Joomla! Discussion Forums

Dear All,

This week I noticed that something changed on my site. At the top menu bar I saw a space, what wasn't there before. Then I started investigating, because this week I made some minor updates to the website. Then I found something very interesting in my templates index.php file.

Instead of

Something/ somebody changed it to:

I also got a 'new' page: http://webforu.co.uk/?option=com_topmp3 (this has been removed now). After I deleted the index.hph and replaced it with an older one, I still have this page. How could I delete it?

To be honest I thought I'm protected and nothing like this could not happen to me, but it happened.

Could anybody help me track down this problem?

Thanks,
S

did you have a component names com_topmp3?


If not, you need to remove the component

Hi Alex,

Thank you for your fast reply.

I haven't had anything installed with mp3. On the backend I don't have any components installed with mp3. (strange)

Now I'm trying to make a comparison of an old mysql and the new mysql database to see if any changes have been done there.

Any help/ suggestions is welcome.
S

Check the Extensions > Install/Uninstall > Components to see if it's visible there. Also check /components/ and /administrator/components/ for com_topmp3. From the looks of it, com_topmp3 is actually a malicious component being installed on numerous sites.

Could you do me a big favor and send me a zip of any com_topmp3 folders you have? I'd like to take a look at them...

Hi Jeff,

I found the file. I will post it today and also details regarding the extension I used. Maybe we can find out how it got uploaded in the first place.

Are there any similar post around?

Thanks,
S

If you post, a mod may remove it (and for good reason, too). Feel free to PM me, or grab my email address from my blog, linked below...

EDIT: If there are topmp3 folders in both /components AND /administrator/components, please post if there was a file named /administrator/components/com_topmp3/topmp3.xml - I'm curious if this was a well-planted malicious file, or a crafted component...

Hi Jeff,

Please find attached the zip file with the com_topmp3. This has been placed in root/components/com_topmp3/topmp3.php.

I know that there was one mistake from my side, having the admin as Super Administrator. I've been meaning to change it, but never got around it. I fixed this, but sadly I think this isn't how they uploaded the file.

I would think one of the extension could be the problem. Please find below the extensions installed on the affected site:

BCA-RSS- Syndicator (version 1.5.5.4)
CK Forms (Version 1.2.1)
JCE (version 1.5.1)
Joomla Flash Uploader (version 2.10)
Jumi (version 2.0.3)
QContacts (version 1.0.5)

These are all the components installed.

People should be keep a lookout for this, since I wouldn't have noticed it if my template wouldn't got changed. (added a space in the top menu)

Hope to find out more. If there's any way I can investigate this further (mysql) or through Cpanle to find out how the file got on my server then please let me know how to do it

Thanks,
S

[Mod edit - file removed]

I just missed your previous post.

There was just one dir in root/components/

Cheers,
S

Well... that was disappointing.

What's interesting is the changing of the template's index.php coupled with this file. I'd recommend going through the security checklist, changing passwords, etc. Also, please run the post assistant above so we know what's up with your environment...

Sorry to disappoint you But that's all I've got, sadly more then I 'ordered'.

I've changed my Cpanel password and ftp account password as well. I know the dir and files have been uploaded 5 days ago 9/10/2009 20:25.

At the moment I've contacted my host and hopefully we can find the source or some help how I've received this present.

My hunch would be still the extensions ... but let's hope we get more hard evidence.

Cheers,
S

Do you have any permissions problems, like having to use 666/777 permissions? If so, that's a possibility... otherwise I'd start looking towards your components and FTP...

Here it is:



Hope it helps

Okay, that looks good so far (though let's still not count out your host - lots of privilege escalation exploits out for linux lately...)

Next up: check Apache logs for lots of strange requests (you'll want to search for weird params like "... UNION SELECT ...", etc.) Take special note of any POST request, and reference the IPs of any POST request to other connections.

Just received a reply from my host, and because it has been a 5 day breech the Apache logs aren't available anymore. They sad it's not a Cpanel or FTP access ... so that leaves with a nice investigation into the components that I have installed.

I'll remove the code, and hopefully it won't return. Also delete a few unused components.

S

We've seen this on at least 4 client sites - 3 we host on a dedicated machine and 1 that's hosted externally. On the 3 we host it looks like 2 were compromised and they're both Joomla 1.5.8 and one appears to have been unsuccessful that's 1.5.11. I believe the other that was compromised is 1.5.10.

I don't see anything from the ftp logs but on the compromised sites there are two suspicious posts in the apache logs:
site.org:95.24.31.136 - - [15/Sep/2009:14:20:24 -0400] "POST /index.php HTTP/1.1" 200 16213 "http://www.site.org" "Mozilla/5.0 (Windows; U; GoogleToolbar 2.0.111-big; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 WebMoney Advisor"
site.org:95.24.31.136 - - [15/Sep/2009:16:13:20 -0400] "POST /index.php HTTP/1.1" 200 12364 "http://www.site.org" "Mozilla/5.0 (Windows; U; GoogleToolbar 2.0.111-big; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 WebMoney Advisor"

These are the only entries for this IP address to this server though there are similar looking entries (POST to index.php) from other IPs with the same user agent signature before this one.

There's no entry for this component in the jos_components table so it looks like they just dropped this file in the components directory and altered the index.php in the template.

Same here john.

Could you please let us know what extensions you had installed on the 'hacked' sites?

