Hello everyone!
I recently ran into an incident where a hacker broke into my site, and I feel it is worth
sharing with everyone.
 
 
 
Discovery:
I suddenly found that I could not log in to my website's backend (the frontend worked as usual), which seemed very strange, so I went to look at the database and found that the password had actually been changed! I also noticed that the stored password was in plain MD5 format, which is not the MD5 format Joomla normally writes, but Joomla still accepts plain MD5 password hashes (in fact, this can be considered a flaw). So once the hacker had permission to modify the database, he changed the password and the account, and then logged in to the backend.
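The check I would run on the users table after an incident like this, as an added example that is not code from the original post: classify every stored password value by format and flag the ones a current Joomla install would never write itself. The format rules are assumptions about what Joomla's login code accepts (bcrypt `$2y$...`, phpass `$P$...`, the old `md5(password+salt):salt` form, and a bare 32-hex MD5 left over from Joomla 1.0); the sample rows are constructed, not real data.

```python
"""Audit a Joomla users table for password hash formats that point to the
value having been written straight into the database.

Added example, not code from the original post. FORMAT_RULES are assumptions
about the formats Joomla's password verification accepts; SAMPLE_ROWS are
constructed test data.
"""
import hashlib
import re
import secrets

FORMAT_RULES = [
    ("bcrypt",     re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("phpass",     re.compile(r"^\$P\$[./A-Za-z0-9]{31}$")),
    ("md5-salted", re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{1,32}$")),
    ("md5-plain",  re.compile(r"^[0-9a-f]{32}$")),
]

# Formats that a current install does not produce on its own.
SUSPECT_FORMATS = {"md5-plain", "unknown"}


def classify_hash(stored):
    """Return the format name of a stored Joomla password value."""
    for name, rule in FORMAT_RULES:
        if rule.match(stored):
            return name
    return "unknown"


def legacy_md5_salted(password, salt=None):
    """Build the old Joomla 1.5-3.1 value: md5(password + salt) + ':' + salt."""
    if salt is None:
        salt = secrets.token_hex(16)  # 32 characters, the length Joomla used
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def verify_legacy(password, stored):
    """Check a password against a stored md5:salt or bare-MD5 value."""
    fmt = classify_hash(stored)
    if fmt == "md5-salted":
        digest, salt = stored.split(":", 1)
        return hashlib.md5((password + salt).encode("utf-8")).hexdigest() == digest
    if fmt == "md5-plain":
        return hashlib.md5(password.encode("utf-8")).hexdigest() == stored
    return False


def audit_users(rows):
    """rows: iterable of (id, username, stored_password).

    Returns [(username, format)] for every row whose hash format suggests the
    value was set directly in the DB rather than through Joomla itself.
    """
    findings = []
    for _uid, username, stored in rows:
        fmt = classify_hash(stored)
        if fmt in SUSPECT_FORMATS:
            findings.append((username, fmt))
    return findings


# Constructed sample rows: a normal bcrypt account, a legacy salted-MD5 account,
# and an admin row overwritten with a bare MD5 (the situation in the post).
SAMPLE_ROWS = [
    (42, "editor", "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    (43, "author", legacy_md5_salted("correct horse", "Z7KqTj4LmXp9")),
    (44, "admin",  hashlib.md5(b"hacked123").hexdigest()),
]

if __name__ == "__main__":
    for username, fmt in audit_users(SAMPLE_ROWS):
        print(f"SUSPECT: {username}: password stored as {fmt}")
```

On a live site, feed `audit_users` the result of `SELECT id, username, password FROM <prefix>_users` (with your own table prefix); a bare MD5 on an administrator account is the signal described above, and any row in `unknown` format deserves the same look.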
 
Thoughts:
 
... so how did the hacker get my password? How did he change the password by connecting to the DB? In the Joomla program, the DB password is recorded inside configuration.php, so how did he obtain the contents of that file?
To understand the hacker's technique, it is necessary to look at the LOG.
 
I found this entry in the server access LOG:
 
38.130.96.86 - - [11/Jul/2016:05:15:06 +0000] "GET / HTTP/1.1" 301 20 "http://URL is hacked /templates/wpmass.php?do=pass_change" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
 
That is, someone came to my site (which answered with a 301 redirect) with
http://URL is hacked /templates/wpmass.php?do=pass_change
as the referer!
(To protect the parties involved, I am not publishing the hacker's website.)
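The way I would turn that single log entry into a repeatable check, as an added example that is not part of the original post: parse combined-format access log lines and flag any request whose referer, or whose own path, points at the tool (`wpmass.php`, or a `do=pass_change` action). The log lines below are constructed; the hacked site's hostname is replaced with the placeholder `hacked.example`.

```python
"""Scan an Apache/nginx combined-format access log for the attacker-tool
pattern seen in the post.

Added example, not code from the original post. SAMPLE_LOG is constructed
(the real hacked hostname is replaced by the placeholder hacked.example);
the indicator lists are taken from the single log entry in the post.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators from the post: the tool's file name and its password-change action.
SUSPECT_FILES = {"wpmass.php"}
SUSPECT_ACTIONS = {"pass_change"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_url(url):
    """Return a reason string if url points at the attacker tool, else None."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    actions = set(parse_qs(parts.query).get("do", [])) & SUSPECT_ACTIONS
    if filename in SUSPECT_FILES:
        return f"tool file {filename}"
    if actions:
        return "tool action do=" + ",".join(sorted(actions))
    return None


def scan_log(lines):
    """Return [(ip, time, where, reason)] for every suspicious request.

    'referer' hits mean the visitor arrived from the tool running on another
    hacked site; 'request' hits mean the tool has been uploaded to this site.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        where, reason = "referer", None
        if rec["referer"] not in ("", "-"):
            reason = suspicious_url(rec["referer"])
        if reason is None:
            where, reason = "request", suspicious_url(rec["path"])
        if reason:
            hits.append((rec["ip"], rec["time"], where, reason))
    return hits


# Constructed sample: the post's entry (hostname replaced), a normal visitor,
# a direct call to a copy of the tool on this site, and an unparseable line.
SAMPLE_LOG = [
    '38.130.96.86 - - [11/Jul/2016:05:15:06 +0000] "GET / HTTP/1.1" 301 20 '
    '"http://hacked.example/templates/wpmass.php?do=pass_change" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"',
    '203.0.113.7 - - [11/Jul/2016:05:16:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '38.130.96.86 - - [11/Jul/2016:05:20:31 +0000] "POST /templates/wpmass.php?do=pass_change HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, when, where, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} [{when}] {where}: {reason}")
```

Run it over the whole access log rather than a day's slice: the referer hit tells you which other site on the server the tool was launched from, and a request hit for the tool's path on your own host tells you it has already been uploaded locally.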
 
Then I went to visit http://URL is hacked/
and found that it had also been hacked (a "Save Syria" message had been put on the page...),
and
http://URL is hacked /templates/wpmass.php?do=pass_change
had been turned into a hacker tool web page.
Clearly, this really is an attack aimed at CMS packages. I am not saying the CMS package is bad, but that no matter which framework or CMS you use, you must keep an eye on the news about whether there are vulnerabilities, and fix them.
 
And in fact, this program has also been posted online; you can refer to it here:
http://www.unphp.net/decode/f0ee22712b766b4a32fa52713eece2e7/
 
Techniques:
What is really amazing about this site is that the hacker had been able to modify file permissions and database passwords on it, so we can understand the hacker's approach:
1. Break into a website (by guessing passwords or using vulnerabilities).
2. Upload the hacker program (using techniques within the program, such as installing files or modifying templates).
3. Attack all the other sites on the same server.
4. Modify the DB password and log in to the website backend.
5. Repeat the steps (leaving a back door; even after the files are restored, sites that do not pay attention can still be entered through the back door).
Once one website has been compromised, every other site on the same server becomes a target.
 
Resolution:
1. Restore the program or app from a clean copy. (Make sure the files are correct!)
2. Change the password and account (avoid using the default admin account name on this site).
3. Fix bugs to enhance security (for example, I am writing a plug-in that prohibits logging in to the backend after the password has been changed).
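Step 1 above only works if you can tell which files are not the clean ones. The following is an added example, not the post's own code, of the check I would use: hash every file under the site root, compare against a known-good manifest, and report added, removed and modified files. The "clean" tree here is constructed in a temporary directory so the example runs offline; in practice the baseline manifest comes from the installer package or a pre-incident backup, and the tampering steps in `demo` simply reproduce what the post describes (a tool dropped into templates/ and configuration.php edited).

```python
"""Verify a site's files against a known-good manifest so that a dropped
tool or an edited configuration.php shows up.

Added example, not code from the original post. The directory tree in demo()
is constructed; the file names mirror the ones mentioned in the post.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return {'added', 'removed', 'modified'} lists, each sorted by path."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo():
    """Build a constructed clean tree, tamper with it as the post describes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // front controller\n")
        _write(root, "configuration.php",
               "<?php class JConfig { public $password = 'dbpass'; }\n")
        _write(root, "templates/protostar/index.php", "<?php // template\n")
        baseline = build_manifest(root)

        # Tampering: a tool placed under templates/ and the DB password changed.
        _write(root, "templates/wpmass.php", "<?php // placeholder for the attacker tool\n")
        _write(root, "configuration.php",
               "<?php class JConfig { public $password = 'changed'; }\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Keep the baseline manifest off the web server (an attacker who can write templates/ can also rewrite a manifest stored beside it), and treat any PHP file in `added` under a directory that should only hold templates or media as the first thing to open.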
 
For other vulnerabilities, the server side has to be handled together with the hosting provider, for example having PHP prohibit access to folders outside the domain's own folder. As for some of the security concepts of the host... I am still learning.
 
The above is my experience of being hacked, for your reference!
Thanks! If you have questions, we can discuss them together.