Joomla site hacked by Hmei7?

Joomla site hacked by Hmei7?

January 14, 2013 Joomla Security Security News & Information 0

Was your Joomla site hacked by Hmei7? This is a common hack on Joomla sites.  Typically you will find a  text file located in several directories named “x.txt”, that had “hacked by Hmei7” in it. After futher investigation, it appears that this attack is due to an outdated JCE plugin. If you are running JCE you need to either disable and delete it or upgrade it (http://www.joomlacontenteditor.net/downloads/editor) to fix the problem. You will also need to check out the following for remote php shells that have been uploaded to your site.

Remember, this isn’t an all exhaustive list, this is just some of the directories/files we located – each case is typically different, but it should help you to track down the issue:

images/x.txt
tmp/x.txt
x.txt
images/stories/x.php
images/stories/susu.php
images/stories/s.php
images/stories/a7a.php
includes/gacl_api_clss.php
libraries/databse.mysqli.php
templates/system/feedreator.class.php
xmlrpc/includes/fotter.php

Once you’ve cleaned your site, we recommend that you migrate from 1.5.x or 1.7 to the latest version, 2.5.x. This isn’t a simple upgrade as most of Joomla has been re-written so you should first set-up a staging area where you can test migrating your site. DO NOT
DO IT ON A LIVE PRODUCTION SITE.

The safest way is to make a backup of the site (files and database) AFTER having done all other steps mentioned, then do the update of Joomla in a test environment then upload the changed files and import the new database. Joomla provides detailed information here: http://docs.joomla.org/Migrating_from_Joomla_1.5_to_Joomla_2.5

If you aren’t technical and you need immediate assistance, we can reduce the impact and prevent further damage quickly – Now is your chance, we can have the typical site cleaned and secured in just a few hours. Check out our Pricing page for details on our professional, reliable malware removal services.