Zimbabwean websites hacked. Joomla fault or just poor security management?

L.S.M Kabweza Avatar

So every now and again we get tips about local websites that have been hacked, defaced or compromised in one way or the other. In the past few days, there was an increase in such tips as quite a number of websites, most of organisations very well known, were compromised. As has been the case in the many previous cases we’ve seen, it doesn’t look like these hackers maliciously  targeted these companies – just vulnerabilities random script kiddies come across.

The recent wave of compromise looks to have been targeting one particular vulnerability on Joomla powered websites. The hackers essentially uploaded malicious files in some directories on the websites. The hack itself (see example above in the case of the University of Zimbabwe) is not visible to visitors to the site, but demonstrates how malicious content that could potentially hurt visitors can be added to the site without the owner of the site knowing. We’re guessing a fix for that vulnerability was released but these websites just didn’t get patched.

Here’s a list of some of the websites we got to know of that got compromised. The links are to the screenshots we captured, so don’t be afraid to click through.

Seeing most of these websites use the Joomla CMS, do you think there’s anything inherently insecure about Joomla, or this’s just indicative of the platform many web developers locally use, and that naturally therefore more Joomla sites than other CMSs get hit if left unpatched?


  1. Scooby Doo

    Exploitation of some Joomla back door by soem hactivists coordinated by some Indoneasian Cyber Militants !

    1. Jeremy Hood

      The problem is the web dev’s and the system administrators of the servers don’t update their software. Patches and security updares are released all the time. There are scripts and programs used to scan for servers running exploitable, out of date software.

      Update your servers! Update all of your software!

  2. Raymond Swart

    Looks like a vulnerability on one component mainly jdownloads, so not really a Joomla / Developer fault.

    1. Jeremy Hood

      It is the hosting provider or system administrator of the server, or the developer’s fault ( which ever of them has permission to update ) unless whatever exploit you’re talking about hasn’t been patched.

  3. Farai

    These guys are hiring their friends who do website designing with no knowledge of security. Because he/she did some course at some college now they know it all. Also this shows that it could be the same company behind all these websites (paitwa chifesi) or freebie = money. Also lack of security updates and closing all the loopholes. But biggest disappointment is the UZ hack. Don’t we have any”geeks” left there?

    I had no idea City of Harare and Masvingo have websites…..rushing to join the online race?

    1. Jeremy Hood

      We need real developers, people who do everything from the command line, not from a point-and-click panel. Developers who use real editors like vim or emacs, and know BASH, KSH and other shells, all command line tools available for *NIX systems, can write in assembly, C, Lisp, Scheme and not just PHP, Python, Perl, HTML/CSS and Javascript.

      1. Anthony Somerset

        nothing wrong with GUI’s and good IDE’s as long as the user is highly competent in writing the code from scratch to start with… the issue is that too many “developers” in Zim are just buying or stealing skins/themes for Joomla and/or wordpress and then tweaking them barely slightly and selling to customers for obscene markups respective to the actual work done.

        thats partially the client’s fault for not being clued up enough to do basic due diligence and research before just hiring a friend to half bake the job

        1. tinm@n

          Ditto that!

      2. Gazprom

        Knowing command line isnt a solution here. You can code everything in command line and it will still be vulnerable. The Idea is to patch up update and employ some serious security features

  4. Dennis

    Its a great weakness of JDownloads not just Joomla…which was exploited

  5. tinm@n

    “Seeing most of these websites use the Joomla CMS, do you think there’s anything inherently insecure about Joomla, or this’s just indicative of the platform many web developers locally use, and that naturally therefore more Joomla sites than other CMSs get hit if left unpatched?”

    Shouldnt be what we think… but what we know.

    You seem to have the answer in your questions.
    – unpatched
    – incompetent staff or just zero maintenance

    Most of those are still on J1.5 which long reached its end of support

    We wouldnt blame WordPress if techzim gets hacked unless if its a just-discovered vulnerability.

    Why should we perpetuate the same question.

    Shouldnt we instead be pointing fingers at those organisations, their IT or web developers. Not blaming the product. You dont help in the way you put on an ignorant hat and say… its Joomla!!!

  6. joo

    The problem is company see a website purchase as something that should be done as cheap as possible and a one off payment. This mean the designers make use of the quickest and easiest cms. plugin, template etc to get the job done cheaply then there is no ongoing maintenance fee or contract to look after and patch the site. Until corporates take their web development and management seriously this will continue to happen.

