[NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

antonin · **Posted:** Wed Jun 28, 2006 5:37 pm

http://www.joomlafrance.org hacked the 28-06-2006 :'(

mauri · **Joined:** Mon Aug 22, 2005 6:47 pm **Posts:** 59

Can you tell Joomla version ?

eyezberg · **Posted:** Wed Jun 28, 2006 7:54 pm

It seems it was updated to .10 already, we're waiting for Lexel's confirmation..
None of the other parts are affected so far luckily.
But it's still scary.

eyezberg · **Posted:** Wed Jun 28, 2006 8:01 pm

and what about Phil Taylors site, just a missing CSS or wrong link/ file name..?

PhilTaylor-Prazgod · **Posted:** Wed Jun 28, 2006 8:34 pm

I am currently working on my site - I am playing with a new CSS file - I must stress I AM DOING THIS I have NOT been hacked :-)

Thanks for looking out for me though :-)

eyezberg · **Posted:** Wed Jun 28, 2006 8:55 pm

Good!
Joomlafrance.org is fixed too.
Still waiting for lexel & hosting to tell us about this...

Elpie · **Joined:** Wed Aug 17, 2005 11:26 pm **Posts:** 869

Remote command execution and cross-site scripting Joe

They usually only deface the index file but I would check that the site is not running with register_globals ON.

I can tell you what to look for in your logs so please email me if you want more info.

I PM'd you the information.

eyezberg · **Posted:** Thu Jun 29, 2006 5:54 am

thx Elpie, will let Lexel know

thelightning · **Joined:** Thu Dec 01, 2005 9:36 pm **Posts:** 13

This d...g hacker group found something about joomla and mambo, they hack lots of sites with Joomla. When you look http://www.zone-h.org/component/option, ... ers/page,2 you can see nearly all these sites were joomla or mambo made

... and if this joomlafrance.org hacked after r1.0.10, then what will we do?
Really scared.

RobS · **Posted:** Thu Jun 29, 2006 10:08 pm

I don't think it has been confirmed that Joomlafrance.org was running Joomla 1.0.10 at the time it was hacked. 1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced. Furthermore, just because the homepage was defaced does not necessarily mean that a vulnerability in the Joomla core was exploited, it could have easily come from a 3rd party component. I don't want to seem like I am doing the "Deny, Deny, Deny" act, but, we don't seem to have any information available on this attack. Freaking out is not yet justified.

Chips · **Joined:** Wed Sep 14, 2005 10:53 pm **Posts:** 13

RobS wrote:

1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.

If a vulernability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.

RobS · **Posted:** Thu Jun 29, 2006 10:18 pm

Chips wrote:

RobS wrote:

1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.

If a vulernability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.

I am not sure what you mean by that. Could you please clarify? Thanks in advance.

thelightning · **Joined:** Thu Dec 01, 2005 9:36 pm **Posts:** 13

Chips wrote:

If a vulernability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.

Yes, I'm surfing some hacking sites to find some clues about the vulnerability they used. May be they're using some vulnerabilities that we don't know yet.

Elpie · **Joined:** Wed Aug 17, 2005 11:26 pm **Posts:** 869

Almost all Patriotic Hackers attacks get in the same way - through using cross-site scripting in an url and managing to find a site that is running with register_globals ON. Most often they also use a file or directory that is set with full permissions of 777.

Of course Mambo and Joomla sites get hit - there are hundreds of thousands of them out there! The more popular a script is, the more chances there are for some installations of it to be left insecure. Simple.

The zone-h list is nothing more than a list of sites that have been reported as having been hacked. It does not say what version of any script the site was using when it was defaced, it does not say what the server setup was, nor what other scripts were being run on that site. Authoratative information comes from the security advisories and if you look at Secunia you will see that there have been very few confirmed vulnerabilities in either Mambo or Joomla over the lifetimes of these, and every single one of them has been fixed in later releases.

Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!

eyezberg · **Posted:** Fri Jun 30, 2006 9:11 am

Lexel hasn't given us the final conclusion on this, but apparently they would have gotten in via one of the joomla or mambo demo sites with all and every 3rd party component installed, so not easy to tell; at least not via the main site running .10

thelightning · **Joined:** Thu Dec 01, 2005 9:36 pm **Posts:** 13

Elpie wrote:

Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!

Small note:
Patriotic Hackers are not Turkish hackers, they're Kurdish rebels. MS France was defaced by another group.

Elpie · **Joined:** Wed Aug 17, 2005 11:26 pm **Posts:** 869

I think you will find that "patriotic hackers" has become a generic term meaning all those crackers who hack sites to upload patriotic messages or deface them

I was using the expression iin the general term, not as one identifying any particular ethnic or idealogical group.

eyezberg · **Posted:** Fri Jun 30, 2006 7:18 pm

It appears they got in via on older Mambo demo and went from there.. .10 should be ok

Chips · **Joined:** Wed Sep 14, 2005 10:53 pm **Posts:** 13

RobS wrote:

I am not sure what you mean by that. Could you please clarify? Thanks in advance.

Certainly:

I misread what you posted slightly!

I thought you inferred that it couldn't be .10 as it was only released 48 hours before, not giving enough time to be hacked - hence my post.

Reading it again, it's quite clear you actually say ".10 has only been available for 48, so has the site may actually not have updated yet".

Sorry for the confusion, should read things a bit more carefully in future

RobS · **Posted:** Sat Jul 01, 2006 4:11 pm

Oh, okay. Thanks for clarifying!

speleo · **Joined:** Fri Oct 07, 2005 11:45 am **Posts:** 74

I'm running 1.0.10 and was hacked over the weekend by

Hacked By Neuromancer Maviates Hack Team
Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR ,NeGaTiFf ,Anatolian_Hacker

As far as my very quick initial investigation goes it looks like they just replaced the configuration.php with the code below. In retrospect I think that the file was 777 which wasn't too clever. It would be nice if there was some code which checked the security settings on a site and came back with recommendations. Should be pretty simple to check a load of files and directories for the correct rights.

Code:

<title> Hacked By Maviates Hack Team | Neuromancer </title>


<head>
<STYLE>BODY {
   scrollbar-face-color: #000000; 
   scrollbar-highlight-color: #000000; 
   scrollbar-shadow-color: #000000; 
   scrollbar-3dlight-color: #000000; 
   scrollbar-arrow-color: #CC0000; 
   scrollbar-track-color: #000000; 
   scrollbar-darkshadow-color: #000000;
}
.page
{
   background-color: #EDEDED;
   color: #41444C;
}
TABLE.bit {
border-right: 1px solid #CFCFCF;
border-left: 1px solid #CFCFCF;
border-bottom: 1px solid #CFCFCF;
<title> Hacked By MaviAtes Hack Team ' Neuromancer '

}

td
{
   font: 8pt verdana, geneva, lucida, 'lucida grande', arial, helvetica, sans-serif;
}
.alt1
{
   background-color: #F7F7F7;
   color: #41444C;
}
</STYLE>

<meta http-equiv="Content-Language" content="tr">
</head>

<BODY bgColor=#000000 onload=teclear();>

<p align="center"></p>
<p align="center"><font face="Times New Roman"><b>
<font color="#FFFFFF" size="7">Hacked By
   Neuromancer</font></b></font></p>

<p align="center"><b><font face="Times New Roman" size="7" color="#FF0000">
<span lang="en-us"> </span>"<span lang="en-us"> </span><span lang="en-us"></span>Maviates Hack Team "


<span lang="en-us"></span></font></b></p>

<p align="center"><b><font color="#FFFFFF" size="5" face="Times New Roman">
Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker
</font></b></p>
<P align=center><SPAN class=style1><img src="http://home.earthlink.net/~monsterbox/newsite/Images/jpgs/skeletonwitch%20copy.jpg" width="350" height="255"></SPAN>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Turkish Hackers Group ' Maviates Hack Team '</font></b></p>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Benim Ülkemde  Ezan Susmaz ,Bayrak İnmez</font></b></p>

