[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD

brian · **Posted:** Thu Jul 13, 2006 10:02 pm

Google is your friend

"Secunia
Provides security advisories and information about patches.
secunia.com/"

Honestly how hard is it to search

muni · **Posted:** Fri Jul 14, 2006 9:51 am

Two of my sites had been hacked. Config.php had been replaced by a political message from the kurds/turks I think.
Thought that was all. But the next day I ralized two backdoor software had been installed in the modules folder of one site:

modules/haluk.php
modules/web.php

I deleted both. Is that enough? Now I don't know what I should do next. Replace all pwd's. Alert my service provider???? Chekc all folders??

So watch out.

RobS · **Posted:** Fri Jul 14, 2006 9:57 am

I would suggest talking to your service provider and ask them to check it out just to make sure nothing else funny has been added. It is much easier to do those things from a shell prompt than from a ftp session. Also, try getting them to turn of Register Globals for PHP while you have their attention as this tends to facilitate a lot of bugs making their effects once exploited much more damaging.

Changing your passwords might be a good idea too.

I don't suppose you kept a copy of those files for investigatory purposes? I would be interested in taking a look at them. I will add them to my collection. :laugh:

If you still have them you can PM them to me or email them to me, my email address is in my profile.

Peter Koch · **Joined:** Thu Aug 18, 2005 8:54 pm **Posts:** 367

muni wrote:

Two of my sites had been hacked. Config.php had been replaced by a political message from the kurds/turks I think.
Thought that was all. But the next day I ralized two backdoor software had been installed in the modules folder of one site:

modules/haluk.php
modules/web.php

I deleted both. Is that enough? Now I don't know what I should do next. Replace all pwd's. Alert my service provider???? Chekc all folders??

So watch out.

Besides the modified configuration.php we had these hacker tools and files after the simpleboard defacing:

cache/index.htm: Hacker message
media/index.htm: Hacker message
modules/mod_access.php: A backdoor program
modules/www.bankofamerica.com.zip: fraud software archive
modules/www.bankofamerica.com: fraud software installation
templates/3.php: Read out system information

There were some more files I dont remember right now.

Thats why I have blocked all IP's of the provider who is hosting these people.

muni · **Posted:** Fri Jul 14, 2006 10:41 am

Found other backdoor software that had been inserted through ext_calendar.(r57shell 1.31 and c99shell v1.0 pre-release build #16)
No, I have no backup copy.
I informed my service provider.

pdstein · **Joined:** Sat Jun 24, 2006 12:18 am **Posts:** 18

Elpie wrote:

Anybody that changed from simpleboard to Joomlaboard needs to make sure they have removed all simpleboard files from the site.
Simpleboard can be exploited even if it is unpublished and not showing on the site.

I upgraded from Simpleboard to Joomlaboard 1.1.2 a while ago. Do I just need to remove /components/com_simpleboard and /administrator/components/com_simpleboard to eliminate the security issue?

Deighardt1 · **Joined:** Thu Jul 13, 2006 7:39 pm **Posts:** 12

If I were to upgrade from simpleboard to joomlaboard how would I keep from losing all my current posts?

Or would it be wise just to start all over again?

infograf768 · **Posted:** Fri Jul 14, 2006 4:13 pm

Deighardt1 wrote:

If I were to upgrade from simpleboard to joomlaboard how would I keep from losing all my current posts?

Or would it be wise just to start all over again?

1. back-up your database (always do that anyway when you touch up your site).
2. do not uninstall simpleboard through Joomla back-end uninstaller, but by using ftp or CPanel and deleting the simpleboard folders (I do not know if uninstalling simpleboard through joomla may or may not delete your data, so this is a secure way not to, applicable to other extensions like ext_calendar)
3. Install joomlaboard and when asked to upgrade the database, just say OK.

Elpie · **Joined:** Wed Aug 17, 2005 11:26 pm **Posts:** 869

pdstein wrote:

I upgraded from Simpleboard to Joomlaboard 1.1.2 a while ago. Do I just need to remove /components/com_simpleboard and /administrator/components/com_simpleboard to eliminate the security issue?

Yes, ALL old unused simpleboard files must be removed. Having them sitting on your server is a security risk.

pdstein · **Joined:** Sat Jun 24, 2006 12:18 am **Posts:** 18

Elpie wrote:

pdstein wrote:

I upgraded from Simpleboard to Joomlaboard 1.1.2 a while ago. Do I just need to remove /components/com_simpleboard and /administrator/components/com_simpleboard to eliminate the security issue?

Yes, ALL old unused simpleboard files must be removed. Having them sitting on your server is a security risk.

Thanks for your reply. What I'm asking, though is whether removing those two directories and their contents will eliminate this security risk or are there other things that need to be done?

Edenapple · **Joined:** Sun Oct 02, 2005 8:05 am **Posts:** 78

Can someone just clarify for me - In regard to Simpleboard/Joomlaboard - Is this JUST A Simpleboard exploit or also Joomlaboard?

As normal, the information on TSMF is very vague and unhelpful.

Thanks,

RobS · **Posted:** Tue Jul 18, 2006 5:43 am

At first we thought it was just SimpleBoard but it turns out that older versions of Joomlaboard were vulnerable <=1.1.1. JoomlaBoard 1.1.2 should be safe.

MX-Skane · **Joined:** Tue Jul 18, 2006 11:04 pm **Posts:** 93

Hi!
I am reading all this scary stuff. My site was hacked the 17 july. The indexfile was changed for some turkey page...
I did get it to work again but now when i am writing something in the forum it says "Youre file did not upload. Please try again".
I do believa that there is a file somewhere, but where sould i look?
My site is "www.mx-skane.net"

Regards...
Peter

infograf768 · **Posted:** Wed Jul 19, 2006 5:50 am

You are using simpleboard 1.1.0 version.

