Today i've found my webserver with all files encrypted (index.php.encrypted)

December 30, 2015 2.9k views
PHP Security Joomla
RodrigoV
By:
RodrigoV

There is also heavy POST and GET registries in my log. Specially from an unkown php file called POSTipport.php

Any advice would be apreciated.

1 comment
  • SteveF December 31, 2015

    Sounds like your site has been hacked. IPPort.php is a function to parse a IPaddr:Port string into is constituent IP address and port.

    In some cases the perp contacts the victim demanding payment to have the site unencrypted. If they just want the site then your only recourse is to rebuild. Hope you had a backup. Also if you have access to logs you might be able to figure out how it was compromised so that any new or rebuilt site is patched.

Log In to Comment
1 Answer
eris MOD December 30, 2015

Hello,

I'm really sorry to be the bearer of bad news. Unfortunately it sounds like your webserver was compromised and fell victim to some ransomware. If that is the case, your best bet would be to restore from one of your backups, since you won't otherwise be able to unencrypt your files without paying the ransom.

Joomla has recently seen several security vulnerabilities and, like every web application, it is important that you keep Joomla up to date in order to prevent it from being compromised. The latest version of Joomla (as of making this post) is 3.4.8, so when you redeploy based on your backup, I highly recommend upgrading Joomla straight away.

Best,
Eris
Platform Support Specialist

Reply
  • RodrigoV December 31, 2015

    Thank you some much for your answer. I haven't heard anything from any possible hijaker but obviously i wouldn't pay anything.

    Do you think recomend joomla for future development? Is my IP secure or do i have to change my droplet to a fresh IP? I dont feel secure with a compromised IP.

    Thank you so much again for your answers and sorry for my bad english. (Not a native speaker)
    Happy new year Eris

    • eris MOD December 31, 2015

      Hey Rodrigo,

      As long as you keep Joomla up to date and don't install any vulnerable extensions (found on this list), you should have no issues sticking with Joomla. That goes for pretty much every CMS that you could choose from.

      Your IP should remain secure... The droplet was compromised, yes, but the IP itself has nothing to do with that. If you'd feel more secure with a completely fresh IP, there's no harm in that.

      Anyway, it's no problem, I'm always happy to help people where I can. Also, your English is great, I couldn't tell that it wasn't your first language.

      Happy New Year to you too. :)

      Cheers,
      Eris
      Platform Support Specialist

Have another answer? Share your knowledge.

Related Questions