<EMBED src=http://www.ulkuocaklari.org.tr/muzik/mehter/14.asf width=20 height=15 hidden=true type=audio/mpeg true autostart="true" loop="-1">


<br />
<b>Warning</b>:  main(): open_basedir restriction in effect. File(/includes/version.php) is not within the allowed path(s): (/home/bertie/:/usr/lib/php:/usr/local/lib/php:/tmp) in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>:  main(/includes/version.php): failed to open stream: Operation not permitted in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />

<br />
<b>Fatal error</b>:  main(): Failed opening required '/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />

speleo · **Joined:** Fri Oct 07, 2005 11:45 am **Posts:** 74

On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are idenitified by Symantec as hacking tools.

oplaza · **Joined:** Sat May 27, 2006 11:28 pm **Posts:** 12

Hi I have been hacked during the weekend, and today, and im still receiving attacks

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet

any1 can help?

i hace deleted com_weblinks and dont have ext_calendar

plkease help

Peter Koch · **Joined:** Thu Aug 18, 2005 8:54 pm **Posts:** 367

oplaza wrote:

Hi I have been hacked during the weekend, and today, and im still receiving attacks

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet

any1 can help?

i hace deleted com_weblinks and dont have ext_calendar

plkease help

You are running phpBB which is also targeted by the current attacks.

oplaza · **Joined:** Sat May 27, 2006 11:28 pm **Posts:** 12

Peter Koch wrote:

oplaza wrote:

Hi I have been hacked during the weekend, and today, and im still receiving attacks

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet

any1 can help?

i hace deleted com_weblinks and dont have ext_calendar

plkease help

You are running phpBB which is also targeted by the current attacks.

yes, but is versio 21 of phpbb which is latest so i dont understand

i think is something related with error_log exploit

gaspero1 · **Joined:** Mon Jul 10, 2006 10:00 pm **Posts:** 6

"On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are idenitified by Symantec as hacking tools."

Speleo,

One of my clients' sites was attacked over the weekend as well, and it appears to be the same exploit. Unfortunately, the client's host lied to them about doing backups and they don't have redundant servers. Have you figured out how to solve the problem? I've been able to remove at least some of the malicious code, but I haven't been able to fully restore the configuration.php or get the site back up and running yet.

Any ideas would be greatly appreciated by me and my client.

Thank you in advance.

OskarMaria · **Joined:** Wed Sep 28, 2005 11:56 am **Posts:** 14

==>oplaza
It's not phpbb but the attachment-mod in the component.
See here:
http://www.joomlastuff.org/component/option,com_forum/Itemid,81/page,viewtopic/t,2937/

OM

oplaza · **Joined:** Sat May 27, 2006 11:28 pm **Posts:** 12

thanks !!

I have receibed today the error_log from my host...
and the error is in download.php as the post u sent says,
I have deleted the forum waiting for a solution.

thanks!!

ahwoogamac · **Posted:** Wed Jul 12, 2006 8:26 pm

I design sites and I have had 3 clients attacked this weekend. All three had ExtCalendar on them. Two of them didn't have the "Direct Access Denied" fix added to them, but one did. However, none of them had the .htaccess fix mentioned in another thread about hacking Extcalendar, so this may solve the problem. I have added both of these fixes on all my sites that use ExtCalendar.

For gaspero1:
It wasn't too hard at at all to restore the config file. I just used one from anther one of my sites and changed the information (or there should be a configuration.php-dist file in your root folder that has a list of empty settings for you to fill in) . As for the database info, I couldn't remember it, so I logged into cpanel, deleted the user, created a new username and password, and then gave them full permissions to the database. This allowed me to copy the new info into the config file. With all those changes made, the config file worked as good as new.

Cheetzy · **Joined:** Wed Aug 13, 2008 11:30 am **Posts:** 1

I have been hacked by this during the night and am not experienced at web hosting and wondering what to do. Can anybody guide me through this?

Joomla! Discussion Forums

[NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Quick reply

Who is online