
Weird new users in Joomla user group "Administrator"

@Frith620

Posted in: #Joomla #Security

I noticed today that 30 people or so registered to my Joomla site (I don't expose a registration/login form), most of them appear to be spammers/bots, somehow they must've found a way to register via hidden URLs. All of these users are disabled (the default) but what's bothering me is that some of these users are in the group Administrator.

Notably there are the users with emails assistent@rootfest.net, bagiteja@rootfest.net or dazofaw3@mail.ru. If you google for these addresses, you can find a bunch of sites - they seem to be other Joomla installations that have been hacked or something like that?

I am really not sure what to make out of this. The Enabled and Activated checkboxes in the Joomla admin panel are both disabled for all these, i.e. show red crosses. Can these users still do harm in any way? Should I be worried?

I wasn't sure whether to post this here, in the Joomla SE or security SE. Hope it's ok here.


3 Comments


@Kaufman445

It's likely Joomla has not been patched to the latest version.

For example, a recent vulnerability fixed in the Joomla 3.6.5 update "allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments".

I recommend updating Joomla and third-party extensions to the latest versions and deleting all suspect accounts.

It might also be prudent to run a commercial scanning service over the website such as myjoomla.com or sucuri.net to check for malicious files.


@Bryan171

Your installation seems to be hacked. People can programmatically apply new users to hacked sites, even if the sites are deactivated.

- Back up your database.
- Set up folder protection for your Joomla installation folder with htpassword, if you want to clean it out.
- Find compromised/changed files, using Google search or instructions like this or that.
- Replace them with non-compromised files.
- Or delete the installation folder.


@Michele947

A hacker has access to your Joomla instance with administrative rights, you should be worried: Your site is compromised.

This is probably due to not keeping the site up to date with the latest updates, as Joomla has several security issues.

Also, a new exploit in PHPMailer (Joomla's default) has been discovered recently that makes unpatched versions vulnerable.

You should use Two Factor Authentication (Joomla has supported it since J!3.2), check all your files for modifications and update to the latest version urgently.

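One way to carry out the "check all your files for modifications" step from the answers above, as an added example that is not part of the original thread: it compares the live site against a clean extraction of the same Joomla release by SHA-256. The `EXPECTED_LOCAL` and `NO_PHP_DIRS` lists and the two directory arguments are assumptions to adjust per site.

```python
import hashlib
from pathlib import Path

# Files that legitimately differ from a clean package (assumption; adjust per site).
EXPECTED_LOCAL = {"configuration.php"}
# Upload and cache directories where newly added PHP should not appear (assumption).
NO_PHP_DIRS = ("images", "media", "tmp", "cache")
PHP_SUFFIXES = (".php", ".phtml", ".php5")


def sha256_file(path):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map each regular file's path relative to root (POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def compare_trees(clean_root, live_root):
    """Compare a live site against a clean extraction of the same release."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    added = sorted(set(live) - set(clean) - EXPECTED_LOCAL)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys()
                           if clean[f] != live[f]),
        "missing": sorted(set(clean) - set(live)),
        "added": added,
        # New PHP inside an upload or cache directory is the first thing to review.
        "suspicious": [f for f in added
                       if f.lower().endswith(PHP_SUFFIXES)
                       and f.split("/")[0] in NO_PHP_DIRS],
    }


if __name__ == "__main__":
    import sys
    # Usage: python compare.py <clean_extraction_dir> <live_site_dir>
    for kind, files in compare_trees(sys.argv[1], sys.argv[2]).items():
        for name in files:
            print(f"{kind}\t{name}")
```

On a normal site the clean package's `installation/` directory shows up under missing, and third-party extension files show up under added, so compare those against their own clean packages.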