  7. Beatnyama

    The latest version of Joomla are usually very secure. Problems arise when web masters who might not have the necessary skills and knowledge to protect websites from malicious attacks are left to run public facing websites.

    This is also compounded by the fact that in an effort to add features to the core Joomla install, people turn to plugins and extensions and add these to their websites. It is through these untested and unverified extensions and plugins through which script kiddies run automated scans on websites and perform mass hackings and defacement.

    Searching for “jdownloads vulnerabilities” on Google returns a very large number of exploits available that target this extension. So any web master who uses this extension without modifying its code to remove the vulnerability is basically putting a sign that says “please some hack me”

    And as a general comment, most people do not take web security seriously, they just think “they do thega” when in actual fact security should be at the forefront of every webmaster’s mind

  8. UZ WebMaster

    Your article is inaccurate in many facets. UZ website hasn’t used jdownloads in many years. I am very sure that image is from someone else’s Virtual Server.

    Our website hasn’t been compromised in the last 5 years. It’s appropriate for you poor journalists to make proper investigations

    1. L.S.M Kabweza

      Someone else’s virtual server?? How is it even possible for someone else’s virtual server to resolve http://www.uz.ac.zw to their own version of the site?

      We do notice you have cleaned it up, which is good. But why try to be dishonest about it?

      1. Jeremy Hood

        Because he doesn’t want to get into trouble from his boss.

      2. zaniest

        Dont argue with this guy, Kabweza, he has a PHD!hahahhaha!!!

        1. Farai

          Good one !!

    2. Jeremy Hood

      Were you given a Computer Science degree by the way? Was it from UZ 🙂

    3. tinm@n

      TechZim isnt reputable for lying at all.

      There can be articles and sentiments we disagree with, like blaming the tool (Joomla) instead of the carpenter(UZ WebMaster)

      I still insist that it has nothing to do with it being Joomla but more to do with staff that simply neglect and do not maintain their website (pointing at you)

      1. Farai

        UZ Webmaster, this is a tech site that has a great reputation of publishing great, factual (? :D) tech articles. Though not perfect like every other media, the articles really tell us about the state of tech in Zim. Yes many errors have appeared but Kwabeza has fixed them. He is a not a Mr All in IT but sure as hell he brings out the best in everything. If your site was hacked, it was hacked. We know companies deny and point fingers else where when incidents like this happen. So instead of denying and accusing Kwabeza of being a poor journalist, why not do a thorough follow-up on the report with your colleagues, investigate if such happened and give us an explanation (if you want) of what may have caused it to happen or as you say a “virtual” server. The idea here is to learn and everybody wins. If it is something that you feel it can happen to others, tips and tricks will be appreciated. It happens to everyone, ask Econet and RBZ. Better still, read this article to show you how bad it is/was. Also the content on some of these sites is almost 5 years old, meaning nobody actually cares about maintaining them.


        Unless of course you are saying the UZ image was photoshoped…. 😛

        my 2c…(I am also poor!)

    4. UZ Student

      Liar. Site got hacked twice last year

  9. Anthony Somerset

    its not that Joomla is inherently insecure… well it is, just as much as any other web script out there

    its just so difficult (relative to other CMS systems) to update and is one of the most popular CMS systems out there – thats an easy target if you ask any hacker.

    Companies need to get serious about hiring competent developers to either use systems that are easier to maintain when handed over to them or to keep said systems up to date which keeps them protected protected from most (but not all) security exploits.

    90% of hacked sites are due to unpatched vulnerabilities in code that have more than likely already been fixed in present versions of the software

    it scares me how many PC’s are still running XP in the wild at the moment. for example i was in the CIMAS office just this week and there frontend machines are all using XP still – this is the next big hack issue thats going to happen (XP vulnerabilities)

    1. Mark Simko

      The newer versions of Joomla have 1 click update, and the administrator panel tells you when an update is available. Same for the extensions. What could be easier?
      As far as older versions, Updating was simple with running a patch.
      The only update issues for Joomla were when novices hacked the core, Joomla parlance for changing code where it shouldn’t be changed. Joomla is built in such a way that you can change the output by using the built in override system. If you did things right, it was always safe to upgrade. If you didn’t, an upgrade would overwrite your code. Those with invested time might not want to overwrite, and leave their web site vulnerable.
      Also, when vulnerablilities are discovered in extensions, and not corrected, the extensions get listed on a list of vulnerable extensions. These are extensions that should not be used. They are not listed in the Joomla Extension Directory.
      Keep informed
      Keep Updated
      Keep a backup

