Joomla 1.5.x Exploit – How to fix

Sites being hacked, friends calling me to ask to fix, and long explanations about why this is happening, just drove me a little bit stressed, so I have decided to write a small how to for fixing this issue.

There are 3 basic steps that you need to do to fix a hacked Joomla 1.5.x website. It’s very simple, but you will need access to a FTP of your website.

1st. Restore the index.php file that is currently on your website. There’s a good chance that it have been replaced to a hacked one. If you don’t have one backup of your website (big mistake) download a newer version from Joomla and copy the index.php to your website.

2nd. Fix or replace the /components/com_user/models/reset.php file. For fixing is simple:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
	return false;

I have made a fix on this file and if you want to download it, be my guest, just hit here.

3rd. Ask for another password for your administrator user. For that you just need to write the site url and add this: index.php?option=com_user&view=reset.

The url will be something like this:

Note: before you do this, be sure that you have access as a super administrator of the site, otherwise you might have a bigger headache to take care of.

About mcloide

Making things simpler, just check: View all posts by mcloide

6 responses to “Joomla 1.5.x Exploit – How to fix

  • Joomla 1.5.x Exploit - How to fix

    […] Go to the author’s original blog: Joomla 1.5.x Exploit – How to fix […]

  • Kurt Cameron

    This is all very good. The fact that Joomla is so complicated means it was DESIGNED. And that DESIGN needs to have had a DESIGNER!!!

  • Joomla

    This advices are dangerous! Don’t fix your site by this manual!

    What about:
    – installed rootkits, mailscripts etc.
    – fixing the database (might by cracked too)
    – still installed vulnerable extensions
    – Joomla! update to the newest version
    – and, and, and

    So, DO NOT only follow these “simple” 3 steps. THAT IS NOT ENOUGH.

    Please, don’t stop giving such advices if you have no glue how to really fix a cracked site, because it’s dangerous for the users!

    • mcloide

      Well if you think about it, if you get to the point that you are doing these steps, this only means that you have already been hacked.

      When I created this post I have fixed about 10 sites in a period of 24 hours. A simple bug that allowed the pass of a token (any) and override the administrator password.

      This exploit for Joomla, widely known over the net, allowed any user to fully take over your site and do whatever he wanted.

      If you have already the newest versions, then no need to worry, probably is already fixed, but if not so, then consider an update.

      Anyway if you don’t consider that you site being hacked is enough to consider an update or, in the heat of the flame, do a quick fix, then… good luck.

  • Fred

    Have you ever considered creating an e-book or guest authoring on other websites?
    I have a blog based on the same ideas you discuss and
    would really like to have you share some stories/information.
    I know my subscribers would enjoy your work. If you are
    even remotely interested, feel free to send me an email.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: