Joomla Facebook Connect support forum

mod_jfbcfan hacked
15 years 2 weeks ago #10422 by iveth
mod_jfbcfan hacked was created by iveth
Hi
My mod_jfbcfan was hacked, here is what I got:

It has come to our attention that you are hosting a fraudulent "phish"
website that is attempting to steal account information from customers of
M&T Bank. The URL of the fraudulent site is as follows:

www.domain.org/modules/mod_jfbcfan/mandt/index.html

I really like jfbc connect, so can these issues be fixed? Thanks, let me know. I will disable it until further notice.
The topic has been locked.
Support Specialist
15 years 2 weeks ago #10430 by alzander
Replied by alzander on topic mod_jfbcfan hacked
Iveth,
We do security checks on every release of JFBConnect and follow all Joomla best-security practices. I truly don't believe that, if you were hacked, it was through the JFBCFan module. In over 2 years, we've never had a report of a severe security vulnerability which would let an intruder modify the local database or file-system, and we've never been listed on Joomla's Vulnerable Extension List (VEL).

The JFBCFan module itself doesn't write to your database and doesn't take any user-inputs at all (by using the query string or other). Both of these are common ways that can be used to hack a site if the extension is not coded properly.

Also, when any extension does have a vulnerability, it usually opens up your whole site for malicious activity. So, if extension "a" is vulnerable, it's very easily possible for a bad person to put a file in any directory on your site, including one that's part of JFBConnect. That doesn't necessarily mean that the location of the unwanted files is the source of the entry point.

With that said, some obvious things to check are:
* Do you have any extensions which are listed on the VEL? Please note that extensions are removed from the VEL about 6 months after any hole has been patched, so it's also best to visit any extension vendor's page that you're using to make sure that you're up to date. If not, check their changelog for security fixes between the release you have, and the most recent version:
docs.joomla.org/Vulnerable_Extensions_List

* Are any of your directories set to the permissions of 777? Definitely look at the /modules/mod_jfbcfan directory, but you should look at every directory on your site. If any directory has open permissions, then a bad script can be uploaded there. Once there, it can be executed and do anything, including copying files to other directories.

* Look through your filesystem for other unknown/unwanted files. They may be similar to the files in the mandt directory you mention above, but may not be. If you find any, you really should re-do your whole site. There are a lot of great instructions on how to do this (don't just restore an old backup), and the most recent and thorough post I've seen is:
forum.joomla.org/viewtopic.php?p=2508716#p2508716

Finally, where did you get that message? Was that an email? I found Mandt Bank's webpage, but am curious if they provide any information about what they detected or what they know.
Also, I'm assuming there were files in that directory that you mentioned. Do you know anything about those files, and have you deleted them yet?

Hope this helps you get started, and if you have any indications, other than the directory, that the Fan module was involved in the intrusion, we'll be happy to help further.
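
The permission and unknown-file checks suggested in the reply above, as an added example (not part of the original thread and not JFBConnect code): it lists top-level entries in a module directory that the module's XML manifest does not declare, and directories that are world-writable. The sample tree and its file names are constructed for illustration; only the `mandt` directory name comes from the thread.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def audit_module(module_dir, manifest_name):
    """Return (undeclared, world_writable) for one Joomla module directory."""
    root = ET.parse(os.path.join(module_dir, manifest_name)).getroot()
    declared = {manifest_name}
    for node in root.findall("./files/*"):
        if node.tag in ("filename", "folder") and node.text:
            # Compare top-level entries only, so keep the first path component.
            declared.add(node.text.strip().split("/")[0])
    undeclared = sorted(set(os.listdir(module_dir)) - declared)

    # Directories any local user (or a compromised script) can write to, e.g. 777.
    world_writable = []
    for cur, _dirs, _files in os.walk(module_dir):
        if stat.S_IMODE(os.lstat(cur).st_mode) & stat.S_IWOTH:
            world_writable.append(os.path.relpath(cur, module_dir))
    return undeclared, sorted(world_writable)


def build_sample():
    """Constructed sample tree: a module plus one directory the manifest never shipped."""
    base = tempfile.mkdtemp()
    manifest = (
        '<extension type="module">'
        "<files>"
        '<filename module="mod_jfbcfan">mod_jfbcfan.php</filename>'
        "<folder>tmpl</folder>"
        "</files>"
        "</extension>"
    )
    with open(os.path.join(base, "mod_jfbcfan.xml"), "w") as fh:
        fh.write(manifest)
    open(os.path.join(base, "mod_jfbcfan.php"), "w").close()
    for name, mode in (("tmpl", 0o755), ("mandt", 0o777)):
        os.mkdir(os.path.join(base, name))
        os.chmod(os.path.join(base, name), mode)
    open(os.path.join(base, "mandt", "index.html"), "w").close()
    return base


if __name__ == "__main__":
    undeclared, writable = audit_module(build_sample(), "mod_jfbcfan.xml")
    print("not in manifest:", undeclared)
    print("world-writable:", writable)
```

Files dropped inside a folder the manifest does declare are not flagged by this comparison; checking against a fresh copy of the extension package covers that case.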
15 years 2 weeks ago #10433 by iveth
Replied by iveth on topic mod_jfbcfan hacked
Alazander

Thanks for all your information. I have scanned the whole site and it seems to be ok now, using oseanti virus. Must admit it could have been a chmod issue. I do have some file from the server that I have zipped; if you would like to look at it, please send me an email for sending it to.
Support Specialist
15 years 2 weeks ago #10436 by alzander
Replied by alzander on topic mod_jfbcfan hacked
Sure, we'll gladly take a look, but likely they won't be anything that will pinpoint the cause, just the effects. Send them (zipped) to [email address protected from spambots].

Thanks,
Alex