The Joomla! Forum™

In reference to: http://forum.joomla.org/index.php/topic,203290.0.html

Discuss here.

Thanks,

Louis

A long day indeed... and night... hehe 

Yes ... it is nearly 5am now ... and I am exhausted .... we will be working to bring back as much as we can in the next few hours.

Louis

As Louis says it has been a long day but I am glad the problem has been tracked down and isolated.

I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

You will see the main Joomla site coming up shortly and the others will follow not far behind. We are just sorting out the backups and then a final security sweep will be done before going live again.

- Chris

Thanks Louis and the rest of the team.

Nice to hear that it seems to be a custom component that is the culprit and not the core itself.
I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.

Thanks everyone, for all the hard work!

LorenzoG wrote: I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.

Can't agree more!
When reporting such events, the best way to act is to propose to mods in the forum concerned to send a pm with the details if these are no more available.

Thank you Louis for your open and frank announcement.

It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.

Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?

regards,
Jacques

Louis

Thanks for the prompt and detailed announcement, I am sure it will put a lot of peoples minds at rest.

Also, a massive thank you to those "at-the-coal-face" behind the scenes .....


Maybe we can take some good away from this unfortunate occurrence and take this opportunity to remind the Joomla! Community at large to be vigilant in their configurations and mindful of their sites' security.

  - Joomla! Security Announcements
  - Joomla! Security Forum
  - Joomla! Administrators' Security Guide
  - Joomla! Security and Performance FAQ's Index
  - 3rd Party Extensions Security Forum

Now it is time to see these guys in jail.

I know Turkish Police Department has an efficient impact on hackers.
Most hackers are catch in 24-36 hours and put in to jail at least 2+ years.


Here some evidences to go hackers.


I http://forum.joomla.org/index.php/topic ... #msg954536

I have also contact phone numbers to help to reach these,
i can give them to joomla officials if needed.

Many thanks to you all for the work and time you are putting in to this. 

JacquesR wrote: Thank you Louis for your open and frank announcement.

It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.

Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?

regards,
Jacques

I am sorry but I have no way of knowing what exploits may have been used to attack other sites.  There is just no way for me to know.  It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world.  I am guessing that this is a concerted effort that has been planned.

These site owners have IPs and such in logs, they should contact the ISPs and file complaints.  It is possible that nothing comes of it, probable in fact ... but it is something.

Louis

louis.landry wrote: I am sorry but I have no way of knowing what exploits may have been used to attack other sites.  There is just no way for me to know.  It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world.  I am guessing that this is a concerted effort that has been planned.

I appreciate that you cannot possibly know the cause of the other sites's hacking.

There does seem to be a focus by this person on Joomla sites, and even though we now know how access was gained to joomla.org sites, it is still not clear how the other sites was hacked, and therefore the real concern remains that more sites could follow using a possible similar exploit.

In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

I sent a link to RobS (though your site) for your info. (mailboxes are full)

regards,
Jacques

JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

the answer:

Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

It's such a waist of time for everyone, this vandalism..... I hope you can all get some much deserved rest soon.

Thanks, Tom

I hope they will end up in jail.

Googling their names I found couple sites where they show their "success". WTF
They have also site and forum.
There must be way to find them and bring them to justice.

hornos wrote:

JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.

the answer:

Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.

You may be miss-understanding what I'm saying here.

I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.

Though limited in number (currently), it does seem to suggest that this incident is not confined to joomla.org and needs further attention/investigation.

regards,
Jacques

edit: added clarification

thanx for ur report and nice to hear thats not the joomla core..

Alright, the main sites are up now.  Yes, I know... not all of them.  I am absolutely exhausted, it is 5:30 in the morning and I am going to bed.  We will finish the other sites  in the morning later.

Thanks everyone involved for working the problem and sacrificing the better parts of you collective weekends for the benefits of all.

JacquesR wrote:I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.

Attacks were not directed to joomla based sites exclusively !!

As mentionned in the annoucement:

Of all of our sites, there was one that still had register globals emulation on.  Of all of our sites there was one that had the htaccess file missing and most importantly ... that one site has a remote file inclusion vulnerability

It just means that the guys in charge of http://shop.joomla.org didn't not follow security baselines :P : http://help.joomla.org/component/option ... temid,268/

Great work guys. Thanks for picking up the slack while I was busy this weekend.

this incident is not confined to joomla.org and needs further attention/investigation.

Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( ), Joomla 1.0.4 (upgrade? why would I wanna do that) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.
There's only one sure-fire method of protecting yourself in these cases - backup - regularly and fully! Be ready to take the hit if you don't. And don't blame anyone but yourself!
And one other thing... what's with all of this "He's not a hacker... he's a cracker" crap that I've seen kicking around in the 6+ pages of posts. WTF??? It's almost like we're giving the scumbags recognised levels of professional qualification!
I've decided that, should I ever be a victim to a defacement of one of my sites, I will take this stance - I have NOT been "hacked" or "cracked" - I've been "SCUMMED". Seems a much more fitting term.  ;)

This morning i spoke with one officer friend at Turkish Police Dep. on joomla case.
He told me that if the attacked server (as a starting point) is staying in Turkey they examine the hacked server with website personel and pick attacker to jail in a few days.

If the server is at EU and USA, these countries police dept.s are in tight connection with Turkish PDs. In this case server (area attacked) is examined by those PDs and evidences
examined by Turkish PDs concurrently. Necessary action is taken to the attacker.

In these cases when website owner claims the police help, the case becomes a public case
in all these countries. So the attacker has no chance to live freely at least a few years of time.

Officer said that police help is a necessary to find attacker because website owners can only investigate their own servers and their ISP's helps, but police depts have power to control all the related routers, equipments, related other ISPs/networks information globally.

jmc wrote:

this incident is not confined to joomla.org and needs further attention/investigation.

Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( ), Joomla 1.0.4 (upgrade? why would I wanna do that) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.

Not hounding anyone. Only attempting to gain better understanding of the defacement of various sites built on Joomla, yesterday and today (by a spesific individual/group).

The other sites are mostly in Russian or Italian, and I'm unaware if they have forums.

I ask the questions here, since it is a public forum for the Joomla community, and security issues would be of concern to us all.

There is no contradiction in sincerely thanking the Joomla team for all their efforts in restoring the joomla.org sites, and at the same time trying to figure out what commonality there may be between these defacements and those of the other sites.

The knowledge gained could prevent myself and others from falling victim to the same attacks.

I do agree with you that regular backups is a must, since no software or system can ever be 100% secure (mostly due to the human element).

regards,
Jacques

Thanks for the detailed information. Just a suggestion - should this announcement not also be posted in the security forum, so that those of use who registered for updates by email can receive it that way as well?

Thanks for all your hard work on this.

Cheers
Chris Hutcheson

That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.

Tonie wrote: Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla.

very nice for community
this is the best new of the day,

Tonie wrote: That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.

I see what you mean,  in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.

Cheers
Chris

cbh wrote:

Tonie wrote: That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.

I see what you mean,  in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.

Cheers
Chris

I posted this as sooon as we got the News concerning the solution of the problem.
http://forum.joomla.org/index.php/topic,203293.0.html