Joomla! Discussion Forums



 Post subject: Re: joomla.org hacked?
Posted: Sat Aug 18, 2007 2:10 pm 
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 347
Location: Adelaide, South Australia
It would be far too soon to jump to such a wild conjecture at this time.

I have every faith in the Team telling us the full story once they have cleared everything up and found out for themselves just what happened. Be patient, many of us are waiting for some news.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


Post subject: Re: joomla.org hacked?
Posted: Sat Aug 18, 2007 2:14 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
A search in Google shows it could be linked to a 3pd extension.

Investigations going on.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Post subject: Re: Joomla.org Hacked
Posted: Sat Aug 18, 2007 2:17 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
Merging threads.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Post subject: Re: Joomla.org hacked???
Posted: Sat Aug 18, 2007 2:24 pm
Joomla! Master

Joined: Thu Aug 18, 2005 8:55 pm
Posts: 12894
Location: Nijmegen, The Netherlands
[MOD note: hacker reference removed, no need to encourage script kiddies]

_________________
Kind Regards,
Peter Martin, Global Moderator - Community & Leadership Team
www.db8.nl - Joomla specialist, Nijmegen, Nederland
Joomla 1.5 Quick Reference Guide: www.db8.nl/en/downloads/misc-downloads/ ... glish.html


Post subject: Re: Joomla.org hacked???
Posted: Sat Aug 18, 2007 2:25 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
Merging all these threads.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Post subject: Re: joomla.org hacked?
Posted: Sat Aug 18, 2007 2:25 pm
Joomla! Exemplar

Joined: Thu Aug 18, 2005 9:58 am
Posts: 8099
Location: Hillerød - Denmark
delrica wrote:
How do I download 1.5 if I can't access it through the front page?

All downloads can be found here:
http://joomlacode.org/gf/project/joomla/frs/

_________________
Ole Bang Ottosen - Joomla! Translation Coordination Team
Joomla Leadership Team - Production Working Group - i18n/l10n/translation

Webløsninger og professionel support http://www.ot2sen.dk | Dansk Joomla! support - http://joomla.dk/


Post subject: Re: joomla.org hacked?
Posted: Sat Aug 18, 2007 2:28 pm
Joomla! Apprentice

Joined: Mon Oct 10, 2005 1:46 pm
Posts: 46
Thank you!


Posted: Sat Aug 18, 2007 2:35 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
Merging all cracker-related topics on shop and main site.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Sat Aug 18, 2007 3:07 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
Shop and main are back online atm.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Sat Aug 18, 2007 3:10 pm
Joomla! Guru

Joined: Tue Apr 11, 2006 7:29 pm
Posts: 724
Looks like cracking happens to the best of us :(

You can never be safe enough, I guess the best solution is to always keep fully updated backups!

_________________
http://www.dart-creations.com - We make Joomla Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Featured Articles, Popin Window, Visitors Map, Random Flash, Slide Menu (dropdown), 2CO / Paypal payment, YouTube module, and more!


Last edited by dattard on Sat Aug 18, 2007 6:04 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 3:12 pm
Joomla! Apprentice

Joined: Wed Nov 09, 2005 4:25 am
Posts: 13
Nice to see Joomla is back on-line.

Very curious to see what the whole story was, what exploit was used and how they cleaned the site up.

The same scumbag script kiddy took down one of my sites running an old version of Mambo and I had to rebuild the site from scratch after manually editing the SQL data I recovered.

It took me a lot longer than it took the Joomla Admin(s)!  :)


Posted: Sat Aug 18, 2007 3:26 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
As soon as full investigation has been done, results will be posted here.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Sat Aug 18, 2007 3:44 pm
Joomla! Explorer

Joined: Thu Nov 09, 2006 5:56 pm
Posts: 312
I looked at the image file they have put; it had the same name as the joomla image name in the images directory. The output under the image was the normal joomla message from the configuration file.
It seemed to be seen as an attack on the webserver files' images directory rather than the file system including the root directory.
Perhaps supported by many DoS to show their image file.

_________________
Generaldots.com


Posted: Sat Aug 18, 2007 4:04 pm
Joomla! Explorer

Joined: Thu Nov 09, 2006 5:56 pm
Posts: 312
sonvurus means latest impact or latest hit in English,
but I want to learn why the hacker has chosen the joomla official site to hack?

