The Joomla! Forum ™



Posted: Tue Mar 02, 2010 8:50 am
Joomla! Fledgling
Joined: Tue Mar 02, 2010 8:35 am
Posts: 1
Hi,
I've been using version 1.5.9 for one year without any problem, but yesterday I couldn't navigate my web: only a blank page was shown. The administrator page works partially.
I've found the following script in ALL the index.html and .php files, that means hundreds, located both in the program and extensions:

[Mod edit: removed hacker script]

I have erased this script in dozens of files, but nothing happened. The permissions were set to 755.
Does anybody know what this is? Any suggestion?
Many thanks!


Last edited by PhilD on Tue Mar 02, 2010 3:46 pm, edited 3 times in total.
Hacker script has been removed


Posted: Tue Mar 02, 2010 9:01 am
Joomla! Explorer
Joined: Sat Aug 30, 2008 11:09 am
Posts: 382
You are using an older version of Joomla!. Many security vulnerabilities have since been fixed.

Removing the scripts will most often not solve the problem, since if you have been hacked, there will quite likely exist other malicious files that are re-inserting the scripts every time you load the page.

Quoting what mandville always says in these situations:

mandville wrote:
[ ] Run the forum post assistant and security tool (instructions available here). Force a full install, not an update. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files.

[ ] Ensure you have the latest version of Joomla. We recommend Update Manager.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should have maximum permissions of 644 for files and 755 for folders, with no exceptions.


Posted: Thu Apr 08, 2010 10:33 am
Joomla! Intern
Joined: Fri Apr 25, 2008 10:22 am
Posts: 58
Location: Aarup, Denmark
Quoting mandville's solution is not an answer for this exact problem.

The problem is that all the files on the site (ALL index.htm and .php files) are hacked with a script that needs to be removed by hand.

Mandville is only useful with this problem in the safety you need to put on your site after removal of the script.

I know, because 3 of my sites were hacked last week, more than 2000 files infiltrated with the virus....


Posted: Thu Apr 08, 2010 3:48 pm
Joomla! Apprentice
Joined: Tue Mar 30, 2010 5:20 pm
Posts: 13
Hey,

You can remove those with a simple find/sed script... I explain it a bit on this post:
http://blog.sucuri.net/2010/03/removing ... -case.html

Something like this (please note that you have to modify the script to match the malware you found; this is just an example):
<<{mod deleted}>>

thanks,

_________________
http://sucuri.net


Last edited by mandville on Thu Apr 08, 2010 10:25 pm, edited 2 times in total.
script deleted to prevent itchy finger syndrome - it is available at link
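As an added example (my own code, not the find/sed one-liner from the Sucuri post, which the moderators removed), here is the shape such a clean-up should take: a Python script that walks a Joomla tree, reports every .php/.html/.htm file containing an injected <script> block in a dry run, and only rewrites files when asked to, keeping a .bak copy of each infected original. INJECTED_MARKER and the sample tree built by build_sample_site are constructed placeholders; the marker must be replaced with the exact string found in your own infected files.

```python
import os
import re
import shutil

# Constructed placeholder for the injected block: copy the real marker from one of
# your own infected files. One <script> element containing it is matched non-greedily.
INJECTED_MARKER = b"EXAMPLE-INJECTED-MARKER"
INJECTED_RE = re.compile(rb"<script[^>]*>(?:(?!</script>).)*?" + re.escape(INJECTED_MARKER)
                         + rb".*?</script>[ \t]*\r?\n?", re.DOTALL | re.IGNORECASE)
TARGET_EXT = (".php", ".html", ".htm")

def find_infected(root):
    """Return sorted paths of .php/.html/.htm files under root that contain the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:  # bytes: never re-encode a site file
                    if INJECTED_RE.search(fh.read()):
                        hits.append(path)
    return sorted(hits)

def clean_file(path, apply=False):
    """Strip every injected block from path and return how many were removed.
    Dry run by default; with apply=True the infected original is kept as path.bak."""
    with open(path, "rb") as fh:
        original = fh.read()
    cleaned, count = INJECTED_RE.subn(b"", original)
    if count and apply:
        shutil.copy2(path, path + ".bak")  # keep the evidence for later analysis
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return count

def build_sample_site(root):
    """Write a constructed three-file tree (two infected, one clean) for a trial run."""
    os.makedirs(os.path.join(root, "modules"), exist_ok=True)
    injected = b'<script type="text/javascript">/* ' + INJECTED_MARKER + b" */</script>\n"
    files = {
        "index.php": b"<?php\ndefine('_JEXEC', 1);\n?>\n" + injected,
        "modules/index.html": b"<html><body>" + injected + b"</body></html>\n",
        "configuration.php": b"<?php\nclass JConfig {}\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return sorted(os.path.join(root, rel) for rel in files)
```

Run find_infected on a copy of the site first and compare the list against what you expect before passing apply=True; as the thread notes, a cleaned file set still says nothing about backdoors stored elsewhere, so the full reinstall from mandville's checklist remains necessary.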


Posted: Thu Apr 08, 2010 3:55 pm
Joomla! Hero
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
togalounge wrote:
Quoting mandville's solution is not an answer for this exact problem.

The problem is that all the files on the site (ALL index.htm and .php files) are hacked with a script that needs to be removed by hand.

You can do it the hard way and hope you actually removed ALL backdoors. Some hack code only assembles at runtime (page request) and so is very hard to find and eliminate by hand or script. Some hacks are also good enough that the file time/date stamp is returned to the original after modification and the record of the change is erased, causing many scripts to miss altered files. Going through thousands of files line by line by hand is just dumb and would require one to be very well versed in PHP, MySQL, and JavaScript, aside from knowing exactly what files should actually be there in the first place.

Or you can follow A Safe Route to Disaster Relief and have your site(s) back in operation in a short time period and be assured the site is clean.


Mandville is only useful with this problem in the safety you need to put on your site after removal of the script.

That is not true. The information given by mandville is relevant BEFORE being hacked as well as after being hacked. Please read it. It was written to be preventative as well as for recovery.

I know, because 3 of my sites were hacked last week, more than 2000 files infiltrated with the virus....


If you follow what is posted by mandville you will recover your site safely, efficiently, and without a lot of work. Following a few simple rules presented in the security documentation and keeping things updated will likely prevent being hacked in the first place.

The OP was on version 1.5.9 of Joomla. That is an old version and does have security holes. I would also be willing to bet that any extensions used were also outdated, with at least one having security issues. Either or both likely resulted in the hack. Everyone should be using version 1.5.15 of Joomla and the latest secure version of any extensions and templates.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Thu Apr 08, 2010 4:03 pm
Joomla! Hero
Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
sucuri wrote:
Hey,

You can remove those with a simple find/sed script... I explain it a bit on this post:
http://blog.sucuri.net/2010/03/removing ... -case.html

Something like:
<<{mod deleted}>>

thanks,


That's only good if you have shell access (or can run shell scripts from cron) and know what the script means; many do not have shell access, do not know what the script does, or do not have cron. Nor do they really care. This is why much hard work has gone into making the checklists, VEL, and other security documentation.

Disclaimer: If someone wishes to use a posted script, you do so at your own risk.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Last edited by mandville on Thu Apr 08, 2010 10:25 pm, edited 1 time in total.
script deleted to prevent itchy finger syndrome - it is available at link


Posted: Thu Apr 08, 2010 4:20 pm
Joomla! Master
Joined: Mon Aug 29, 2005 10:17 am
Posts: 11991
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
That script is useless in this particular case. Phil, please remove it..... I know you posted a warning, but sometimes people do not read that well......

The actual script we use to clean out sites is "a little longer" (20 lines or so) and requires the insertion of some specifics of the hacker's script to enable the cleaning (in shell). The single line is useless as posted and could well damage a site very severely.

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Posted: Thu Apr 08, 2010 4:51 pm
Joomla! Apprentice
Joined: Tue Mar 30, 2010 5:20 pm
Posts: 13
Not really... they can download the site, run it locally and upload it back to the server.

Prevention is always better, but sometimes you have to respond quickly to remove the malware...

*Also, this script is just a suggestion. He still needs to modify it to remove whatever he found.

PhilD wrote:
That's only good if you have shell access (or can run shell scripts from cron) and know what the script means; many do not have shell access, do not know what the script does, or do not have cron. Nor do they really care. This is why much hard work has gone into making the checklists, VEL, and other security documentation.

Disclaimer: If someone wishes to use a posted script, you do so at your own risk.

_________________
http://sucuri.net


Posted: Thu Apr 08, 2010 10:30 pm
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
I have removed the script for sanity's sake. An external link to the sample script with instructions has been provided in an earlier post.

Now waiting for the original poster to come back with the actions done so far.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

