Site Hacked through User Registration

[dlochner]

Over the past week or so I have had several "users" show up on the user list. The site requires Admin approval of all new registrants. The Admin never received notification.

On the site there have been new files installed. several beginning with ._FileName. One folder named Survey contained a folder with .png images that were not accessible. Another file was ._index located in public_html folder.

On the cPanel log, there was a call for the password reminder script at about the same time that the new person registered.

The IP traced back to China, so I blocked those IPs in the .htaccess file, deleted the inserted files, and deleted the user.

Is there anything I can do to prevent future attacks?

Using J2.5.9 with Community Builder

Thanks,

Dave

[paulera]

Do you use svn, or any other kind of code repository?

And could you provide your url? Can be by private message, if you do not want to expose your security issue.

[Webdongle]

Over the past week or so I have had several "users" show up on the user list. The site requires Admin approval of all new registrants. The Admin never received notification. ...

If your site has been compromised then you will not receive notification. Please follow the instructions on http://forum.joomla.org/viewtopic.php?f=621&t=582854

[dlochner]

As suggested I reviewed the posts recommended mandville.

This is what I know:

The hackers were able to register at the site with out admin approval or notification.

There were several instances of a file named ._index installed on the server; I saved a copy of this file.

There were a bunch of .png files installed in a folder that could not be read, deleted, or downloaded. Low level tech support at the host could not delete them either, issue kicked upstairs.

There are only 2 computers that have been used to access the admin panel or the server. One of them died (dead logic board) before the problem occurred. The other is virus free and a Mac.

I do have a backup of the site and hopefully it is clean. The bigger question is how can I prevent this problem in the future. I should add that I am self-taught and run the website as a volunteer for an organization.

Thanks for any help you can provide.

Here's the output from FPA;

[03-Apr-2013 12:46:58 America/Denver] PHP Warning: scandir(): (errno 13): Permission denied in /home1/oswegoya/public_html/jamss.php on line 179

Joomla! Instance :: Joomla! 2.5.9-Stable (Ember) 4-February-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: oswegoya (uid: 1/gid: 1) | Group: oswegoya (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 1 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-20130307.60.9.bh6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home1/oswegoya/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.22 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: error_log | Last Known Error: 03rd April 2013 12:46:58. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 15M | Max. POST Size: 10M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.30-log (Client:5.5.30) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 4.29 MiB | #of Tables:  160

PHP Extensions :: Core (5.3.22) | date (5.3.22) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7-dev) | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dba () | dom (20031129) | enchant (1.1.0) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | ldap () | mbstring () | mcrypt () | mysql (1.0) | mysqli (0.1) | odbc (1.0) | pcntl () | standard (5.3.22) | PDO (1.0.4dev) | pdo_dblib (1.0.1) | pdo_mysql (1.0.2) | PDO_ODBC (1.0.1) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | readline () | recode () | Reflection ($Id: 4af6c4c676864b1c0bfa693845af0688645c37cf $) | imap () | shmop () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id$) | sysvmsg () | sysvsem () | sysvshm () | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | mhash () | Zend Guard Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::