Many [edit mod] people earn money from joomla.
Why didn't he/she choose [edit mod] joomla-made sites instead of the joomla official site?????????????

[Moderator note: this is an English board, non-English text removed]

_________________
Generaldots.com


Last edited by infograf768 on Sat Nov 10, 2007 5:07 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 4:12 pm
Joomla! Fledgling

Joined: Wed Aug 15, 2007 5:33 pm
Posts: 2
Location: Nabai
I saw it too, I wonder what I should do if I have multiple sites... I can't just sit and worry..  :'(  :pop :o


Posted: Sat Aug 18, 2007 4:18 pm
Joomla! Apprentice

Joined: Thu Jun 29, 2006 11:55 am
Posts: 17
How silly to censor this thread and edit posts.

As if it wouldn't be all over the net already anyway...

If you want an unmoderated, uncensored discussion, better go here:

http://www.simplemachines.org/community ... c=189604.0

"Don't give them credit!" - what a stupid, stupid reason.  ;)

You guys really make a fool of yourself...  o.O


Last edited by stokedfish on Sat Aug 18, 2007 4:21 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 4:30 pm
Joomla! Fledgling

Joined: Wed Aug 15, 2007 5:33 pm
Posts: 2
Location: Nabai
I think their intention is nice  :-\ as long as they haven't fixed this thing yet.. we shouldn't expose much about it unnecessarily, since this could attract more attackers to other joomla based sites..  :'( but I believe it would be fixed in no time.. OH... where's Superman when u need one?  :'(


Post subject: Re: joomla.org hacked?
Posted: Sat Aug 18, 2007 4:45 pm
Joomla! Apprentice

Joined: Thu Jul 26, 2007 3:13 pm
Posts: 21
MMMedia wrote:
This is a Sites and Infrastructure issue.  I am going to move this post to that forum. 

Please do not post screen shots and give advertising to the hackers, why anyone would want to give advertising to any person, group etc that hacks other's sites is beyond me and is so unbelievably rude and inconsiderate.

I don't think so; it isn't an Infrastructure issue in my personal opinion. A lot of Joomla! 1.0.13 sites have been hacked; are all joomla's sites on the same server?


Last edited by vistartony on Sat Aug 18, 2007 4:47 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 4:47 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
stokedfish wrote:
How silly to censor this thread and edit posts.

As if it wouldn't be all over the net already anyway...

If you want an unmoderated, uncensored discussion, better go here:

http://www.simplemachines.org/community ... c=189604.0

"Don't give them credit!" - what a stupid, stupid reason.  ;)

You guys really make a fool of yourself...  o.O


Nothing has been censored except name/urls of exploiters as we have always been doing for obvious reasons.
At reading your last posts, I see you are here fighting your own little flame war.
This is against forum rules, as you may not know. http://forum.joomla.org/index.php/topic,65.0.html
Consider this as a warning.

What happened is serious and taken seriously.
@ vistartony

This hacking cycle has hit a lot of servers worldwide and not specifically joomla sites.

As stated above, when investigations are done, we will post the result here.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Sat Aug 18, 2007 4:52 pm
Joomla! Apprentice

Joined: Thu Jun 29, 2006 11:55 am
Posts: 17
Nice, eh? It's a totally amateurish way to handle all this. "Hey, let's just censor our users posts!"  ;)

A good way to deal with this would have been a quick official statement with a screenshot. Yup, you heard that right. My English is not the best, but something like "Yes, we got hacked. We’re investigating now and will inform you about what exactly happened once we know more. You are welcome to discuss this in [link to thread] but we'd be happy if you refrained from speculations. We will inform you as soon we know more. Your Joomla! Team" - THIS would have been a good and honest way to deal with this.

What you are doing now is totally ridiculing yourself, nothing else...

This is not a good way to deal with what happened, sorry guys.


Posted: Sat Aug 18, 2007 4:53 pm
Joomla! Apprentice

Joined: Thu Jul 26, 2007 3:13 pm
Posts: 21
infograf768 wrote:
@ vistartony

This hacking cycle has hit a lot of servers worldwide and not specifically joomla sites.

As stated above, when investigations are done, we will post the result here.

What you say is true, but consider that every program, like every server, can have its bugs, and, as you say, perhaps it is better to wait for the results of your investigation. I believe that every one of us is waiting for honesty, that's all. Thanks.


