I had not seen this previously. Symptom was website displayd only ERROR and nothing error related in logs. Apache access log showed the access but nothing beyond that. After some head scratching I looked at the database, it had been purged and replaced with table WARNING containing instructions on where to send bitcoin. I restored database from backups, I could guess which old copy was still OK by comparing size of database dump. The cracked ones were tiny, the good one was the latest with bigger size. Then change all password for that website and database. I do not know how the cracker managed to do this. It may be by guessing the database user password, or foxcontact (both cracked Joomla sites had Foxcontact) had some security hole. Or some other Joomla add-on. The server runs ISPConfig, I posted on this forum since nothing ISPConfig related in this cracking issue.
I've seen this before, basically, the hacker got the MySQL database credentials of a website through a vulnerability in the cms or he was able to guess them or got them from another source like a hacked desktop system where they are stored to manage that site. As soon as he is able to upload code in the cms context, he has access to the database of that cms as well and can do with the database contents whatever he wants. So the hack is not different from a website sending spam, just a different business model of the hacker. The underlying security issues are the same, vulnerable cms systems.
had exactly the same type of hack this morning. this time on a site using the Laravel framework. albeit, the Laravel was a 2 1/2 year old version, been telling them for ages they needed to update it...…. at least now they might believe me.
