cheers,
      Eris
      Platform Support Specialist
