
[UPGRADE AVAIL.] Site Hacked through rs_gallery

Posted: Fri Jun 30, 2006 11:23 pm
by jdwl
Hi, one of my Joomla sites has been defaced twice in the last 24 hours. The script replaces the index.php and configuration.php with an HTML file which says "Site hacked by Musab Cyberwar has begun".

How it works is by dropping a php and .htaccess payload into any directory that has 777 permissions (like rs_gallery's upload folder).

What the payload does is twofold:
1. The .htaccess sets the 404 page for the folder to be the PHP payload (which has various names, such as 'contacts.php', download.php, links.php, package.php, remote.php).
2. Once the PHP file is triggered by the .htaccess, it downloads additional copies of itself and the defaced index.php from http://user9.mshtml.ru.

I replaced the defaced files from a backup, but missed some of the payload files so I got hit again. Very annoying.

Hopefully this post can help others root this annoying script out of their servers.

Jeremy

Update: the full list of payload files is:
common.php
configs.php
contacts.php
create.php
date.php
guest.php
include.php
includes.php
messages.php
properties.php
remote.php
time.php
system.php
layout.php
finfo.php

Which I got from here: http://freebunch.linux-labs.net/?p=35 (which has a lot of useful info on removing this exploit).

Also, this exploit has been discussed here previously (sorry for the repost): http://forum.joomla.org/index.php/topic,29169.0.html
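The post above gives enough of the dropper's footprint to write a defender-side check for it: a world-writable directory, an .htaccess that redirects 404s to a PHP file, and payload files carrying one of the listed names. The scanner below is an added example for this thread (not code from the original poster or from any of the Joomla extensions discussed); it walks a web root, parses each .htaccess for an ErrorDocument 404 line aimed at a .php target, intersects the directory listing with the payload names listed in the post, and reports only world-writable directories where at least one of those indicators is present. The directory layout, file contents and the `demo()` helper are constructed samples for illustration.

```python
"""Scan a web root for the .htaccess + PHP dropper pattern described in the thread."""
import os
import re
import shutil
import stat
import tempfile

# Payload file names taken from the post's list (plus the names mentioned in the
# description of the mechanism). Extend this set as new names are observed.
KNOWN_PAYLOAD_NAMES = {
    "common.php", "configs.php", "contacts.php", "create.php", "date.php",
    "guest.php", "include.php", "includes.php", "messages.php",
    "properties.php", "remote.php", "time.php", "system.php", "layout.php",
    "finfo.php", "download.php", "links.php", "package.php",
}

# Apache directive the dropper relies on: "ErrorDocument 404 <target>".
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+404\s+(\S+)", re.IGNORECASE)


def is_world_writable(path):
    """True when 'other' has write permission on path (the 777 case in the post)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def suspicious_404_targets(htaccess_path):
    """Return every ErrorDocument 404 target in the file that points at a .php file."""
    targets = []
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = ERRORDOC_RE.match(line)
            if match and match.group(1).lower().endswith(".php"):
                targets.append(match.group(1))
    return targets


def scan_tree(root):
    """Walk root and report world-writable dirs showing either indicator.

    Each finding records the directory (relative to root), the PHP targets of any
    404 redirect in its .htaccess, and any files whose name is a known payload name.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        payloads = sorted(names & KNOWN_PAYLOAD_NAMES)
        targets = []
        if ".htaccess" in names:
            targets = suspicious_404_targets(os.path.join(dirpath, ".htaccess"))
        if is_world_writable(dirpath) and (targets or payloads):
            findings.append({
                "dir": os.path.relpath(dirpath, root),
                "error_404_targets": targets,
                "payload_names": payloads,
            })
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_tree(root):
    """Constructed sample web root (hypothetical paths, not from the original post)."""
    # Infected upload folder: world-writable, 404 redirected to a dropped PHP file.
    infected = os.path.join(root, "components", "com_rsgallery2", "uploads")
    os.makedirs(infected)
    with open(os.path.join(infected, ".htaccess"), "w") as fh:
        fh.write("ErrorDocument 404 /components/com_rsgallery2/uploads/contacts.php\n")
    with open(os.path.join(infected, "contacts.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder, stands in for the dropper */ ?>\n")
    os.chmod(infected, 0o777)
    # Benign folder: not world-writable, ordinary .htaccess with no 404 redirect.
    benign = os.path.join(root, "images")
    os.makedirs(benign)
    with open(os.path.join(benign, ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    os.chmod(benign, 0o755)
    # World-writable but empty of indicators: should not be reported.
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o777)


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="htaccess-scan-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real web root with `scan_tree("/path/to/htdocs")`; the name list only catches droppers that keep the names from the post, so the ErrorDocument check is the more durable of the two indicators, and any 404 handler pointing into an upload folder deserves a look regardless of the file name.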

Re: Site Hacked through rs_gallery

Posted: Sat Jul 01, 2006 4:30 am
by infograf768
RSGallery has been updated yesterday to cope with this:
http://rsgallery2.net/

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:08 pm
by jasonrhl
I see that their site has been hacked.

Should rsgallery be removed from our sites?

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:23 pm
by hvanleeuwen
Personally I say YES! As should com_Joomlaboard and com_extcalendar, which are also not safe at the moment.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:26 pm
by jasonrhl
O poo.

Do we know if anyone is working on getting these up to scratch, because they are very popular components?

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:39 pm
by hvanleeuwen
Check out the sites of the developers of those components. This situation is exactly why I started this

http://forum.joomla.org/index.php/topic ... #msg391443

topic. I wish more people would join that discussion; maybe this new defacing/hacking spree will motivate more people, though I would rather see it motivate people without the need to.

Personally I think users of the mentioned components are in trouble if they want to keep using them, for a.f.a.i.k. none of them are actively supported; even Joomlaboard's development is very slow, well at least that's how I see it.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:40 pm
by davidrrm
To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:41 pm
by jasonrhl
The people who make JoomlaBoard can't even get their site working ???

Is there a way to go over to another board without losing everything?

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:45 pm
by hvanleeuwen
davidrrm wrote: To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david
I do not agree with that. I had Joomlaboard installed and it looks very likely they used that and extcalendar to hack and deface one of my sites; a friend's site was hacked and defaced via simpleboard.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:52 pm
by davidrrm
hvanleeuwen wrote:
davidrrm wrote: To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david
I do not agree with that. I had Joomlaboard installed and it looks very likely they used that and extcalendar to hack and deface one of my sites; a friend's site was hacked and defaced via simpleboard.
If you have ExtCalendar on your site, it would be hard to know whether or not JoomlaBoard had a vulnerability since we know ExtCalendar has a problem. Do you have the logfile from the attack? I'd be interested in looking at it as would the JoomlaBoard developers I'm sure. PM me if you have it.

We also know there is a simpleboard vulnerability which is not in JoomlaBoard.

The joomlaboard site is http://www.tsmf.net. It seems to be running fine right now.

david

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:53 pm
by Peter Koch
hvanleeuwen wrote: Personally I say YES! As should com_Joomlaboard and com_extcalendar, which are also not safe at the moment.
The simpleboard and extcalendar vulnerabilities are confirmed.

At the same time, investigations were done to see if joomlaboard is also affected, and it turned out not to be so. If you have real information, such as a server log, for proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:54 pm
by hvanleeuwen
jasonrhl wrote: The people who make JoomlaBoard can't even get their site working ???

Is there a way to go over to another board without losing everything?
I haven't seen a forum that supports import of joomlaboard data, but there could be one of course.

Personally I decided to go for a more generic and more well known forum and am trying http://www.simplemachines.org now. There is a bridge to have it integrated with Joomla that works just fine.

My theory behind this choice is that a forum is a much-used item and should be safe and full of features. In a worst-case scenario, when for instance the bridge is broken or no longer developed, I can always wrap the forum until there is a better solution. If that better solution turns out to be that I should switch to another forum, I would like my forum to be well known enough that it is possible to import my data into the new forum via some kind of conversion system.

I think Simplemachines might just be the right choice for me.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:56 pm
by hvanleeuwen
All my log files have already been sent to Joomla security yesterday.
Peter Koch wrote:
hvanleeuwen wrote: Personally I say YES! As should com_Joomlaboard and com_extcalendar, which are also not safe at the moment.
The simpleboard and extcalendar vulnerabilities are confirmed.

At the same time, investigations were done to see if joomlaboard is also affected, and it turned out not to be so. If you have real information, such as a server log, for proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 12:56 pm
by Elpie
Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).

RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.

I appreciate your concern over what you feel are discontinued extensions; however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developer's contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge, because no dev is going to bother coming back to work on something that has been thrown away.

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 1:03 pm
by jasonrhl
Thanks for everyone's responses. It has put me at ease for now. I hope to see what the problem was with the rsgallery site and that they get on their feet again.

Thank you

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Posted: Wed Jul 12, 2006 1:05 pm
by hvanleeuwen
I have no intention to question your capabilities, Elpie; I am not hostile.

I am fully aware that developers have a life, and thank god for that hehehe. I don't want to go into the discontinued discussion here, for I started that discussion in another forum topic already a while back.

I decided to remove Joomlaboard not only on the basis of this exploit. If I happen to be wrong about Joomlaboard's safety I truly apologize; at the moment I simply don't trust it and will only keep it running on two of my sites that are very low profile.
Elpie wrote: Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).

RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.

I appreciate your concern over what you feel are discontinued extensions; however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developer's contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge, because no dev is going to bother coming back to work on something that has been thrown away.

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Posted: Thu Jul 20, 2006 10:17 am
by jonas37
Letterman has the same problem. My site was hacked using the same exploit in the Letterman component.

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Posted: Thu Jul 20, 2006 11:54 am
by hvanleeuwen
Letterman has good support; I'm sure the developer will help you out. You should at least tell him about it.

I am still getting hack attempts on extcalendar but they are useless because I have removed that component and am looking for a good replacement.

The other attempts I get are on com_pollxt, but they won't work since the developer already updated his component to deal with this exploit. Praise for him!!

I have now switched Register Globals off and applied the .htaccess rules as explained in the security section of this forum, and have a strong feeling that so far I have done everything I can to prevent easy script-kiddy defacements.

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Posted: Thu Jul 20, 2006 6:01 pm
by jonas37
After a better look I'm not sure if it was by Letterman.
I've found the .htaccess files on Letterman, JCE, mambots (in JCE editor related folders), and flash rotator (which needs 777 CHMOD on its images folder).
So it might be hard to find where this starts.

Anyway... Houston, we've got a problem.

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Posted: Thu Dec 20, 2007 4:41 pm
by karryberry
How do hackers know this stuff? It's astonishing.

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Posted: Mon Mar 31, 2008 1:54 pm
by alyaa
Hello..

I read all replies, but I do not understand some things.

My site was hacked last week :'( .. and I have the RS Gallery 2 component...

I do not know how to update it? And is it secure or not?

I cannot open my site again :'( .. The hacker caused many problems to my site.. I do not know what to do.