      1. Anthony Somerset

        i’ve had to deal with the present version of Joomla and the updating is much better than previously but it could be so much better. just look at the approach wordpress is taking with auto security updates of core now.

        the days of patche files were just as horrific if you ask me, the majority of people left maintaining these sites wouldn’t know what to do in many cases, but at the time a step in the right direction!

        but your pretty much 100% right with the poor development standards causing majority of issues, its the same with WP and with Drupal to mention the other big 2 CMS

        if any developer “hacked” core components of a system when it has overrides or extensibility then i would be recommending to my superiors that we dropped said developers. I’m also looking at the developers that hack a free version of a plugin to hide a link back because they can’t be bothered to pay the $20 or so fee to “license” it which removes such link backs

  10. Rainman

    Why in this day and age would you be using Joomla. The actual act of using Joomla should be punishable by death in front of a firing squad or better yet design websites for internet explorer 6 or 7.

    1. Mark Simko

      You use Joomla because it is the most advanced of the most popular CMS systems.
      So advanced that other CMS systems are looking at Joomla code to copy functionality.
      So advanced that it is included in the Composer Project.

      Why would you use anything else?

      1. Anthony Somerset

        i wouldn’t say its the most advanced at all, just as much as i won’t say wordpress is the most advanced either

        all of the CMS’ main goal is not to be the most advanced at the core, its to be the most efficient and secure at getting its core things done (e.g. managing content) its the plugins and modules that makes the CMS more “advanced” – saying a CMS is “advanced” is all relative at the end of the day

        the reason people use joomla is that it gets specific jobs done, and makes them easier (just like WP or Drupal or any other CMS/Framework) you should always pick the CMS/Framework that best fits the project requirements rather than just through joomla at it.

        For example for a blog i would never use Joomla, if you ask me i would say its stupid to use anything other than WordPress here

        if i want to develop a custom site that is managing some custom data then i would probably use CodeIgniter or Symfony, perhaps Drupal at a stretch.

        The point is not, “don’t choose Joomla”. The point is, choose the best/right tool for the job and make sure its always sharpened, greased and ready to work at its optimum (updated regularly)

        IE is a different story, it should be burned at the stake (except perhaps the latest version)

      2. ndini

        a real developer would know that the most advanced cms is Drupal. people use WordPress because its very easy for blogging, and joomla because it is easier to set up for other functions other than blogging, but through plugins, whereas Drupal can offer you all that you may want, but means writing your own for plugins and additional custom features. that’s the part were fake developers get stuck, and where the site building demands more expensive resources.

    2. Gazprom

      Ha ha ha Wakasara seTarino if you still think IIS or Microsoft products are what drives IT, i mean server end,

  11. Zim Drupal Sites Hacked

    FOUND 3 DRUPAL SITES DEVELOPED BY QUATROHAUS CURRENTLY HACKED < <<< http://bata.co.zw/ , http://www.researchbiafrica.com/, http://www.povo.co.zw/

    1. Bayhaus

      Thanks for the heads up regards to POVO!

  12. no security in zim

    well what do you expect most companies think a firewall is a replacement for real security qualified personnel and dont understand that a website needs stringent controls. on one site for a large organisation in the error page it told me the architecture server type and datatbase connection it uses instead of returning a 404 error.

    1. joo

      404 is not found, it would return a 500 for a general server error. But your point still stands, they should have custom error pages which log the error for analysis but do not disclose anything to the public.

  13. timon

    Cry my beloved country,cry!

  14. Anonymous

    Code is vulnerable to hacking, the question is just how popular the code is in relation to relevance in the world. Joomla, WordPress are known to be the leaders in CMS as such are more prone to attacks by hackers with a point to prove. Companies and developers must share responsibility in maintaining websites.

  15. flint

    Who hosts these .zw sites anyways?

  16. lon

    Seriously……its time to abandon joomla and start using other CMS tool with better security. I have expressed my concern about the lack of security in Joomla on over 5 article published on this site. The problem is with the inexperienced developers who sell such crap products to companies. You guys are only lucky because there are no tight security compliance and regulations in zim yet. Countries that care about security are mandating the dumping of crap like Joonla. They are so easy to hack….yes very easy to hack.

  17. Hungwes

    The Y2K principle! As long as you do not program diligently and trust CUT&PASTE, you will fall into such pitfalls! The same applies to selection of service providers, CUT&PASTE don’t work!


    kkkklol u wil suffer