Components :: SITE :: com_wrapper (2.5.0) | CB Mambo Author Tab (1.2) | CB Mamblog Tab (1.2) | Yanc Integration (1.2) | com_mailto (2.5.0) |
Components :: ADMIN :: com_cache (2.5.0) | com_languages (2.5.0) | com_phocamaps (2.0.6) | com_finder (2.5.0) | com_menus (2.5.0) | com_content (2.5.0) | PJ Installer (2.2.0) | swMenuFree (6.6) | Notice board (1.0) | com_messages (2.5.0) | com_redirect (2.5.0) | JoomGallery (2.1.3) | com_kunena (2.0.4) | mod_kunenamenu (2.0.4) | Kunena Menu (2.0.4) | plg_system_kunena (-) | plg_finder_kunena (2.0.4) | Kunena - Joomla Integration (2.0.4) | plg_kunena_kunena (2.0.4) | Kunena - Kunena Integration (2.0.4) | Kunena - AlphaUserPoints Integ (2.0.4) | plg_kunena_alphauserpoints (2.0.4) | Kunena - Gravatar Integration (2.0.4) | plg_kunena_gravatar (2.0.4) | plg_kunena_finder (2.0.1) | plg_quickicon_kunena (2.0.4) | plg_kunena_uddeim (2.0.4) | Kunena - UddeIM Integration (2.0.4) | plg_system_kunena (2.0.4) | System - Kunena Forum (2.0.4) | Kunena - JomSocial Integration (2.0.4) | plg_kunena_community (2.0.4) | plg_kunena_joomla (2.0.4) | plg_kunena_comprofiler (2.0.4) | Kunena - CommunityBuilder Inte (2.0.4) | com_cpanel (2.5.0) | com_joomlaupdate (2.5.0) | comprofiler (1.9) | comprofiler (1.9) | com_banners (2.5.0) | com_installer (2.5.0) | COM_GCALENDAR (2.6.2) | com_templates (2.5.0) | Photogallery For Cb (1.0) | com_login (2.5.0) | com_newsfeeds (2.5.0) | com_checkin (2.5.0) | com_categories (2.5.0) | jDownloads (1.9.0 Stable ) | com_plugins (2.5.0) | com_modules (2.5.0) | com_admin (2.5.0) | com_config (2.5.0) | com_media (2.5.0) | com_users (2.5.0) | Akeeba (3.7.4) | com_search (2.5.0) | Content - Hikashop Social Plug (1.0.0) | Search - Hikashop Categories/M (1) | Hikashop Bank Transfer Payment (1.0.0) | Hikashop History Plugin (1.0.0) | Hikashop Paypal Payment Plugin (1.0.0) | Hikashop eWAY Payment Plugin (1.0.0) | Hikashop Moneybookers Payment (1.0.0) | Hikashop Innovative Gateway Pa (1.0.0) | User - HikaShop (1.0.0) | Hikashop CyberMuth CIC Payment (1.0.0) | Hikashop Authorize.net Payment (1.0.0) | Hikashop iVeri Payment Plugin (1.0.0) | Hikashop Servired Payment Plug (1.0.0) | Hikashop WorldPay Business Gat (0.0.2) | Hikashop Paypal Pro Payment Pl (1.0.0) | Hikashop Check Payment Plugin (1.0.0) | Hikashop Alphauserpoints Payme (1.0.0) | Hikashop - VirtueMart Fallback (1.0.0) | Hikashop Google Analytics Plug (1.0.0) | Hikashop Manual Shipping Plugi (1.0.0) | Hikashop Collect On Delivery P (1.0.0) | Hikashop - Product Cron Update (1.0.0) | Hikashop Google Products Plugi (1.0.0) | Hikashop Cart Module (1.0.0) | Hikashop AcyMailing Plugin (1.0.0) | Hikashop AlertPay Payment Plug (1.0.0) | Hikashop ePay Payment Plugin (1.0.0) | Hikashop User account Plugin (1.0.0) | Hikashop Bluepaid Payment Plug (1.0.0) | Hikashop Google Checkout Payme (1.0.0) | Hikashop SIPS ATOS Payment Plu (1.0.0) | Hikashop Australia Post eDeliv (1.0.0) | Hikashop Currency Rates Plugin (1.0.0) | Hikashop Registration Redirect (1.0.0) | Hikashop HSBC Payment Plugin (1.0.0) | Hikashop Worldpay Global Gatew (0.0.7) | Hikashop Western Union Payment (1.0.0) | System - HikaShop Affiliate (1.0.0) | Hikashop out of order notifica (1.0.0) | Hikashop Orders Automatic Canc (1.0.0) | Hikashop SagePay Payment Plugi (1.0.0) | Hikashop Currency Switcher Mod (1.0.0) | Hikashop Credit Card Payment P (1.0.0) | Hikashop Validate free order P (1.0.0) | Hikashop WaitList notification (1.0.0) | Hikashop Group Plugin (1.0.0) | Search - Hikashop Products (1) | Hikashop Geolocation Plugin (1.0.0) | Hikashop Payment Express Payme (1.0.0) | Hikashop CardSave Payment Plug (1.0.0) | AcyMailing Tag : HikaShop cont (1.0.0) | Hikashop Filtering Module (1.0.0) | Hikashop PayJunction Payment P (1.0.0) | Hikashop Module (1.0.0) | Hikashop UPS Shipping Plugin (1.0.0) | Hikashop FirstData Payment Plu (1.0.0) | HikaShop (1.5.7) | com_weblinks (2.5.0) |

