| Joomla! http://forum.joomla.org/ |
|
| Expose Flash Gallery RC4 vulnerability http://forum.joomla.org/viewtopic.php?f=296&t=192172 |
Page 1 of 3 |
| Author: | rliskey [ Thu Jul 19, 2007 4:24 am ] |
| Post subject: | Expose Flash Gallery RC4 vulnerability |
If you have Expose Flash Gallery RC4 installed:
1. Remove the file, uploadimg.php from /administrator/components/com_expose. NOTE: NOT the uploadimage.php file.
2. Manually (via FTP or JoomlaXplorer) inspect the directory, /components/com_expose/expose/img. There shouldn't be any .php files in this directory. If there are, delete them and begin full site recovery. |
|
| Author: | devilman [ Thu Jul 19, 2007 9:50 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Many thanks for that - I got hit overnight with a hack and the only thing that's new on my site is the Expose installation. Looks like that's what's caused my problems. |
|
| Author: | JoomlaJasper [ Thu Jul 19, 2007 11:35 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Addition to point no 2: I found in the img-directory a "r.php.jpg". Perhaps heavy camouflage?! |
|
| Author: | doctorj [ Thu Jul 19, 2007 5:16 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I will work on a patch tonight. Thanks for the update. Please watch this page for updates: http://joomlacode.org/gf/project/expose/ |
|
| Author: | stephenvb [ Thu Jul 19, 2007 7:06 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I got hit this morning also. Thanks for highlighting the vulnerable file. I also noted the following files that were created (at least for my attack):
/components/rr.php
/cc.php
/components/com_expose/img/aa.php.jpg
/index.php (modified)
Error logs located in root, /components, and /components/com_expose/img/ also indicate activity. |
|
| Author: | doctorj [ Thu Jul 19, 2007 9:35 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Fix is posted here: http://joomlacode.org/gf/download/frsre ... _patch.zip |
|
| Author: | JoomlaJasper [ Thu Jul 19, 2007 9:41 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Thanks for your work! |
|
| Author: | doctorj [ Thu Jul 19, 2007 9:43 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Hackers suck!! I don't understand why they hack people giving away free software? Go hack Microsoft....
|
|
| Author: | member1000 [ Thu Jul 19, 2007 10:06 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I've been defaced twice today. So many tks for the quick response with the patch. Tony |
|
| Author: | stephenvb [ Thu Jul 19, 2007 11:24 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I was hacked on one site and saw evidence (a very suspicious .php file in the img directory) of a pending hack on another site. Many thanks for the speedy response. |
|
| Author: | hud [ Fri Jul 20, 2007 12:36 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
IMPORTANT! The added php files found in the image directory MAY be php shell access scripts. The hacker, in our case, simply replaced the index.php file. However, the damage could have been much worse. In short, patching stops further hacks. But leaving these added php scripts means your entire install is vulnerable until all are removed. With hackers becoming smarter and sites with vulnerable files to be found easily using Google ... remember to back up your Joomla sites daily. |
|
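The directory inspection the posts above describe (step 2 of the first post, the "r.php.jpg" find, and the warning that every planted script must be removed), as an added example that is not part of the original thread or of the Expose project. The function names, the list of script extensions and the sample files are assumptions constructed for illustration; it also checks file content, because a file can carry a valid image header and still contain PHP.

```python
import tempfile
from pathlib import Path

# Magic bytes for the image types a gallery upload folder should hold.
JPEG = (b"\xff\xd8\xff",)
MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".png": (b"\x89PNG\r\n\x1a\n",),
         ".gif": (b"GIF87a", b"GIF89a")}
SCRIPT_PARTS = {"php", "php3", "php4", "php5", "phtml"}  # assumed list

def inspect_file(path):
    """Return the reasons this file does not belong in an image folder."""
    reasons = []
    name = Path(path).name.lower()
    if SCRIPT_PARTS.intersection(name.split(".")[1:]):  # every extension part
        reasons.append("script extension in name")
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first 1 MiB only
    sigs = MAGIC.get(Path(name).suffix)
    if sigs and not data.startswith(sigs):
        reasons.append("content does not match image extension")
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in content")
    return reasons

def scan_upload_dir(root):
    """Map relative path -> reasons for every suspicious file under root."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        reasons = inspect_file(p) if p.is_file() else []
        if reasons:
            findings[p.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample data: one clean JPEG stub and three planted files."""
    stub = b"<?php /* inert placeholder */ ?>"
    samples = {"photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
               "r.php.jpg": stub, "aa.php": stub,
               "album1/thumb.gif": b"GIF89a" + stub}
    for rel, body in samples.items():
        full = Path(root) / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, why in scan_upload_dir(tmp).items():
            print(rel, "->", "; ".join(why))
```

Point `scan_upload_dir` at the real image directory (for example /components/com_expose/expose/img) and at the site root; a finding is a reason to start the site recovery the first post describes, not only to delete the file.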
| Author: | millsdo [ Fri Jul 20, 2007 1:02 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Saw this too late and got hacked. Hackers do suck...it was caused by Expose... Lee |
|
| Author: | rliskey [ Fri Jul 20, 2007 6:05 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
The beauty of GNU/GPL
1. July 18, 2007: Vulnerability discovered at ISP and quickly reported to the actual developer.
2. July 18, 2007, 09:24:54 PM: Full disclosure of vulnerability to the community.
3. July 19, 2007, 02:35:52 PM: Developer works overnight and releases a free patch.
4. Free patch is made available worldwide on a free community forum and a free developer forge.
No...
...top-level marketing meeting to discuss damage control,
...poor fall guy chosen to absorb internal blamestorming,
...executive approval required for CYA of upwardly mobile, gutless, brown nosers before real action begins,
...FUD or delaying tactics,
...secret bug fixes added to expensive "upgrades" to be released "sometime soon." |
|
| Author: | millsdo [ Fri Jul 20, 2007 6:17 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Yeah, great stuff and nice work! |
|
| Author: | hlcno [ Fri Jul 20, 2007 8:10 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Great thanks. No offense to the Expose guys, but who the hell codes an upload php app and allows any file to go thru? Especially php?? And doesn't even check image header info.. I mean come on guys.. |
|
| Author: | Tokapi [ Fri Jul 20, 2007 9:45 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
... a piece of forgotten code from an earlier Joomla release... Since not often used (only at configuration) by expose, I recommend to remove this script (/administrator/components/com_expose/uploadimg.php), together with an old uploadimage.php until this part of the code has been reviewed. The hack places code in the /img folder and sometimes additional files in an album folder. |
|
| Author: | saj3n [ Fri Jul 20, 2007 11:53 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
My site was hacked earlier this week, with another attempt today. The hackers had uploaded a cc.php file into my main web directory, allowing them to use the C99 shell, and browse freely through my server. I removed the file, and replaced the index.php. Up until now, I thought I had made everything secure and safe.... Checked my stats today, using statcounter, showed a hit to my site from Iasi Romania. The hacker was directed to my site after searching for the com_expose using the following search topic: search.live.com/results.aspx?q=%22option%2Ccom_expose%22 site%3Acom&first=181&FORM=PORE Unluckily for me, my site was #1. However, this time, they uploaded 2 php files, masked as jpg files, aa.php.jpg and adx.php.jpg. After downloading from server, and renaming to aa.php and adx.php, it was made clear that this was an attempt to hack my site, again, as adx.php is a web-based file manager. But now I'm stumped... I did not have the uploadimg.php or uploadimage.php files in my /administrator/com_expose/ folder, nor any other folder on my ftp..... any suggestions? Maybe they deleted the files after getting into the site? |
|
| Author: | doctorj [ Sat Jul 21, 2007 4:37 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
For now make sure you remove both the uploadimg.php and the uploadimage.php. We have a full blown package replacement going up again later tonight. I will also update the security package again tonight. Sorry for the hassle this caused anyone. Sometimes you just overlook the small things.
|
|
| Author: | axl_fugazi [ Sat Jul 21, 2007 4:53 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above). but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem? thanks - i'm not an experienced web manager so i appreciate any help. |
|
| Author: | aravot [ Sat Jul 21, 2007 6:42 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I got hacked too. Question, on same account as my expose domain I have 8 other domains hosted do you think they are affected too? |
|
| Author: | JoomlaJasper [ Sat Jul 21, 2007 11:25 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Another domain, on which I use exposé as well, was infected too. But fortunately the problem is solved now. I recommend immediate checkup of all domains where you use exposé. |
|
| Author: | doctorj [ Sat Jul 21, 2007 4:52 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
axl_fugazi wrote: "hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above). but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem? thanks - i'm not an experienced web manager so i appreciate any help."
The link is here http://joomlacode.org/gf/download/frsre ... 7.2007.zip
It is best to always watch the root here: http://joomlacode.org/gf/project/expose/frs/ , the link changes every time I update the package. My apologies for that. |
|
| Author: | yazeft [ Mon Jul 23, 2007 12:50 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
i've done everything as explained and still seems the same... what i've done:
removed all .php files in 'img' directory
removed the two .php files > uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download
I've done all the above and i still can't access my site, please help me. |
|
| Author: | doctorj [ Mon Jul 23, 2007 4:28 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
You might want to try to use JoomlaXplorer but chmod the main administrator/components/com_expose folder to 777 and check the box to recurse into sub-directories. Sometimes (depending on how your hosting provider configured the server) the files are uploaded and owned by "nobody" or "httpd" instead of your user account so you can remove them. After you delete the files make sure you set the directory back to 755 and the files inside the folder to 644. If this doesn't work contact your hosting provider and someone with root access can remove them for you. |
|
| Author: | Neorun [ Mon Jul 23, 2007 4:41 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I can't change the CHMOD via ftp: "550 admin.expose.html.php: Operation not permitted". I cannot connect to my site: www.wanderfreunde-edelweiss.net to use the joomlaexplorer... I've got a full Backup of the FTP Data - what files do I need to replace in order to get access to the site again? |
|
| Author: | doctorj [ Mon Jul 23, 2007 4:43 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
At this point you will need to contact your hosting provider so they can delete it using root access. JoomlaXplorer only works when you have Joomla =( Sorry for the hassle. |
|
| Author: | Neorun [ Mon Jul 23, 2007 4:46 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
nope I'm lucky - I had to replace my configuration.php & index.php. For all noobs like me - the CH MOD of the configuration.php needs to be set to: 444 |
|
| Author: | doctorj [ Mon Jul 23, 2007 5:00 pm ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
I would just make sure you don't have any other files (as mentioned above) laying around. If the infected file is still there you could be in a world of pain. I had this same issue with 3 other components. It sucks, but free software can't be perfect. Let me know if you need anything. -Josh |
|
| Author: | tomhay [ Tue Jul 24, 2007 12:10 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
Hi all, I have applied the patch, deleted the two .php files, replaced the configuration.php and index.php and now the site is showing this error.
Warning: require_once(W:/www/louise/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71
Fatal error: require_once() [function.require]: Failed opening required 'W:/www/louise/includes/version.php' (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71
I am a bit new to this so any help would be most appreciated. Tom |
|
| Author: | yazeft [ Tue Jul 24, 2007 12:21 am ] |
| Post subject: | Re: Expose Flash Gallery RC4 vulnerability |
i've done everything as explained and still seems the same... what i've done:
removed all .php files in 'img' directory
removed the two .php files > uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download
I've done all the above and i still can't access my site, please help me. |
|
| All times are UTC |
|