Thanks,
siki

Site 1:
JCE 1.5.6
Jumi 2.0.1
sh404sef 1.0.16_Beta
Xmap 1.2

Site 2:
EventList 1.0 RC
JCE 1.5.0 Stable
JM Sitemap 2.2 BETA
JomComment 3.0 Build 562
Joo!BB 0.7.6
JoomGallery 1.5 RC2, BUILD 20090222
Jumi 2.0.1 December 2008
My Blog 2.0.1 Build 282
VirtueMart 1.1.3

Site 3: (not compromised)
comprofiler 1.2.1
JCE 1.5.6
Jumi 2.0.3
sh404sef 1.0.20_Beta
VirtueMart 1.1.3
Xmap 1.2.1

Is there nothing more we can do to investigate this? A quick google search shows at least 80 sites that are or were affected by this. If there's a Joomla vulnerability here that's being exploited we should know because while these guys didn't do anything too destructive the same vulnerability could be used to cause far worse damage.

siki - have you seen them back at your site? I haven't seen any repeat attempts to compromise the sites that had been affected but cleaned. I almost wish they were still trying so we could track what avenue they were using to compromise the sites.

Hi John,

I have to completely agree with you. Would be nice to determine how they managed to place the files on our servers. Sadly my apache logs have been deleted by the time I contacted my provider.

Since then I have upgraded all the extensions, and haven't received any threats anymore.

Hope to see more developments.

Cheers,
S

Hi there!

One of my sites was also compromised with this pseudo-component called com_topmp3. Though the index.php template file wasn't changed in any way.

I found out that the component was somehow installed in the folder components/com_topmp3, as well as another component in the folder components/com_bdpoll. None of these pseudo-components were visible in the administration backend (installed components list).

The first one (com_topmp3) contained a .php file called "topmp3.php". This file contained several HTML links that pointed to the attacker's site and nothing more.

The second one (com_bdpoll) contained a .php file called "bdpoll.php". This file contained the following code in PHP:

I think the attacker found a vulnerability in the Jumi component (version 2.0.2) which was installed on my site and used some code to copy his own files in the components folder.

Actions Taken:
1. Deleted both folders containing the pseudo components.
2. Updated to latest Jumi version.

I have the same issue with Two Sites both have Jumi

I noticed this

Is the vulnerability with Jumi?

What else do It need to do after deleting the folder. Should I check the database? and also change the Server details?

I would think that if you delete the files as Valandis did and update to the latest Jumi (2.0.4) then that should solve the problem.

It looks very much to be the old Jumi component what compromises our sites. Keep on updating.

Cheers,
S

well,

as you can find in the forum, if your would use search, there is a good chance, that your windows PC is infected
with some crappy software , which use your FTP account in case you connect to your site and infects your site via your own FTp account.

so as i wrote for some time:

IF you are useing a anti virus scanner on your windows PC and windows is UP and RUNNING,
the anti virus scanner ist useless. because IF your system was compromised, the crcker is able to chnage your anti virus software, so it cannot detect the crap software.

so what does this mean ?

grap a clean boot cd (windows or linux) with anti virus software installed on it, reboot your PC , the anti virus software on cd must upate via internet.

and after that, if those scanners dont find anything THEN , your PC MIGHT be free from crapware. but not before... and also this is not a 100% sure...

PLZ ALSO CHECK THIS! this is also a reason why we have so many hacked sites !

I agree with fw116, but I'm quite sure that this time it's not the case.

S

@silent_thunder:
no unknown tables whatsoever have been found in the site's database; the best thing to do is to update (or remove) the vulnerable components (in this case Jumi), update Joomla to latest version (as always), and probably extra secure the administrator folder with a password (using cpanel for example).

@fw116:
I will also agree with you having your own computer first of all secured, otherwise that would compromise other logins too (except Joomla's) ie. eBanking etc! ..But in our case is something totally different; the attacker found a vulnerability of a Joomla 3rd party component (in this case Jumi) and used it to inject his own code into our sites.

This response is totally out of place and quite rude. As people have pointed out in this thread this is not an FTP issue. If you bury your head in the sand and assume that all hacked sites are because people have spyware on their PC you're just being ignorant and exposing you and people who listen to you to further attacks. It's pretty clear that this is a vulnerability in either Joomla! or one of the installed components. No amount of scanning your PC for "crappy software" is going to help.

In this case all fingers really do point toward Jumi. I don't think there's a site that's been affected that doesn't have Jumi installed and given Jumi's capabilities it would be a logical place to attack.

I do wish I knew a bit more about the attack because I'm not sure that even the most recent version of Jumi isn't vulnerable. I took a look at the Jumi change logs a while back and didn't see anything that would indicate that the developers were aware of or had fixed a vulnerability like this.

Actually they did state at their page at Joomla Extensions Directory that they fixed some vulnerability issues. Take a look there and you will see; they also have released a new beta version of Jumi 2.1.0.

Anyway, if someone doesn't need Jumi's functions so bad, it would be better in my humble opinion not to install such a powerful, yet vulnerable to attacks component.

The security vulnerability that Jumi fixed was an SQL injection vulnerability. There's quite a way between SQL injections and altering/uploading files. Specially since this particular topmp3 business didn't alter the db in any way.

Well they don't actually say exactly what vulnerability issue they fixed..but ofcourse if it was an SQL inj. is something different than PHP code inj. Whatever it is, I hope they fix it as soon as possible.

The vulnerability is described here (among other places):
http://www.f-secure.com/vulnerabilities/SA200902769

The jumi developer describes the fix here:
http://jumi.vedeme.cz/index.php?option= ... l&Itemid=1

It's described as an SQL injection and the fix appears to only fix an SQL injection but I haven't combed through all the code to verify this.

Edit: The big reason I think it's likely a Jumi vulnerability is that Jumi appears to be about the only component in common with all the sites that have been hit and by its very nature Jumi is going to be able to run php which can be used to alter/insert files. It's possible that it's not a Jumi issue at all but rather a Joomla! core issue but I think that's less likely.