The Joomla! Forum ™



PostPosted: Wed Nov 14, 2012 7:07 pm 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
I am running a Joombah site (not listed as a vulnerable extension: http://docs.joomla.org/Vulnerable_Extensions_List) that was recently hacked. The hacker registered as a job seeker, then proceeded to upload files using the resumé upload feature. In my case the hacker uploaded a PHP script, using a JPG extension for the script, that he was then able to exploit using the PHP interpreter. My host has informed me that this is possible using other file extensions as well (.doc, .docx, etc), depending on how rewrite is implemented in htaccess (the htaccess file that was in place at time of attack is attached).

Edit: The hacker did upload a php script with a JPG extension, but that is not the complete story of how he did the hack. For security reasons, I am not going to post more about the actual exploit.

It appears that the hacker was then able to upload a separate PHP script that he used to send out spam.

I was running Joombah 1.3.3 and, admittedly, Joomla 2.5.4 (which I have since updated to 2.5.8). I have PM'd the Admin of the Joombah forums (approx 15 hours ago) and posted on their forums but still have not received a response.

Problem Description :: Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Site hacked by uploading PHP script disguised as JPG or possibly DOC/DOCX file
Actions Taken To Resolve by Forum Post Assistant (v1.2.3) 14th November 2012 wrote:
Site taken offline.
Upgraded Joomla from 2.5.4 to 2.5.8
Contacted (and still awaiting response) Joombah RE the hack
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables:  180
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) | --protected-- (755) |

Elevated Permissions (First 10) :: --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) | --protected-- (775) |
Extensions Discovered :: wrote:
Strict Information Privacy was selected. Nothing to display.
Templates Discovered :: wrote:
_FPA_STRICT Information Privacy Nothing to display.


Additional log information below (with hacker's IP and my domain obfuscated)
Quote:
www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:58:50 -0400] "POST /jobs/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 14 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:21:59:34 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:47 -0400] "POST /jobs/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/index.php?option=com_jbjobs&view=jobseeker&layout=regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:04:56 -0400] "POST /jobs/component/jbjobs/jobseeker/index.php?option=com_jbjobs&task=checkuser HTTP/1.1" 200 69 "http://www.website.org/jobs/component/jbjobs/jobseeker/regjobseekernew" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:29 -0400] "POST /jobs/component/users/?task=user.login HTTP/1.1" 303 5 "http://www.website.org/jobs/component/users/?view=login" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:05:59 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/regjobseeker" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:28 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:06:43 -0400] "POST /jobs/open-jobs/employer-logindashboard/jobseeker/index.php HTTP/1.1" 303 5 "http://www.website.org/jobs/open-jobs/employer-logindashboard/jobseeker/editresume" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"

www-02.log.gz:12.345.678.90 - - [02/Nov/2012:22:34:28 -0400] "POST /jobs/images/jbjobs/pf/p_259_1351908403.php HTTP/1.1" 200 358 "http://www.website.org/jobs/images/jbjobs/pf/p_259_1351908403.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"


MODS: I have a copy of the fake JPG file/PHP Script. If you would like I can PM the contents of it to you.

Any help/advice on where to go next to button this issue down would be greatly appreciated.




Last edited by robertsm on Mon Nov 19, 2012 12:18 am, edited 2 times in total.

PostPosted: Wed Nov 14, 2012 8:38 pm 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
Not sure if it matters (for use with extensions), but "Check MIME Types" is enabled in the media manager.


PostPosted: Wed Nov 14, 2012 9:21 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
Looking at your FPA results (please repost with extensions viewable), I was concerned over the use of the 775 folders - why?
The extension is two versions behind, assuming you are using the proper un-nulled version.
The dev may need to include an htaccess similar to checklist 7 that prevents scripts running in folders.

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed Nov 14, 2012 9:47 pm 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
mandville - thank you for the reply. I really appreciate the help. I've created a new directory to work on an upgrade of this extension and I have run an FPA on the latest release. I will post that in the next response.
Here's an FPA without restrictions (only my domain changed).
Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 17.36 MiB | #of Tables:  180
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jbjobs/elements/ (775) | administrator/components/com_jbjobs/elements/js/ (775) | administrator/components/com_jbjobs/language/ (775) | administrator/components/com_jbjobs/language/en-GB/ (775) | cache/Gantry/ (775) |
Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Blackout (2.2.0) | Default (2.2.0) | Blueface (2.2.0) | Bubble (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_plugins (2.5.0) | Gantry (4.1.2) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | RokGallery (1.4) | com_checkin (2.5.0) | COM_FRONTENDUSERACCESS (4.0.0) | User - Frontend-User-Access (4.0.0) | System - Frontend-User-Access (4.0.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_users (2.5.0) | com_menus (2.5.0) | RokModule (1.1) | com_content (2.5.0) | com_login (2.5.0) | com_weblinks (2.5.0) | RokCandy (1.1) | com_media (2.5.0) | JomSocial (2.2.4) | com_categories (2.5.0) | com_redirect (2.5.0) | Akeeba (3.6.9) | com_newsfeeds (2.5.0) | COM_JBJOBS (1.3.3) | com_installer (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: JoomBah Indeed.com (1.3.2) | mod_banners (2.5.0) | JoomBah Jobs Category (1.3.2) | RokTabs (1.5) | mod_search (2.5.0) | RokAjaxSearch (1.0) | RokStats (2.6) | JoomBah Latest Jobs (1.3.2) | JoomBah Latest Jobs Mini (1.3.2) | Login Register (1.5.6) | mod_languages (2.5.0) | mod_frontenduseraccessmenu (4.0.0) | mod_articles_news (2.5.0) | mod_random_image (2.5.0) | JoomBah Jobs Tags (1.3.2 - 04.10) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | mod_articles_latest (2.5.0) | Upcoming Events (2.0.0) | RokTwittie (1.4) | mod_feed (2.5.0) | JoomBah Jobs Search (1.3.2) | mod_stats (2.5.0) | mod_finder (2.5.0) | RokNavMenu (1.6) | mod_login (2.5.0) | RokGallery Module (1.4) | JoomBah Latest Resume (1.3.2) | mod_articles_archive (2.5.0) | RokNewsPager (1.1) | mod_users_latest (2.5.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | JoomBah Feeds (1.3.2) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_wrapper (2.5.0) | mod_syndicate (2.5.0) | mod_menu (2.5.0) | JoomBah Jobs Statistics (1.3.2) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_toolbar (2.5.0) | mod_title (2.5.0) | RokUserChart (2.6) | RokAdminAudit (2.6) | mod_status (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_submenu (2.5.0) | RokQuickLinks (2.6) | mod_feed (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | RokUserStats (2.6) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - RokBox (1.1) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - RokCandy (1.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | User - Jomsocial User (1.8.1) | User - Frontend-User-Access (4.0.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - JoomBah Free Plan On Ex (1.3.2) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | Unknown (-) | My Contacts (2.0.0) | Walls (2.0.0) | Allvideo (2.0.0) | Invite (2.0.0) | Editor - My Photos (2.0.0) | Latest Photos (2.0.0) | Wordfilter (2.0.0) | System (2.0.0) | plg_editors_tinymce (3.5.4.1) | Editor - RokPad (1.2) | plg_editors_codemirror (1.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | System - Jomsocial Facebook Co (1.0) | plg_system_cache (2.5.0) | plg_system_sef (2.5.0) | System - JoomBah Force Profile (1.3.2) | System - Frontend-User-Access (4.0.0) | System - Gantry (4.1.2) | System - JoomBah Jobs Redirect (1.3.2) | System - RokTracking (2.6) | System - RokExtender (1.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | System - RokCandy (1.1) | plg_system_remember (2.5.0) | System - MaQma Social Menu (1.2) | System - Zend Lib (1.11.4) | plg_system_redirect (2.5.0) | System - MissionControl Suppor (2.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | System - JoomBah Feeds (1.3.2) | Jomsocial Update (1.5) | System - JoomBah Cron (1.3.2) | System - RokGZipper (1.0) | System - RokBox (1.1) | plg_system_logout (2.5.0) | plg_system_languagecode (2.5.0) | System - osolCaptcha (1.0.6b) | Azrul System Mambot For Joomla (3.3) |
Templates Discovered :: wrote:
Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | rt_camber (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) | rt_missioncontrol (2.6) |


PostPosted: Wed Nov 14, 2012 9:49 pm 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
Here is an FPA, running the latest release of JoomBah Jobs 1.3.5 RC...

Forum Post Assistant (v1.2.3) : 14th November 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.8-Stable (Ember) 8-November-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: WEBSITE (uid: 1/gid: 1) | Group: WEBSITE (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 1 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.49-grsec | Technology: x86_64 | Web Server: Apache | Encoding: gzip,deflate,sdch | Doc Root: /home/WEBSITE/www/www | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.17 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: | Error Reporting: 22519 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: 1 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: -1 | Max. Execution Time: 120 | Memory Limit: 80M

MySQL Configuration :: Version: 5.5.27-percona-sure1-log (Client:5.5.27-percona-sure1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 6.00 MiB | #of Tables:  180
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.17) | date (5.3.17) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | pcntl () | standard (5.3.17) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: 593a0506b01337cfaf9f63ebc12cd60523fc2c41 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sureacct (0.1) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: administrator/components/com_jbjobs/elements/ (775) | administrator/components/com_jbjobs/elements/js/ (775) | administrator/components/com_jbjobs/language/ (775) | administrator/components/com_jbjobs/language/en-GB/ (775) | cache/Gantry/ (775) |
Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (2.5.0) | com_wrapper (2.5.0) | Blackout (2.2.0) | Default (2.2.0) | Blueface (2.2.0) | Bubble (2.2.0) |
Components :: ADMIN :: com_search (2.5.0) | com_plugins (2.5.0) | Gantry (4.1.2) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_messages (2.5.0) | com_templates (2.5.0) | com_cpanel (2.5.0) | RokGallery (1.4) | com_checkin (2.5.0) | COM_FRONTENDUSERACCESS (4.0.0) | User - Frontend-User-Access (4.0.0) | System - Frontend-User-Access (4.0.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_banners (2.5.0) | com_users (2.5.0) | com_menus (2.5.0) | RokModule (1.1) | com_content (2.5.0) | com_login (2.5.0) | com_weblinks (2.5.0) | RokCandy (1.1) | com_media (2.5.0) | JomSocial (2.2.4) | com_categories (2.5.0) | com_redirect (2.5.0) | Akeeba (3.6.9) | com_newsfeeds (2.5.0) | COM_JBJOBS (1.3.5 RC) | com_installer (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: JoomBah Indeed.com (1.3.5) | mod_banners (2.5.0) | JoomBah Jobs Category (1.3.5) | RokTabs (1.5) | mod_search (2.5.0) | RokAjaxSearch (1.0) | RokStats (2.6) | JoomBah Latest Jobs (1.3.5) | JoomBah Latest Jobs Mini (1.3.5) | Login Register (1.5.6) | mod_languages (2.5.0) | mod_frontenduseraccessmenu (4.0.0) | mod_articles_news (2.5.0) | mod_random_image (2.5.0) | JoomBah Jobs Tags (1.3.2 - 04.10) | mod_articles_category (2.5.0) | mod_custom (2.5.0) | mod_whosonline (2.5.0) | mod_articles_latest (2.5.0) | Upcoming Events (2.0.0) | RokTwittie (1.4) | mod_feed (2.5.0) | JoomBah Jobs Search (1.3.5) | mod_stats (2.5.0) | JoomBah Jobs Top Employer (1.3.5) | mod_finder (2.5.0) | RokNavMenu (1.6) | mod_login (2.5.0) | RokGallery Module (1.4) | JoomBah Latest Resume (1.3.5) | mod_articles_archive (2.5.0) | RokNewsPager (1.1) | mod_users_latest (2.5.0) | mod_breadcrumbs (2.5.0) | mod_weblinks (2.5.0) | JoomBah Feeds (1.3.5) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_wrapper (2.5.0) | mod_syndicate (2.5.0) | mod_menu (2.5.0) | JoomBah Jobs Statistics (1.3.5) | mod_articles_popular (2.5.0) |
Modules :: ADMIN :: mod_toolbar (2.5.0) | mod_title (2.5.0) | RokUserChart (2.6) | RokAdminAudit (2.6) | mod_status (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_submenu (2.5.0) | RokQuickLinks (2.6) | mod_feed (2.5.0) | mod_multilangstatus (2.5.0) | mod_quickicon (2.5.0) | RokUserStats (2.6) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_version (2.5.0) | mod_menu (2.5.0) | mod_popular (2.5.0) |

Plugins :: SITE :: plg_captcha_recaptcha (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_geshi (2.5.0) | plg_content_finder (2.5.0) | Content - RokBox (1.1) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - RokCandy (1.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_user_joomla (2.5.0) | User - Jomsocial User (1.8.1) | User - Frontend-User-Access (4.0.0) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | User - JoomBah Free Plan On Ex (1.3.2) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | Unknown (-) | My Contacts (2.0.0) | Walls (2.0.0) | Allvideo (2.0.0) | Invite (2.0.0) | Editor - My Photos (2.0.0) | Latest Photos (2.0.0) | Wordfilter (2.0.0) | System (2.0.0) | plg_editors_tinymce (3.5.4.1) | Editor - RokPad (1.2) | plg_editors_codemirror (1.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | System - Jomsocial Facebook Co (1.0) | plg_system_cache (2.5.0) | plg_system_sef (2.5.0) | System - JoomBah Force Profile (1.3.5) | System - Frontend-User-Access (4.0.0) | System - Gantry (4.1.2) | System - JoomBah Jobs Redirect (1.3.5) | System - RokTracking (2.6) | System - RokExtender (1.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | System - RokCandy (1.1) | plg_system_remember (2.5.0) | System - MaQma Social Menu (1.2) | System - Zend Lib (1.11.4) | plg_system_redirect (2.5.0) | System - MissionControl Suppor (2.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | plg_system_p3p (2.5.0) | System - JoomBah Feeds (1.3.5) | Jomsocial Update (1.5) | System - JoomBah Cron (1.3.5) | System - RokGZipper (1.0) | System - RokBox (1.1) | plg_system_logout (2.5.0) | plg_system_languagecode (2.5.0) | System - osolCaptcha (1.0.6a) | Azrul System Mambot For Joomla (3.3) |
Templates Discovered :: wrote:
Templates :: SITE :: beez5 (2.5.0) | beez_20 (2.5.0) | atomic (2.5.0) | rt_camber (1.1) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) | rt_missioncontrol (2.6) |


PostPosted: Thu Nov 15, 2012 1:16 am 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
Update regarding Joombah Version: 1.3.5 RC (and v 1.3.3)
No MIME Type check seems to be occurring. I was able to upload a PHP script with both a .doc & .jpg file extension without any difficulty using the Joombah Resumé upload feature.


PostPosted: Thu Nov 15, 2012 8:20 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
I would suggest that you add an htaccess file to the upload directory with the following code:
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

If you continue to use the script, email your findings to vel@ joomla.org minus space.

PostPosted: Thu Nov 15, 2012 12:32 pm 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
mandville,

I have implemented the htaccess file.

I have also been contacted by the software devs & I am working with them to sort this out. I will post an update here when I know more.

Thank you again.


PostPosted: Thu Nov 15, 2012 7:14 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
Please get the dev to follow the standard VEL procedures. Their listing has been unpublished from the JED.

PostPosted: Fri Nov 16, 2012 1:29 am 
Joomla! Apprentice

Joined: Fri Nov 16, 2012 1:25 am
Posts: 5
Hi,

Zaki here from JoomBah.com, may I get some more information on how the vulnerability is occurring. Any files that are uploaded are not runnable, so if you can forward us any information on this I would greatly appreciate it.


PostPosted: Fri Nov 16, 2012 3:17 am 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
Zaki-
I just emailed you a link with additional information (the initial email notification from my host and the chat log for the support ticket that I opened after I was notified of the hack). Perhaps this will help.

Mandville: please let me know if you would like this information sent to you as well.

Matt


PostPosted: Fri Nov 16, 2012 3:37 am 
Joomla! Apprentice

Joined: Fri Nov 16, 2012 1:25 am
Posts: 5
I can upload the jpg and doc file. But how is it that you were able to upload the php file? The upload feature in JoomBah Jobs only allows certain extensions that are configured from the backend, and this only happens if you allow the php file extension.


PostPosted: Fri Nov 16, 2012 3:45 am 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
My hosting provider has informed me that...
Quote:
The extension of the file is .jpg, so the script couldn't be executed as a PHP file. However, with the right rewrite rules in the .htaccess file, .jpg files can be handled by the PHP interpreter, so having such a file in your account is not recommended.

Note: I use the stock Joomla .htaccess file and the recommended PHP settings.

I could be wrong, but it would appear that this is why the Joomla Media Manager checks MIME Types with mime_magic or fileinfo. From the Joomla Docs on Global Configuration and the Media Manager: http://docs.joomla.org/Global_configuration
Quote:
Restrict Uploads. If set to “Yes” (the default and recommended setting) Joomla will restrict uploads to image file formats only. This restriction applies only to uploads by users with permission levels below Manager. The restriction only applies if the web server does not have installed either of the PHP modules Fileinfo or mime_magic. These modules are used to detect the type of a file independently of its name extension. They are used in Joomla – if available – to enhance site security by confirming that any uploads are not a file format that could be used for malicious purposes.


PostPosted: Fri Nov 16, 2012 3:53 am 
Joomla! Apprentice

Joined: Fri Nov 16, 2012 1:25 am
Posts: 5
So even your host has recommended that you not use these rewrite rules that are able to handle jpg as if it's a php file. JoomBah Jobs has no such file or .htaccess that can do this.

Again, let us mention that JoomBah Jobs has an upload feature that only allows certain extensions that are configured from the backend, and the php file could only be uploaded if you allow the php file extension.


PostPosted: Fri Nov 16, 2012 4:28 am 
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
First: Understand that I am not a security expert, nor am I a programmer.

Second, regarding this:
Quote:
So even your host has recommended that you not use this rewrite rules that is able to handle jpg as if its a php file.
As previously mentioned, I am not implementing anything other than the standard Joomla .htaccess file and the suggested Joomla server configurations.

At this point, it seems pointless for us to keep going on about this. I cannot with authority say that Joombah is or is not secure. You seem upset, rightfully so, and you seem to want to blame me for this. Again, that is understandable. Please note, however, that I have posted my FPAs & htaccess file above for everyone to scrutinize. Given this, unless you need me to provide additional information I won't be responding to these tit-for-tat postings. I'll let you sort this out with mandville.



PostPosted: Fri Nov 16, 2012 5:15 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
Please screenshot your media upload settings page.
Did you say that a file.php.doc was uploaded and run? What were the full file names of the malicious uploads?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}



PostPosted: Fri Nov 16, 2012 6:27 am
Joomla! Apprentice

Joined: Fri Nov 16, 2012 1:25 am
Posts: 5
Hi mandville,
Attached is the upload configuration that is pre-configured in JoomBah Jobs.





PostPosted: Fri Nov 16, 2012 12:14 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
mandville wrote:
Please screenshot your media upload settings page.
Did you say that a file.php.doc was uploaded and run? What were the full file names of the malicious uploads?

What Zaki (Joombah) has posted is the same as my configuration, except that since the hack I have removed the ability to upload image files from the Job Seeker Resume/CV configuration. Prior to this hack I saw no reason to change these settings, let alone to allow PHP scripts to be uploaded.

Regarding the uploads, I should clarify something: My host did delete 2 files from my site that were found in the Joombah Resume/CV upload folder...
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/wp mail.php
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/p_259_1351908403.php

While reviewing my site (after the hack) I found an additional PHP file, masquerading as an image file:
/home/WEBSITE/www/www/jobs/images/jbjobs/pf/p_259_1351908388.jpg

mandville,
About 9 hours ago I sent Zaki a link to download the initial notification from my host and the subsequent tech support chat, that may have more information that you would be interested in. I can also send you a link for the fake image file. Please let me know if you would like me to PM you this information.

Matt


Last edited by robertsm on Mon Nov 19, 2012 12:18 am, edited 1 time in total.


PostPosted: Fri Nov 16, 2012 12:41 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
Please send relevant files and info to vel@joomla.org




PostPosted: Fri Nov 16, 2012 2:49 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
mandville wrote:
Please send relevant files and info to vel@joomla.org

I just sent additional information to you and Zaki (Joombah). I hope it helps to sort this out.
Thank you again.



PostPosted: Fri Nov 16, 2012 3:39 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
Question: globally speaking, if the Media Manager blocks PHP scripts that are disguised as image files (such as by changing the file extension), wouldn't it be best practice for 3rd party extensions to do the same MIME type check?
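
Added example, not JoomBah's or Joomla's code: a content-based upload check in Python of the kind the Restrict Uploads text earlier in the thread describes (type decided from the bytes, not from the name the uploader chose), and which the question in this post proposes third-party extensions should also do. The allow-list, the `p_<user>_<random>` naming and the sample uploads are assumptions constructed for the example.

```python
"""Content-based upload check (added example; not Joomla or JoomBah code).
Decides the file type from the bytes, as Fileinfo does, instead of
trusting the extension the uploader chose."""
import secrets
from typing import Optional, Tuple

# Magic bytes for the image types a resume area might legitimately accept.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Assumed allow-list, modelled on a typical resume upload configuration.
ALLOWED_EXTENSIONS = frozenset(IMAGE_SIGNATURES) | {"pdf", "doc", "docx"}
# Either of these in the body means the "image" is really PHP source.
PHP_MARKERS = (b"<?php", b"<?=")

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None

def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, verified extension or rejection reason).
    Only the last extension counts, so "x.php.jpg" is judged as a jpg and
    must pass the same content checks as any other jpg."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not in the allow-list"
    if any(marker in data for marker in PHP_MARKERS):
        return False, "PHP open tag found in the upload body"
    if ext in IMAGE_SIGNATURES:
        actual = sniff_image_type(data)
        if actual is None:
            return False, "declared as an image but no image signature found"
        if actual != ext:
            return False, f"extension says {ext} but content is {actual}"
    return True, ext

def stored_name(user_id: int, ext: str) -> str:
    """Server-chosen name for the saved file; the uploader never controls it."""
    return f"p_{user_id}_{secrets.token_hex(8)}.{ext}"
```

This check only covers what the upload handler sees; the upload directory itself should still be served with script execution disabled, which is the server-side half of the problem discussed in this thread.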



PostPosted: Fri Nov 16, 2012 8:47 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
robertsm wrote:
wouldn't it be best practice for 3rd party extensions to do the same MIME type check?

very logical

not sure why image files would be uploaded to a resume area.




PostPosted: Fri Nov 16, 2012 10:27 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
mandville - did you get the email from me regarding this issue, and if so is there any other information that I can provide?



PostPosted: Sat Nov 17, 2012 1:38 am
Joomla! Apprentice

Joined: Fri Nov 16, 2012 1:25 am
Posts: 5
Email that I have replied to vel@ joomla.org (without the space):
Quote:
Whilst the fake image file was found on your server and in the location of a JoomBah Jobs directory, I am still unable to repeat your findings. Uploading a php file onto the resume upload section is not possible, nor will it be run if the extension is renamed to an allowed extension. The link to the fake image will only be downloaded by a user (in this case the employer) or if someone knows the link. The image produced will be a broken link for Chrome and Mozilla. For Internet Explorer we have found that it shows the php text file but does not run it.

To our disadvantage, I cannot prove that your JoomBah Jobs upload configuration was not modified beforehand to allow php, due to whatever reason may have caused someone to be allowed access to your Joomla admin site.

Thank you for your detailed report and for your host's report, but unless we can repeat this, or at least be shown how the php file was able to be uploaded with the JoomBah Jobs upload configuration allowable list (which does not include a php extension), we cannot deem this to be a bug.

To be clear, a php file cannot be uploaded due to the allowed settings as shown in the attachment. Nor can a fake image or document file be made runnable on the server (it will only be downloadable).


End email



PostPosted: Sat Nov 17, 2012 11:40 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
For those of you following this thread: The developer has acknowledged the vulnerability and is working on a patch/update.



PostPosted: Sun Nov 18, 2012 12:21 am
Joomla! Ace

Joined: Mon Nov 12, 2012 10:48 pm
Posts: 1148
Location: Winnipeg, MB
That's good! It's tough with Joomla, extensions, etc.; too many wheels in motion... there's only so much you can do with a server, so it's up to developers to address security issues and stay ahead of the curve.

I do believe there are security extensions in Joomla aimed at providing some added layers of protection, which is nice. I also do all I can on our end to screen out as much as possible, to at least limit threats to humans. But again, bad php code the humans will get right in there!


Last edited by mandville on Sun Nov 18, 2012 9:28 am, edited 1 time in total.
signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65



PostPosted: Sun Nov 18, 2012 9:29 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12474
Location: The Girly Side of Joomla in Sussex
[topic locked as under investigation]




PostPosted: Sun Nov 18, 2012 12:33 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
I understand locking the topic during investigation and to prevent unnecessary comments being posted during this time, but I feel the following issue has been ignored in the topic to this point and it is important enough to warrant an additional posting at this time.

An issue in this topic that I think has been ignored is the issue of the file permissions.

I have not seen where the OP has addressed the insecure 775 file permissions on the site(s). The existing permissions are practically wide open to hackers. This may have been a side effect (the hacker changed the permissions) of the reported insecurity that is being investigated. I suspect the permissions may have been set this way for some time. Regardless of how the permissions got this way, the permissions issue needs to be addressed properly or you will continue to have issues with the site. Incorrect file permissions may also skew any "tests" performed on the site, providing incorrect results.

Giving execute permission to other is just about as good as being wide open (777) as it allows for execution of scripts placed within directories such as the one discussed.

Giving full (777) permissions to Group is just as bad if not worse.

Here is the number system in unix:
Quote:
r w x
4 2 1

This is what the OP site has for file permissions:
Quote:
775 = rwx rwx r-x
Owner has Read, Write and Execute
Group has Read, Write and Execute
Other has Read and Execute only

The permissions on files should be:
Quote:
644 = rw- r-- r--
Owner has Read and Write
Group has Read only
Other has Read only

Permissions on directories should be:
Quote:
755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only


I of course would also recommend to the OP that the site be cleaned and repaired properly following the documentation posted here: viewtopic.php?f=621&t=582854

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
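
As an added example (not from this thread and not Joomla's own tooling), a Python audit that applies exactly the 644/755 rule from the post above to a web root and reports, in the same rwx notation, every entry that deviates, optionally correcting it. The sample tree it builds is constructed to mimic an upload folder left at 775; the directory names are assumptions.

```python
"""Permission audit for a web root (added example; not Joomla's own code).
Files should be 644 (rw- r-- r--), directories 755 (rwx r-x r-x)."""
import os
import stat
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755

def mode_to_rwx(mode):
    """0o775 -> 'rwx rwx r-x', the notation used in the post above."""
    triads = []
    for shift in (6, 3, 0):  # owner, group, other
        bits = (mode >> shift) & 0o7
        triads.append("".join(c if bits & b else "-"
                              for c, b in (("r", 4), ("w", 2), ("x", 1))))
    return " ".join(triads)

def audit(root, fix=False):
    """Return (path, found, expected) for every entry with the wrong mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            if os.path.islink(path):
                continue  # never chmod through a symlink
            found = stat.S_IMODE(os.lstat(path).st_mode)
            if found != expected:
                findings.append((path, mode_to_rwx(found), mode_to_rwx(expected)))
                if fix:
                    os.chmod(path, expected)
    return findings

def demo():
    """Constructed tree: an upload folder and a file left at 775 like the OP's."""
    root = tempfile.mkdtemp()
    upload_dir = os.path.join(root, "images", "jbjobs", "pf")
    os.makedirs(upload_dir)
    for d in (os.path.join(root, "images"), os.path.dirname(upload_dir)):
        os.chmod(d, DIR_MODE)  # set explicitly so the process umask does not matter
    os.chmod(upload_dir, 0o775)
    for name, mode in (("p_1.jpg", 0o775), ("index.html", FILE_MODE)):
        path = os.path.join(upload_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.chmod(path, mode)
    before = len(audit(root))  # pf/ and p_1.jpg
    fixed = len(audit(root, fix=True))
    return {"before": before, "fixed": fixed, "after": len(audit(root))}
```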



PostPosted: Sun Nov 18, 2012 2:46 pm
Joomla! Apprentice

Joined: Wed Sep 07, 2005 1:36 pm
Posts: 42
PhilD wrote:
An issue in this topic that I think has been ignored is the issue of the file permissions.

I have not seen where the OP has addressed the insecure 775 file permissions on the site(s). The existing permissions are practically wide open to hackers. This may have been a side effect (the hacker changed the permissions) of the reported insecurity that is being investigated. I suspect the permissions may have been set this way for some time. Regardless of how the permissions got this way, the permissions issue needs to be addressed properly or you will continue to have issues with the site. Incorrect file permissions may also skew any "tests" performed on the site, providing incorrect results.

PhilD wrote:
I of course would also recommend to the OP that the site be cleaned and repaired properly following the documentation posted here: viewtopic.php?f=621&t=582854

PhilD,
Thank you for this. Yes, this is an issue that needs to be addressed. When it first came up I thought it might be a Joombah installation issue, but I just installed a test/clean install of Joomla 2.5.8 with the current release of Joombah. I then ran the FPA on this test install and I received no report of any elevated permissions. It would be exceedingly stupid of me to have set those permissions manually (there would be no reason to, and I assure you I did not), so I'm left to assume that it is left over from the hacker.

Regarding the Security Checklist: I have gone over them, but obviously not addressed the file permissions. I did not change those items prior to running the FPA because I wanted to show as close as possible what the system environment was at the time of the hack (with the exception that I did upgrade Joomla ASAP after the event). Post-event I have also been working with my hosting tech support (ICDSoft) and they have been wonderful at assisting with the scanning & clean up.

Mea Culpa for the above. Those were my issues and not the developers.

Now to the meat & potatoes of the issue: Approximately 35 hours ago (9:30PM CST on Nov 16, 2012) the dev & I exchanged emails regarding this issue, on which vel@joomla.org was CC'd. Have you seen or reviewed those emails? They are relevant to this issue.

Thanks again for bringing the file permission issue to my attention.



PostPosted: Mon Nov 19, 2012 6:21 am
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13981
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
I do disagree completely indeed, so good you retracted the Joombah finger pointing. Class! We have multiple sites with Joombah on our owned servers and that extension has not been hacked. (I have sent this morning a PMB to Mandville btw related to another huge attack on all Joomla sites.)

This described particular hack attempt we see on an hourly basis on all servers, and it is a very well known exploit (php.hide). We have a mechanism in place that intercepts these attempts and quarantines these exploits before they even reach the server.

The simple fact is that if you have the front door wide open and you go out shopping, do not be amazed that the house is empty upon return. Still though, with a good hosting setup, even with 755 permissions it would not have reached the server if your host had proper security in place. Phil is 100% right here btw.

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


Powered by phpBB® Forum Software © phpBB Group