Posted: Sat Aug 18, 2007 4:56 pm
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11653
Location: **Translation Matters**
vistartony wrote:
infograf768 wrote:
@ vistartony

This hacking cycle has hit a lot of servers worldwide and not specifically joomla sites.

As stated above, when investigations are done, we will post the result here.

What you say is true, but consider that every program, like every server, can have its bugs, and, as you say, perhaps it is better to wait for the results of your investigation. I believe that every one of us is waiting for honesty, that's all. Thanks.


I am waiting also, as eagerly as you are.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Sat Aug 18, 2007 4:56 pm
Joomla! Apprentice

Joined: Thu Jul 26, 2007 3:13 pm
Posts: 21
stokedfish wrote:
Nice, eh? It's a totally amateurish way to handle all this. "Hey, let's just censor our users posts!"   ;)

A good way to deal with this would have been a quick official statement with a screenshot. Yup, you heard that right. My English is not the best, but something like "Yes, we got hacked. We’re investigating now and will inform you about what exactly happened once we know more. You are welcome to discuss this in [link to thread] but we'd be happy if you refrained from speculations. We will inform you as soon we know more. Your Joomla! Team" - THIS would have been a good and honest way to deal with this.

What you are doing now is totally ridiculing yourself, nothing else...

This is not a good way to deal with what happened, sorry guys.

Yup, I agree


Posted: Sat Aug 18, 2007 5:03 pm
Joomla! Apprentice

Joined: Thu Jun 29, 2006 11:55 am
Posts: 17
infograf768 wrote:
Nothing has been censored except name/urls of exploiters as we have always been doing for obvious reasons.


Haha, great statement.

That's like saying "China doesn't censor anything, except the internet as it has always been doing for obvious reasons"

Call it whatever you want, but DELETING (!) names/urls/pics that are not against US law  =  censorship

Quote:
At reading your last posts, I see you are here fighting your own little flame war.


Where exactly did I flame? I see nothing in my posts that is against the forum rules.

This is a civil discussion and I'm just stating my opinion on this...
You don't seem to like it, that's fine with me, but it can hardly be against the rules.


Last edited by stokedfish on Sat Aug 18, 2007 5:07 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 5:07 pm
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 347
Location: Adelaide, South Australia
stokedfish wrote:
Nice, eh? It's a totally amateurish way to handle all this. "Hey, let's just censor our users posts!"  ;)

Not censor, sanitise. The standard in here has always been - and I have been here from the start - that there is never a link, a name, a screenshot or any other thing that might identify a hacker or their tools. There should never be any way for them to gain any credibility for their actions.

Quote:
A good way to deal with this would have been a quick official statement with a screenshot.

A statement, yes, agree that it would have been appropriate.
A screenshot? Nope, nothing that could lead to them gaining any reference. Zip. Nada. Nothing.

Quote:
What you are doing now is totally ridiculing yourself, nothing else...
This is not a good way to deal with what happened, sorry guys.

Now you are going off on a tangent without any facts to support your suggestion. The Team has led us wisely and I have no doubt they will be telling us the full story just as soon as they know what it is. They know that we all have sites out there that need to be protected and they are well aware of the need to advise us if there is an exploit that just might be heading our way.
Don't go off half-cocked, wait until they tell their story then see what is the most appropriate way to react.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


Last edited by ilox on Sat Aug 18, 2007 5:10 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 5:15 pm
Joomla! Virtuoso

Joined: Sun Aug 21, 2005 2:25 pm
Posts: 4103
Location: Somewhere Near Here
Actually uncivil comments are against the rules stokedfish.  You seem to have neglected to read the rules from the link provided so I will quote them directly to you here in this post.

Quote:
Keep all commentary civil, and be courteous at all times. Constructive criticism is welcome, but insults directed towards other users or the site admins will not be tolerated. Coarse/insulting language will not be tolerated.


If you need further clarification on this I would be more than happy to explain it further to you, but I fear you won't understand it because you seem to not understand the concept of not giving hackers credibility or promotion for their deeds.  I find it odd that you advocate for hackers, I have never seen that done unless it is being done by the hacker themselves or someone that knows the hacker, or someone who has inside knowledge of the hack.  It certainly doesn't shine a very good light on you, and that is unfortunate.

stokedfish wrote:
infograf768 wrote:
Nothing has been censored except name/urls of exploiters as we have always been doing for obvious reasons.


