Discuss: A long day...
- louis.landry
- Joomla! Ace
- Posts: 1380
- Joined: Wed Aug 17, 2005 11:03 pm
- Location: San Jose, California
- Contact:
Discuss: A long day...
Joomla Platform Maintainer
A hacker does for love what others would not do for money.
A hacker does for love what others would not do for money.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Discuss: A long day...
A long day indeed... and night... hehe
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- louis.landry
- Joomla! Ace
- Posts: 1380
- Joined: Wed Aug 17, 2005 11:03 pm
- Location: San Jose, California
- Contact:
Re: Discuss: A long day...
Yes ... it is nearly 5am now ... and I am exhausted .... we will be working to bring back as much as we can in the next few hours.
Louis
Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.
A hacker does for love what others would not do for money.
-
- Joomla! Enthusiast
- Posts: 142
- Joined: Wed Aug 17, 2005 3:19 pm
- Contact:
Re: Discuss: A long day...
As Louis says it has been a long day but I am glad the problem has been tracked down and isolated.
I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.
You will see the main Joomla site coming up shortly and the others will follow not far behind. We are just sorting out the backups and then a final security sweep will be done before going live again.
- Chris
I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.
You will see the main Joomla site coming up shortly and the others will follow not far behind. We are just sorting out the backups and then a final security sweep will be done before going live again.
- Chris
- Chris
- LorenzoG
- Joomla! Hero
- Posts: 2983
- Joined: Fri Aug 19, 2005 8:46 am
- Location: Stockholm, Sweden
Re: Discuss: A long day...
Thanks Louis and the rest of the team.
Nice to hear that it seems to be a custom component that is the culprit and not the core itself.
I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.
Nice to hear that it seems to be a custom component that is the culprit and not the core itself.
I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.
Industributik - http://www.industributiken.se
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Discuss: A long day...
Can't agree more!LorenzoG wrote: I also think it's important to stress that we never should post who did it or any references and in this way give those hackers and script-kids any credits.
When reporting such events, the best way to act is to propose to mods in the forum concerned to send a pm with the details if these are no more available.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- JacquesR
- Joomla! Enthusiast
- Posts: 183
- Joined: Tue May 19, 2009 3:00 pm
- Location: Cape Town, South Africa
- Contact:
Re: Discuss: A long day...
Thank you Louis for your open and frank announcement.
It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.
Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?
regards,
Jacques
It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.
Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?
regards,
Jacques
Jacques Rentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Discuss: A long day...
Louis
Thanks for the prompt and detailed announcement, I am sure it will put a lot of peoples minds at rest.
Also, a massive thank you to those "at-the-coal-face" behind the scenes .....
Maybe we can take some good away from this unfortunate occurrence and take this opportunity to remind the Joomla! Community at large to be vigilant in their configurations and mindful of their sites' security.
- Joomla! Security Announcements
- Joomla! Security Forum
- Joomla! Administrators' Security Guide
- Joomla! Security and Performance FAQ's Index
- 3rd Party Extensions Security Forum
Thanks for the prompt and detailed announcement, I am sure it will put a lot of peoples minds at rest.
Also, a massive thank you to those "at-the-coal-face" behind the scenes .....
Maybe we can take some good away from this unfortunate occurrence and take this opportunity to remind the Joomla! Community at large to be vigilant in their configurations and mindful of their sites' security.
- Joomla! Security Announcements
- Joomla! Security Forum
- Joomla! Administrators' Security Guide
- Joomla! Security and Performance FAQ's Index
- 3rd Party Extensions Security Forum
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Explorer
- Posts: 316
- Joined: Thu Nov 09, 2006 5:56 pm
Re: Discuss: A long day...
Now it is time to see these guys in jail.
I know Turkish Police Department has an efficient impact on hackers.
Most hackers are catch in 24-36 hours and put in to jail at least 2+ years.
Here some evidences to go hackers.
I http://forum.joomla.org/index.php/topic ... #msg954536
I have also contact phone numbers to help to reach these,
i can give them to joomla officials if needed.
I know Turkish Police Department has an efficient impact on hackers.