Move to Joomlaboard 1.1.2.
Backup your db.
Delete all simpleboard related files by ftp.
Install Joomlaboard.
Update db if asked to.

MX-Skane · **Joined:** Tue Jul 18, 2006 11:04 pm **Posts:** 93

I can do this even that i am using Mambo and not Joomla? Maybe a stupid question but i want to be shure..

Thanx in advance!!!!!

MX-Skane · **Joined:** Tue Jul 18, 2006 11:04 pm **Posts:** 93

2 questions...
1. Is there any languagefiles for Joomla?
2. It is still asking for a file when i press "Post". Where can that be??

MX-Skane · **Joined:** Tue Jul 18, 2006 11:04 pm **Posts:** 93

MX-Skane wrote:

2 questions...
1. Is there any languagefiles for Joomla?
2. It is still asking for a file when i press "Post". Where can that be??

Btw...
It ask the same question 2 times... first it ask for a img-file and second for a file it does that 2 times...

MX-Skane · **Joined:** Tue Jul 18, 2006 11:04 pm **Posts:** 93

Sorry to "spam".

But, after my hacked site i did install, joomlaboard. That was no problem at all. But, as i wrote there comes this alert that the file did not load.
I do have "Little Snitch" installed and that application checks the connections.

Now when i log in on my profile i do get this mess from Little Snitch http://mx-skane.net/img_from_site/img.gif
I have no idea what this is but my guess is that the file that the forum asks for is on tis site.

Please help me. Should i look in the scriptings for this or what???
Maybe its placed in the CB-files.

When i copy the html-code an paste it in a Dremweaver doc the same mess from Little snitch shows up.

brasil.se · **Joined:** Sat Apr 01, 2006 3:57 am **Posts:** 30

just re-instal the Joomlaboard aftert many problems..now is working ok but..........the pretty icons/images from it..has disapear!
I instal the orange template and still nothing shows...tale a look.

zuze · **Posted:** Tue Aug 08, 2006 3:46 pm

vokaldesign wrote:

I've installed joomlaboard and was surprised how easy it all went - all of my forums and settings from simpleboard were integrated right away! :-*

Now I've removed the simpleboard component + modules and tjecked via ftp that every thing has gone...

Where can I get to download the upgrade, please point me the right direction.

Thank you!

ot2sen · **Posted:** Tue Aug 08, 2006 3:52 pm

zuze wrote:

Where can I get to download the upgrade, please point me the right direction.

Thank you!

Have a look at the forge project for joomlaboard:
http://forge.joomla.org/sf/frs/do/viewS ... eboard/frs

zuze · **Posted:** Tue Aug 08, 2006 6:57 pm

I just want to clarify this, since there are different mentions of it: to replace Simpleboard I need to FTP the unzipped com_Joomlaboard 1.2 in components directory, correct?

Or should I use uninstall/instal from the back end admin?

globule · **Posted:** Tue Aug 08, 2006 7:35 pm

Why on earth don't you search the forum or vivt the editor's site : tsmf.net ?
Uninstall old version and install the new the upgrade the table from the JoomlaBoard backend...

zuze · **Posted:** Tue Aug 08, 2006 7:52 pm

globule wrote:

Why on earth don't you search the forum or vivt the editor's site : tsmf.net ?

I did...3 x...it forwards to a blank page here http://jigsnet.net/suspended.page/

globule · **Posted:** Tue Aug 08, 2006 8:03 pm

Is Jigsnet your hoster?

zuze · **Posted:** Tue Aug 08, 2006 8:20 pm

no. we have our own server.

Does that site opens up for you? I went to it through the JoomlaBoard as well as SimpleBoard control panel. seems that their account has been suspended.

I uploaded Joomla Board, but I still get the same issue as with Simple Board. Can not add a post. When I click on "Post New Topic"
page opens, showing only the following links:

Forum Name

Home | My profile | help | rools

footer

Nothing else.

globule · **Posted:** Wed Aug 09, 2006 8:41 pm

If you want to go to the website of JoomlaBoard editor ( http://www.tsmf.net ) you will see the same screen.

Is there any moderator to tell us what's happening with TSMF and its Joomlaboard?

Coming back to your problem, I hope you have a backup because ...

progster · **Posted:** Wed Aug 09, 2006 11:10 pm

it's up again, see http://forum.joomla.org/index.php/topic ... #msg431073

hfhs72 · **Joined:** Thu Aug 17, 2006 12:16 pm **Posts:** 2

Quote:

This code should be in all files installed by com_simpleboard and com_extcalender. Basically, everything in /path/to/Joomla/components/com_extcalender, /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard

Code:

// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );

Quote:

Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html

Quote:

Just checking to see if I get this right: every single file in those folders +subfolders have to be opened and edited..? (really hoping that I'm wrong on this..!) :'(

I am using Mambo 454 with Simpleboard 1.1.0 stable and this proceedure does not work. It just crashes SB. Besides, almost all the files already have this:

// MOS Intruder Alerts
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

Any other suggestions?

Tonie · **Joined:** Thu Aug 18, 2005 7:13 am **Posts:** 13255

Isn't Mamboboard a better option for you? That is supposed to be (I never used it) the Mambo offshoot of Simpleboard. Simpleboard development has been stopped, so sooner or later you will run into troubles.

Joomla! Discussion Forums

[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD

Quick reply

Who is online