Haha, great statement.
That's like saying "China doesn't censor anything, except the internet as it has always been doing for obvious reasons"
Call it whatever you want, but DELETING (!) names/urls/pics that are not against US law  =  censorship
Quote:
At reading your last posts, I see you are here fighting your own little flame war.

Where exactly did I flame? I see nothing in my posts that is against the forum rules.
This is a civil discussion and I'm just stating my opinion on this...
You don't seem to like it, that's fine with me, but it can hardly be against the rules.

_________________
Love good music, especially the blues? http://www.jennifermarriott.com
Need a Joomla Consultant? http://www.marpomultimedia.com
JOOMLA ROCKS


Posted: Sat Aug 18, 2007 5:18 pm
Joomla! Apprentice

Joined: Thu Jun 29, 2006 11:55 am
Posts: 17
ilox wrote:
Not censor, sanitise. The standard has always been - and I have been here from the start - that there is never a link, a name, a screenshot or any other thing that might identify a hacker or their tools. There should never be any way for them to gain any credibility for their actions.


Well, I don't agree with that decision and, as I said, I think it's a VERY amateurish way to deal with this. Anyway, if this is the policy here then I suggest at least adding it to the forum rules so that everyone knows.

ilox wrote:
Nope, nothing that could lead to them gaining any reference. Zip. Nada. Nothing.


The more secretive you treat this incident the more speculations, rumours and misinformation will spread on the web and this can be in no way good for the Joomla! project. A much better way would have been to make an official statement as fast as possible instead of trying to hide things from the public.

ilox wrote:
Now you are going off on a tangent without any facts to support your suggestion.


I stated more than enough facts to support my opinion. You may not agree with it, that's fine, but accusing me of "going off on a tangent without any facts" certainly isn't accurate. Instead I am still waiting for YOUR arguments. All I have heard so far is a ridiculous "they should not get any credits!" - it's too late for that now anyway, face it. We're giving them credit with this thread right now and this could have been avoided, had you dealt with this differently.

ilox wrote:
The Team has led us wisely and I have no doubt they will be telling us the full story just as soon as they know what it is.


Yes, I agree, they have indeed led us wisely. I've been reading the forums for quite some time and I agree. But now the Joomla! team didn't act clever at all and I think there's nothing wrong about speaking that out...


Last edited by stokedfish on Sat Aug 18, 2007 7:00 pm, edited 1 time in total.

Posted: Sat Aug 18, 2007 5:21 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 12:06 pm
Posts: 707
Location: Netherlands
This morning (GMT+2) the shop.joomla.org got compromised. We countered this within 40 minutes by restoring some default setting on the servers; for research reasons the site was put into maintenance mode. An hour after that, the front page was compromised also (shop.joomla.org and http://www.joomla.org run on the same server).

We investigated, and going through several hundreds of megabytes of logfiles just takes a lot of time. We decided to move away the current site, and replace it with a plain .html file to be able to investigate further. In the meanwhile the total installation was restored to get the site back up and running; this is our current status.

At this time we are still going through the massive logfiles and trying to find the way we were compromised. This is certainly not an easy task. As soon as we have more information on this, we will share it with the community.

p.s. I have not been able to read all posts here, so maybe you ask for more info, feel free to do so. Will try to answer as well and as fast as possible here.

_________________
Personal blogs can be found on http://JFoobar.org
/www.moovum.com - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
www.abillo.com - The dream expierence


Posted: Sat Aug 18, 2007 5:21 pm
Joomla! Apprentice

Joined: Thu Jul 26, 2007 3:13 pm
Posts: 21
Please don't use the word "Hackers"; they aren't Hackers who do that on this or on the other sites. A hacker is a great programmer and skilled everywhere on the PC and the net; the correct word for me is a cracker. Enough :)


Posted: Sat Aug 18, 2007 5:21 pm
Joomla! Explorer

Joined: Tue Aug 23, 2005 4:55 am
Posts: 280
Location: On my CBR 1000rr...
stokedfish wrote:
Call it whatever you want, but DELETING (!) names/urls/pics that are not against US law  =  censorship

Law really has nothing to do with it.
http://en.wikipedia.org/wiki/Netiquette

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

