Joomla! Module Security Compromise: mod_administrator

We've detected a compromise affecting Joomla!® installations. In this compromise, attackers installed a module called mod_administrator, which contains a file called config.php that lets the attacker upload additional malicious files to the hosting account.

You can get more information about compromises and how to deal with them in My website was hacked. What should I do?.

Additional Signs You've Been Compromised

Besides the signs mentioned in My website was hacked. What should I do?, you can tell your site's been affected by this specific compromise if your account contains the following files:

  • /html/modules/mod_administrator/config.php
  • /html/plugins/user/sys09725827.php

Remedies

Remove the following files:

  • /html/modules/mod_administrator/config.php
  • /html/plugins/user/sys09725827.php
  • index.beta.php
  • index_old.php
  • egy.class.php
  • abg.php
  • kabe.php
  • x.txt

You should also:

  • Upgrade to the newest version of Joomla! Versions 1.6.x/1.7.x/2.5.0-2.5.2 contain a vulnerability that lets a malicious user become an Administrator on the website. To resolve this issue, Joomla! must be upgraded. You can find more information here.
  • Check your database for the username nekiua, users with a group_id of both 2 and 7, as well as any other malicious users. For more information, see Checking Joomla! Databases for Malicious Users.
  • Change your database password (more info).
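As an added example (not code from the original article), the two checks above scripted in Python: it looks for the listed files under an account root and runs the "both group 2 and 7, or username nekiua" query against the Joomla user tables. The jos_ table prefix, the temp directory and the in-memory SQLite database standing in for MySQL are assumptions made for the demo.

```python
import os
import sqlite3
import tempfile

# Paths the article lists, relative to the hosting account root.
INDICATOR_FILES = ["html/modules/mod_administrator/config.php",
                   "html/plugins/user/sys09725827.php"]
# Other file names the article says to remove; no directory is given, so the
# whole tree is searched by name.
SUSPECT_NAMES = {"index.beta.php", "index_old.php", "egy.class.php",
                 "abg.php", "kabe.php", "x.txt"}

def find_indicator_files(root):
    """Return suspicious files present under root, as sorted relative paths."""
    hits = {p for p in INDICATOR_FILES if os.path.isfile(os.path.join(root, p))}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in SUSPECT_NAMES:
                hits.add(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)
# Joomla stores group membership in #__user_usergroup_map; the default 'jos_'
# prefix is assumed here (group 2 = Registered, 7 = Administrator by default).
SUSPECT_USERS_SQL = """
SELECT u.id, u.username FROM jos_users AS u
LEFT JOIN jos_user_usergroup_map AS m ON m.user_id = u.id
GROUP BY u.id, u.username
HAVING u.username = 'nekiua'
    OR (SUM(m.group_id = 2) > 0 AND SUM(m.group_id = 7) > 0)
ORDER BY u.id"""
def find_suspect_users(conn):
    """Run the query on a DB-API connection; returns (id, username) tuples."""
    return [tuple(row) for row in conn.execute(SUSPECT_USERS_SQL)]
def demo_files():
    """Constructed account tree with two of the article's files planted in it."""
    root = tempfile.mkdtemp()
    for rel in ("html/modules/mod_administrator/config.php",
                "html/tmp/abg.php", "html/index.php"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    return find_indicator_files(root)

def demo_users():
    """Constructed user tables in SQLite, standing in for the MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
        INSERT INTO jos_users VALUES (42,'admin'),(43,'nekiua'),(44,'editor'),(45,'bob');
        INSERT INTO jos_user_usergroup_map VALUES (42,8),(43,2),(43,7),(44,2),(44,7),(45,2);""")
    return find_suspect_users(conn)
```

Against a real account, point find_indicator_files at the hosting root and run SUSPECT_USERS_SQL through your MySQL client with the site's actual table prefix substituted for jos_.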
