Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Need help to troubleshoot mysqlnd_ms setup on PHP72 with php-fpm Question Question
doesn't work php session Question Question

Question

Today i've found my webserver with all files encrypted (index.php.encrypted)

Posted December 30, 2015 3.8k views
PHPSecurityJoomla

There is also heavy POST and GET registries in my log. Specially from an unkown php file called POSTipport.php

Any advice would be apreciated.

Add a comment
RodrigoV
By:
RodrigoV

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Need help to troubleshoot mysqlnd_ms setup on PHP72 with php-fpm Question Question
doesn't work php session Question Question
Add a comment
1 comment
  • SteveF December 31, 2015
    Reply Report

    Sounds like your site has been hacked. IPPort.php is a function to parse a IPaddr:Port string into is constituent IP address and port.

    In some cases the perp contacts the victim demanding payment to have the site unencrypted. If they just want the site then your only recourse is to rebuild. Hope you had a backup. Also if you have access to logs you might be able to figure out how it was compromised so that any new or rebuilt site is patched.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
eris December 30, 2015

Hello,

I’m really sorry to be the bearer of bad news. Unfortunately it sounds like your webserver was compromised and fell victim to some ransomware. If that is the case, your best bet would be to restore from one of your backups, since you won’t otherwise be able to unencrypt your files without paying the ransom.

Joomla has recently seen several security vulnerabilities and, like every web application, it is important that you keep Joomla up to date in order to prevent it from being compromised. The latest version of Joomla (as of making this post) is 3.4.8, so when you redeploy based on your backup, I highly recommend upgrading Joomla straight away.

Best,
Eris
Platform Support Specialist

Reply Report
  • RodrigoV December 31, 2015

    Thank you some much for your answer. I haven’t heard anything from any possible hijaker but obviously i wouldn’t pay anything.

    Do you think recomend joomla for future development? Is my IP secure or do i have to change my droplet to a fresh IP? I dont feel secure with a compromised IP.

    Thank you so much again for your answers and sorry for my bad english. (Not a native speaker)
    Happy new year Eris

    Reply Report
    • eris December 31, 2015

      Hey Rodrigo,

      As long as you keep Joomla up to date and don’t install any vulnerable extensions (found on this list), you should have no issues sticking with Joomla. That goes for pretty much every CMS that you could choose from.

      Your IP should remain secure… The droplet was compromised, yes, but the IP itself has nothing to do with that. If you’d feel more secure with a completely fresh IP, there’s no harm in that.

      Anyway, it’s no problem, I’m always happy to help people where I can. Also, your English is great, I couldn’t tell that it wasn’t your first language.

      Happy New Year to you too. :)

      Cheers,
      Eris
      Platform Support Specialist

      Reply Report

Related

Looking for something else?

Ask a new question Search for more help