Identify a hacker

[NucleusKore]

Hi all
My site was taken down today
I have temporarily redirected my site to my blog. I was going through the logs of my site to see how the hack was successful. I am enclosing the same in this post.
Any analysis and advice will be much appreciated. I thought this one IP looked suspicious 78.183.221.32
Will check back for your replies tomorrow morning.
Goodnight

[Ecko]

Unable to download logs
Achieve Corrupt
Seems to me a job of windows fan

[NucleusKore]

Ok I have uploaded the logs again

http://www.mediafire.com/?n2lo5zettzb

[victor_rambo]

Did you check your folder and file permissions? Is the joomla15 dir and index file writable by non-privileged users?

Did you perform a recent upgrade?
-There could be a fair possibility that at the end of the upgrade process, the file permissions were not changed and left vulnerable to attacks.

Do you have the recent version(of main joomla as well as modules) with all security fixes?

Have you seen if some others using the save version(exactly as yours) have been defaced?

It could also be a server security issue!(in that case, other sites hosted on the same server as yours are also at risk! so report the mater to your webhost immediately!)

Also, finding IP is not enough as they use proxies and are masters is cleaning their traces!

[NucleusKore]

Quote:

Originally Posted by rohan_shenoy

Did you check your folder and file permissions? Is the joomla15 dir and index file writable by non-privileged users?

I installed with default permissions on the server. I did not have to chmod anything

Quote:

Originally Posted by rohan_shenoy

Did you perform a recent upgrade?
-There could be a fair possibility that at the end of the upgrade process, the file permissions were not changed and left vulnerable to attacks.

No

Quote:

Originally Posted by rohan_shenoy

Do you have the recent version(of main joomla as well as modules) with all security fixes?

Yes

Quote:

Originally Posted by rohan_shenoy

Have you seen if some others using the save version(exactly as yours) have been defaced?

Don't know. See I have three domains on the server, one points to the root of my account, and the other to subfolders containing the data. Curiously, the files in the folder which points to neville.in was not touched, except its feedback form, which is linked to a php file?? It is online right now. May I point out that I had a forum on phpbb which I set up two days back exactly as they have mentioned in their instructions, and a Joomla site which has been around for a month or so.

Quote:

Originally Posted by rohan_shenoy

It could also be a server security issue!(in that case, other sites hosted on the same server as yours are also at risk! so report the mater to your webhost immediately!)

I have, and it's now twelve hours up and no response. In fact I just redirected my address from cpanel as I did not want to disturb anything there.

Quote:

Originally Posted by rohan_shenoy

Also, finding IP is not enough as they use proxies and are masters is cleaning their traces!

Yes you're right

Thank you for your time

[victor_rambo]

phpBB? phpBB is not that good at security issues. There are have been numerous instances of phpBB boards getting hacked! I can't say for sure but there is a possibility.

[NucleusKore]

Is there any other OSS alternative better than phpBB? Joomla too? If this is the case I'll find myself back with plain old html

[Cool Joe]

Wordpress is better than plain HTML!!!!

[NucleusKore]

Quote:

Originally Posted by rohan_shenoy

Have you seen if some others using the save version(exactly as yours) have been defaced?

Many hacked by same Turkish fellows, I checked in Joomla! forums