The FacileForms site today also got defaced by somebody calling himself GokTurk, he replaced configuration.php.

We are running joomla 1.0.10. We were before running mambo 4.5.2 and never had any such problem.

From the server logs it could also be a vulnerability in com_docman instead of Joomla itself, but this is yet unconfirmed.

The offending IP was 85.108.211.155, belonging to TurkTelecom. All IP's of TurkTelecom have been locked out from the FacileForms for security, and I highly recommend every Joomla user to do the same until this security hole is fixed. Also make sure your configuration.php is write protected (chmod 444)

It would be extremely helpful if you could send me a copy of the relevant log information by PM or contact me by PM and I will give you my email address.  I have seen a couple of reports of an issue but have not seen any logs or indication as to what they are actually doing. 

Thanks

I personally helped someone yesterday who had Joomla 1.0.10 and got hacked - but it was a SimpleBoard hack and not a joomla hack

Yes well I posted a known vulnerability announcement in this forum about simpleboard sometime ago.

I cannot exclude simpleboard at this time, but I'm still anayzing the logs.

Correct, there have also been reports of another vulnerability in Simpleboard that we are investigating.  From what I understand, Simpleboard isn't maintained for Joomla anymore and was replaced by an offshoot Joomlaboard.  I have tried to go to the Simpleboard maintainer's website but it is having issues.  

Same problem at one of our sites this morning ... someone calling himself ENO7 TURKISH HACKER replaced the configuration.php with some html code displaying his message and a picture.

We are running joomla 1.0.10 since it was released, there was also phpBB2 component installed, but no simpleboard.

The process is currently under investigation.

Regards,

Mike

Is anyone on your server running php-Nuke Peter? This idiot has mainly gone after php-Nuke sites. GokTurk and the sanalkabus.org attacks have been from the same origin and so far, have relied on incorrect file permissions and register_globals ON to get in.
He is usually very obliging, and tells you which files have been defaced (usually index.php and configuration.php) and doesn't touch anything else. I hope your attack is nothing more than this.

Yes, it finally is simpleboard!

We were running simpleboard, allthough all in read-only as reference for old posts (we are on SMF since 2 months now)

This is the offending entry from the log file:

Code: Select all

Code removed for security.

I HIGHLY RECOMMEND EVERYBODY WITH SIMPLEBOARD INSTALLED TO DISABLE IT IMMEDIATELY BY RENAMING THE FOLDER /components/com_simpleboard UNTIL A FIX FOR THE PROBLEM IS FOUND. UNPUBLISHING IT WILL NOT HELP, EITHER RENAME AS ADVISED OR UNINSTALL COMPLETELY.

I saw an example with file_upload.php and not image_upload.php

We were made aware of the vulnerability in image_upload a day or two ago.  I have since attempted to contact the developers of SimpleBoard/JoomlaBoard but have not heard back as of yet.  They should be aware of both issues now. 

@Peter Koch,

Could you please PM me the relevant log.

Thankyou.

I am not sure how long ago the deviation occured but to be on the safe side, I would assume that it does.

Rob, I am preparing a complete log of all his activities and will PM it to you in short.

To be on the safe side, I've renamed my com_joomlaboard directories, but after reviewing the SimpleBoard and the JoomlaBoard code, I believe this is a SimpleBoard only problem. Unfortunately since the exploit has been edited from the forum and I'm not one of those people "in the know" I can't say for certain.

RobS (or anyone else) - If you need an extra hand investigating this, feel free contact me. I'm on the east coast of the US so my day is just starting.

david

Upon further investigation and a helpful suggestion by Elpie and Counterpoint at mamboguru.com who posted this http://forum.joomla.org/index.php/topic,75390.0.html

It seems that the problem that is facing both com_extcalender and com_simpleboard is a lack of valid component checking making it possible to call the php files for those components directly and additionally, include more PHP from a remote site into the code to execute.

I have checked Simpleboard 1.1.0 and it does have this problem however Joomlaboard 1.1.2 should NOT be affected by this problem.  You have a couple of options for dealing with this problem.  1.  Update your Simpleboard installations to Joomlaboard.  2. Manually insert the necessary code into all files installed by Simpleboard and com_ExtCalendar (Extended Calender 2) if you happen to be running that.

This code should be in all files installed by com_simpleboard and com_extcalender.  Basically, everything in /path/to/Joomla/components/com_extcalender,  /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard

Code: Select all

// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );


Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html

TITLE:
Mambo SimpleBoard Component "sbp" File Inclusion Vulnerability

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
SimpleBoard 1.x (component for Mambo)
http://secunia.com/product/10318/

DESCRIPTION:
h4ntu has discovered a vulnerability in the SimpleBoard component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Input passed to the "sbp" parameter in
components/com_simpleboard/image_upload.php isn't properly verified,
before it is used to include files. This can be exploited to include
arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.1.0. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
h4ntu

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1994

Anyone can tell me where i should moderate the file?


EDIT: Topic merged

We are aware of the problem and have addressed it in other topics on this board. 

See: http://forum.joomla.org/index.php/topic,75390.0.html
And: http://forum.joomla.org/index.php/topic,75668.0.html

EDIT: Topic merged

Thanks for the update folks. Very helpful information.

I would like to know what is the effect to joomla if Global_regiser is OFF?

Need to do more research on this board I guess.

None, Joomla! does not require register globals.

RobS wrote:None, Joomla! does not require register globals.

thanks robs.

had the same issues. the css files werent loading either. then i renamed the simpleboard folder and its fixed itself. weird.

and i thought i was the only one to be effected.

CAn I respectfully suggest that people subscirbe to this forum for notifications of new posts.

I reported the vulnerability in simpleboard back on June 2

brian wrote:CAn I respectfully suggest that people subscirbe to this forum for notifications of new posts.

I reported the vulnerability in simpleboard back on June 2

You are pefectly right about the subscription.

However may I respectfully remark we are discussing here a new issue classified as highly critical in http://secunia.com/advisories/20981/, and not the  moderately critical issue you posted back in june.

Maybe so but the previous warning was still ignored.

brian wrote:Maybe so but the previous warning was still ignored.

I think it would be a wonderful new option for joomla to automaticly get a security warning when logging into the backend and one of the installed components has been detected as vulnerable. Joomla (and mambo) has all information such as component / mambot / module names and versions allready, and also all php / mysql / apache informations so nothing really stands against an implementation.

After all the latest security issues around joomla / mambo and its hundrets of add-ons there should be urgently something be done to improve security even for those ten-thousands of users that never visit a forum or ask secunia.

But I guess this is not the thread to discuss it.

You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla

brian wrote:You are right. Perhaps if there was an rss feed filter component written for the admin that would read secunia and this forum for security announcements filtered on the words joomla

I already have this set up in feeddemon :-)

Me too - mine's called "eyes"

Although, I have to say, with this latest crop of vulnerabilities I am spending some time hanging out with blackhats lately and find a quick daily check of proof of concept exploits has been very interesting.