Hi,
My server has now been hacked 2 times in 2 weeks; today it was hacked again. I have all the ports closed. I closed FTP 21 and also SSH 22, but even so they could get into the server and hack my webpage. I use Joomla for building the webpage; can that be the reason? Or is it that I have the firewall off because SELinux is disabled?
These are my configurations:
ISPConfig
CentOS 5.2; I used the Perfect Server tutorial of falco
I have all unnecessary ports closed, even FTP (21) and SSH (22)
Well, I was unlucky to get my site hacked as well.
I found a rs57 shell on my server that was uploaded through an image uploading function.
Look through your web folder and see if you can find any weird-looking scripts.
If I were you I would back up my Joomla database and template folder, reinstall the server and start over with a fresh Joomla (remember to back up user files, images, etc.).
I can recommend you install OSSEC, which is an intrusion detection system; then you can get notified of all scan attacks. And it would most certainly warn you if someone is trying to exec a shell script. I installed OSSEC after my own server got hacked and I enjoy opening my mail and being notified of everything unusual happening on my server.
Joomla can be a PITA, but you can keep it secure if you:
Use the recommended PHP settings (open_basedir, fopen_url)
Use the recommended folder permissions (not chmod 777 on all folders)
Just install well-known, active modules
Keep your Joomla core and modules updated.
mod_security and suhosin are also very helpful
You could also create a bash script that is run hourly or daily by cron that searches for all executable files in paths that you know can be uploaded to. It could then either email you these as a list, or archive them, or delete them.
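One way to write the cron script suggested above, as an added example that is not part of the original thread. It goes beyond the post by also flagging script extensions, since a PHP shell uploaded through an image form does not need an execute bit; the directory paths, quarantine location, mail recipient and function names are assumptions.

```shell
#!/bin/sh
# Added example: cron scan of upload directories. All paths are assumptions.
UPLOAD_DIRS="/var/www/example/images /var/www/example/tmp"   # hypothetical
QUARANTINE="/root/upload-quarantine"                         # hypothetical
MAILTO="root"

# Move every suspect file found under the given directories into $1 and
# print one line per file. A file is suspect when it carries an execute bit
# or a server-side script extension (including names like pic.php.jpg).
# find -exec passes names as arguments, so odd file names cannot confuse it.
quarantine_suspects() {
    dest=$1; shift
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    find "$@" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.php.*' \
        -o -iname '*.phtml' -o -iname '*.pl' -o -iname '*.cgi' \
        -o -iname '*.sh' \) -exec sh -c '
            dest=$1; shift
            for f do
                # Archive name: timestamp plus the original path, sanitised.
                safe=$(printf %s "$f" | tr -c "A-Za-z0-9._-" _)
                new="$dest/$(date +%Y%m%d-%H%M%S)$safe"
                while [ -e "$new" ]; do new="${new}_"; done
                mv -- "$f" "$new" && chmod 600 "$new" && printf "%s\n" "$new"
            done' sh "$dest" {} +
}

# Cron entry point: mail the list only when something was quarantined.
run_scan() {
    # $UPLOAD_DIRS is left unquoted on purpose so it splits into directories.
    report=$(quarantine_suspects "$QUARANTINE" $UPLOAD_DIRS)
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "Suspect uploads on $(hostname)" "$MAILTO"
    fi
}

if [ "${1:-}" = "--run" ]; then run_scan; fi
```

Call the script from cron with `--run`. Quarantining instead of deleting keeps the uploaded file available for later inspection.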