Most hackers are catch in 24-36 hours and put in to jail at least 2+ years.
Here some evidences to go hackers.
I http://forum.joomla.org/index.php/topic ... #msg954536
I have also contact phone numbers to help to reach these,
i can give them to joomla officials if needed.
Last edited by Kursat on Sun Aug 19, 2007 10:13 am, edited 1 time in total.
Generaldots.com
- Wendy
- Joomla! Ace
- Posts: 1893
- Joined: Tue Nov 22, 2005 5:20 pm
- Location: British Columbia, Canada
Re: Discuss: A long day...
Many thanks to you all for the work and time you are putting in to this.
Wendy Robinson
Joomla! Community Leadership Team member
Joomla! Community Leadership Team member
- louis.landry
- Joomla! Ace
- Posts: 1380
- Joined: Wed Aug 17, 2005 11:03 pm
- Location: San Jose, California
- Contact:
Re: Discuss: A long day...
I am sorry but I have no way of knowing what exploits may have been used to attack other sites. There is just no way for me to know. It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world. I am guessing that this is a concerted effort that has been planned.JacquesR wrote: Thank you Louis for your open and frank announcement.
It does however still concern me that various other Joomla sites (mostly foreign language) were also defaced yesterday and today by the same person/group.
Since you state that the suspected component was (to your knowledge) never publicly released, was other exploits used for those sites, or do other components share a similar vulnerability?
regards,
Jacques
These site owners have IPs and such in logs, they should contact the ISPs and file complaints. It is possible that nothing comes of it, probable in fact ... but it is something.
Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.
A hacker does for love what others would not do for money.
- JacquesR
- Joomla! Enthusiast
- Posts: 183
- Joined: Tue May 19, 2009 3:00 pm
- Location: Cape Town, South Africa
- Contact:
Re: Discuss: A long day...
I appreciate that you cannot possibly know the cause of the other sites's hacking.louis.landry wrote: I am sorry but I have no way of knowing what exploits may have been used to attack other sites. There is just no way for me to know. It does seem, however that the recent wave of vain and childish defacing is much bigger than just the Joomla! world. I am guessing that this is a concerted effort that has been planned.
There does seem to be a focus by this person on Joomla sites, and even though we now know how access was gained to joomla.org sites, it is still not clear how the other sites was hacked, and therefore the real concern remains that more sites could follow using a possible similar exploit.
In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.
I sent a link to RobS (though your site) for your info. (mailboxes are full)
regards,
Jacques
Last edited by Anonymous on Sun Aug 19, 2007 10:16 am, edited 1 time in total.
Jacques Rentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
-
- Joomla! Enthusiast
- Posts: 176
- Joined: Fri Aug 19, 2005 7:08 pm
- Location: France
- Contact:
Re: Discuss: A long day...
the answer:JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.
Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.
- TomT
- Joomla! Ace
- Posts: 1324
- Joined: Thu Aug 18, 2005 5:50 am
- Location: Amsterdam
- Contact:
Re: Discuss: A long day...
It's such a waist of time for everyone, this vandalism..... I hope you can all get some much deserved rest soon.
Thanks, Tom
Thanks, Tom
- masterflafer
- Joomla! Apprentice
- Posts: 12
- Joined: Tue Aug 07, 2007 8:52 pm
Re: Discuss: A long day...
I hope they will end up in jail.
Googling their names I found couple sites where they show their "success". WTF
They have also site and forum.
There must be way to find them and bring them to justice.
Googling their names I found couple sites where they show their "success". WTF
They have also site and forum.
There must be way to find them and bring them to justice.
- JacquesR
- Joomla! Enthusiast
- Posts: 183
- Joined: Tue May 19, 2009 3:00 pm
- Location: Cape Town, South Africa
- Contact:
Re: Discuss: A long day...
You may be miss-understanding what I'm saying here.hornos wrote:the answer:JacquesR wrote:In trying to find a common exploit, I'm trying to help to prevent this person (or copy-cats) from affecting other Joomla-based sites.Rochen wrote:I think we are lucky that the particular component that was exploited is only used on the Joomla shop site and not by the community at large or this could be a much more serious problem.