Modules :: SITE :: mod_related_items (2.5.0) | jDownloads Latest (2.0.1) | mod_phocagallery_tree (3.1.2) | Notice board general (1.0) | jDownloads Stats (2.0.1) | mod_phocagallery_menu (3.2.0) | mod_articles_category (2.5.0) | mod_users_latest (2.5.0) | mod_finder (2.5.0) | jDownloads Top (2.0.3) | mod_weblinks (2.5.0) | mod_stats (2.5.0) | mod_login (2.5.0) | swMenuFree (6.6) | jDownloads Rated (2.0) | CB Login (1.9) | Hikashop Cart Module (1.0.0) | mod_breadcrumbs (2.5.0) | CB Workflows (1.9) | mod_menu (2.5.0) | CB Online (1.9) | mod_articles_news (2.5.0) | mod_custom (2.5.0) | mod_languages (2.5.0) | mod_whosonline (2.5.0) | MOD_GCALENDAR_UPCOMING (2.6.2) | mod_search (2.5.0) | Hikashop Currency Switcher Mod (1.0.0) | mod_articles_archive (2.5.0) | MOD_GCALENDAR (2.6.2) | mod_articles_latest (2.5.0) | mod_feed (2.5.0) | mod_articles_popular (2.5.0) | mod_random_image (2.5.0) | mod_wrapper (2.5.0) | mod_banners (2.5.0) | MOD_GCALENDAR_NEXT (2.6.2) | mod_articles_categories (2.5.0) | jDownloads Last Updated (2.0) | ProJoom Multi Rotator (2.0.6) | Hikashop Filtering Module (1.0.0) | Hikashop Module (1.0.0) | mod_footer (2.5.0) | mod_syndicate (2.5.0) |
Modules :: ADMIN :: mod_status (2.5.0) | mod_latest (2.5.0) | jDownloads Admin Icon (2.0) | mod_logged (2.5.0) | mod_quickicon (2.5.0) | mod_login (2.5.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_menu (2.5.0) | mod_submenu (2.5.0) | mod_custom (2.5.0) | mod_version (2.5.0) | mod_feed (2.5.0) | mod_toolbar (2.5.0) |

Plugins :: SITE :: Hikashop WaitList notification (1.0.0) | Hikashop - Product Cron Update (1.0.0) | Hikashop User account Plugin (1.0.0) | Hikashop AcyMailing Plugin (1.0.0) | Hikashop Orders Automatic Canc (1.0.0) | Hikashop History Plugin (1.0.0) | Hikashop Currency Rates Plugin (1.0.0) | Hikashop Google Products Plugi (1.0.0) | Hikashop Group Plugin (1.0.0) | Hikashop out of order notifica (1.0.0) | Hikashop Validate free order P (1.0.0) | plg_content_pagenavigation (2.5.0) | plg_content_vote (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_geshi (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_finder (2.5.0) | PLG_CONTENT_JDOWNLOADFILELIST (2.1) | plg_gcalendar_next (2.6.2) | Content - jDownloads (2.0.6) | Content - Hikashop Social Plug (1.0.0) | ProJoom Multi Rotator (2.0.5) | Phoca Maps Plugin (2.0.5) | plg_search_content (2.5.0) | plg_search_contacts (2.5.0) | Search - Hikashop Products (1) | Search - Hikashop Categories/M (1) | plg_search_weblinks (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_gcalendar (2.6.2) | plg_search_jdownloads (2.0.1) | plg_search_categories (2.5.0) | plg_quickicon_kunena (2.0.4) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_kunena_kunena (2.0.4) | plg_kunena_gravatar (2.0.4) | plg_kunena_uddeim (2.0.4) | plg_kunena_community (2.0.4) | plg_kunena_joomla (2.0.4) | plg_kunena_comprofiler (2.0.4) | plg_kunena_alphauserpoints (2.0.4) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_captcha_recaptcha (2.5.0) | AcyMailing Tag : HikaShop cont (1.0.0) | plg_system_remember (2.5.0) | plg_system_kunena (2.0.4) | Hikashop Google Analytics Plug (1.0.0) | plg_system_languagefilter (2.5.0) | plg_system_redirect (2.5.0) | plg_system_sef (2.5.0) | plg_system_debug (2.5.0) | Hikashop Geolocation Plugin (1.0.0) | System - HikaShop Affiliate (1.0.0) | User - HikaShop (1.0.0) | Hikashop - VirtueMart Fallback (1.0.0) | plg_system_p3p (2.5.0) | plg_system_cache (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_log (2.5.0) | plg_system_jdownloads (2.0.1) | Hikashop Registration Redirect (1.0.0) | plg_system_logout (2.5.0) | plg_system_highlight (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_finder_content (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_categories (2.5.0) | Hikashop Manual Shipping Plugi (1.0.0) | Hikashop Australia Post eDeliv (1.0.0) | Hikashop UPS Shipping Plugin (1.0.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | Authentication - Master User (1.1.1) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.4.1) | Hikashop Credit Card Payment P (1.0.0) | Hikashop eWAY Payment Plugin (1.0.0) | Hikashop Payment Express Payme (1.0.0) | Hikashop Paypal Payment Plugin (1.0.0) | Hikashop Bank Transfer Payment (1.0.0) | Hikashop CyberMuth CIC Payment (1.0.0) | Hikashop iVeri Payment Plugin (1.0.0) | Hikashop Innovative Gateway Pa (1.0.0) | Hikashop SIPS ATOS Payment Plu (1.0.0) | Hikashop HSBC Payment Plugin (1.0.0) | Hikashop Check Payment Plugin (1.0.0) | Hikashop Collect On Delivery P (1.0.0) | Hikashop Paypal Pro Payment Pl (1.0.0) | Hikashop Worldpay Global Gatew (0.0.7) | Hikashop Western Union Payment (1.0.0) | Hikashop WorldPay Business Gat (0.0.2) | Hikashop Servired Payment Plug (1.0.0) | Hikashop FirstData Payment Plu (1.0.0) | Hikashop Moneybookers Payment (1.0.0) | Hikashop PayJunction Payment P (1.0.0) | Hikashop AlertPay Payment Plug (1.0.0) | Hikashop Alphauserpoints Payme (1.0.0) | Hikashop Bluepaid Payment Plug (1.0.0) | Hikashop CardSave Payment Plug (1.0.0) | Hikashop SagePay Payment Plugi (1.0.0) | Hikashop Authorize.net Payment (1.0.0) | Hikashop ePay Payment Plugin (1.0.0) | Hikashop Google Checkout Payme (1.0.0) | plg_editors-xtd_pagebreak (2.5.0) | Button - jDownloads Content (2.0.1) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_extension_joomla (2.5.0) |

