The Joomla! Forum ™
PostPosted: Fri May 11, 2012 6:25 am 
Joomla! Apprentice

Joined: Sun Mar 06, 2011 12:01 pm
Posts: 15
Today I received this email from my shared webhost Hostgator about a brute force attack that succeeded in placing some PHP files. I'd like to know what kind of attack/exploit it is:

Quote:
Hello,

We have received complaints of malware on your site as referenced below, and upon inspection we found that malware had indeed been injected into your account. Upon further investigation we found that your account is running outdated scripts or plugins which have been exploited. This allowed a PHP shell to be injected into your account, which then led to malware being inserted into your site(s). The vast majority of injections are done by malicious users who have found exploits in scripts previously (and legitimately) installed on the account. We have taken the below actions to prevent further malicious activities. Please make sure to update your password, and to update all the scripts/plugins on your account to the latest version.

The following malware was found and removed from this account:

/home/chicago7/public_html/downloadformsindia .com/images/test.php: HG.PHP.shell.774.UNOFFICIAL FOUND
/home/chicago7/public_html/downloadformsindia .com/images/echo.php: HG-PHPSHELL.ENCODED.MD5.AA.263.UNOFFICIAL FOUND


Of the above, the oldest was:

File: /home/chicago7/public_html/downloadformsindia .com/images/echo.php
User: chicago7, Group: chicago7
Size: 44348
Modify: Sat, 08 Jan 2011 10:03:44 -0600 (1294502624)
Change: Wed, 09 May 2012 06:36:01 -0500 (1336563361)

The file was uploaded as the result of a brute force attack on the site. Between 02/May/2012 at 15:16 and 09/May/2012 at 06:35 there were 931 total attempts to infiltrate the site from the same IP address: 91.121.1.85, which is located somewhere in France. Please check the membership on the site, as many of these attempts may have been successful. Unfortunately, we have no way of knowing how many were.

/home/apachelogs/chicago7/forum.indiaconsumercomplaints .org-May-2012.gz: 91.121.1.85 - - [09/May/2012:06:35:40 -0500] "POST /member.php HTTP/1.0" 200 22129 "http://forum.indiaconsumercomplaints .org/member.php?action=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"



Please update the following Vulnerable Applications. The longer that old and vulnerable software, like that running on this account, is exposed to the Internet, the greater the chance that eventually the account will be compromised. Keeping software updated greatly improves security and also performance:

====================================
--=== VERSION DETECTION REPORT ===--
====================================

<removed>


Last edited by mandville on Fri May 11, 2012 8:05 am, edited 1 time in total.
broke link to HACKED website
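The host's evidence above is one Apache log line plus a count of POSTs from a single address over a week. The script below is an added example, not part of the original post and not HostGator's tooling, that reproduces that kind of count over a combined-format access log (plain or a rotated .gz archive): it tallies POST requests per client IP to a given path and flags addresses that reach a threshold. The log lines are constructed for the demo, with RFC 5737 documentation addresses in place of the real IP; the path regex and the threshold of 3 are assumptions. Field positions assume the combined log format with no unencoded spaces in the request line.

```sh
#!/bin/sh
# Added example: count POST attempts per client IP in an Apache combined
# access log and flag brute-force sources. Not HostGator's tooling and not
# from the original post; the log lines below are constructed, and the
# threshold and path regex are assumptions.

# Emit a log file to stdout, decompressing if it is a rotated .gz archive.
read_log() {
    case "$1" in
        *.gz) gzip -cd "$1" ;;
        *)    cat "$1" ;;
    esac
}

# usage: post_attempts_per_ip LOGFILE PATH_REGEX
# Prints "count ip", most active first. Relies on combined-log field
# positions: $1 client IP, $6 method (with its leading quote), $7 path.
post_attempts_per_ip() {
    read_log "$1" | awk -v re="$2" '
        $6 == "\"POST" && $7 ~ re { n[$1]++ }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# usage: flag_brute_force LOGFILE PATH_REGEX THRESHOLD
# Prints only the IPs whose POST count reaches the threshold.
flag_brute_force() {
    post_attempts_per_ip "$1" "$2" | awk -v t="$3" '$1 >= t { print $2 }'
}

# --- demo on constructed log lines (documentation addresses, not the attacker) ---
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
203.0.113.5 - - [09/May/2012:06:35:40 -0500] "POST /member.php HTTP/1.0" 200 22129 "http://forum.example.org/member.php?action=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
203.0.113.5 - - [09/May/2012:06:35:41 -0500] "POST /member.php HTTP/1.0" 200 22129 "http://forum.example.org/member.php?action=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [09/May/2012:06:35:42 -0500] "POST /member.php HTTP/1.0" 200 22129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [09/May/2012:06:36:00 -0500] "GET /member.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2012:06:36:10 -0500] "POST /member.php HTTP/1.1" 200 22129 "http://forum.example.org/member.php?action=register" "Mozilla/5.0"
192.0.2.9 - - [09/May/2012:06:37:00 -0500] "POST /images/test.php HTTP/1.1" 200 120 "-" "curl/7.21"
EOF

echo "== POSTs to /member.php per IP =="
post_attempts_per_ip "$SAMPLE" '^/member[.]php'
echo "== IPs with 3 or more =="
flag_brute_force "$SAMPLE" '^/member[.]php' 3
```

On a real account, point it at the rotated archive named in the notice and at the forum's registration and login endpoints; a separate pass that also keys on the response status tells you which of those POSTs actually completed, which the notice says the host could not determine.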


PostPosted: Fri May 11, 2012 8:07 am
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
[ ] Download and RUN the Forum Post Assistant / FPA. Instructions are available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the Security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and, if possible, user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777; ideal is 644 and 755, and 444 for the configuration.php file.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous FTP enabled.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
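Three items of the checklist above (file permissions, the .htaccess check, and the fact that the host found the shells under images/) lend themselves to a script. What follows is an added example, not from the reply above and not the Joomla project's own code: it lists world-writable paths, normalises permissions to 755 for directories, 644 for files and 444 for configuration.php, lists PHP scripts under directories that should only hold uploads or scratch data, and greps .htaccess for directives that the stock Joomla htaccess.txt does not contain. The docroot layout, the list of upload directories and the .htaccess patterns are assumptions; the tree it builds in a temporary directory is constructed for the demo.

```sh
#!/bin/sh
# Added example: audit and repair a Joomla docroot along the lines of the
# checklist above. Not from the original reply or the Joomla project.
# Directory names, the upload-dir list and the .htaccess patterns are assumptions.
umask 022

# Print every file or directory that is world-writable (777, 666, ...).
find_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Normalise permissions: 755 for directories, 644 for files,
# 444 for configuration.php. Run find_world_writable first to see what will change.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    [ -f "$1/configuration.php" ] && chmod 444 "$1/configuration.php"
    return 0
}

# Print the symbolic mode of one path (e.g. -r--r--r--), portable across ls variants.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print PHP scripts under directories that should only ever hold uploaded
# content or scratch data; a PHP file there is a strong web-shell indicator.
find_php_in_upload_dirs() {
    for d in images media tmp cache logs; do
        [ -d "$1/$d" ] && find "$1/$d" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' \)
    done
    return 0
}

# Print non-comment .htaccess lines carrying directives the stock Joomla
# htaccess.txt does not use (heuristic; also diff the file against htaccess.txt).
check_htaccess() {
    grep -n -i -E '^[^#]*(auto_prepend_file|auto_append_file|AddHandler|RewriteRule[^#]*https?://|base64_decode)' "$1" || true
}

# --- demo on a constructed tree in a temporary directory -------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/images/stories" "$DEMO/administrator"
printf '<?php // site index\n' > "$DEMO/index.php"
printf '<?php class JConfig {}\n' > "$DEMO/configuration.php"
printf 'GIF89a\n' > "$DEMO/images/logo.gif"
printf '<?php // constructed stand-in for a dropped web shell\n' > "$DEMO/images/stories/echo.php"
printf 'RewriteEngine On\n# a comment mentioning http://example.invalid is fine\nRewriteRule ^(.*)$ http://example.invalid/$1 [R,L]\n' > "$DEMO/.htaccess"
chmod 777 "$DEMO/images/stories"
chmod 666 "$DEMO/images/stories/echo.php"

echo "== world-writable before =="; find_world_writable "$DEMO"
echo "== PHP in upload dirs =="; find_php_in_upload_dirs "$DEMO"
echo "== suspicious .htaccess lines =="; check_htaccess "$DEMO/.htaccess"
fix_permissions "$DEMO"
echo "== world-writable after (should be empty) =="; find_world_writable "$DEMO"
echo "configuration.php is now $(mode_of "$DEMO/configuration.php")"
```

Permission fixing does not remove a backdoor, it only stops the next one from being written as easily; the file replacement step in the checklist is still what cleans the site. For the .htaccess check, the authoritative comparison on a real install is `diff htaccess.txt .htaccess` in the docroot, since Joomla ships the reference file alongside.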


Powered by phpBB® Forum Software © phpBB Group