Pharma spam hack

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

vito15
Joomla! Fledgling
Posts: 1
Joined: Wed Aug 26, 2015 6:41 pm

Pharma spam hack

Post by vito15 » Thu Aug 27, 2015 5:35 am

Problem Description :: Forum Post Assistant (v1.2.4) : 27th August 2015 wrote:
Pharma hack

Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 27th August 2015 wrote:
[26-Aug-2015 07:05:29 Europe/Ljubljana] PHP Warning: Invalid argument supplied for foreach() in /home/kksezana/public_html/components/com_komento/controllers/foundry.php on line 24

Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 27th August 2015 wrote:
password protected directories (took webpage offline)

Forum Post Assistant (v1.2.4) : 27th August 2015 wrote:

Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.26-Stable (senu takaa ama busani) 27-March-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: kksezana (uid: 1/gid: 1) | Group: kksezana (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.18-498.el5.lve0.8.80xen | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/kksezana/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.28 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 26th August 2015 07:05:29. | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 300M | Max. POST Size: 300M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.42-cll (Client:5.5.42) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 10.49 MiB | #of Tables: 63

Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.28) | date (5.3.28) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | standard (5.3.28) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | SimpleXML (0.1) | soap () | sockets () | exif (1.4 $Id$) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | suhosin (0.9.33) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | ffmpeg (0.6.0-svn) | memcache (2.2.7) | timezonedb (2014.1) | SourceGuardian (9.0.4) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Extensions Discovered :: wrote:
Components :: SITE :: WF_LINK_SEARCH_TITLE (2.4.6) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.4.6) | WF_AGGREGATOR_[youtube]_TITLE (2.4.6) | WF_AGGREGATOR_VIMEO_TITLE (2.4.6) | WF_AGGREGATOR_VINE_TITLE (2.4.6) | WF_LINKS_JOOMLALINKS_TITLE (2.4.6) | WF_POPUPS_JCEMEDIABOX_TITLE (2.4.6) | WF_POPUPS_WINDOW_TITLE (2.4.6) | WF_FILESYSTEM_JOOMLA_TITLE (2.4.6) | WF_CHARMAP_TITLE (2.4.6) | WF_DIRECTIONALITY_TITLE (2.4.6) | WF_SEARCHREPLACE_TITLE (2.4.6) | WF_AUTOSAVE_TITLE (2.4.6) | WF_FULLSCREEN_TITLE (2.4.6) | WF_IMGMANAGER_TITLE (2.4.6) | WF_FONTCOLOR_TITLE (2.4.6) | WF_XHTMLXTRAS_TITLE (2.4.6) | WF_PREVIEW_TITLE (2.4.6) | WF_BROWSER_TITLE (2.4.6) | WF_FORMATSELECT_TITLE (2.4.6) | WF_PRINT_TITLE (2.4.6) | WF_CONTEXTMENU_TITLE (2.4.6) | WF_TEXTCASE_TITLE (2.4.6) | WF_STYLE_TITLE (2.4.6) | WF_LISTS_TITLE (2.4.6) | WF_SPELLCHECKER_TITLE (2.4.6) | WF_VISUALCHARS_TITLE (2.4.6) | WF_VISUALBLOCKS_TITLE (2.4.6) | WF_LAYER_TITLE (2.4.6) | WF_KITCHENSINK_TITLE (2.4.6) | WF_INLINEPOPUPS_TITLE (2.4.6) | WF_FONTSELECT_TITLE (2.4.6) | WF_FONTSIZESELECT_TITLE (2.4.6) | WF_MEDIA_TITLE (2.4.6) | WF_ARTICLE_TITLE (2.4.6) | WF_TABLE_TITLE (2.4.6) | WF_NONBREAKING_TITLE (2.4.6) | WF_LINK_TITLE (2.4.6) | WF_SOURCE_TITLE (2.4.6) | WF_CLEANUP_TITLE (2.4.6) | WF_STYLESELECT_TITLE (2.4.6) | WF_CLIPBOARD_TITLE (2.4.6) | WF_ANCHOR_TITLE (2.4.6) | Wrapper (1.5.0) | MailTo (1.5.0) | User (1.5.0) |
Components :: ADMIN :: Polls (1.5.0) | Newsfeeds (1.5.0) | Cache Manager (1.5.0) | Media Manager (1.5.0) | Content Page (1.5.0) | Menus Manager (1.5.0) | Banners (1.5.0) | Weblinks (1.5.0) | Template Manager (1.5.0) | JCE (2.4.6) | JCE (2.4.6) | Unknown (-) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Komento (1.0.2843) | Trash (1.0.0) | Plugin Manager (1.5.0) | Control Panel (1.5.0) | User Manager (1.5.0) | Configuration Manager (1.5.0) | Search (1.5.0) | SimpleCalendar (0.8.13a) | Contact Items (1.0.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Installation Manager (1.5.0) | Frontpage (1.5.0) | DJ Image Slider (1.2.4 stable) | JoomGallery (1.5.7.5) | Slovenian (1.0) |

Modules :: SITE :: Iyosis Facebook Module (1.2) | Komento Comments (1.0.7) | Simplecalendar: Previous/Next (0.9.7) | Newsflash (1.5.0) | Archived Content (1.5.0) | Banner (1.5.0) | DJ Image Tabber (1.1.4 stable) | Poll (1.5.0) | Statistics (1.5.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) | Google Analytics Estime (1.5.0) | Custom HTML (1.5.0) | Search (1.0.0) | Footer (1.5.0) | Most Read Content (1.5.0) | Sections (1.5.0) | Latest News (1.5.0) | Simple Mp3 Bar (1.2) | Syndicate (1.5.0) | Menu (1.5.0) | Random Image (1.5.0) | Related Items (1.0.0) | Komento Activities (1.0.4) | Breadcrumbs (1.5.0) | Login (1.5.0) | Ultimate Content Display (1.1) | DJ Image Slider (1.2.4 stable) | Feed Display (1.5.0) |
Modules :: ADMIN :: Popular Items (1.0.0) | Logged in Users (1.0.0) | User Status (1.5.0) | Items Stats (1.0.0) | JCE File Browser (2.4.6) | Title (1.0.0) | Online Users (1.0.0) | Admin Menu (1.0.0) | Latest News (1.0.0) | Custom HTML (1.5.0) | Quick Icons (1.0.0) | Footer (1.0.0) | Admin Submenu (1.0.0) | Unread Items (1.0.0) | Toolbar (1.0.0) | Login Form (1.0.0) | Feed Display (1.5.0) |

Plugins :: SITE :: XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Search - Weblinks (1.5) | Search - Contacts (1.5) | Search - Categories (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Content (1.5) | Editor - XStandard Lite for Jo (1.0) | Editor - JCE (2.4.6) | Editor - TinyMCE 3 (3.2.6) | User - Example (1.0) | User - Komento Users (1.0.0) | User - Joomla! (1.5) | Authentication - OpenID (1.5) | Authentication - Example (1.5) | Authentication - LDAP (1.5) | Authentication - Joomla (1.5) | Authentication - GMail (1.5) | Button - Readmore (1.5) | Button - Pagebreak (1.5) | Button - Image (1.0.0) | Content - Page Navigation (1.5) | Nurte Facebook Like Button (3.1.0.0) | Content - Example (1.0) | Content - Komento (1.0) | Content - Vote (1.5) | Content - Pagebreak (1.5) | Content - [youtube] (1.1) | Content - Load Modules (1.5) | Content - Email Cloaking (1.5) | Content - Code Highlighter (Ge (1.5) | System - Komento (1.0) | System - Debug (1.5) | System - Log (1.5) | System - Legacy (1.5) | System - Remember Me (1.5) | System - EU Cookie Directiva (1.0.9) | System - Backlinks (1.5) | System - Mootools Upgrade (1.5) | System - SEF (1.5) | System - Cache (1.5) |

Templates Discovered :: wrote:
Templates :: SITE :: JA_Purity (1.2.0) | prunk (1.0) | rhuk_milkyway (1.0.2) | beez (1.0.0) |
Templates :: ADMIN :: Khepri (1.0) |

auciker
Joomla! Enthusiast
Posts: 145
Joined: Mon Feb 18, 2008 5:36 pm
Location: San Diego, CA

Re: Pharma spam hack

Post by auciker » Thu Aug 27, 2015 6:59 pm

If you're using Joomla 1.5, I'm surprised it took you this long to be hacked. There have been a LOT of security updates since 1.5. I would strongly urge you to migrate to the current version of Joomla and make sure you have a really secure server password.
Chris
Professional Custom Website Design & Development in San Diego

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Pharma spam hack

Post by Bernard T » Thu Aug 27, 2015 7:29 pm

I don't think it was the 1.5 core, most probably outdated extensions with known vulnerabilities:

http://vel.joomla.org/resolved/1105-eas ... nd-komento
http://vel.joomla.org/resolved/1645-jce ... d-previous
... check Live and Resolved lists on https://vel.joomla.org and compare with your installation.

Follow this to make a full cleanup http://forum.joomla.org/viewtopic.php?f ... 4#p2882538
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
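
Added example, not part of the thread and not code from the Forum Post Assistant or the VEL: one way to do the comparison suggested in the reply above is to parse the extension rows of the FPA report into (kind, scope, name, version) records and flag the ones whose names match a hand-made watchlist. The watchlist keywords and the function names are assumptions; the sample rows are shortened from the report in the first post.

```python
import re

# Rows copied (shortened) from the Forum Post Assistant report in the first post.
FPA_EXCERPT = """\
Components :: ADMIN :: Polls (1.5.0) | JCE (2.4.6) | JCE (2.4.6) | Unknown (-) | Komento (1.0.2843) | JoomGallery (1.5.7.5) |
Modules :: SITE :: Komento Comments (1.0.7) | DJ Image Slider (1.2.4 stable) | Who\\'s Online (1.0.0) |
Plugins :: SITE :: Editor - JCE (2.4.6) | Content - Komento (1.0) | System - SEF (1.5) |
"""

# Assumption: keywords entered by hand after reading the VEL entries; names only,
# because the fixed versions are not given in this thread.
WATCHLIST = ("komento", "jce")

# "Components :: SITE :: a (1) | b (2) |", optionally behind a forum "... wrote:" prefix.
ROW = re.compile(r"^(?:.*wrote:)?\s*(Components|Modules|Plugins|Templates) :: (SITE|ADMIN) :: (.*)$")
# Name, then the last parenthesised group as the version (names may contain "(").
ITEM = re.compile(r"^(?P<name>.+?)\s*\((?P<version>[^()]*)\)$")

def parse_fpa(text):
    """Return a sorted, de-duplicated list of (kind, scope, name, version)."""
    found = set()
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue
        kind, scope, items = row.groups()
        for raw in items.split("|"):
            item = ITEM.match(raw.strip())
            if item:  # skips the empty field after the trailing "|"
                name = item["name"].replace("\\'", "'")  # the report prints ' as \'
                found.add((kind, scope, name, item["version"]))
    return sorted(found)

def flag_watchlisted(extensions, watchlist=WATCHLIST):
    """Keep entries whose name contains a watchlist keyword as a whole word."""
    patterns = [re.compile(r"\b" + re.escape(k) + r"\b", re.I) for k in watchlist]
    return [e for e in extensions if any(p.search(e[2]) for p in patterns)]

if __name__ == "__main__":
    for kind, scope, name, version in flag_watchlisted(parse_fpa(FPA_EXCERPT)):
        print(f"review against VEL: {kind}/{scope} {name} {version}")
```

A name match only marks an extension for manual review; the installed version still has to be compared by hand with the affected versions stated in the matching VEL entry.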

