Chronoforms website Hacked

[jerseygirl]

Does anyone know how to get the status of the fix for Chronoforms? Their site (Chronoengine.com) has been blacklisted for a few days (according to Norton - says "malicious Javascript", Sucuri, etc.) I have been successfully using Chronoforms for a few years, and would hope this would get fixed.

Can't find any info on Facebook or Joomla! Extensions Directory page.

Any suggestions?

[sozzled]

I have noticed this too. Although the website is (from what I have observed) "safe", it is only when you try to access topics in the forum that the browser throws a "Reported Attack Page!" message in your face. It may also depend on which browser one uses, too. In my case, I see the message in Firefox but not in Google Chrome, Internet Explorer or Safari. So it might be a "false positive" and not a genuine problem.

As far as obtaining the status of the development of Chronoforums is concerned, development of this product seems to have ceased or the developer has abandoned it. [ redacted ]
Cheers

[anibal_sanchez]

Hi,

The extension is not reported as vulnerable in Joomla Vel: https://vel.joomla.org/

[jerseygirl]

How can I tell if development has ceased on an extension?

What criteria is used to determine an extensions is vulnerable? Guess I'll try reporting this one...

Norton SafeWeb says chronoengine.com is unsafe:
https://safeweb.norton.com/report/show? ... engine.com

And Google Safe Web agrees:
https://www.google.com/transparencyrepo ... engine.com

Also, until I turned the registration form (made with Chronoforms) off, confirmation emails had mostly stopped. But the records did get written to the database...

I don't think this is false positive - Google specifically lists some malicious looking redirects; yet they don't block the site - only Norton does? I don't get it.. Maybe they only block the specific pages, not the entire site.

[sozzled]

I do not know anything about Chronoforms, sorry; I can only speak about the development and use of Chronoforums. Even though—in my earlier reply to you— Toivo considered a link to my blog specifically about Chronoforums was "self-promoting" (and I won't argue whether or not it's appropriate to refer to one's experiences with certain products on this forum), I cannot comment otherwise on the development status of Chronoforms, sorry.

As far as I am aware, Chronoforms is not vulnerable as a Joomla extension. There are issues with parts of the developer's website, yes. Have you notified the developers at chronoengine.com and asked if they are aware of problems with their website?

Also, until I turned the registration form (made with Chronoforms) off, confirmation emails had mostly stopped. But the records did get written to the database...

I think that's something that the developers would be better able to respond to.

[bgrinter]

I notice Chronoforms has turned up on the VEL list and Google now advised the following

https://www.google.com/transparencyrepo ... engine.com

It looks like its their forums that have been compromised, I don't think its been abandoned as there appear to be recent announcement posts (I'm not going to click through for now...)

I'll check back on their site in a couple of days

Be a pity if it is abandoned - makes for a great contact form app.

Regards,
Brian

[fcoulter]

Chronoforms has been listed on the VEL on the grounds that the developer's site is infected with malware, so it is unclear whether anything downloaded from the site is safe. We are attempting to contact the developer to establish the status of the extension.

We are not aware of any recent reports regarding vulnerabilities in Chronoforms itself, but that does not mean that there are not any, simply that, if there are, they are not public knowledge. However it is possible that the extension itself remains safe to use for now, but with caution.

What I would suggest is that, if you are using Chronoforms, you monitor your site logs for attempts at an attack through the extension. If you do uncover something that looks like a new attack then the VEL would be interested to hear from you.

[anibal_sanchez]

Hi,

Chronoforms has been unpublished from JED (until VEL status is cleared).

Regards,

[mandville]

Hi,

Chronoforms has been unpublished from JED
,

i understand this was due to the linking of the extension from jed to an (multiple reported) infected site not the vel listing

[anibal_sanchez]

Yes, you are right. JED cannot redirect unwarned users to an infected site.

Regards,

[jerseygirl]

I downloaded Chronoforms a few months ago, long before this hacking incident (apparently - I guess you don't always know immediately when something happens...). As Fiona suggested, I checked my webhost error log and found this in the component/chronoforms error log - is it a routine PHP warning (and not evidence of an attempted hack)?

[27-May-2016 22:05:53 America/Denver] PHP Warning: PHP Startup: imagick: Unable to initialize module Module compiled with module API=20100525 PHP compiled with module API=20131226 These options need to match in Unknown on line 0

[27-May-2016 22:05:53 America/Denver] PHP Warning: PHP Startup: uploadprogress: Unable to initialize module Module compiled with module API=20100525 PHP compiled with module API=20131226 These options need to match in Unknown on line 0

Also, it looks like Max or someone is trying to fix it... I found this in a Google search but was afraid to click on it for the rest of the detail, since the forum pages on the Chronoengine.com site are supposed to be what was hacked:
chronoform website malware alert on google chrome - ChronoEngine.com
https://www.chronoengine.com/forums/pos ... 59928.html
May 31, 2016 - 9 posts
Yes, the site has been hacked, I have cleaned it twice now and, at the ... to the following dangerous websites: radiosvyazservis.myjino.ru.".

