The Joomla! Forum ™



PostPosted: Tue Jul 17, 2012 4:52 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Hi, I run and own a number of sites, one of which is repeatedly being attacked by someone attempting to gain some leverage over a domain name.
Anti-hack software has identified various attributes of the attack.
I believe the attacks are from the same source, possibly manual using a bot as an aid, and are motivated by a fraudulent conflict over the domain name.

As you may be aware, a number of people invest in area- or locality-based domain names, and it was only after I declined to purchase a similar .com, which they wished to offload in an unsolicited marketing email, that the attacks started, both in the form of spam to my inbox and attacks on the domain name itself, hoping, I guess, that I will surrender my domain name, therefore giving their investment domain name value.

I believe this may provide those interested in site security an opportunity to study the attacks, which I believe will eventually prove successful in destroying the site as the perp. adapts his bot to attack in different ways.

If interested, I can post security notifications that may shed some light, not on the perp, but more on what methods he is employing and what he is targeting. This may aid in providing better security in the future.

The site in question is a Joomla 1.5 series site with a SOBI2 directory install and a number of plugins and modules. Details to follow if interested.

So far there have been up to 12 attacks that I am aware of, on a fairly regular basis.

Care to discuss?
Is this opportunity worth taking up?


PostPosted: Tue Jul 17, 2012 8:07 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Posting a bit more info than a sampler would be useful.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Tue Jul 17, 2012 11:04 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
I have run the Forum Post Assistant but, unless requested, will not post it here.
The site is a Joomla 1.5.26 install that was rebuilt using a fresh Joomla download after a major .htaccess hack some time ago.
It is a small business location directory site that was installed as a marketing experiment by myself. It has relatively low value other than that of a directory demo site, although the hacker doesn't know this and probably believes it to be a fully commercialised site with numerous users registered.

I have not altered any settings or removed any extensions, other than login credentials for the one user/member, being myself, since the attacks started after the rebuild, approximately 3 months ago.

Unfortunately most of the attack notification messages have been discarded over time; however, today I realised that the situation may be an excellent way of gathering information about the attacks being made.

Currently I have one email notification with details of the attack, generated by a popular security plugin available through the Joomla extension directory. I am not sure whether to publish it here. I am waiting to see if you guys are interested in running an observational, monitor-type project or not.

I do not fully understand the notifications I receive, other than that they appear to be constantly changing the object and approach of their fishing expedition, suggesting a hands-on or somewhat manual instigation.
IP addresses are set to be banned on every occasion and of course they come back with new ones.
Initially the attacks were as frequent as 2 to 5 per day. Currently they have tapered off to about 2-4 per week.

As to finding out who is launching the attacks, I am not all that concerned, although it would be nice! But I thought the situation may prove rather useful.
If you wish to proceed I can send you all the info in a PM and you can decide which would be the best way to handle the situation in the interests of forum members and Joomla. I would prefer that the domain name in question be kept unpublished in the forum to avoid raising its profile in "hack land", as this forum may be subject to monitoring.
If you are not all that interested, that is OK too; it is just an idea that may be worth something...


PostPosted: Wed Jul 18, 2012 5:26 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
Never, repeat never, respond to anything you think may be spam or a solicitation, or decline an offer received in some email you did not initiate. To do so will mark your email (and possibly domain) as live and subject to attack.

What you are likely seeing are bots that troll the web probing every site they run into with a huge variety of different probes. Any weakness found will be exploited, either right there on the spot or marked for later exploit.

If a website was exploited in the past, then it can generally be considered a better target for future exploits. This is due to several factors one of which is the fact that many sites are not properly cleaned after a hack. Backdoors, the original insecurity, backups containing the exploit used to repair the site, and the general fact that if the website was allowed to become insecure once it is liable to become insecure again.

If you are not understanding the reports the extension is sending, then go to the developer's website forums or documentation and read and/or ask questions. If you are unsure how to read the raw server logs, then there is a lot of info on how to read those from a Google search. If you are not understanding what the FPA results page is displaying, then we can help you understand that, but we need to know what it is in the FPA you are not understanding.

_________________
PhilD -- Unrequested PMs and/or emails may not get a response.
Security Moderator


PostPosted: Sun Jul 29, 2012 8:35 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Just to finish this thread... It is rather ironic that the attacks on the web site in question have ceased since posting the thread to this forum... Why this is so... hmm... who knows? Coincidence possibly...


PostPosted: Sun Jul 29, 2012 9:58 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 12046
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
ozziemate wrote:
Just to finish this thread... It is rather ironic that the attacks on the web site in question have ceased since posting the thread to this forum... Why this is so... hmm... who knows? Coincidence possibly...
Sorry, but the suggestion makes no sense and is bizarre IMHO. You did not even post your URL, so how could any person on this forum know what website is involved, and why on earth would they get afraid of you posting here and stop attacking you? My eyebrows are way up on this for sure 8)

Leo

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Sun Jul 29, 2012 10:07 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Now why would I post the URL in a public forum? I would have to be daft to do that, as I would to post the FPA info. I offered to give this information off-forum by PM, as I wrote in the post [2 above this one] some time ago, and there has been no active interest, which is fine... I am not complaining if the offer was declined. And now it appears the attacks have ceased since posting here, which to be honest is great news as far as I am concerned.


PostPosted: Sun Jul 29, 2012 5:55 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
ozziemate - as indicated in the many topics you have been involved in, none mention how you resolved your previous attacks:
April 20 - x site infection
May 1 - mentions of previous attack
May 31st - mentions attack

If you look at the output of the FPA, it will not show your URL unless you wish it to (off by default).
As requested by PhilD, if you are unwilling to post any of the FPA for your sites:
Quote:
If you are not understanding the reports the extension is sending, then go to the developer's website forums or documentation and read and/or ask questions. If you are unsure how to read the raw server logs, then there is a lot of info on how to read those from a Google search. If you are not understanding what the FPA results page is displaying, then we can help you understand that, but we need to know what it is in the FPA you are not understanding.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Jul 29, 2012 11:22 pm 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Firstly, as you are aware, it is worth seriously considering that if a "hacker" wanted to focus on Joomla-powered sites, lurking at this forum looking for solutions to their malicious needs would be the first thing they would do.
Secondly, over there on the left of this post is an avatar with my business name, so even a ten-year-old child hacker would be able to identify me without a problem, as that name, domain name and URL provide plenty of information about my Joomla participation and my personal situation.

Thirdly, posting FPA or "hacker notification" details on this forum equips those potential lurkers with a considerable advantage, especially if they are able to link the business name with the domains and the server configuration they wish to target.

Finally, if the hacker organisation really wished to destroy the site in question, it would have been scrambled ages ago and the domain would have been rendered useless without much fuss on their part.

So I can conclude quite easily that there is not enough financial return to warrant such an attack, so the site remains intact [on last inspection], and of course, given the nature of this situation, I cannot guarantee that the domain hasn't got a sleeper program installed or is in some other way compromised. It is impossible to know with complete confidence, given the degree of skill some persons have and their motivations.

The previous ".htaccess" attack was part of a global attack that featured many domains, and my resolution involved about 100 hours of time spent rebuilding from scratch with fresh installs. A great learning experience but a costly one in time, especially the issue of the Google bot and other search engine caching and how that appeared to be retriggering the malicious programs left on the server. Fortunately my small clientele was most tolerant of the situation and litigation was avoided.

The last attack occurred when a domain name investor realised his investment was compromised by my inadvertently purchasing a competitive domain. He wished to be able to monopolise a location here in the city of Melbourne, Australia, holding that area to ransom by maintaining ownership of a series of domain names particular to that area. [A common enough practice... yes?]

His primary motivation, it appears, was to render the domain name I owned useless so that I would abandon the domain and allow him to continue his subtle extortion of the location with his own domain names.

Of course any attack is really futile, because I can simply retain the domain name without a site on it and register a few more to further decrease his investment's value. I could also analyse the industry he is in and do likewise with most of his invested domain names. [Eh, at what cost is registering a .com anyway? $5 AUD... pocket money.] The vulnerability is more in the bluff than in the reality, and it is a bluff that can work both ways, as he is also vulnerable in a more significant way than I am.

The offer I made here on the board was motivated primarily to give back a little to the Joomla organisation, with the view that possibly studying this sort of low-level attack may be of some use.

I was also motivated, to a much lesser extent, by the awareness that this forum would most likely be subject to monitoring by those seeking code advantage, acknowledging that managed information can be rather effective against someone who preys on people's naivety for advantage.

Example strategies:
Installing a pseudo and false list of member usernames, passwords and email addresses with special characters [so that the info, when used by the hacker, can be traced] that can be the first achievement of the hacker can work to the site's advantage rather well. [For a hacking firm to have to sort out which email addresses are "special" would prove a nightmare.]
[The site that was most recently attacked for usernames/email addresses of course has a series of special data items to be stolen.]

Trapping the ".htaccess" attacker in his own game... that sort of strategy. Making it expensive for hackers prior to, during and after their attacks.

Being prepared with backup support to replace sites and change servers when necessary.
Building indemnity into any client contracts [e.g. 7 days downtime per annum etc.]
All help to keep a legitimate business alive.

I am aware you guys here are very busy, and I accept that this offer may have been confused and possibly seen as trivial, certainly extraordinary. If a situation occurs again that is appropriate I will no doubt offer something similar again, and I would suggest that making it public that there are undisclosed attack monitoring and tracking strategies happening in the background could prove advantageous to Joomla security overall.

Hackers do, after all, live in a world where they believe they are not vulnerable to tracking, and that is something that can work to our advantage, because they can be.


PostPosted: Sun Jul 29, 2012 11:59 pm 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Another example strategy:
If every Joomla site owner had preinstalled sets of trackable email addresses, then down the line, when those email addresses are used for spamming or other malicious uses, IT forensics can backtrack the purchasing process all the way to the original theft.
Imagine:
You receive a spam attack using a special email address stolen from a web site 10 years ago... You can identify the theft and method, you can identify the later use... you can identify its transfer across the net etc. etc...
And it is so easy to organise a database of pertinent information for analysis.
So the legitimate industry "baits" the web and sits back to see what happens...
I wonder how many of the data items stolen in the recent credit card hander theft [2 million+ items or thereabouts] were "special" forensic items.
Probably none...


Last edited by ozziemate on Tue Jul 31, 2012 2:22 am, edited 1 time in total.
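The trackable-address idea sketched in this post and the "pseudo member list" strategy in the previous one are what defenders usually call honeytokens or canary addresses. The following is an added example, not code from the thread, from Joomla or from any extension mentioned here: it derives one unguessable mailbox per seeded record with an HMAC keyed by an operator secret, keeps a private registry of where each address was planted, and later attributes addresses seen in spam or in a leaked dump back to the site they came from. The domain `canary.example`, the secret value, the site id and the "spam report" are all constructed for the example; a real deployment would use a domain whose mailboxes it actually monitors and would keep the registry and secret off the seeded site.

```python
import hmac
import hashlib

# Constructed values for this example. A real deployment keeps the secret outside the
# web root and uses a domain it actually receives mail for.
SEED_SECRET = b"example-only-secret-replace-me"
CANARY_DOMAIN = "canary.example"


def canary_address(site_id, index, secret=SEED_SECRET, domain=CANARY_DOMAIN):
    """Derive one unguessable mailbox name for one seeded record on one site.

    HMAC ties the address to the site and record number without storing anything
    in the seeded rows that would let an attacker recognise them as bait.
    """
    msg = f"{site_id}:{index}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{domain}"


def seed_site(site_id, count, registry, planted_on):
    """Generate `count` canary addresses for a site and record where each was planted.

    `registry` is the operator's private map from address to provenance; in practice
    it lives in a database separate from the site being seeded.
    """
    planted = []
    for i in range(count):
        addr = canary_address(site_id, i)
        registry[addr] = {"site": site_id, "index": i, "planted_on": planted_on}
        planted.append(addr)
    return planted


def attribute_leak(observed_addresses, registry):
    """Map addresses seen in spam or a leaked dump back to the site they were seeded into.

    Returns {site_id: [matching addresses]}; addresses not in the registry are ignored.
    """
    hits = {}
    for raw in observed_addresses:
        addr = raw.strip().lower()
        entry = registry.get(addr)
        if entry is not None:
            hits.setdefault(entry["site"], []).append(addr)
    return hits


if __name__ == "__main__":
    registry = {}
    seeded = seed_site("directory-demo", 5, registry, planted_on="2012-08-01")
    # Constructed "spam report": two seeded addresses (one re-cased) plus an unrelated one.
    observed = [seeded[1], seeded[3].upper(), "visitor@example.org"]
    print(attribute_leak(observed, registry))
```

Because the mailbox names are derived rather than stored in the seeded site, the registry can be rebuilt from the secret alone, and the same secret can serve many sites as long as each has a distinct `site_id`.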

PostPosted: Mon Jul 30, 2012 3:24 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
ozziemate wrote:
Firstly, as you are aware, it is worth seriously considering that if a "hacker" wanted to focus on Joomla-powered sites, lurking at this forum looking for solutions to their malicious needs would be the first thing they would do.
...

There are many that do, they don't worry about the importance of the data on the site, they just get a kick out of ruining things for others.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Tue Jul 31, 2012 2:20 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Webdongle wrote:
ozziemate wrote:
Firstly, as you are aware, it is worth seriously considering that if a "hacker" wanted to focus on Joomla-powered sites, lurking at this forum looking for solutions to their malicious needs would be the first thing they would do.
...

There are many that do, they don't worry about the importance of the data on the site, they just get a kick out of ruining things for others.

Yes... envy of someone else's legitimate achievement is a global issue.


PostPosted: Wed Aug 01, 2012 11:37 pm 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
I guess from a more overview perspective one could consider the entire internet web as one giant software package, one large program with all attributes such as computers, servers and web platforms, personal and corporate, all enmeshed in one giant electronic high-speed relationship.

Like a massive video game you might play on a PS3, it has to be considered seriously that there is no ability to be entirely confident of a hacker-free situation.
So when one launches a web platform they have to presume a certain risk is involved, not unlike a person getting behind the wheel of a car has to, knowing that your life is dependent on the capacity of others to drive safely.
Basically it comes down to: "if you are not prepared to play the game then don't go online".

And learning to play the game in a way that maximises [not guarantees] your long-term success is what we all need to do if we wish to survive into the next generation of hackers and persons with a desire to exploit the naivety of their victims.

IMO, baiting the web with deliberate false data for a hacker to steal and sell to a buyer if successful in penetrating your site means that the hacker will eventually go out of business as HIS customers lose confidence in the hacker's ability to secure useful products. Certainly the impossibility of sifting through data to find special items makes the data nothing more than trash to the criminal organisation buyer, because being traced is their greatest fear.
...... anyway, just some thoughts...


PostPosted: Sun Aug 05, 2012 10:25 pm 
Joomla! Intern

Joined: Sun Aug 07, 2011 11:24 am
Posts: 98
Location: Romania
I think it's best to scan both your site and your computer for viruses and malware. Some malware will upload itself to the site when you're connected to FTP. Use an online scanner to do this and then make sure you set read-only on all the folders of the site.

_________________
New gadgets and gadget reviews http://www.newgadgetz.com
Tech news and latest updates from the tech world http://www.techiesaves.com


PostPosted: Sun Aug 05, 2012 11:38 pm 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
It appears I may have been overly optimistic.
Below is a copy of the email notification of yet another attempt on the site I mentioned earlier:

Quote:
*REMOTE_ADDR :
178.33.237.22

*HTTP_USER_AGENT :
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

*REQUEST_METHOD :
GET

*QUERY_STRING :
option=com_aicontactsafe&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%0000



** SUPERGLOBALS DUMP (sanitized)


*$_GET DUMP
-[option] => com_aicontactsafe
-[controller] => ../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 00


*$_POST DUMP


*$_COOKIE DUMP


*$_REQUEST DUMP
-[option] => com_aicontactsafe
-[controller] => ../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ 00


PostPosted: Mon Aug 06, 2012 12:06 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
What version of aicontact?

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Mon Aug 06, 2012 12:09 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
Webdongle wrote:
There are many that do, they don't worry about the importance of the data on the site, they just get a kick out of ruining things for others.

.... as would a number of whitehats on hack sites.

being traced is not a big fear, it is unlikely you can actually trace back to the actual ip address for any but the most dumb.

Your typical query strings are just that: typical of a robot trying different methods. Take a look at your actual site access and error logs. They will give you much more info. The bot is looking for a vulnerable version of com_aicontactsafe. If you don't use the extension, then there is nothing to worry about; if you do, then make sure it is updated to the latest.

_________________
PhilD -- Unrequested PMs and/or emails may not get a response.
Security Moderator


PostPosted: Mon Aug 06, 2012 12:17 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
mandville wrote:
What version of aicontact?

The site has been left deliberately un-updated since the attacks began, except for super admin credentials [which are currently being changed after every attack].
The version of aicontact that is installed is v2.0.8 stable.

The site "appears" unaffected by this attack.
If you wish for the site URL or further info, including the PA, I can send it to you in a PM.


PostPosted: Mon Aug 06, 2012 12:19 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
PhilD wrote:
Webdongle wrote:
There are many that do, they don't worry about the importance of the data on the site, they just get a kick out of ruining things for others.

.... as would a number of whitehats on hack sites.

being traced is not a big fear, it is unlikely you can actually trace back to the actual ip address for any but the most dumb.

Your typical query strings are just that: typical of a robot trying different methods. Take a look at your actual site access and error logs. They will give you much more info. The bot is looking for a vulnerable version of com_aicontactsafe. If you don't use the extension, then there is nothing to worry about; if you do, then make sure it is updated to the latest.

good advice ... thanks...
I believed that the bot is "fishing" for a way in...
note: This attack MAY NOT be associated with the previous attacks which were a catalyst for this thread topic.


PostPosted: Mon Aug 06, 2012 12:27 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Checking server logs, it appears a Yandex bot may be involved. [naive opinion only]
Google reveals an interesting article:

Quote:
A few days ago I noticed that my site’s bandwidth usage was suddenly up. And I mean way up. Bandwidth is expensive, so I dug into the server logs and found that one particular computer was repeatedly accessing every page on my domain, several times a day. Further research revealed that the culprit is a bot that indexes web pages for a Russian search engine called Yandex.
My attempts to rebuff the Yandex bot using the familiar robots.txt method failed utterly. Yandex bots ignore that file, which causes no small amount of stomach acid online among people like me who don’t have money to burn.
I decided to retaliate.


I added the following lines to my .htaccess file, so that every time a bot whose name begins with Yandex tries to access my site it gets a 403 error instead of downloading the page it’s trying to see.

# BAD BOT EXCLUSION
# block known trouble makers dumb enough to
# announce who they are
SetEnvIfNoCase User-Agent "^Yandex" bad_bot
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

The bandwidth dropped back down to where it used to be, but I noticed one stupid Yandex bot kept coming back from IP address 77.88.26.27 even when I fed it a never-ending stream of 403 errors. Since every static page on my site ends in .htm and only my 403 error page ends in .shtml, I got nasty by adding these lines to my .htaccess file to target all visitors from 77.88.26.27 who try to access a page ending in .shtml:

# permanently redirect specific IP request for entire site
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REMOTE_HOST} 77\.88\.26\.27
RewriteRule \.shtml$ http://www.youtube.com/watch?v=oHg5SJYRHA0 [R=301,L]

That Yandex bot now gets rickrolled every time it tries to index my site. Problem solved.

c/o http://brainshavings.com/2010/06/retaliation-against-the-yandex-bot/
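PhilD's advice earlier in the thread was to read the raw access log rather than the plugin's email, and the quoted article reached its conclusion the same way, by finding one client hammering every page. The following is an added example, not code from the thread, from Joomla, or from the quoted article: it parses Apache "combined" format lines, flags requests carrying the indicators visible in the notification dump posted earlier (repeated `../` segments, an embedded null byte, a reach for `/proc/self/environ`, including when they are double percent-encoded), and tallies requests per client IP and per user agent so a runaway crawler stands out. The sample log lines are constructed for the example and use RFC 5737 documentation addresses rather than any address from the thread; the `combined` LogFormat is assumed, so adjust `LOG_RE` if your server logs differently.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" LogFormat is assumed; adjust LOG_RE if your server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the notification dump earlier in the thread: repeated "../"
# segments, an embedded null byte, and an attempt to read /proc/self/environ.
PROBE_PATTERNS = {
    "traversal": re.compile(r"(\.\./){2,}"),
    "null_byte": re.compile(r"\x00|%00", re.IGNORECASE),
    "proc_environ": re.compile(r"/proc/self/environ", re.IGNORECASE),
}

# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Aug/2012:00:01:12 +1000] "GET /index.php?option=com_aicontactsafe&controller=../../../../../../proc/self/environ%0000 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
198.51.100.7 - - [06/Aug/2012:00:01:15 +1000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8210 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.7 - - [06/Aug/2012:00:01:16 +1000] "GET /index.php?option=com_content&view=article&id=13 HTTP/1.1" 200 8190 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.7 - - [06/Aug/2012:00:01:17 +1000] "GET /index.php?option=com_content&view=article&id=14 HTTP/1.1" 200 8300 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.10 - - [06/Aug/2012:00:01:20 +1000] "GET /index.php?option=com_example&file=%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 404 310 "-" "curl/7.21.0"
192.0.2.44 - - [06/Aug/2012:00:02:01 +1000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0 (Macintosh)"
this line is not in combined format and is counted as unparsed
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path):
    """Names of the probe indicators present in a request path (raw or decoded form)."""
    decoded = decode_fully(path)
    return [name for name, rx in PROBE_PATTERNS.items()
            if rx.search(path) or rx.search(decoded)]


def analyze_log(text):
    """Flag probe requests and tally requests per client IP and per user agent."""
    probes, by_ip, by_ua, unparsed = [], Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_ip[rec["ip"]] += 1
        by_ua[rec["ua"]] += 1
        hits = classify_request(rec["path"])
        if hits:
            probes.append({"ip": rec["ip"], "path": rec["path"],
                           "status": int(rec["status"]), "indicators": hits})
    return {"probes": probes, "by_ip": by_ip, "by_ua": by_ua, "unparsed": unparsed}


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for p in report["probes"]:
        print(f'PROBE {p["ip"]} -> {p["status"]} {",".join(p["indicators"])}: {p["path"]}')
    print("busiest clients:", report["by_ip"].most_common(3))
    print("busiest user agents:", report["by_ua"].most_common(3))
    print("unparsed lines:", report["unparsed"])
```

The status code is kept beside each flagged request because it is the part the plugin email does not tell you: a probe answered with 404 means the component was not there to be abused, while a 200 for a traversal path is the case worth investigating in the error log and on disk. The decode loop is bounded so a path made of nested percent signs cannot keep the parser busy.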


PostPosted: Mon Aug 06, 2012 12:32 am 
Joomla! Intern

Joined: Wed Oct 22, 2008 7:58 am
Posts: 72
Quote:
being traced is not a big fear, it is unlikely you can actually trace back to the actual ip address for any but the most dumb.

And I believe that this opinion, held by the hacker, is our greatest advantage if used correctly.

As you know, the web is a great place for storing data and great for long-term storage of forensic data. Sure, today we may not be able to trace the activities, but tomorrow we may be able to.
The hacker may get a surprise visit in 10-20 years' time from his hack, or sooner, and wonder how he was found...
Imagine: a central attack data registry that kept all relevant data indefinitely, and add to that a central "stolen data use" registry etc....
Who knows how IT forensics will develop in 5 years or so... it certainly is gaining momentum even now as the world gears up for the anticipated hacker onslaught against mobile phones and other portable devices, esp. regarding online banking, e-commerce etc.

Possibly the weakest link [IP address allocation] could also be to our advantage.
Quote:
An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.[1] An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."[2]

The designers of the Internet Protocol defined an IP address as a 32-bit number[1] and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new version of IP (IPv6), using 128 bits for the address, was developed in 1995.[3] IPv6 was standardized as RFC 2460 in 1998,[4] and its deployment has been ongoing since the mid-2000s.

IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally and delegates five regional Internet registries (RIRs) to allocate IP address blocks to local Internet registries (Internet service providers) and other entities.

c/o wiki

So the world wide web regulates IP address allocation better... a registry of machines and owners of some sort... hmmmmm... it would be so easy when you think about it.

