Joomla! Discussion Forums




 





Post new topic Reply to topic  [ 22 posts ] 
Posted: Sat Dec 31, 2005 6:01 pm
Joomla! Fledgling
Joined: Sat Dec 31, 2005 5:03 pm
Posts: 4
I am a total newbie with Joomla.  I set up a site for a high school music program which was not really public yet.  The middle school wanted one too - so I was working on that but hadn't touched it in a couple of weeks.  I also had one Joomla site installed for practice. I had not touched any for at least a few days while working on a phpbb forum for the high school site. All three have files that don't belong.  Things were changed or added on 12-29-05 - within a few minutes of each other during a time I was not near the computer.

I have a shared hosting site.  I am relatively new to php.  I have no clue as to what these files do since I do not know what the code means.  I may very well have not changed permissions on files or directories back to whatever they should be when I changed them to edit them.  So I imagine this is my fault - or lack of experience.

So a couple of questions - one, are there good FAQs somewhere on how to be sure you have the site secured properly after you have finished setting things up? Two - what do these files do - just take down your site, or something more malicious?

Here are some of the files added - I will include code for a few - but it is greek to me:

Quote:
administrator/backups/finfo.php




Quote:
administrator/backups/htaccess 12-29-05 16:21
Options -MultiViews
ErrorDocument 404 //elhsmusic/administrator/backups/finfo.php


other files:
test.php
contacts.php
guest.php
package.php
links.php
create.php

Thanks for any info.  I apologize if this was addressed elsewhere - but I am not having a good week with my health - so the timing was bad.  I have tried looking around - but I am fried.  Sorry.

Tech support from my web host emailed and said they could do a restore dating back to the 26th.  So it can be fixed by them - but any info to prevent this again would help.

I love Joomla so far - so I guess this is good I am learning about security before the two sites "go live."

Feathered Wonders


Posted: Sat Dec 31, 2005 6:54 pm
Joomla! Fledgling
Joined: Sat Dec 31, 2005 6:48 pm
Posts: 1
Basically what's happened is someone has set up a file so that any false filename such as

http://www.your-domain.com/images/inser ... -here.html

will go to a search page that has been set up by the hacker, this page is pay-per-click so
they'll get cash for any click-thru, you'll find google (and other engines) flooded with false
urls for your site (which will really affect your pagerank)

So yes your site has been hacked, it does appear to be due to a vulnerability in mambo/joomla or phpbb (as there's posts concerning the same thing on mamboserver.com and phpbb.com) but I couldn't tell you what... but delete the .htaccess, the finfo and other new files and contact google about the false linkspamming. and make sure you have the latest versions of any scripts your site uses installed..

Hope this helps you some..


Posted: Sat Dec 31, 2005 11:51 pm
Joomla! Fledgling
Joined: Sat Dec 31, 2005 5:03 pm
Posts: 4
Hi - thank you for your response.  I think this is a bit beyond my knowledge.  Is there any way to figure out where this site they set up is so that I can report them directly to their web host?  This site isn't really "out there" yet - so it should not be getting hits other than from me thankfully. However all that comes up is a parse error.

My web host has not put the files to a backup yet - so it looks like I will be doing this myself - and will likely install the latest Joomla and rebuild. I am rather disgusted.

I have not even submitted the site yet to search engines since I was not finished.  Do I need to worry about Google and the rankings in light of this hacking since I was trying to stay off the radar until I was done?

So much for having this up and running by Jan 3.

Thanks again for your help.  I am open to learning more if anyone can share about this also.  This is so new to me - I am torn between either researching all I can tonight about this kind of hacking or rebuilding the site.  Glad I chose not to have great plans for new year's.

Feathered Wonders


Posted: Sun Jan 01, 2006 7:59 am
Joomla! Guru
Joined: Thu Aug 18, 2005 12:22 pm
Posts: 933
Location: Ballarat, Australia
The issue relates to whether you set the right permissions on the files/folders.

When you install leave the section of file folders permissions as the default setting.

When you first login go to the Site > Global Configuration and make any changes you need here and then tick the "make unwritable after saving" box.

Your host may/should also be able to assist you in ensuring their settings assist with security.

_________________
We cannot become what we need to be ... by remaining what we are


Posted: Sun Jan 01, 2006 9:21 am
Joomla! Hero
Joined: Thu Aug 18, 2005 2:09 am
Posts: 2819
Location: California
This is an exploit of phpBB (search phpBB and finfo.php).
Upgrade to the most current version of phpBB.

OR

phpBB is unfortunately a common hacker target.
Consider changing to another forum software such as SMF which this forum runs on.

_________________

██ AllVideos Reloaded extension Help forum

http://joomlacode.org/gf/project/allvideos15/forum/?action=ForumBrowse&forum_id=7581


Posted: Sun Jan 01, 2006 5:15 pm
Joomla! Fledgling
Joined: Sat Dec 31, 2005 5:03 pm
Posts: 4
Thank you both, yerg and kenmcd!  I had to push - but I think my web host will be doing the restore of a backup before the hacking. I had been working on the site so much that I got off track on backups. 

I imagine Global Configurations was not made unwritable - and I am not sure what else.  I was in and out working on things so much - I bet I left that open. Lesson learned.

The sad thing is there were several things I was working on or practicing with - b2evolution, coppermine, php open chat (in a password protected directory), phpbb, and more. All were hit somewhat.  The work on my Joomla sites was destroyed the worst - and mattered more to me.  They not only added files, they changed so many files with things linking to Russia.  I found a base 64 decoder - that told me where these were going.

I was trying so hard to learn these programs so I could make a site for our local high school music program to pump some energy into this underfunded and undervalued music program.  And then the middle school wanted one too.  So I have been a mom on a mission - LOL - to learn all this.  I guess what I forgot was to learn about security. As soon as I have stuff back up - I will upgrade Joomla and phpbb.  Then I will lock anything that should be locked.  Then I will check out SMF even though I had such fun modding the phpbb board.  Goodness in all the years I have had my html site - I never got hacked - and then I try something new - not even public yet - and this happens.

I hope anyone who reads this learns from my mistakes.  You can't leave doors unlocked.  Now I just have to figure out all the ways to get them locked tight.  I need to gather a checklist for myself I guess - what doors should I be sure are locked up when I finish an editing session for these programs.

Thanks again - and happy new year!

Feathered Wonders
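The poster above ran the injected strings through a base64 decoder by hand to see where the added links went. The script below is an added example (not code from this thread or from Joomla!) that does the same job over a whole tree: it finds base64_decode('...') literals in PHP files, decodes them, pulls out any URLs and hostnames for reporting, and flags the more dangerous case where the decoded text is passed straight to eval(). The PHP snippets inside it are constructed; example.invalid is a reserved placeholder hostname, not a real site.

```python
"""Find base64-encoded payloads in PHP files and show where they point.

Added example, not code from the thread. The sample PHP below is
constructed; example.invalid is a reserved placeholder hostname.
"""
import base64
import binascii
import os
import re

# base64_decode('...') or base64_decode("...") with a literal of at least 16 chars
B64_LITERAL_RE = re.compile(
    r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]{16,})\1\s*\)""")
# the decode is the argument of eval(), possibly via stripslashes()
EVAL_RE = re.compile(r"eval\s*\(\s*(?:stripslashes\s*\(\s*)?base64_decode", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)

# Constructed samples: an injected link, and a decode fed to eval().
SAMPLE_LINK = b'<div><a href="http://example.invalid/search/">search</a></div>'
SAMPLE_PHP = (
    "<?php\n"
    "// constructed: footer that prints an injected link\n"
    'echo base64_decode("' + base64.b64encode(SAMPLE_LINK).decode() + '");\n'
    "?>\n"
)
SAMPLE_EVAL_PHP = (
    '<?php eval(base64_decode("' + base64.b64encode(b'echo "hello";').decode() + '")); ?>'
)


def decode_literal(text):
    """Decode a base64 literal (whitespace ignored); None if it is not base64."""
    compact = re.sub(r"\s+", "", text)
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_source(source):
    """One finding per base64_decode() literal in a PHP source string."""
    findings = []
    for m in B64_LITERAL_RE.finditer(source):
        decoded = decode_literal(m.group(2))
        if decoded is None:
            continue
        # look at the text just before the call to see whether eval() wraps it
        prefix = source[max(0, m.start() - 40):m.start() + len("base64_decode")]
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "urls": URL_RE.findall(decoded),
            "evaluated": EVAL_RE.search(prefix) is not None,
        })
    return findings


def hosts_from_findings(findings):
    """Distinct hostnames referenced by decoded payloads, for reporting."""
    hosts = set()
    for f in findings:
        for url in f["urls"]:
            hosts.add(re.sub(r"^https?://", "", url, flags=re.I).split("/", 1)[0].lower())
    return sorted(hosts)


def scan_tree(root, exts=(".php", ".inc", ".phtml")):
    """Walk a directory and return {relative_path: findings} for files that hit."""
    report = {}
    for dirpath, _dirnames, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report


if __name__ == "__main__":
    for label, src in (("sample link", SAMPLE_PHP), ("sample eval", SAMPLE_EVAL_PHP)):
        for f in scan_source(src):
            print(label, "evaluated" if f["evaluated"] else "printed", f["urls"] or f["decoded"])
```

A legitimate extension occasionally stores an image or a licence blob as base64, so treat a hit as something to read, not as proof on its own; the "evaluated" flag is the one that matters, because code that is decoded and then executed has no business in a template or module file.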


Posted: Sun Jan 01, 2006 7:53 pm
Joomla! Guru
Joined: Thu Aug 18, 2005 12:22 pm
Posts: 933
Location: Ballarat, Australia
I would suggest that you get rid of phpbb.

This has been the cause of the demise of a number of sites in the last month and caused thankless hours of work to restore servers and sites.

_________________
We cannot become what we need to be ... by remaining what we are


Posted: Mon Jan 02, 2006 8:33 pm
Joomla! Apprentice
Joined: Wed Dec 21, 2005 6:33 am
Posts: 29
yerg wrote:
I would suggest that you get rid of phpbb.

This has been the cause of the demise of a number of sites in the last month and caused thankless hours of work to restore servers and sites.


Never had phpBB at my site.
Nevertheless, I got hacked in similar fashion on the 17th Nov 2005 00:31
Dozens of files added with same names as mentioned above.

Had a very tedious job getting rid of those, some were owned by apache some were not.
I now set all folders and files non-writable.
That does not prevent Joomla working OK if one does not have to make changes etc.


Posted: Tue Jan 03, 2006 4:55 pm
Joomla! Apprentice
Joined: Fri Aug 19, 2005 2:50 pm
Posts: 7
Even if it's a phpBB issue, telling him to switch forums won't necessarily remedy the underlying issue, the only phpBB versions that are affected by such things are older versions.  It's good practice to make sure with whatever software you use, to make sure you keep things up to date, whether it's installs of phpBB, or Joomla or whatever. 

-Surreal


Posted: Tue Jan 03, 2006 5:35 pm
Joomla! Fledgling
Joined: Sat Dec 31, 2005 5:03 pm
Posts: 4
I was finally able to get my backup/restore yesterday - took the web host long enough.  Sure enough I had left things open since I was in and out making changes - then forgot to make configuration.php and other things unwritable the last time I was in.  The Joomla site that really got nailed was the one I left open.  It was like leaving the front door wide open with a welcome sign I guess.  My mistake and lesson learned.  The other sites were not as badly affected and I could switch things back - but that one site was pretty well trashed until I was able to finally delete those hacked and added files via some changes from my web host.  The phpbb stuff really wasn't harmed - although it did have some added files. It was not able to change my files and I could just delete it.

I will be making appropriate security upgrades as soon as I can - I had a pet bird die yesterday and I just locked all the stuff and put it aside for now.  But locking it is what I will do in the future.  It is probably the number one reason I got hacked - aside from the fact there are nasty and greedy people out there that will look for any advantage and opening they can find.

Just thought I would add this because I don't want to add to people's paranoia.  And I hope people take my experience and learn from it - instead of first-hand.

Thanks again for all the help and I will be reading here regularly to keep up on security issues.  I guess we all need to know how to best protect our sites.

Feathered Wonders


Posted: Sat Jan 07, 2006 4:50 am
Joomla! Apprentice
Joined: Tue Oct 11, 2005 12:33 pm
Posts: 34
I just wanted to let everyone know that I experienced the exact same problem today.  I don't have phpBB installed, therefore stating that it was phpBB that caused the leak is wrong.  No-one here even stated what really caused this and how it happened in the first place.  There is obviously a security leak here.  I have a relatively small community site.  Not even 20 people registered yet. 

How did they find my site?
How did they gain access to my file system?
How come only Joomla was affected?

I have other folders outside the joomla root, but still a child of www root. None of these files were affected.

It seemed to have attacked the following components:

com_comprofiler
com_zoom
com_joomlaboard
com_extcalendar

some, but not all templates were attacked.  Surprisingly it was not even the active one, in fact it targeted all the Joomlashack templates, and the "basic" template.  Not sure why. 

Image folders were affected

And any module that interfaced with the above components was also affected.

Joomla 1.0.5
CB RC2
Joomlaboard 1.1 stable
ExtCalendar 0.9.1
Zoom Gallery 2.5.1 RC1

I disabled public access completely until I find the root of the issues.  All of those components allow user input.


Posted: Sat Jan 07, 2006 6:44 am
Joomla! Guru
Joined: Thu Aug 18, 2005 12:22 pm
Posts: 933
Location: Ballarat, Australia
drew, was your config.php write-disabled?

This is the most fundamental thing you must do.

---------------------------------

Surreal, I have no problems with phpbb except owners of these forums have a responsibility to keep the code up to date in a far more regular manner than any other.

Sorry but from many bitter experiences this one is targeted before any other. I've personally had my sites on a shared server brought down every time by phpbb issues. I've just had 10 marketing clients experience the same pre Christmas on an asp server... phpbb hack. Yes this applies to all but to phpbb more so.

_________________
We cannot become what we need to be ... by remaining what we are


Posted: Sat Jan 07, 2006 9:42 am
Joomla! Guru
Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
I agree with you there Andrew. phpBB is a heavy target and the frequency of updates leaves many people exposed - particularly if they do not subscribe to the update announcements.  Having phpBB on a shared server exposes ALL domains sharing that server space to potential problems, which is why an increasing number of hosts do not allow phpBB to be installed.

Drew - you need to check your file permissions, but also, most importantly, your server logs.  Your logs should show you how they managed to get in. 

There are so many variables when it comes to server security. Just because Joomla files were defaced does not mean that the security breach was within Joomla.  There are so many scripts running on a server and any one of them could be the culprit.  What version of phpMyAdmin is on the server, for example? The version that was released in December has already been hit and vulnerabilities discovered (they don't apply to the pre-December versions). The only way to have a 100% secure site is to not have one at all.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
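The advice above is the right one: the access log, not the defaced files, is where you learn how they got in. The script below is an added example (not code from this thread or from Joomla!) of the first pass a practitioner would make: it parses Apache combined-format lines, finds the first request that ever touched one of the planted file names from the first post (finfo.php, test.php, and so on), and prints what the same client did in the minutes before that request. The log lines inside it are constructed for the demonstration; 192.0.2.0/24 is a documentation address range, and the com_example component path is a placeholder.

```python
"""Trace planted files back through an Apache access log.

Added example, not code from the thread. Log lines are constructed;
192.0.2.0/24 is a documentation range and com_example is a placeholder.
"""
import re
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# file names the first post lists as added by the intruder
PLANTED = {"finfo.php", "test.php", "contacts.php", "guest.php",
           "package.php", "links.php", "create.php"}

SAMPLE_LOG = """\
192.0.2.10 - - [29/Dec/2005:16:18:02 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
192.0.2.10 - - [29/Dec/2005:16:19:41 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 215 "-" "Mozilla/4.0"
192.0.2.10 - - [29/Dec/2005:16:21:07 +0000] "GET /administrator/backups/finfo.php HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
192.0.2.55 - - [29/Dec/2005:17:02:33 +0000] "GET /images/insert-anything-here.html HTTP/1.1" 200 1042 "-" "Googlebot/2.1"
192.0.2.10 - - [29/Dec/2005:18:00:00 +0000] "GET /administrator/backups/test.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """One log line to a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def planted_name(path):
    """Basename of the requested path if it is a planted file, else None."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name if name in PLANTED else None


def first_touch(records):
    """Earliest request per planted file name: {name: record}."""
    first = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        name = planted_name(r["path"])
        if name:
            first.setdefault(name, r)
    return first


def lead_up(records, event, window_minutes=30):
    """Requests from the same client in the window before `event`, oldest first."""
    lo = event["ts"] - timedelta(minutes=window_minutes)
    same = (r for r in records if r["ip"] == event["ip"] and lo <= r["ts"] < event["ts"])
    return sorted(same, key=lambda r: r["ts"])


def report(text, window_minutes=30):
    """For each planted file: who first requested it, when, and what came before."""
    records = parse_log(text)
    out = {}
    for name, ev in first_touch(records).items():
        out[name] = {
            "ip": ev["ip"],
            "when": ev["ts"].isoformat(),
            "before": [(r["method"], r["path"], r["status"])
                       for r in lead_up(records, ev, window_minutes)],
        }
    return out


if __name__ == "__main__":
    for name, info in report(SAMPLE_LOG).items():
        print(name, info["ip"], info["when"])
        for method, path, status in info["before"]:
            print("   ", method, path, status)
```

The first request to a planted file usually comes from the same address that dropped it, and the requests just before it show which component or script was used; that is what to match against the patch notes for the components on the site. Keep in mind that the log only helps if it was not truncated or rotated away, so pull a copy from the host before anything else is cleaned up.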


Posted: Sat Jan 07, 2006 2:07 pm
Joomla! Master
Joined: Thu Aug 18, 2005 7:13 am
Posts: 13255
There is also need of a patch to Joomlaboard if you are currently running on 1.1.0: http://developer.joomla.org/sf/frs/do/v ... oard_1_1_2.

_________________
Antonie de Wilde - Forum admin
All Joomla! release dates and days between releases: http://jfoobar.org/blog/189-days-betwee ... a-releases.test


Posted: Sat Jan 07, 2006 6:53 pm
Joomla! Apprentice
Joined: Tue Oct 11, 2005 12:33 pm
Posts: 34
Tonie,

I saw that there was a patch for JB a few minutes after I posted here.  I think this may have been where they got in.  These files that got planted almost sound like a virus.  I mean could it be the same person doing this?  I don't think so, but these files seem to be circulated automatically.

Thanks.  I locked my config.  All file permissions are 644, and folders are 755.  It's just a pain to have to go in and change the permission every time I need to make a change, but I can take the inconvenience.
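Two posts in this thread give the same permission rule in different words: leave files at 644 and folders at 755, and lock configuration.php after editing (the "make unwritable after saving" box in Global Configuration). The script below is an added example (not code from this thread or from Joomla!) that checks a tree against that rule and can apply it; the entries it is tested with are constructed. One caveat the thread itself hints at ("some were owned by apache"): these modes only keep the web server out when the files are owned by your account and PHP runs as a different user. If the host runs PHP as the site owner, an owner-writable file is still writable by the web application, which is why locking configuration.php to 444 matters.

```python
"""Audit (and optionally fix) file modes under a Joomla! web root.

Added example, not code from the thread or from Joomla!. Encodes the advice
given above: files 644, directories 755, configuration.php locked to 444
outside an editing session. Entries and modes below are constructed.
"""
import os
import stat

EXPECTED_FILE = 0o644
EXPECTED_DIR = 0o755
LOCKED_FILE_MODE = 0o444
# files that should stay read-only once editing is finished
LOCKED_FILES = {"configuration.php"}


def expected_mode(relpath, is_dir):
    if is_dir:
        return EXPECTED_DIR
    if os.path.basename(relpath) in LOCKED_FILES:
        return LOCKED_FILE_MODE
    return EXPECTED_FILE


def issues_for(relpath, is_dir, mode):
    """List of problems for one entry; `mode` is the st_mode or bare bits."""
    bits = stat.S_IMODE(mode)
    problems = []
    if bits & stat.S_IWGRP:
        problems.append("group-writable")
    if bits & stat.S_IWOTH:
        problems.append("world-writable")
    if not is_dir and os.path.basename(relpath) in LOCKED_FILES and bits & stat.S_IWUSR:
        problems.append("owner-writable (should be locked after editing)")
    if not is_dir and bits & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("executable bit set on a file")
    expected = expected_mode(relpath, is_dir)
    if not problems and bits != expected:
        # stricter than expected is not a security problem, but it can break
        # the site under some PHP setups, so report it for the admin to judge
        problems.append("mode %o differs from expected %o" % (bits, expected))
    return problems


def audit_entries(entries):
    """entries: iterable of (relpath, is_dir, mode). Returns {relpath: [issues]}."""
    report = {}
    for relpath, is_dir, mode in entries:
        found = issues_for(relpath, is_dir, mode)
        if found:
            report[relpath] = found
    return report


def walk_modes(root):
    """Yield (relpath, is_dir, st_mode) for everything under root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            yield os.path.relpath(full, root), stat.S_ISDIR(st.st_mode), st.st_mode


def fix_modes(root, dry_run=True):
    """Apply the expected modes; with dry_run=True only report what would change.

    chmod fails on files owned by another user (the thread's "owned by apache"
    case); those need the host to change ownership first.
    """
    changes = []
    for relpath, is_dir, mode in walk_modes(root):
        want = expected_mode(relpath, is_dir)
        have = stat.S_IMODE(mode)
        if have != want:
            changes.append((relpath, have, want))
            if not dry_run:
                os.chmod(os.path.join(root, relpath), want)
    return changes


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for relpath, found in audit_entries(walk_modes(root)).items():
        print(relpath, ", ".join(found))
    for relpath, have, want in fix_modes(root, dry_run=True):
        print("would chmod %o -> %o %s" % (have, want, relpath))
```

Run it with the web root as the argument to get the report; change `dry_run=True` to `False` in the call only after reading the list, because a 444 configuration.php has to be unlocked again before the next Global Configuration save.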


Posted: Sat Jan 07, 2006 8:09 pm
Joomla! Enthusiast
Joined: Thu Aug 18, 2005 7:34 pm
Posts: 214
Location: Belgium
the security issue in joomlaboard was NOT of the nature that it could have allowed hackers to execute code or upload files without permission, it would only allow people to make posts on your forum without permission, thought I'd make that clear ;)

_________________
See joomlaboard in action: http://www.tsmf.net/component/option,co ... /Itemid,32
More information: http://www.tsmf.net/content/view/24/38/


Posted: Sat Jan 07, 2006 9:18 pm
Joomla! Apprentice
Joined: Tue Oct 11, 2005 12:33 pm
Posts: 34
Yeah, I read that in the release note.  No blame was intended.


Posted: Sat Feb 25, 2006 6:31 am
Joomla! Explorer
Joined: Sat Sep 03, 2005 10:22 pm
Posts: 297
Location: AL
interesting...
I just received this in an email..
Does anyone know anything about mosIPN and if this is not a preferred method? Do I need to get an SSL and just use Virtuemart or something?

Quote:
Hi,
I'm xxxxxxxxx, administrator of xxxxxxx. I hereby would like to inform you that I've just found a warez web site sharing your last Joomla theme, please contact me at zzzzzzzz, I will send you the link of the offending site.

I don't know the system you are using for the purchase process, but if you are using a direct link process with paypal, few months ago I've read somewhere that it can be bypassed really easy from hackers getting easy access to downloadable goods. I will search again for this on google hoping to find again the discussion about this issue!

I hope you will be able to block the warez link, unfortunately it has been downloaded already more than 1500 times, this really sucks.

Regards,
xxxxx

_________________
www.joomlatemplatebuilder.com


Posted: Sat Feb 25, 2006 1:50 pm
Joomla! Hero
Joined: Thu Aug 18, 2005 2:09 am
Posts: 2819
Location: California
joomlashack wrote:
interesting...
I just received this in an email..
Does anyone know anything about mosIPN and if this is not a preferred method? Do I need to get an SSL and just use Virtuemart or something?

Quote:
Hi,
I'm xxxxxxxxx, administrator of xxxxxxx. I hereby would like to inform you that I've just found a warez web site sharing your last Joomla theme, please contact me at zzzzzzzz, I will send you the link of the offending site.

I don't know the system you are using for the purchase process, but if you are using a direct link process with paypal, few months ago I've read somewhere that it can be bypassed really easy from hackers getting easy access to downloadable goods. I will search again for this on google hoping to find again the discussion about this issue!

I hope you will be able to block the warez link, unfortunately it has been downloaded already more than 1500 times, this really sucks.

Regards,
xxxxx



Huh?
This just looks like spam.
mosIPN is available on a number of Russian warez sites and it sounds like these people are trying to entice you to buy it via them.
The developer sells this component on his site.
Spam.

_________________

██ AllVideos Reloaded extension Help forum

http://joomlacode.org/gf/project/allvideos15/forum/?action=ForumBrowse&forum_id=7581


Posted: Sat Feb 25, 2006 5:11 pm
Joomla! Guru
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 990
Location: Tewkesbury, UK
Once again ken is having an attack phil day - get over it ken.

mosIPN cannot be used to download files you have not paid for.  mosIPN does NOT use a direct link system to deliver files, files are delivered by email to addresses of registered paid customers only, there is no way to bypass that.

If your files are available on other sites then thats not the fault of mosIPN.

The fact that all of my components (older versions) are on warez sites is because Zend Encryption was cracked a while ago and I provided Zend Encrypted demo versions on my site (now removed!).  Ken, that's how your friends got them.

mosIPN is used on http://www.phil-taylor.com and has been certified as hacker proof by ScanAlert every day this week, as have all our components installed on our site.  ScanAlert's HACKER SAFE certification is the only security scanning technology recognized to meet both the U.S. government's benchmark FBI/SANS security test and the security standards of all major credit card companies - including Visa CISP and AIS, MasterCard SDP, American Express CID, and Discover Card DISC security audits.

see: https://www.scanalert.com/RatingVerify? ... taylor.com

Name me another Joomla developer that takes security as seriously as this?

_________________
Phil Taylor - Full Time Expert Joomla-Only Developer
Blue Flame IT Ltd.
-- http://www.phil-taylor.com/
SPEED UP Joomla 1.5.x Admin Console with this: http://extensions.joomla.org/extensions ... 53/details


Posted: Sat Feb 25, 2006 6:48 pm
Joomla! Ace
Joined: Thu Aug 18, 2005 3:31 pm
Posts: 1068
Location: Battle Creek, MI
Let's keep this peaceful guys....huh?

_________________
Steven Pignataro
-- WORDPRESS Integration for Joomla! 1.5 - http://www.corephp.com/wordpress
-- http://www.corephp.com
'corePHP' - Reaching places you just can't get alone.


Posted: Sun Feb 26, 2006 5:13 am
Joomla! Explorer
Joined: Sat Sep 03, 2005 10:22 pm
Posts: 297
Location: AL
hmm, no it wasn't spam. He was simply pointing out that commercial templates are available on russian sites. I had a few conversations with the guy. He's legit.

Anyhow, I have located and contacted the server admin and they should be removed in 48 hours (along with some other template developer's stuff as well).

All I was asking is if the PayPal IPN approach isn't the safest method of transferring files. Nothing to do with mosIPN. mosIPN just communicates the PayPal API with mambo/joomla and I understand that. No one was attacking you, Phil ;)

_________________
www.joomlatemplatebuilder.com


Last edited by Casey Lee on Sun Feb 26, 2006 5:18 am, edited 1 time in total.