I hope they succeed - I have used this extension for many years and always found the support from Max and Bob to be great.

[sozzled]

@jerseygirl: It's unfortunate that there are victims and consequences as a result of "something" that's infected the forum—and only the forum, from what I can tell—at chronoengine.com. As far as we know, there's nothing specifically wrong or vulnerable with any of the following products:

• Chronoforms;
• Chronoforums;
• ChronoConnectivity; or
• ChronoContact

The problem is that the owner's website was hacked and, as a result of it, we're now in a discussion that has the subject "Chronoforms hacked". Well, we just don't know if Chronoforms itself is at risk.

The further consequences of this discussion are that one of the abovementioned products has been de-listed from the JED. I understand the reasoning for doing it even though I think that it may have been the preremptory exercise of "justice". C'est la vie—it's a warning to all contributors to the JED: if a developer's support site finds its way into one of x blacklists in the world, developers can expect summary de-listing of their products from the JED.

I checked my webhost error log and found this in the component/chronoforms error log - is it a routine PHP warning (and not evidence of an attempted hack)?

It's evidence of a [minor] software issue with Chronoforms but not evidence of any attempted malfeasance.

Good luck with getting your problems with Chronoforms fixed but I suspect Bob and Max have their hands pretty full at the moment.

[fcoulter]

[27-May-2016 22:05:53 America/Denver] PHP Warning: PHP Startup: imagick: Unable to initialize module Module compiled with module API=20100525 PHP compiled with module API=20131226 These options need to match in Unknown on line 0

[27-May-2016 22:05:53 America/Denver] PHP Warning: PHP Startup: uploadprogress: Unable to initialize module Module compiled with module API=20100525 PHP compiled with module API=20131226 These options need to match in Unknown on line 0

Yes these are just minor issues, PHP will always output a few of these, nothing to do with a hack.

I am not part of the JED team, but I know that they would never take the decision to unpublish an extension lightly. It is not a 'preremptory exercise of "justice"', but simply down to the fact that ethically the JED cannot redirect users to an infected site. And let's be clear, the site did not just find its way onto some random blacklist, the developers themselves have stated that the site was infected, so I cannot understand why anyone would want to dispute the JED decision.

As I have said, the VEL know of no recent reports of vulnerabilities in Chronoforms. Of course it is not possible to 100% guarantee that it is safe, but the same is true of any software. What it does mean is that there is no need to panic if your site uses this extension. Just apply some common sense and keep an eye on your logs, make regular backups, ie do the stuff you really should be doing anyway.

As I mentioned, I have been trying to contact the developers to get some clarification of the situation but so far have had no response.

[anibal_sanchez]

Hi,

In addition to avoid redirecting unwarned users to an infected site, if the site remains compromised, we cannot be 100% sure of the hacking intentions or how extensive the modification has been.

If a software distribution channel is compromised, the package itself could also be tampered to further distribute the malicious code.

For instance, when you download a software package, you can check MD5 or SHA1 signatures, published in the author site, to verify changes in the middle. However, if the site is compromised, then signatures could also be modified.

At the end, there is no way to know and it is better to avoid it until the site and extension are restored.

Regards,

[jerseygirl]

I apologize for not being more careful when selecting a topic name at the beginning of this thread... thanks to moderator for correcting it. I have no evidence of any malware or redirects in the chronoforms file that I downloaded a few months ago.

Wish I had the expertise to help get the Chronoengine.com site back up and running, but alas, I do not.

[sozzled]

At the end, there is no way to know and it is better to avoid it until the site and extension are restored.

... and, I would add, a selective application of the rule of law in this case. Chronoforms is only one out of four extensions listed on the JED that are downloadable from an allegedly infected website.

I apologize for not being more careful when selecting a topic name at the beginning of this thread... thanks to moderator for correcting it. I have no evidence of any malware or redirects in the chronoforms file that I downloaded a few months ago.

Unfortunately that's ancient history now when topics, such as yours appear, in the Joomla! Official Sites & Infrastructure » Extensions.Joomla.org - Feedback/Information category—with subject wordings that inspire FUD—the JED team is swift to intervene even if there's only the hint of a suggestion that something is amiss in an extension's listing. The problem for extension developers whose products are summarily de-listed from the JED is that it often takes weeks for their products to be re-listed and to rebuild their damaged reputations because of experiences over which they had no control.

I'm not arguing with the experts here; I'm merely a diarist who's casually observing a minor train-wreck unfolding. Even though I haven't personally used Chronoforms myself (and I have my own opinions about the responsiveness of those who operate their forum), in a way I'm on the developer's side here as to who is ultimately the victim.

[fcoulter]

in a way I'm on the developer's side here as to who is ultimately the victim.

