The Joomla! Forum ™

Well, looks like I stepped away from my site for about a month and got hacked. I guess I'm posting because I'm hoping if someone looks at the page they can see the errors and maybe give a little hand.

I can't give much info, but can investigate. I had joomla 1.0.9 and had several components. I am not a master joomla user like some of the other threads I read about this. I'm just posting hoping it might get some questions that I can try and investigate and answer.

Here's my site, just happened in the last couple of days. I haven't checked in about a week.

http://www.prettymess.net/main/

Man, I really put a lot of work into this site and it was just about my recording studio. I guess I was naive to believe that I was not going to be targeted by someone with too much time on their hands. My mistake.

(I'm sure you can probably sense the defeat in my post, this really bums me out)

_________________
If you heard that...you should be the engineer!
http://www.prettymess.net

1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will cerainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla  (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group

Ext Cal, Joombook, and joomlaxplorer, I believe.

I do recall a little trouble with my ext cal first.

_________________
If you heard that...you should be the engineer!
http://www.prettymess.net

Not just reinstalling though.. make sure to REMOVE everything first.. or go through each directory and clean it.. I had at least a hundred malicious script files interspersed in my joomla folders AND the htaccess files were all hacked too..

_________________
Thanks!
Aaron

Right. 

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group

I believe there is an update for extcal available (forget where I read that...)

That announcement about the security update for ExtCalendar and links to download are here: http://forum.joomla.org/index.php/topic ... #msg402249

@jproducer - check your files via ftp to see the dates on which they were changed. Since you have been away it should be easy to spot files that were created or modified in the period you weren't doing any work on the site. In most cases, these crackers have not touched the database - a quick check through using phpMyAdmin or whatever you use for database management will tell you if your data has been compromised.  If its ok, the best thing to do would be to backup your database, backup your template folder to your PC (and check files carefully for any changes), then delete all files and do a clean install of Joomla 1.0.10.  If your template is fine its then just a matter of adding that back in and importing your database.

Before adding back any extensions, check the 3PD security forum to make sure you dont install something known to be insecure.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?

I know this is a newbie question, but is it possible?

_________________
If you heard that...you should be the engineer!
http://www.prettymess.net

Yip. Just remove and replace your Joomla files. You will loose any non-core components/modules etc etc though. You might want to ensure you know how to configure your configuration.php file though... once new files are in place, setup configuration.php to connect to database and you should be good to go.

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help & Tutorials
^Now with Joomla 2.5 and Joomla 3.0 Tutorials

I'm another victim of this pirate called MEFISTO. My website was "defaced" using the c99shell script. The attack apparently is related to com_securityimages component.

During the minutes prior to my web site being highjacked by this [EDit by mod: watch your language. Using such terms will not help solve your problems] I found multiples requests of the form

Mod Edit: Please don't paste log files to the forums.  Thank you. -RobS

To my surprise, this URL gives access to perform all kind of operations on the filesystem. MEFISTO then proceeded to overwriting the "configuration.php" with a simple HTML page.

I have now the following in my .htaccess for protection:



which will give a HTTP 403 error on any subsequent attempt to exploit the bug. This is admitedly not a permanent solution.

my site:

/index.php:



i find:

"/" added c99.php
"/components/com_jd-wiki/lib/tpl/default/" added .thumbs.php


in .thumbs.php:



in c99.php:



my site log in Attach:
[removed by moderator=--NEVER post vulneratble logs!]

_________________
### Joomla! AutoIt! ###
Joomla! 中文交流平台  [Chinese GMT +8] http://www.autoit.cn

jd-wiki has been updated:
http://forge.joomla.org/sf/frs/do/viewR ... components

joomla_com_jd-wiki_v1.0.3:
http://forge.joomla.org/sf/frs/do/downl ... s6415?dl=1

You only need to update the template files though:
http://forum.joomla.org/index.php?topic=83724.new#new

_________________
We may not be able to control the wind, but we can always adjust our sails

There is no need to install the new version completly only unzip and replace the templates default and nucleus in /componets/com_jd-wiki/lib/tpl thats it if you only want to update.

If you have Register Global Off you are secure but to be sure also update the templates, the Remote Include Vulnerablility works only with RG = On.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team

thank all!

_________________
### Joomla! AutoIt! ###
Joomla! 中文交流平台  [Chinese GMT +8] http://www.autoit.cn

Just a bit of googling:

mefistofales@hotmail.com brings you a lot of sites that have been hacked by this ingenious fellow. But no info. Although there is a lot of Turkish around these pages, somehow...

Doing a search for mefistofales brings up more interesting stuff, amonst wich 3 profiles, one in chech, one in romania and this one, in turkish:

http://www.blogcu.com/mefistofales

how many people would use this nickname and speak turkish?

There is an email address: yardimciel@gmail.com And a profile page:

http://www.blogcu.com/mefistofales/profile/

with this info:

Blog: ve ve ve
her şeyi bulabileceğiniz bir yer olma umuduyla

• Ad Soyad: selcuk yardimciel
• Cinsiyet: Erkek
• Doğum Tarihi: Kasım 12, 1983 (Yaş: 22)
• Yer: ankara, Turkiye
• Blog Kategorisi: Diğer

Yazdığım Yazılar: 0 kayıt
Yazdığım Yorumlar: 0 yorum
Alınan Yorumlar: 0 yorum
Kayıt Tarihi: 10 Mayıs 2006
Son Giriş: 19 Mayıs 2006

Is there anyone who reads turkish? For example, what does Diger stand for?