I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.
Though limited in number (currently), it does seem to suggest that this incident is not confined to joomla.org and needs further attention/investigation.
regards,
Jacques
edit: added clarification
Last edited by Anonymous on Sun Aug 19, 2007 10:28 am, edited 1 time in total.
Jacques Rentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
- fw116
- Joomla! Ace
- Posts: 1373
- Joined: Tue Sep 06, 2005 11:18 am
- Location: Germany
Re: Discuss: A long day...
thanx for ur report and nice to hear thats not the joomla core..
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Discuss: A long day...
Alright, the main sites are up now. Yes, I know... not all of them. I am absolutely exhausted, it is 5:30 in the morning and I am going to bed. We will finish the other sites in the morning later.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- masterchief
- Joomla! Hero
- Posts: 2247
- Joined: Fri Aug 12, 2005 2:45 am
- Location: Brisbane, Australia
- Contact:
Re: Discuss: A long day...
Thanks everyone involved for working the problem and sacrificing the better parts of you collective weekends for the benefits of all.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
-
- Joomla! Enthusiast
- Posts: 176
- Joined: Fri Aug 19, 2005 7:08 pm
- Location: France
- Contact:
Re: Discuss: A long day...
Attacks were not directed to joomla based sites exclusively !!JacquesR wrote:I won't post the link here that confirms what I'm trying to say, but the same cracker defaced various private sites (yesterday and today) using an unknown exploit. These sites are not related to the joomla.org sites, but are community sites that are built on Joomla.
As mentionned in the annoucement:
It just means that the guys in charge of http://shop.joomla.org didn't not follow security baselines :P : http://help.joomla.org/component/option ... temid,268/Of all of our sites, there was one that still had register globals emulation on. Of all of our sites there was one that had the htaccess file missing and most importantly ... that one site has a remote file inclusion vulnerability
Last edited by hornos on Sun Aug 19, 2007 11:18 am, edited 1 time in total.
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Discuss: A long day...
Great work guys. Thanks for picking up the slack while I was busy this weekend.
Brad Baker
https://xyzuluhosting.com
https://xyzuluhosting.com
-
- Joomla! Guru
- Posts: 682
- Joined: Thu Aug 18, 2005 9:10 pm
- Location: Hey! I'm in Hartlepool! We hang monkeys!!!
- Contact:
Re: Discuss: A long day...
Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( ), Joomla 1.0.4 (upgrade? why would I wanna do that) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.this incident is not confined to joomla.org and needs further attention/investigation.
There's only one sure-fire method of protecting yourself in these cases - backup - regularly and fully! Be ready to take the hit if you don't. And don't blame anyone but yourself!
And one other thing... what's with all of this "He's not a hacker... he's a cracker" crap that I've seen kicking around in the 6+ pages of posts. WTF??? It's almost like we're giving the scumbags recognised levels of professional qualification!
I've decided that, should I ever be a victim to a defacement of one of my sites, I will take this stance - I have NOT been "hacked" or "cracked" - I've been "SCUMMED". Seems a much more fitting term. ;)
When all of your wishes are granted, many of your dreams will be destroyed...
-
- Joomla! Explorer
- Posts: 316
- Joined: Thu Nov 09, 2006 5:56 pm
Re: Discuss: A long day...
This morning i spoke with one officer friend at Turkish Police Dep. on joomla case.
He told me that if the attacked server (as a starting point) is staying in Turkey they examine the hacked server with website personel and pick attacker to jail in a few days.
If the server is at EU and USA, these countries police dept.s are in tight connection with Turkish PDs. In this case server (area attacked) is examined by those PDs and evidences
examined by Turkish PDs concurrently. Necessary action is taken to the attacker.
In these cases when website owner claims the police help, the case becomes a public case
in all these countries. So the attacker has no chance to live freely at least a few years of time.
Officer said that police help is a necessary to find attacker because website owners can only investigate their own servers and their ISP's helps, but police depts have power to control all the related routers, equipments, related other ISPs/networks information globally.