I think your assumption that the JED and presumably others such as myself are not on the developer's side is objectionable. Many of the JED team are developers themselves, as am I. I know from personal experience what it is like to have your site hacked (thankfully not recently): it sucks like a great big sucky thing.

But that is part of the life of being a developer, sometimes bad things like that happen, you have to deal with the consequences, and not blame the JED or the VEL for them, or the users who report it for that matter. Which, to be fair, the developers of Chronoforms don't appear to be doing, it just seems that some others are determined to do so on their behalf.

As far as I am concerned, we are all on the developer's side. I would like nothing better than to see this resolved quickly.

[Vimes]

If a software distribution channel is compromised, the package itself could also be tampered to further distribute the malicious code.

Agreed, and it's why the site should be unpublished until the whole problem is resolved.

[sozzled]

@fcoulter: I totally agree with everything you wrote. I fully agree with one's raising objections against people who allege blame on the JED or the VEL teams. The only problem I have with your response was that I made no such allegations; I hadn't made the assumptions that I suspect I'm being accused of. I was expressing my feelings and, in spite of my several handicaps—the fact I'm a product of genetics and we blokes have difficulty expressing our feelings—I'm actually a reasonably sensitive guy ... even if I lack the requisite diplomacy in how I choose to write.

It's good to see we're all on the developer's side.

[haralake]

Is there anyone have tcpdf.zip actions file for chronoforms v5? because in chronoforms site is infected?? Thank you.

[TheRam]

I have the file, but since the update I've not been able to edit the actions.
Let me have your email and I can send it this afternoon, may just be me.

[bgrinter]

I emailed the developer via the contacts page on the site and got a reply straight away - the forums on the site were hacked by since cleaned up, they're still trying to get removed from the Google vulnerabilities page

[GreyHead]

An update,

The site was hacked - through a sub-domain as far as I can tell. It was cleaned up within a couple of days.

Max, the owner and developer, has been travelling and unable to access the site fully and I only have limited access. With some help I have been able to get both Google and, more recently, Norton to re-check the site. Google gave it an 'all-clear' this morning. I've requested an update on VEL and re-publishing in JED.

The hack took the form of injections in the template index.php files - all my checks on the downloads have been clean.

@haralake : I've sent you a PM with a link to the TCPDF action

[sozzled]

@GreyHead: congratulations and best wishes for the future.

I've requested an update on VEL and re-publishing in JED.

I see that Chronoforms is back again on the JED. Well done! Many of us developers have to wait weeks (sometimes months) before our job tickets receive a reply.

[mandville]

due to totally unusual nature of the reason why this extension was "suspended" from the JED. then the usual process was not in place.
the fact it was linking to a hotlisted website , the vel team investigated and advised the JED who suspended the site from the JED to prevent users visiting it. . The developer and his team were advised and fully aware and agreed with the reasons.
When the site came back clean (today) then the JED were advised and the listing un suspended.

As said before , this was not a normal case of a vulnerable extension, the JED team when informed of the clean report who decided and where and how to republish the extension. Please don't confuse this with a case of any other type of extension issues.
the VEL team will always work to protect the end user and often work with the developer (in this case Bob & Max) to resolve issues.

[jpbhcom]

@GreyHead REALLY glad to see this post! I'm a big fan of ChronoForms, I've been waiting with bated breath ever since seeing the blacklist notices.... So glad to see you've gotten it taken care of!

[jgsaw]

Hi,

Today I started getting this warning on chronoengine.com:

This web page contains potentially dangerous content.
Threat: JS/TrojanDownloader.FakejQuery.A trojan
Access to it has been blocked. Your computer is safe.

The offending code looks to be in the main template. You can see the call here (this is a source code viewing tool) http://www.iwebtool.com/code_viewer?dom ... engine.com @ line 96 - the line starts with a script tag, a timeout, and a call to jquery.min.php on a co.th domain.

You may want to again warn users visiting this site (or remove from the index).

Please pass this onto the developer.

[sozzled]

You may want to again warn users visiting this site (or remove from the index).

I think it would probably be better to contact the developers yourself. They have a forum and I am sure they will be interested in what you have discovered.

[jgsaw]

I think it would probably be better to contact the developers yourself.

I would love to, except that their entire site is compromised - including their forums and contact us page.

I also can't find an email address for them nor can I PM anyone on here (such as GreyHead above) because my joomla forum account is too new.

If you have a contact for them I would gladly do so.

[sozzled]

Although I am sure you have some evidence that the Chronoengine site may be compromised (indeed, I had a quick look myself and discovered a hidden link to "buy Am*** online legally"—not that I'm interested), I don't have the kind of information that you have.

I ran site checks through Sucuri, Google and Norton and none of these report any issues.

I don't personally have any interest in Chronoengine products these days. I just don't like seeing any developer's product(s) being discussed in another forum without giving them the benefit of their right of reply. Thank you for your concerns nevertheless.