Templates :: SITE :: atomic (2.5.0) | beez5 (2.5.0) | beez_20 (2.5.0) | js_studio_free (1.0.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |

[Webdongle]

Mac's don't get viruses is a fallacy. When you have deleted everything then replace with fresh files. The images not being able to be deleted by you possibly suggests a breach of security server side ? Is it shared or dedicated Hosting ? Try Googling for your Host's name with words like 'Hacked' ... it may show other users of that Host have been hacked. Did you check the VEL ? http://docs.joomla.org/Vulnerable_Exten ... oticeboard may be of interest.

[leolam]

So you "reviewed" the post of Mandville: Did you actually follow up on all including Security Checklist 7? You did http://docs.joomla.org/Security_Checklist_7 and especially:

* save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)
* wipe the entire folder where Joomla! is installed
* upload a new clean full package latest version of joomla 1.5.x or Joomla 2.5.x (minus the install folder)[2]
* reupload your configuration file & images.
* reupload or reinstall the latest versions of your extensions , templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

all in less than 24-hours? It looks like you think that these steps are not needed since you cannot remove and reinstall all what is posted in the 'FPA' imho? You need to do it you have no choice (!!!)

Also read this: http://forum.joomla.org/viewtopic.php?f=621&t=784054

Also look at this excellent script by Bernard: http://forum.joomla.org/viewtopic.php?f=621&t=777957

Leo

[dlochner]

Leo,

I have what I believe is a clean backup file from a couple of weeks ago, before there was evidence of being hacked. So, I deleted all files from the server.

Once I install the back up I will look for evidence that this back up has been hacked, i.e., are there unknown users in the user list, is there a ._index file, and a folder of .png files that I can't open or delete. If any of these conditions exist, then I will reinstall Joomla, the template and the components from fresh downloads. I already have clean copies of the images stored on my computer that can installed. Finding the ._index file was the key to knowing that I had been hacked.

Webdongle:

Yes, there are some Mac viruses and malware, but as a probability statement having mac means that you are less likely to have one. I do run antivirus on my mac and it is clean.

I googled "Hostname Hacked" and found very few complaints directed towards the company. So, as a probability statement, it seems unlikely that the problem is the host company. Generally I've found this company to be pretty responsive to my concerns.

The most important concern I have is how to prevent this from happening again.

Thanks for your help.

Dave

[Webdongle]

...
I have what I believe is a clean backup file from a couple of weeks ago, before there was evidence of being hacked. ....

Hacks can be on the server months before they are noticed. Checking that your back is clean takes longer than doing the job properly.

I googled "Hostname Hacked" and found very few complaints directed towards the company. So, as a probability statement, it seems unlikely that the problem is the host company.

Then the hack was, as a probability statement, your fault not theirs.

Generally I've found this company to be pretty responsive to my concerns.

Have they explained why there are files on the server that you can not delete ?

The most important concern I have is how to prevent this from happening again

All that information has been provided for you ... directly and by links pointing to the information. leolam has also (in is last post) emphasised the importance of the importance of the information given.

[santiago2927]

I have the same problem. I had hundreds of new users. I deleted all the users. I upgraded joomla from 2.5.28 to 3.4
Unfortunately that didn't help the problem.
Can someone please give me some advice. There are new users being added every minute.

[toivo]

I deleted all the users. I upgraded joomla from 2.5.28 to 3.4
Unfortunately that didn't help the problem.

If you read carefully the posts of mandville, webdongle and leolam, you should follow those recommendations.