Hacked through SMF

Posted: Mon Jul 17, 2006 3:34 pm
by oMama
My site was hacked by ENO7 this morning and it seems he got in through VIRTUEMART.  All of the .php files from this component lacked the line of code below, once added - my site is back online.

Code:

defined( '_VALID_MOS' ) or die( 'Restricted access' );

I post this in a new thread to alert other users of this component in particular.

Thank you and good luck

Re: Virtuemart Vulnerability

Posted: Mon Jul 17, 2006 3:56 pm
by gws
Having read your post, I hurriedly went and checked my VirtueMart; however, my files have the defined( '_VALID_MOS' ) or die( 'Restricted access' );  What version of VirtueMart are you running?

Re: Hacked through SMF

Posted: Mon Jul 17, 2006 4:01 pm
by oMama
EEK!  I am outdated.  I am running 1.0.1, and updating now.

Thanks for making me look.
C

Re: Virtuemart Vulnerability

Posted: Tue Jul 18, 2006 10:22 am
by soeren
Hello,

how did you come to the conclusion that "[...] it seems he got in through VIRTUEMART[...]" ?

I'm the author of this software and would like to know which file you have found not to include this "defined('_VALID_MOS' )..." line.

To clarify the information about this line: it is NOT needed in any file. If you have a PHP file that only contains a class and nothing more, no code is executed. That means that you can include the _VALID_MOS line, but it is no security hole if it's not there.

ciao, Soeren

Re: Virtuemart Vulnerability

Posted: Tue Jul 18, 2006 10:55 am
by mauri
oMama
If you find in your server logs that 'he got in',
PM robs with the details (and soeren):
http://forum.joomla.org/index.php?actio ... le;u=14243
http://forum.joomla.org/index.php?action=profile;u=2572

I think your server host can search the logs too.

Hacked through SMF

Posted: Tue Jul 18, 2006 2:28 pm
by Joo
Just one day after I set up SMF, my site was hacked. My host told me that I had several dirs chmoded to 777. All were in SMF directory. I found several files that the hacker put in there. I've deleted everything, reinstalled and changed permissions.
Today I was going to set up Gallery2. It asked me to chmod the image storage directory to 777! I don't want to do that and the setup won't proceed without it. What should I do? Thanks.
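
An added example (not from the thread or from the SMF or Gallery2 code): a Python check for the condition Joo's host reported, directories left at mode 777, which also lists any script files sitting inside them and then clears the world-write bit. The directory names, the extension list and the sample tree are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions a PHP host will typically execute; an assumption, adjust per server.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".cgi", ".pl"}

def world_writable_dirs(root):
    """Return sorted (relative dir, [script files in it]) for dirs writable by 'other'."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            scripts = sorted(f for f in files if Path(f).suffix.lower() in SCRIPT_EXT)
            findings.append((Path(dirpath).relative_to(root).as_posix(), scripts))
    return sorted(findings)

def drop_world_write(path):
    """Clear only the world-write bit (777 -> 775) and return the new mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH
    os.chmod(path, mode)
    return mode

def demo():
    """Constructed tree (hypothetical names), audited before and after tightening."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {"forum": 0o755, "forum/attachments": 0o777,
                  "forum/avatars": 0o777, "forum/Sources": 0o755}
        for rel, mode in layout.items():
            d = Path(tmp, rel)
            d.mkdir(parents=True)
            os.chmod(d, mode)  # set explicitly so the umask does not matter
        Path(tmp, "forum/attachments/photo.jpg").write_bytes(b"")
        Path(tmp, "forum/attachments/x.php").write_text("<?php // unexpected file\n")
        Path(tmp, "forum/Sources/index.php").write_text("<?php // shipped file\n")
        before = world_writable_dirs(tmp)
        for rel, _scripts in before:
            drop_world_write(Path(tmp, rel))
        return before, world_writable_dirs(tmp)

if __name__ == "__main__":
    before, after = demo()
    for rel, scripts in before:
        print(f"{rel}: world-writable, scripts inside: {scripts or 'none'}")
    print("after tightening:", after)
```

A script file inside an upload or attachment directory is worth inspecting even after the mode is fixed, since tightening permissions does not remove files that were already written there.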

Hacked through SMF

Posted: Tue Jul 18, 2006 2:29 pm
by oMama
Soeren,

I am running VM 1.0.1 and when I looked at each of my components' .php files, I saw that the valid_mos line was not included in any of them with VM. So, to answer your question, all of the .php files included with the component lacked this line of code.  I added that line of code in the .php files associated to VM as directed in another thread. The problem of the site hack went away, my site was restored, and so I have to think the issue had to do with the line of code that I changed - as I made no other changes.

soeren wrote: To clarify the information about this line: it is NOT needed in any file. If you have a PHP file that only contains a class and nothing more, no code is executed. That means that you can include the _VALID_MOS line, but it is no security hole if it's not there.

I don't know enough to debate the finer points about the code language... but my experience tells me that the hacker problem was solved once I made this change.

I think VM is terrific and did not mean to offend you by sharing my experience.  I know the distress I felt when I found that my beautiful site was hacked was incredible, and I wanted to do my part to share my "fix" with the community.

Sincerely,
Corinne

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 2:54 pm
by gws
Unfortunately, for people to upload images the directory has to be write-enabled. If you are not going to allow uploads, accept the 777 while you install and then change it afterwards.

Re: Virtuemart Vulnerability

Posted: Tue Jul 18, 2006 3:03 pm
by anna.y
I also do not understand the validity of that particular line.  However, I was hacked yesterday by the same idiot through another component.  I promptly added 'that' line as recommended, restored the site and since that time I had numerous attempts of hacking (as seen in the log files), but somehow that particular line solved the problem and is restricting the access.

Perhaps this is a band-aid solution and there is another more elegant fix, but it works for now and I'm not in the position to argue.

By the way, thank you to everyone that helped with restoring my site.

Anna

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 4:13 pm
by Joo
Thanks gws. I've done as you said. The problem now is that users won't be able to upload images.
This security issue makes me wonder... aren't the developers of SMF and G2 aware of this? There are people who've encountered the same problem as I did. I've posted a reply in a thread about this at SMF's forums.

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 6:11 pm
by oMama
Well... I found my logs and it seems that I am incorrect in thinking it was a VirtueMart problem.  It looks like I too was a victim through SMF.  :-[

I can't explain why it was only after the VM .php files were edited and put back up to the server that my site was fixed, but I do understand that I owe Soeren an apology for raising the alarm about VirtueMart.  My log shows that this hacker didn't go near VirtueMart, but in fact only com_smf/smf.php

Soeren, my apologies... I am editing the title of this thread so it no longer states the vulnerability as a fact.

I hope you can accept my apology.
Sincerely,
Corinne

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 6:20 pm
by mauri
oMama, O mama  ;D
Great news from you. All of us VM users thank you for finding the real hacking reason.

Ask your host (ISP) if they changed register_globals = OFF

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 6:25 pm
by oMama
Can you explain that another way?  Should register globals be set to off or on?

I recently upgraded to joomla 1.10 and noticed that all of the global settings are the old default and have to go change them.  I don't know a lot about how this is all related, so if you would educate me on the purpose of "register globals" I would really appreciate that.

I am glad that I was wrong... I only regret that I sounded the alarm without all the facts.
Corinne

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 7:00 pm
by mauri
register_globals is in PHP (server). Don't edit the Joomla 1.0.10 files!
You can check your server's PHP settings: log in to the Joomla backend (administrator) and go to System -> System Info.
There is a row "Register Globals:". If it's OFF, all is OK,
but if it is ON you may ask your ISP (server host) to set Register Globals: OFF.

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 8:03 pm
by soeren
Hi,

The vulnerability has been confirmed: http://secunia.com/advisories/21079/

This is really crazy. Please, all SMF Bridge users: secure your smf.php.

If this file is missing this line, please add it:

Code:

<?php
defined( '_VALID_MOS' ) or die( 'Restricted access' );

at the very beginning of the file

/components/com_smf/smf.php

I hope this storm of exploits is over soon.

ciao, Soeren
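
An added example, not part of the thread or of the Joomla or SMF code: a Python audit that reports which PHP files under a components directory have the `_VALID_MOS` guard as their first statement, have it only after other code, or lack it. The file names and contents are constructed; a "missing" result on a file that only declares a class is the case Soeren describes earlier in the thread as harmless, so it needs a manual look rather than a blind edit.

```python
import re
import tempfile
from pathlib import Path

# The guard as quoted in the thread; the die() message differs between files.
GUARD = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
# Whitespace and PHP comments that may sit between "<?php" and the first statement.
LEADING = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)

def classify(source):
    """'guarded': guard is the first statement; 'late': code precedes it; else 'missing'."""
    opener = re.search(r"<\?(?:php)?", source)
    if opener is None:
        return "missing"
    body = source[opener.end():]
    body = body[LEADING.match(body).end():]
    if GUARD.match(body):
        return "guarded"
    return "late" if GUARD.search(body) else "missing"

def audit(root):
    """Map every .php file under root (relative POSIX path) to its classification."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.php"))}

# Constructed sample files, not real Joomla, VirtueMart or SMF sources.
SAMPLES = {
    "com_smf/smf.php": "<?php\necho 'bridge entry point';\n",
    "com_smf/patched.php": "<?php\n/* header */\n"
        "defined( '_VALID_MOS' ) or die( 'Restricted access' );\necho 'ok';\n",
    "com_shop/late.php": "<?php\nrequire_once 'config.php';\n"
        "defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');\n",
    "com_shop/classes/cart.php": "<?php\nclass Cart { function total() { return 0; } }\n",
}

def demo():
    """Write SAMPLES into a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit(tmp)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8} {rel}")
```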

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 8:33 pm
by Joo
My copy of smf.php did already have that line:

Code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

The problem was related to permissions (777).

Re: Hacked through SMF

Posted: Tue Jul 18, 2006 11:54 pm
by oMama
Would my site have been safer if I did not have the forum registration bridge in place?  Or was it doomed no matter what?

Curious.
Corinne

Re: Hacked through SMF

Posted: Wed Jul 19, 2006 1:17 pm
by mauri
oMama wrote: Would my site have been safer if I did not have the forum registration bridge in place?  Or was it doomed no matter what?

Curious.
Corinne

Maybe, maybe not. That's the question.

Be sure you have updated all your components.
I think you should ask your ISP if they look at the server and outgoing transfer, to see if there is something illegal.
And once again, register globals OFF  ;)

Re: Hacked through SMF

Posted: Wed Jul 19, 2006 1:44 pm
by Joo
Strange things happening here. Yesterday, I saw there was a thread that had the same title as the one I started, although it wasn't there when I posted mine. I figured out that oMama had renamed her thread to have the same name as mine. Now the threads got merged together although it's not the same issue they talked about. Now my problem got lost and I still didn't get the response I was hoping for. No reactions at all about this (new?) vulnerability, which is the exploit of directories chmoded to 777 by hackers.

Re: Hacked through SMF

Posted: Wed Jul 19, 2006 2:02 pm
by mauri
I was wondering that too  :o How can they post in the middle of a topic?

Start new thread * *****

Re: Hacked through SMF

Posted: Wed Jul 19, 2006 2:08 pm
by Joo
He he.. well, it's ok. I'm going to start a new thread after all. I think I'm being under attack again or something.