
[NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Wed Jun 28, 2006 5:37 pm
by antonin
http://www.joomlafrance.org hacked the 28-06-2006  :'(

Re: JoomlaFrance.org Hacked

Posted: Wed Jun 28, 2006 7:44 pm
by mauri
Can you tell Joomla version ?

Re: JoomlaFrance.org Hacked

Posted: Wed Jun 28, 2006 7:54 pm
by eyezberg
It seems it was updated to .10 already, we're waiting for Lexel's confirmation..
None of the other parts are affected so far luckily.
But it's still scary.

Re: JoomlaFrance.org Hacked

Posted: Wed Jun 28, 2006 8:01 pm
by eyezberg
and what about Phil Taylors site, just a missing CSS or wrong link/ file name..?

Re: JoomlaFrance.org Hacked

Posted: Wed Jun 28, 2006 8:34 pm
by PhilTaylor-Prazgod
I am currently working on my site - I am playing with a new CSS file - I must stress I AM DOING THIS I have NOT been hacked :-)

Thanks for looking out for me though :-)

Re: JoomlaFrance.org Hacked

Posted: Wed Jun 28, 2006 8:55 pm
by eyezberg
Good!
Joomlafrance.org is fixed too.
Still waiting for lexel & hosting to tell us about this...

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 1:57 am
by Elpie
Remote command execution and cross-site scripting Joe :(
They usually only deface the index file but I would check that the site is not running with register_globals ON.

I can tell you what to look for in your logs so please email me if you want more info.

I PM'd you the information.

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 5:54 am
by eyezberg
thx Elpie, will let Lexel know ;)

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 9:57 pm
by thelightning
This d...g hacker group found something about joomla and mambo, they hack lots of sites with Joomla.  When you look http://www.[ ** removed hacker's list (kudos) **]/component/option, ... ers/page,2 you can see nearly all these sites were joomla or mambo made :( ... and if this joomlafrance.org hacked after r1.0.10, then what will we do?
Really scared.

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 10:08 pm
by RobS
I don't think it has been confirmed that Joomlafrance.org was running Joomla 1.0.10 at the time it was hacked.  1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.  Furthermore, just because the homepage was defaced does not necessarily mean that a vulnerability in the Joomla core was exploited, it could have easily come from a 3rd party component.  I don't want to seem like I am doing the "Deny, Deny, Deny" act, but, we don't seem to have any information available on this attack.  Freaking out is not yet justified.

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 10:15 pm
by Chips
RobS wrote:   1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.
If a vulnerability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 10:18 pm
by RobS
Chips wrote:
RobS wrote:   1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.
If a vulnerability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.
I am not sure what you mean by that.  Could you please clarify?  Thanks in advance.

Re: JoomlaFrance.org Hacked

Posted: Thu Jun 29, 2006 10:30 pm
by thelightning
Chips wrote: If a vulnerability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.
Yes, I'm surfing some hacking sites to find some clues about the vulnerability they used. Maybe they're using some vulnerabilities that we don't know yet.

Re: JoomlaFrance.org Hacked

Posted: Fri Jun 30, 2006 12:46 am
by Elpie
Almost all Patriotic Hackers attacks get in the same way - through using cross-site scripting in a URL and managing to find a site that is running with register_globals ON.  Most often they also use a file or directory that is set with full permissions of 777.

Of course Mambo and Joomla sites get hit - there are hundreds of thousands of them out there! The more popular a script is, the more chances there are for some installations of it to be left insecure. Simple.

The zone-h list is nothing more than a list of sites that have been reported as having been hacked. It does not say what version of any script the site was using when it was defaced, it does not say what the server setup was, nor what other scripts were being run on that site. Authoritative information comes from the security advisories and if you look at Secunia you will see that there have been very few confirmed vulnerabilities in either Mambo or Joomla over the lifetimes of these, and every single one of them has been fixed in later releases.

Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!

Re: JoomlaFrance.org Hacked

Posted: Fri Jun 30, 2006 9:11 am
by eyezberg
Lexel hasn't given us the final conclusion on this, but apparently they would have gotten in via one of the joomla or mambo demo sites with all and every 3rd party component installed, so not easy to tell; at least not via the main site running .10

Re: JoomlaFrance.org Hacked

Posted: Fri Jun 30, 2006 9:18 am
by thelightning
Elpie wrote: Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!
Small note:
Patriotic Hackers are not Turkish hackers, they're Kurdish rebels. MS France was defaced by another group.

Re: JoomlaFrance.org Hacked

Posted: Fri Jun 30, 2006 9:47 am
by Elpie
I think you will find that "patriotic hackers" has become a generic term meaning all those crackers who hack sites to upload patriotic messages or deface them ;)
I was using the expression in the general term, not as one identifying any particular ethnic or ideological group.

Re: JoomlaFrance.org Hacked

Posted: Fri Jun 30, 2006 7:18 pm
by eyezberg
It appears they got in via an older Mambo demo and went from there.. .10 should be ok ;)

Re: JoomlaFrance.org Hacked

Posted: Sat Jul 01, 2006 1:04 pm
by Chips
RobS wrote: I am not sure what you mean by that.  Could you please clarify?  Thanks in advance.
Certainly:

I misread what you posted slightly! :(
I thought you inferred that it couldn't be .10 as it was only released 48 hours before, not giving enough time to be hacked - hence my post.

Reading it again, it's quite clear you actually say ".10 has only been available for 48, so the site may actually not have updated yet".

Sorry for the confusion, should read things a bit more carefully in future  8)

Re: JoomlaFrance.org Hacked

Posted: Sat Jul 01, 2006 4:11 pm
by RobS
Oh, okay.  Thanks for clarifying!  :D

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Mon Jul 10, 2006 1:54 pm
by speleo
I'm running 1.0.10 and was hacked over the weekend by

              Hacked By Neuromancer Maviates Hack Team
              Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker

As far as my very quick initial investigation goes it looks like they just replaced the configuration.php with the code below. In retrospect I think that the file was 777 which wasn't too clever. It would be nice if there was some code which checked the security settings on a site and came back with recommendations. Should be pretty simple to check a load of files and directories for the correct rights.


<title> Hacked By Maviates Hack Team | Neuromancer </title>


<head>
<STYLE>BODY {
	scrollbar-face-color: #000000; 
	scrollbar-highlight-color: #000000; 
	scrollbar-shadow-color: #000000; 
	scrollbar-3dlight-color: #000000; 
	scrollbar-arrow-color: #CC0000; 
	scrollbar-track-color: #000000; 
	scrollbar-darkshadow-color: #000000;
}
.page
{
	background-color: #EDEDED;
	color: #41444C;
}
TABLE.bit {
border-right: 1px solid #CFCFCF;
border-left: 1px solid #CFCFCF;
border-bottom: 1px solid #CFCFCF;
<title> Hacked By MaviAtes Hack Team ' Neuromancer '

}

td
{
	font: 8pt verdana, geneva, lucida, 'lucida grande', arial, helvetica, sans-serif;
}
.alt1
{
	background-color: #F7F7F7;
	color: #41444C;
}
</STYLE>

<meta http-equiv="Content-Language" content="tr">
</head>

<BODY bgColor=#000000 onload=teclear();>

<p align="center"></p>
<p align="center"><font face="Times New Roman"><b>
<font color="#FFFFFF" size="7">Hacked By
	Neuromancer</font></b></font></p>

<p align="center"><b><font face="Times New Roman" size="7" color="#FF0000">
<span lang="en-us"> </span>"<span lang="en-us"> </span><span lang="en-us"></span>Maviates Hack Team "


<span lang="en-us"></span></font></b></p>

<p align="center"><b><font color="#FFFFFF" size="5" face="Times New Roman">
Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker
</font></b></p>
<P align=center><SPAN class=style1><img src="http://home.earthlink.net/~monsterbox/newsite/Images/jpgs/skeletonwitch%20copy.jpg" width="350" height="255"></SPAN>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Turkish Hackers Group ' Maviates Hack Team '</font></b></p>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Benim Ülkemde  Ezan Susmaz ,Bayrak İnmez</font></b></p>

<EMBED src=http://www.ulkuocaklari.org.tr/muzik/mehter/14.asf width=20 height=15 hidden=true type=audio/mpeg true autostart="true" loop="-1">


<br />
<b>Warning</b>:  main(): open_basedir restriction in effect. File(/includes/version.php) is not within the allowed path(s): (/home/bertie/:/usr/lib/php:/usr/local/lib/php:/tmp) in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>:  main(/includes/version.php): failed to open stream: Operation not permitted in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />

<br />
<b>Fatal error</b>:  main(): Failed opening required '/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />
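The check speleo asks for above, a walk over the site that reports files and directories with unsafe rights, sketched here as an added example (not part of the original thread and not Joomla code). The 0644/0755 recommendations and the sensitive-file list are assumptions, and the sample tree is constructed.

```python
import os
import stat
import tempfile

# Assumption: names treated as sensitive; only configuration.php is named in the thread.
SENSITIVE = {"configuration.php", ".htaccess"}

def audit(webroot):
    """Return sorted (path, mode, recommendation) findings for risky permissions."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful; skip it
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            if mode & stat.S_IWOTH:
                # Any local account or compromised script can rewrite this entry.
                rec = "0755" if is_dir else "0644"
                findings.append((path, mode, f"world-writable; chmod {rec}"))
            elif not is_dir and name in SENSITIVE and mode & stat.S_IWGRP:
                findings.append((path, mode, "group-writable sensitive file; chmod 0644"))
    return sorted(findings)

def demo():
    """Build a constructed site tree containing the 777 mistake and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"configuration.php": 0o777, "index.php": 0o644, ".htaccess": 0o664,
                  "components/com_example/upload.php": 0o666}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), oct(m), r) for p, m, r in audit(root)]

if __name__ == "__main__":
    for rel, mode, rec in demo():
        print(f"{mode:>6}  {rel}: {rec}")
```

On a real host, call `audit()` with the document root; directories a component legitimately needs to write to will also be reported and have to be reviewed individually.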

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Mon Jul 10, 2006 4:24 pm
by speleo
On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are identified by Symantec as hacking tools.

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Mon Jul 10, 2006 9:57 pm
by oplaza
Hi I have been hacked during the weekend, and today, and im still receiving attacks :(

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet :(

any1 can help?

i have deleted com_weblinks and dont have ext_calendar :(

please help

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Mon Jul 10, 2006 10:00 pm
by Peter Koch
oplaza wrote: Hi I have been hacked during the weekend, and today, and im still receiving attacks :(

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet :(

any1 can help?

i have deleted com_weblinks and dont have ext_calendar :(

please help
You are running phpBB which is also targeted by the current attacks.

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Mon Jul 10, 2006 10:02 pm
by oplaza
Peter Koch wrote:
oplaza wrote: Hi I have been hacked during the weekend, and today, and im still receiving attacks :(

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet :(

any1 can help?

i have deleted com_weblinks and dont have ext_calendar :(

please help
You are running phpBB which is also targeted by the current attacks.
yes, but is version 21 of phpbb which is latest so i dont understand :(

i think is something related with error_log exploit

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Mon Jul 10, 2006 10:15 pm
by gaspero1
"On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are identified by Symantec as hacking tools."

Speleo,

One of my clients' sites was attacked over the weekend as well, and it appears to be the same exploit.  Unfortunately, the client's host lied to them about doing backups and they don't have redundant servers.  Have you figured out how to solve the problem?  I've been able to remove at least some of the malicious code, but I haven't been able to fully restore the configuration.php or get the site back up and running yet.

Any ideas would be greatly appreciated by me and my client.

Thank you in advance.

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Wed Jul 12, 2006 11:43 am
by OskarMaria
==>oplaza
It's not phpbb but the attachment-mod in the component.
See here:
http://www.joomlastuff.org/component/op ... ic/t,2937/

OM

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Wed Jul 12, 2006 6:50 pm
by oplaza
thanks !!

I have received today the error_log from my host...
and the error is in download.php as the post u sent says,
I have deleted the forum waiting for a solution.

thanks!!

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Wed Jul 12, 2006 8:26 pm
by ahwoogamac
I design sites and I have had 3 clients attacked this weekend.  All three had ExtCalendar on them.  Two of them didn't have the "Direct Access Denied" fix added to them, but one did. However, none of them had the .htaccess fix mentioned in another thread about hacking Extcalendar, so this may solve the problem.  I have added both of these fixes on all my sites that use ExtCalendar.

For gaspero1:
It wasn't too hard at all to restore the config file.  I just used one from another one of my sites and changed the information (or there should be a configuration.php-dist file in your root folder that has a list of empty settings for you to fill in).  As for the database info, I couldn't remember it, so I logged into cpanel, deleted the user, created a new username and password, and then gave them full permissions to the database.  This allowed me to copy the new info into the config file.  With all those changes made, the config file worked as good as new.

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Posted: Wed Aug 13, 2008 11:31 am
by Cheetzy
I have been hacked by this during the night and am not experienced at web hosting and wondering what to do. Can anybody guide me through this?