The Joomla! Forum ™



PostPosted: Sat Aug 11, 2012 5:38 pm 
Joomla! Fledgling

Joined: Mon Apr 25, 2011 4:28 pm
Posts: 3
Problem Description :: Forum Post Assistant (v1.2.1) : 11th August 2012 wrote:
Several antivirus and sucuri online virus scanner are reporting trojan and malware on my website. Sucuri identifies it as blackhole exploit.
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.1) : 11th August 2012 wrote:
[08-Aug-2012 03:16:47] PHP Warning: getimagesize(pix/zajceva_mapa_daleko.gif) [<a href='function.getimagesize'>function.getimagesize</a>]: failed to open stream: No such file or directory in /home/kbmerkur/public_html/libraries/tcpdf/tcpdf.php on line 3694
Actions Taken To Resolve by Forum Post Assistant (v1.2.1) 11th August 2012 wrote:
I have deleted all the files from the server, reinstalled Joomla and components from a clean install. Then I copied the attachments, images and template directories over (they were also visually inspected on a Linux computer and scanned with antivirus as clean). The site was working okay again, with the same problem appearing again after 4 days.
I have also double checked that all the permissions are okay, changed all the passwords (admin/cpanel/mysql) and moved tmp and log directories outside the public_html folder.
Renamed htaccess.txt to .htaccess

I am at a loss on how to prevent this.
Forum Post Assistant (v1.2.1) : 11th August 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: kbmerkur (uid: 7585/gid: 7570) | Group: kbmerkur (gid: 7570) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.59-grsec | Technology: x86_64 | Web Server: Apache | Encoding: identity,gzip,deflate | Doc Root: /home/kbmerkur/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 08th August 2012 03:16:47. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 12M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.1.63-rel13.4-log (Client:5.1.63) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 4.96 MiB | #of _FPA_TABLE: 148
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | imagick (3.0.1) | ffmpeg (0.6.0-svn) | SourceGuardian (8.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: MailTo (1.5.0) | Wrapper (1.5.0) | Default (1.0.0) | User (1.5.0) |
Components :: ADMIN :: Banners (1.5.0) | Akeeba (3.4.3) | Control Panel (1.5.0) | Installation Manager (1.5.0) | Template Manager (1.5.0) | Polls (1.5.0) | Mass Mail (1.5.0) | Admintools (2.2.10) | Contact Items (1.0.0) | Weblinks (1.5.0) | Messaging (1.5.0) | Frontpage (1.5.0) | Search (1.5.0) | User Manager (1.5.0) | Newsfeeds (1.5.0) | Menus Manager (1.5.0) | PhocaGallery (2.8.1) | Media Manager (1.5.0) | Trash (1.0.0) | Cache Manager (1.5.0) | Content Page (1.5.0) | Module Manager (1.5.0) | System - Show attachments in e (2.2) | Attachments - For Components P (2.2) | Content - Attachments (2.2) | Editor Button - Insert Attachm (2.2) | Search - Attachments (2.2) | Attachments - For Content (2.2) | Editor Button - Add Attachment (2.2) | Attachments (2.2) | Configuration Manager (1.5.0) | Language Manager (1.5.0) | Plugin Manager (1.5.0) |

Modules :: SITE :: Statistics (1.5.0) | Login (1.5.0) | Banner (1.5.0) | Random Image (1.5.0) | Breadcrumbs (1.5.0) | Footer (1.5.0) | Syndicate (1.5.0) | Feed Display (1.5.0) | Archived Content (1.5.0) | Menu (1.5.0) | Sections (1.5.0) | Related Items (1.0.0) | Most Read Content (1.5.0) | Custom HTML (1.5.0) | Latest News (1.5.0) | Poll (1.5.0) | Wrapper (1.0.0) | Search (1.0.0) | Newsflash (1.5.0) | Who's Online (1.0.0) |
Modules :: ADMIN :: Admin Tools Joomla! Upgrade No (revAE48DBE) | Items Stats (1.0.0) | Unread Items (1.0.0) | Login Form (1.0.0) | Quick Icons (1.0.0) | Title (1.0.0) | Logged in Users (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Footer (1.0.0) | Feed Display (1.5.0) | Admin Submenu (1.0.0) | Admin Menu (1.0.0) | Toolbar (1.0.0) | Latest News (1.0.0) | Akeeba Backup Notification Mod (3.4.3) | Custom HTML (1.5.0) | User Status (1.5.0) |

Plugins :: SITE :: XML-RPC - Joomla API (1.0) | XML-RPC - Blogger API (1.0) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | System - SEF (1.5) | System - Remember Me (1.5) | Akeeba Backup Lazy Scheduling (3.3) | System - Legacy (1.5) | System - Backlinks (1.5) | System - Log (1.5) | Google Maps (2.17) | System - Admin Tools (2.2.9) | System - Mootools Upgrade (1.5) | System - Show attachments in e (2.2) | System - Debug (1.5) | System - Cache (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - Example (1.5) | Authentication - OpenID (1.5) | Authentication - GMail (1.5) | Content - Load Modules (1.5) | Phoca Gallery Plugin (2.7.7) | Content - Vote (1.5) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | Content - Example (1.0) | Content - Attachments (2.2) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Editor Button - Insert Attachm (2.2) | Editor Button - Add Attachment (2.2) | Button - Image (1.0.0) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Attachments - For Components P (2.2) | Attachments - For Content (2.2) | User - Joomla! (1.5) | User - Example (1.0) | Search - Categories (1.5) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Attachments (2.2) | Search - Contacts (1.5) | Search - Sections (1.5) | Search - Content (1.5) |
Templates Discovered :: wrote:
Templates :: SITE :: beez (1.0.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | siteground-j15-19 (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |


PostPosted: Mon Sep 24, 2012 11:59 am 
Joomla! Fledgling

Joined: Mon Apr 25, 2011 4:28 pm
Posts: 3
Hrmm.. no replies at all...

in any case, I am bringing the topic back to life because not a month after cleaning the site completely, the security checks report my site as being infected with trojans again. I have followed the steps to completely clean the site exactly, and here I am again...

Sucuri reports:

Description: Web site identified with Blackhat SEO Spam. This often means that it was hacked and the attackers inserted links to their own sites to increase their page rank on search engines.



Any ideas on what to do?
Thank you!


PostPosted: Mon Sep 24, 2012 12:59 pm 
Joomla! Apprentice

Joined: Sat Sep 03, 2011 2:29 am
Posts: 37
Check if your FTP/SSH credentials are compromised. Ask your webhost to run a file system check. Try to get the actual logged files that are generating the reports.


PostPosted: Mon Sep 24, 2012 4:57 pm 
Joomla! Explorer

Joined: Sat Aug 13, 2011 6:27 am
Posts: 299
If the case seemed hopeless, I would pay Sucuri to clean the site from malware for one year. I think it costs 90 USD. Then I would install the security extension eyesite that checks the site for new or changed files. With such a tool Sucuri would not be needed after a year.

http://www.lesarbresdesign.info/extensions/eyesite


PostPosted: Mon Sep 24, 2012 5:39 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
@Slackervaara
Are you affiliated with EyeSite? You sure promote the use of it heavily.

@In general
The use of extensions for security will not keep your site safe from hacks, prevent them from occurring, relieve one from taking proper security measures, or applying security updates to keep extensions and Joomla secure. Many illicit ways into a site will never invoke any response from Joomla, any extension, or even be detected as anything other than a legitimate request. Depending upon how the hack is crafted and what weak spot is used for the exploit the hack may even bypass added password (htpasswd) protection on the administration directory.

@NiksaVel
When you cleaned your site did you also look for added subdomains, added cron jobs, anonymous ftp access, added ftp users, and anything such as added files outside of the public_html area that should not be there (a copy of a hacked htaccess file is a common one)?

Because of the way many hacks work and how they look to an antivirus scan, they will not be picked up by an antivirus scan of a directory, so manually looking within the directory is best. It won't take that long unless you have 46,000 files in one directory.

I would make sure your extensions, plugins etc. are up to date and you are not using any versions that appear on the VEL http://docs.joomla.org/Vulnerable_Extensions_List

Do not keep any site backups within a public area and remove any extra files you don't need.

You can set up a cron job with results to be emailed to the account owner with the command listed under chmod and cron in the checklist 7
http://docs.joomla.org/Security_Checkli ... d_and_cron
It is the paragraph that begins with "To check for recent file changes within the last day on your system...." It is very effective in detecting changes and added files. The drawback is cache files get included, but you have to scan the cache directory for added files anyway as it is a somewhat common place to put hack files.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
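The two file-change checks discussed in this thread, the "files changed in the last day" cron command PhilD points to in the Security Checklist and the new/changed-file detection Slackervaara attributes to EyeSite, can both be done with stock POSIX tools. The script below is an added example, not code from the forum posts, from the Joomla checklist, or from EyeSite. It assumes POSIX find, cksum and awk, a web root whose layout it constructs itself for the demo, and file paths without whitespace. The baseline snapshot is meant to be stored outside public_html right after a clean install or a verified clean-up, and the comparison run from cron.

```shell
#!/bin/sh
# Added example, not code from the forum thread, Joomla, or EyeSite.
# (1) recent_changes: the "modified in the last day" find that the checklist
#     schedules from cron, skipping the cache directories that add noise.
# (2) snapshot/compare_snapshot: a checksum baseline that reports added,
#     removed and changed files, independent of mtimes (which can be reset).
# Assumptions: POSIX find/cksum/awk; paths contain no whitespace; the sample
# tree below is constructed for the demo and is not a real site layout.

# Files modified or added less than DAYS*24h ago (default 1), cache dirs excluded.
recent_changes() {
  root="$1"
  days="${2:-1}"
  find "$root" -type f -mtime "-$days" \
    ! -path "$root/cache/*" \
    ! -path "$root/administrator/cache/*" | sort
}

# World-writable files; worth flagging in the same cron report.
world_writable() {
  find "$1" -type f -perm -002 | sort
}

# Baseline: one "crc size path" line per file, sorted by path.
# Save it outside the web root so a compromise of the site cannot edit it.
snapshot() {
  find "$1" -type f -exec cksum {} + | sort -k3
}

# Compare a saved baseline against the tree as it is now.
compare_snapshot() {
  baseline="$1"
  root="$2"
  current="$(mktemp)"
  snapshot "$root" > "$current"
  awk 'NR == FNR { base[$3] = $1 " " $2; next }
       {
         if (!($3 in base)) { print "ADDED   " $3 }
         else if (base[$3] != $1 " " $2) { print "CHANGED " $3 }
         delete base[$3]
       }
       END { for (p in base) print "REMOVED " p }' "$baseline" "$current" | sort
  rm -f "$current"
}

# Constructed sample tree: two old core files (mtime forced back to 2012),
# a freshly written cache file, and a world-writable file that appeared today.
build_sample_tree() {
  dir="$1"
  mkdir -p "$dir/public_html/cache" "$dir/public_html/images"
  echo "<?php // core" > "$dir/public_html/index.php"
  echo "GIF89a" > "$dir/public_html/images/logo.gif"
  chmod 644 "$dir/public_html/index.php" "$dir/public_html/images/logo.gif"
  touch -t 201201010000 "$dir/public_html/index.php" "$dir/public_html/images/logo.gif"
  echo "cached page" > "$dir/public_html/cache/page.cache"
  chmod 644 "$dir/public_html/cache/page.cache"
  echo "<?php // not part of the install" > "$dir/public_html/images/unexpected.php"
  chmod 666 "$dir/public_html/images/unexpected.php"
}

# Simulate what happens between two cron runs: a core file edited,
# a file removed, and a new file added.
mutate_sample_tree() {
  dir="$1"
  echo "// appended" >> "$dir/public_html/index.php"
  rm -f "$dir/public_html/images/logo.gif"
  echo "x" > "$dir/public_html/images/second.php"
}

demo() {
  sample="$(mktemp -d)"
  build_sample_tree "$sample"
  echo "== modified in the last day (cache excluded) =="
  recent_changes "$sample/public_html" 1
  echo "== world-writable files =="
  world_writable "$sample/public_html"
  snapshot "$sample/public_html" > "$sample/baseline.txt"
  mutate_sample_tree "$sample"
  echo "== baseline comparison =="
  compare_snapshot "$sample/baseline.txt" "$sample/public_html"
  rm -rf "$sample"
}

demo
```

On a live site the cron line would call `compare_snapshot /path/outside/public_html/baseline.txt /home/user/public_html` and mail the output; an empty report means nothing was added, removed or altered since the baseline, and any CHANGED line on a core file deserves a look before anything else.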