The attack on my server, was performed using a script hosted under a yahoo account called sikat_pl. You can see the code here: http://geocities.com/sikat_pl/nenen.txt
Sikat btw seems to be a philipino word if you google for it.

The IP adress from where the attack was staged was 125.160.81.175. I cant trace that address, even with http://www.ripe.net, my ISP does not allow me to do traceroutes either.

The second hacker btw was By_CrueLKurt@hotmail.com, and he also seems to master the turkish language. I think he just started, because google does not reveal a lot of information about this fellow.

Do other people have similar logs?

BTW, this post blocked the attack: http://forum.joomla.org/index.php/topic,75376.0.html

I just went into the backend of my website. I have a statistics component running. and guess what? It shows the last visitor! And guess what? He is from Turkey! And guess what? He has an ADSL modem. It's happily located at

dsl.static8510111679.ttnet.net.tr

If you were also hacked by this Mefisto guy, you can send an email to his provider at musteridestek@ttnet.net.tr, asking for the guys name and address so that you can file a lawsuit against him. Given the fact that he seems to be relatively active, and Turkey really wants to show it is ready to join the EU, is expect they will answer positively to this request.

_________________
OpenSource from Africa
http://www.mountbatten.net

Yeah, there has to be some sort of security hole in joomla. I am on the latest 1.0.10 and 3 of my sites were hit.

Only the index.php was rewritten on each site(atleast all I could find)

Might be something to look into. I have not been able to find any c99.php script.. Only components are

joomlaxplorer(latest version)
my comment(this was installed the day it was hacked(latest version)
community builder(updated a week ago after the new security release)

Hope this helps you figure it out.

_________________
~Chilifrei64
http://www.chilifrei.net
http://www.lazynetworkadmin.com

Whoever this Mefisto is, he's nothing but a low-life hacker wannabe, any real hacker with any shred of dignity wouldn't stoop to something as low as trashing your website..

_________________
Find your dryer parts the easy way...

There are the details of this hackers website: http://WWW.ROOTHACKER.ORG and

His e-mail is: Mefisto@HackerMaiL.Com

Domain ID: D122651965-LROR
Domain Name: ROOTHACKER.ORG
Created On: 18-May-2006 21:19:50 UTC
Last Updated On: 21-Aug-2007 21:57:20 UTC
Expiration Date: 18-May-2008 21:19:50 UTC
Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
(R27-LROR)
Status:OK
Registrant ID: DI_4725324
Registrant Name: Neo Anderson
Registrant Organization: A.S
Registrant Street1: Kadikoy iskele caddesi no:12
Registrant Street2:
Registrant Street3:
Registrant City: kadikoy
Registrant State/Province: Istanbul
Registrant Postal Code: 06000
Registrant Country: TR
Registrant Phone: +212.5555555

The same info for Admin and Technical contact.

His name is probably false [ref: Matrix] , but you never know. The address seems a legit personal home address.

The IP for these nameservers is: 80.93.221.97

The name servers are:
ROOT.ROOTHACKER.ORG
DAMAR.ROOTHACKER.ORG

Address DN                      Type    Value
97.221.93.80.in-addr.arpa  name    host-80-93-221-97.teklan.com.tr 

He has had 22 unique nameserver changes for this domain within the last year.


Other domian associations: hackturkiye.net as well as hackyurkiya.com


As his website contains illegal material, his illegal activity is atrributable with a Google search and he seems to be hosting the site at home I'd complain to Domain Name Regsitrar of .org domains and complain to the registering agent: Directi Internet Solutions, who are based in the USA, requesting deletion of the domain name.

Some news - this person was behind the organisation many joomla hackers came from including MEFISTO...

http://thebellwetherdaily.[URL banned].com/2008/03/fbi-probing-ohio-based-computer-hacker.html

Sunday, March 02, 2008
FBI Probing Ohio-based Computer Hacker: European Webhost Targeted From Cincinnati Surburb?

CINCINNATI (TDB) -- The FBI's computer crimes squad is on the trail of an Ohio hacker suspected of defacing Internet sites that use a company in Finland, Scene Group Oy, as their webhost. One of the targeted 'net sites reportedly was BahiaNetStore.com, which markets Brazilian-themed women's apparel. A federal magistrate authorized a search warrant last week for a Butler County home near Cincinnati where the hacker may have operated under the online screen name, or hacker tag, "Evilthoutz." No charges have been filed.

Scene Group is a private firm based in Pori, a city of more than 100,000 residents that is the 10th largest in Finland. A company official, Mikko Kivinen, is identified in a federal court affidavit obtained by The Daily Bellwether as first reporting the hacking incidents last November 28. Kivinen later traced the suspected hacker to an online bulletin board and a page on MySpace. Kivinen told the FBI his company was a target:

"Kivinen also stated that Evilthoutz was successful in hacking into the company's server and forwarding several e-mails to the e-mail address *****. During the hack, Evilthoutz tried to change the root password of the server and was unsuccessful. Evilthoutz then called the company hosting the servers, located in Texas, in an attempt to socially engineer the root password. Again, Evilthoutz was unsuccessful in changing the root password. Kivinen noted that the last website defacement occurred on December 27, 2007. Kivinen had no idea why Evilthoutz targeted his company."

The FBI said a confidential informant has contacted the suspected hacker online and discussed website defacements. Other records about Evilthoutz were subpoenaed from Microsoft and Cincinnati Bell, which operates a highspeed Internet service called Zoomtown.