Weird new users in Joomla user group "Administrator"
I noticed today that 30 people or so registered to my Joomla site (I don't expose a registration/login form). Most of them appear to be spammers/bots; somehow they must've found a way to register via hidden URLs. All of these users are disabled (the default), but what's bothering me is that some of these users are in the group Administrator.
Notably there are the users with emails assistent@rootfest.net, bagiteja@rootfest.net or dazofaw3@mail.ru. If you google for these addresses, you can find a bunch of sites - they seem to be other Joomla installations that have been hacked or something like that?
I am really not sure what to make of this. The Enabled and Activated checkboxes in the Joomla admin panel are both disabled for all these, i.e. show red crosses. Can these users still do harm in any way? Should I be worried?
I wasn't sure whether to post this here, in the Joomla SE or security SE. Hope it's ok here.
More posts by @Frith620
3 Comments
It's likely Joomla has not been patched to the latest version.
For example, a recent vulnerability fixed in the Joomla 3.6.5 update "allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments".
I recommend updating Joomla and third party extensions to the latest versions and deleting all suspect accounts.
It might also be prudent to run a commercial scanning service over the website such as myjoomla.com or sucuri.net to check for malicious files.
Your installation seems to be hacked. People can programmatically apply new users to hacked sites, even if sites are deactivated.
Backup your database.
Set up folder protection for your Joomla installation folder with htpassword, if you want to clean it out.
Find compromised/changed files, using Google search or instructions like this or that.
Replace them with non-compromised files.
Or delete the installation folder.
A hacker has access to your Joomla instance with administrative rights; you should be worried: your site is compromised.
This is probably due to not keeping the site up to date with the latest updates, as Joomla has several security issues.
Also a new exploit in PHPMailer (Joomla's default) has been discovered recently that makes unpatched versions vulnerable.
You should use Two Factor Authentication (Joomla has supported it since J!3.2), check all your files for modifications and update to the latest version urgently.
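For the account review the answers recommend, here is an added example (not part of the original thread or of Joomla itself) that lists every account in a privileged group that is not on an allowlist, with the same Enabled/Activated state the admin panel shows. Assumptions: the Joomla 3 table layout, the placeholder prefix `jos_`, the default group titles, and SQLite with constructed rows standing in for the site's MySQL database.

```python
import sqlite3

PREFIX = "jos_"  # assumption: placeholder; use $dbprefix from configuration.php
PRIVILEGED = ("Administrator", "Super Users")  # Joomla 3 default group titles
NEVER = "0000-00-00 00:00:00"  # Joomla 3 stores this when a user never logged in

QUERY = f"""
SELECT u.username, u.email, g.title, u.block, u.activation,
       u.registerDate, u.lastvisitDate
FROM {PREFIX}users u
JOIN {PREFIX}user_usergroup_map m ON m.user_id = u.id
JOIN {PREFIX}usergroups g ON g.id = m.group_id
WHERE g.title IN (?, ?)
ORDER BY u.registerDate
"""

def audit(conn, known_admins):
    """Return privileged accounts that are not on the operator's allowlist."""
    findings = []
    for user, email, group, block, activation, reg, last in conn.execute(QUERY, PRIVILEGED):
        if user in known_admins:
            continue
        findings.append({
            "username": user, "email": email, "group": group, "registered": reg,
            "enabled": block == 0,                 # "Enabled" column in the panel
            "activated": activation in ("", "0"),  # "Activated" column in the panel
            "has_logged_in": last not in (None, NEVER),
        })
    return findings

def demo_db():
    """Constructed sample rows; not data from the site in the question."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
    CREATE TABLE {PREFIX}users (id INTEGER, username TEXT, email TEXT, block INTEGER,
        activation TEXT, registerDate TEXT, lastvisitDate TEXT);
    CREATE TABLE {PREFIX}usergroups (id INTEGER, title TEXT);
    CREATE TABLE {PREFIX}user_usergroup_map (user_id INTEGER, group_id INTEGER);
    INSERT INTO {PREFIX}usergroups VALUES (2,'Registered'),(7,'Administrator'),(8,'Super Users');
    INSERT INTO {PREFIX}users VALUES
      (1,'siteowner','owner@example.org',0,'','2015-01-01 10:00:00','2016-12-20 09:00:00'),
      (2,'bot_a','a@example.net',1,'abc123','2016-12-18 03:00:00','{NEVER}'),
      (3,'bot_b','b@example.net',0,'','2016-12-18 03:05:00','2016-12-19 04:00:00'),
      (4,'reader','r@example.org',0,'','2016-01-01 00:00:00','2016-06-01 00:00:00');
    INSERT INTO {PREFIX}user_usergroup_map VALUES (1,8),(2,7),(3,7),(4,2);
    """)
    return conn

if __name__ == "__main__":
    for row in audit(demo_db(), known_admins={"siteowner"}):
        print(row)
```

A finding with `enabled` true or `has_logged_in` true is the one to treat as an active intrusion rather than a dormant registration.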