He told me that if the attacked server (as a starting point) is staying in Turkey they examine the hacked server with website personel and pick attacker to jail in a few days.
If the server is at EU and USA, these countries police dept.s are in tight connection with Turkish PDs. In this case server (area attacked) is examined by those PDs and evidences
examined by Turkish PDs concurrently. Necessary action is taken to the attacker.
In these cases when website owner claims the police help, the case becomes a public case
in all these countries. So the attacker has no chance to live freely at least a few years of time.
Officer said that police help is a necessary to find attacker because website owners can only investigate their own servers and their ISP's helps, but police depts have power to control all the related routers, equipments, related other ISPs/networks information globally.
Last edited by Kursat on Sun Aug 19, 2007 11:52 am, edited 1 time in total.
Generaldots.com
- JacquesR
- Joomla! Enthusiast
- Posts: 183
- Joined: Tue May 19, 2009 3:00 pm
- Location: Cape Town, South Africa
- Contact:
Re: Discuss: A long day...
Not hounding anyone. Only attempting to gain better understanding of the defacement of various sites built on Joomla, yesterday and today (by a spesific individual/group).jmc wrote:Yes. By the site owners. Who are probably (just like every doofus who comes to these forums bleating about a hack/crack) running any number of insecure components, incorrect chmod, globals on ( ), Joomla 1.0.4 (upgrade? why would I wanna do that) and God knows what else. I hope you'll be as diligent in your pursuit of their answers as you seem to be in hounding the Joomla! team.this incident is not confined to joomla.org and needs further attention/investigation.
The other sites are mostly in Russian or Italian, and I'm unaware if they have forums.
I ask the questions here, since it is a public forum for the Joomla community, and security issues would be of concern to us all.
There is no contradiction in sincerely thanking the Joomla team for all their efforts in restoring the joomla.org sites, and at the same time trying to figure out what commonality there may be between these defacements and those of the other sites.
The knowledge gained could prevent myself and others from falling victim to the same attacks.
I do agree with you that regular backups is a must, since no software or system can ever be 100% secure (mostly due to the human element).
regards,
Jacques
Jacques Rentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
New Web Consulting
https://webconsulting.co.za/ -- https://twitter.com/JacquesRentzke
- cbh
- Joomla! Apprentice
- Posts: 39
- Joined: Sun Aug 28, 2005 11:20 pm
- Location: Toronto, Ontario, Canada
Re: Discuss: A long day...
Thanks for the detailed information. Just a suggestion - should this announcement not also be posted in the security forum, so that those of use who registered for updates by email can receive it that way as well?
Thanks for all your hard work on this.
Cheers
Chris Hutcheson
Thanks for all your hard work on this.
Cheers
Chris Hutcheson
- Tonie
- Joomla! Master
- Posts: 16553
- Joined: Thu Aug 18, 2005 7:13 am
Re: Discuss: A long day...
That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.
-
- Joomla! Explorer
- Posts: 316
- Joined: Thu Nov 09, 2006 5:56 pm
Re: Discuss: A long day...
very nice for communityTonie wrote: Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla.
this is the best new of the day,
Generaldots.com
- cbh
- Joomla! Apprentice
- Posts: 39
- Joined: Sun Aug 28, 2005 11:20 pm
- Location: Toronto, Ontario, Canada
Re: Discuss: A long day...
I see what you mean, in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.Tonie wrote: That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.
Cheers
Chris
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Discuss: A long day...
I posted this as sooon as we got the News concerning the solution of the problem.cbh wrote:I see what you mean, in terms of making the announcement and of it being a hard call. I'm not much on the technical side, so a lot of what's gone on, beyond the fact that there was a potential issue I should be watching out for. In that sense it some sort of heads up would be good just to make me aware. Perhaps an announcement along the lines of "not a Joomla issue diretly, but could be a problem" might be a good thing.Tonie wrote: That's a hard one. Neither Joomla nor an extension has been hacked, so this luckily has no consequence for websites running Joomla. In that regard I would probably not mention it there.
Cheers
Chris
http://forum.joomla.org/index.php/topic,203293.0.html
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group