I've Been Hacked -

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
hmoran
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Jul 18, 2014 4:46 pm

I've Been Hacked -

Post by hmoran » Fri Jul 18, 2014 4:59 pm

Problem Description :: Forum Post Assistant (v1.2.4) : 18th July 2014 wrote:Site has been hacked 3 times in the last 4 months
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 18th July 2014 wrote:files cleaned up everytime and joomla updated to latest version.
Forum Post Assistant (v1.2.4) : 18th July 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 64980 (uid: /gid: ) | Group: 65533 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0
Top
itoctopus
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada
Contact:
Contact itoctopus

Re: I've Been Hacked -

Post by itoctopus » Fri Jul 18, 2014 7:39 pm

Joomla 1.5.26 is exploitable. The best thing that you can do is switch from suPHP to DSO, set all the file ownership to root, and lock down the permissions.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
Top
User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:
Contact Bernard T

Re: I've Been Hacked -

Post by Bernard T » Sat Jul 19, 2014 12:13 am

@hmoran: If you want help, please post the whole FPA output for forum.

@itoctopus: I'm not aware of the active exploit on core 1.5.26 ?
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
Top
hmoran
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Jul 18, 2014 4:46 pm

Re: I've Been Hacked -

Post by hmoran » Tue Jul 22, 2014 8:55 pm

@itoctopus: Thanks for the help. I can take care of the file permissions. But How do I set the file ownership to root?
Top
User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:
Contact Bernard T

Re: I've Been Hacked -

Post by Bernard T » Tue Jul 22, 2014 8:58 pm

For that you should be the "root" user on the server

Why are you ignoring our requests for more details disclosure?
BernardT wrote:@hmoran: If you want help, please post the whole FPA output for forum.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
Top
hmoran
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Jul 18, 2014 4:46 pm

Re: I've Been Hacked -

Post by hmoran » Tue Jul 22, 2014 9:15 pm

@BernardT: thanks! not ignoring the request for more info. When I ran the FPA script i posted everything that was in the results. It's what you see in this forum. I would love it if there was more because we really want to find out how to prevent this from happening. I actually just cleaned up the root folder again as it had uploaded malicious files once again.
Top
hmoran
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Jul 18, 2014 4:46 pm

Re: I've Been Hacked -

Post by hmoran » Tue Jul 22, 2014 9:19 pm

@BernardT: just ran the FPA again and this is what I got
Problem Description :: Forum Post Assistant (v1.2.4) : 22nd July 2014 wrote:Site has been hacked
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 22nd July 2014 wrote:root folder has been clean up and also subfolders
Forum Post Assistant (v1.2.4) : 22nd July 2014 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: 64980 (uid: /gid: ) | Group: 65533 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite:[/b
Top
User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:
Contact Bernard T

Re: I've Been Hacked -

Post by Bernard T » Tue Jul 22, 2014 9:50 pm

You are obviously not copying all of the generated post code using FPA, select all the text generated in "FORUM POST ASSISTANT POST DETAIL" box.
Then copy and paste it here using a "FULL EDITOR" button under the post (not just small Quick Reply box) , or just click "Post Reply" button. But you have to see the "Post Editor"
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
Top
User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 30937
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: I've Been Hacked -

Post by Per Yngve Berg » Tue Jul 22, 2014 9:54 pm

1.5.26 is not safe.

1. Remove the swf uploader.
2. Install the Post 1.5.26 patch package.

Check for vulnerable extensions.
Top
hmoran
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Jul 18, 2014 4:46 pm

Re: I've Been Hacked -

Post by hmoran » Tue Jul 22, 2014 10:32 pm

@Per Yngve Berg: thanks i already had installed the post 1.5.26 patch. But was not aware of the SWF [issuu]. I have removed the SWF uploaded. Thanks!
Top
Locked

Return to “Security in Joomla! 1.5”