Joomla! Discussion Forums



Posted: Sun Aug 27, 2006 5:00 pm
Joomla! Apprentice

Joined: Thu Apr 20, 2006 6:14 pm
Posts: 10
[mod note: After logs were sent, this was confirmed to be a hole in 3rd party component, not Joomla! Read below for the discussion]
Hi! I'm an experienced Joomla user, a user of and advanced users. Your software is very easy to hack!!! It's a final warning.

Look AT MY SITE~! http://lammas.tservu.pri.ee/www/bss/
If you can't see it, then I probably got it fixed (my site has been hacked a total of 3 times!?), so I post an image to

http://lammas.tservu.pri.ee/sercurityonline.JPG

So what can I tell you? It has always been hacked by MySQL. My MySQL password's strength is rated ultra good and it is 15 letters long with all that is needed inside.

These guys also have tried to hack into my host, using morgan

My site gets, by the way, many intrusion attempts, so your software isn't a total mess, but still, not good.

My site was last hacked and taken over on 26 August. I can access my admin panel.

What do they mean, "admin patch your site now and your data is safe"?


Last edited by nathandiehl on Mon Aug 28, 2006 3:08 pm, edited 1 time in total.

Posted: Sun Aug 27, 2006 5:07 pm
Joomla! Master

Joined: Thu Aug 18, 2005 10:41 am
Posts: 15089
Moderator note; moving from Dev, Q&T1.0 >> Joomla, Security

_________________
Regards Robin


Posted: Sun Aug 27, 2006 5:19 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
As a very first measure, once the logs are copied (the logs above don't show the intrusion) and the site is restored, ask your hoster to turn PHP register_globals to OFF (btw, it has been PHP's default setting for 2 years!) and PHP gpc_magic_quotes to ON, as well as RG_EMULATION to OFF in file globals.php.

Make sure to subscribe to Joomla security alerts ( http://forum.joomla.org/index.php/board,267.0.html ), as well as register on the sites of the components you use.
Update to Community Builder 1.0.1 if not already done, as there are vulnerabilities below. http://www.Joomlapolis.com emailed all registered users 3 weeks ago about this problem when register_globals is ON...

Also take a look here on safe server installs:
http://forum.joomla.org/index.php/topic,81058.0.html

Joomla itself is secure on safely set up servers running up-to-date software...

The shortly upcoming Joomla 1.0.11 will fix some vulnerabilities on badly set up servers.

Then, please print the server logs showing the intrusion, with the full contact address of the ISP, for a local police office, and file a criminal complaint against unknown. I don't know the local laws in your country but it's usually a simple process without cost associated, and should hopefully stop these hackers. In my past experience, it worked out most of the time, especially within the EU.

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Posted: Sun Aug 27, 2006 5:27 pm
Joomla! Apprentice

Joined: Thu Apr 20, 2006 6:14 pm
Posts: 10
Hi!

I was using all the latest possible versions; Community Builder was reinstalled only 4 h after release, and Joomla was the latest available version.

BTW: how can I restore my site? My latest backup is from 15 August, and that does not include the latest security updates and component installs.

BTW2: I also have flood protection installed. Any ideas why it did not help?


Last edited by lammas on Sun Aug 27, 2006 5:29 pm, edited 1 time in total.

Posted: Sun Aug 27, 2006 5:31 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
We need more logs, as the logs above do not show the intrusion requests ...sent you PM.

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Posted: Sun Aug 27, 2006 5:38 pm
Joomla! Apprentice

Joined: Thu Apr 20, 2006 6:14 pm
Posts: 10
I'll email you the server logs as soon as possible. Meanwhile, when I log into Joomla, here's what I get:


BTW2: I also have flood protection installed. Any ideas why it did not help?

BTW3: Legend of visitors: on 26 August I had only 5 visitors, and the legend says that this was only from Estonia. This is the report which I get from my domain supplier, http://www.tk

BTW4: as soon as I get my server logs, I will let you know!

BTW5: these hac0rs gave me a spare, so I had a backup, made by them, but the question is, why does my site say "no such page, please select it from the menu" when I go to my homepage? How can I get it back up and running again?


Last edited by lammas on Mon Aug 28, 2006 8:03 am, edited 1 time in total.

Posted: Sun Aug 27, 2006 7:01 pm
Joomla! Apprentice

Joined: Tue May 09, 2006 6:04 pm
Posts: 12
I think the idea of collecting the attack log and passing it to Interpol/police is a good idea.
My attacker's log led me to their base: http://www.zone-h.org/component/option, ... 43/page,15

They seem to attack anything...

Turkish Telecom should also be contacted as most of the attackers seem to be their clients >:(.

Regards


Posted: Mon Aug 28, 2006 8:06 am
Joomla! Apprentice

Joined: Thu Apr 20, 2006 6:14 pm
Posts: 10
News: the hac0r used some security bug in Joomla to reach my server core files, and through Joomla they got into the server, and had control for about 29 minutes; after that the security system was triggered and the server made a lockdown, and maybe that's why they did not destroy my work totally. They also used morgan. Any ideas what it is?


Posted: Mon Aug 28, 2006 1:47 pm
Joomla! Virtuoso

Joined: Fri Aug 19, 2005 3:03 pm
Posts: 4724
Location: Indiana, USA
lammas wrote:
News: the hac0r used some security bug in Joomla to reach my server core files, and through Joomla they got into the server, and had control for about 29 minutes; after that the security system was triggered and the server made a lockdown, and maybe that's why they did not destroy my work totally. They also used morgan. Any ideas what it is?


WE NEED YOUR SERVER LOGS.

More than likely, this was NOT hacked via Joomla! but was hacked via vulnerable server settings or a 3rd Party Extension.

Please provide the logs via PM (do not post publicly here!)
PLEASE, send your raw access logs.

Again, this was likely NOT Joomla! (possible, but not likely)
Again, if you have proof that the 'software is very easy to hack', please provide the proof (again, do not post publicly here, but PM).

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


Posted: Mon Aug 28, 2006 2:23 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
Beat wrote:
We need more logs, as the logs above do not show the intrusion requests ...sent you PM.



Thought that I hadn't received any emails from you yet. Checked in my spam-box, and found it.

Ok: the culprit is on the very first line of your log: it's a hole in a 3PD component, when you have PHP setting "register_globals" ON instead of OFF. You will find its name in that line after: "components/com_" ;). It IS NOT JOOMLA itself.

Update that component (if a new release is available, I don't see any security update yet...) or switch to another. I will leave a message to the author.

Alternatively, and in all cases, ask your hoster to change the PHP settings to:

register_globals OFF
gpc_magic_quotes ON

as basic security measures !

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
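
Added example, not part of the original thread or of any Joomla! code: a log-triage script for the check described in the post above, listing requests that call a PHP file under `components/com_<name>/` directly with query parameters, grouped by the component name that follows "components/com_". It assumes an Apache/NCSA-style access log; the sample lines, addresses, `com_example` and the parameter names are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote, parse_qsl

# Client address, request target and status from an Apache/NCSA access-log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A PHP script requested directly inside a component directory.
COMPONENT_RE = re.compile(r'/components/(com_[a-z0-9_]+)/.*\.php$', re.I)

def direct_component_hits(lines):
    """Return {component: [(client, status, param_names), ...]} for requests
    that call a component's PHP file directly and pass query parameters.
    With register_globals ON each parameter becomes a global variable in
    that script, so these entries are the ones to review by hand."""
    hits = defaultdict(list)
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log entry
        client, target, status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)  # decode %2F etc. before matching
        cm = COMPONENT_RE.search(path)
        if not cm or not parts.query:
            continue  # normal index.php routing, static file, or no parameters
        names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
        hits[cm.group(1).lower()].append((client, int(status), names))
    return dict(hits)

# Constructed sample log (documentation address ranges, hypothetical component).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Aug/2006:14:02:11 +0000] "GET /index.php?option=com_content&task=view&id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Aug/2006:14:05:40 +0000] "GET /components/com_example/example.php?cfg_path=x&debug=1 HTTP/1.0" 200 312',
    '198.51.100.7 - - [26/Aug/2006:14:05:41 +0000] "GET /components/com_example/css/style.css?v=2 HTTP/1.0" 200 900',
    '203.0.113.5 - - [26/Aug/2006:14:09:02 +0000] "POST /components%2Fcom_Example/admin.example.php?cfg_path= HTTP/1.1" 404 0',
    '192.0.2.10 - - [26/Aug/2006:14:10:00 +0000] "GET /components/com_example/example.php HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for component, entries in direct_component_hits(SAMPLE_LOG).items():
        for client, status, names in entries:
            print(f"{component}: {client} status={status} params={','.join(names)}")
```

Requests routed normally through `index.php?option=com_...` are not listed, so what remains points at the component whose files were called directly.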


Posted: Mon Aug 28, 2006 3:08 pm
Joomla! Virtuoso

Joined: Fri Aug 19, 2005 3:03 pm
Posts: 4724
Location: Indiana, USA
Moving to security-3rd party extensions

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


Posted: Tue Aug 29, 2006 9:11 am
Joomla! Apprentice

Joined: Thu Apr 20, 2006 6:14 pm
Posts: 10
Thank you very much. As a question, I would like to ask, as this hac0r is a script kiddie, he also hacked other Estonian sites.

BTW: The script kiddie also attacked our government military homepages, school pages and other sites. Using some bug, over 13300 Joomla sites have been hacked by zone-h logs. So, this really is a BIG security bug.

As the server is a friend of mine's, I asked him to turn off register globals. Anyway, thank you very much. All sites that have been hacked in Estonia have been restored. Also, I would like to ask you one thing.

Please make a backup of all your Joomla CORE files, it is a VERY needed thing! Thank you!

