delete file structure

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
smcguinness
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Sat Nov 07, 2009 2:07 am

delete file structure

Post by smcguinness » Wed Apr 28, 2010 1:37 am

There is another use with post "hacked again" which is closed. Originally I had my posted -- posted there. However, that one is closed and I do not believe this is a closed item.

On the same day as that original post 4/24 -- i had a similar problem which is described below.

I had this problem with a site that has been up for months. Started Sat. 4/24 the entire, or almost entire site was gone ... deleted ... all that remained was a portion of the administration panel ... We restored from a backup and encountered the same problem -- apparently the malicious code was backed up along with the site ... so we restored from an older version and restored our database and everything was fine. Database was not touched -- just the deleted file structure -- looks like something like "rm *" was the problem, but I can't say for sure because there wasn't anything left to look at.

I am hosting with hostmonster and I'm sure that it had nothing to do with them.

I changed all passwords, but I do not believe that they were directly connecting with the site and hostmonster I believed checked also.

However, i did change the passwords and I scanned my hard drive -- because it was making me nuts -- and I became paranoid -- which isn't really that hard to do to me ... laffs -- but the hard drive was clean.

anyway, i am using joomla version 1.5.15 and we have not installed any new components in months ... very stable until 4/24 ...

I will re-read the security recommendations of course and have taken several other measure, but again ... not clear yet what exactly caused this ...

shirley


Report this post -- not sure were this came from, but I am only attempting to warn others of a possible problem so I'm going with the re-post under a non-closed topic.

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9347
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: delete file structure

Post by RussW » Wed Apr 28, 2010 4:09 am

@Shirley
Effectively, we don't "close" posts in this forum, they can be made read only, if the post has been open for a long time with no response from the original poster. So I don't understand your statements about your previous post having been "closed"

[edit] Having now reviewed the other post mentioned, and determined that it was created by another user and that this user decided that the issue was solved, the post had been marked as [SOLVED] accordingly. Posts are marked solved by the user or at the users request, so I am guessing this is what you mean by "closed". On a similar note, but to one side, this does nto look to be the same type of issue, plus hijacking of other users posts is technically, not good for the forum and problem resolution finding and is against forum rules. You need to open your own post for you own issues.


As for this post, well, to be honest you don't provide enough information to determine whether this is anything new, old or a misconfiguration.

The duration that a site has been running is no indication of whether it is (or has been for a while ) vulnerable or not.

If somehow the rm -Rf command was issued to the shell, it would be easy enough for the host to trace back through logs or most likely "bash history". If it had been possible to execute this command, then the host server configuration and security measures must be considered suspect, as well as your site potentially having a vulnerable extension and/or elevated permissions in the first place.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: delete file structure

Post by mandville » Wed Apr 28, 2010 8:05 am

we have started locking posts that are apparently abandoned by the original poster within this security forum see http://forum.joomla.org/viewtopic.php?f=432&t=509319
as RussW states, if a bash command as issues, you should start badgering your host as to why and how and/or use a backup
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

smcguinness
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Sat Nov 07, 2009 2:07 am

Re: delete file structure

Post by smcguinness » Wed Apr 28, 2010 1:28 pm

Okay, I guess I didn't make myself clear enough. I'm not sure how it was done because there wasn't anything left to look at as everything was deleted.

However, because we restored from a backup done the night before and it happened again very soon after. I think it is safe to assume that the one of the scripts was modified that included some form of the "remove" command, but again I am assuming this since there wasn't any left to look at.

The hosting company (hostmmonster.com) didn't look and did not find any information in the logs that could explain this and I am sure that they did investigate.

Since the site had been up and running for months and we had not installed or modification any configuration and/or software in months. I do not believe it was a misconfiguration except that apparently my security isn't as tight as it should have be. So I'm not complaining here, but rather stating a fact somehoe my site was infected with some code that deleted the entire file structure.

Additionally, the other post was on the same day, with the exact problem. Two different sites, two different hosting companies -- it doesn't seem to me that this was just a coincidence, but i guess it might be possible.

We did have a backup and we were able to restore thet site. In fact this event wasn't more than pain, but that isn't the point either, or the reason I posted. I would like to help the community with any information that might help support everyone. If I can give you more specific information, please ask and I will try and answering any questions.

Shirley

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: delete file structure

Post by mandville » Wed Apr 28, 2010 8:02 pm

if you can run the extended forum post security tool, and compare it with the VEL and post here . that may help sort out any clues.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

smcguinness
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Sat Nov 07, 2009 2:07 am

Re: delete file structure

Post by smcguinness » Thu Apr 29, 2010 10:10 pm

oaky ... i will do that. Please give a few days I have an extremely heavy work load.

Thanks
Shirley

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: delete file structure

Post by brian » Thu Apr 29, 2010 10:31 pm

Just a couple of notes

1. Its certainly possible that your site was exploited with a malicious script a long time ago and the script only executed recently

2. There are many hacker tools that will let someone perform a "rm -rf" and leave no trace in the logs so you cannot rely on logs.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

smcguinness
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Sat Nov 07, 2009 2:07 am

Re: delete file structure

Post by smcguinness » Fri Apr 30, 2010 12:25 am

very much agree. apparently that was the case here ... and i certainly will take very step that i can to prevent it from occurring in the future ... just an FYI to the community -- and hopefully it is taken like that ...

smcguinness
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Sat Nov 07, 2009 2:07 am

Re: delete file structure

Post by smcguinness » Fri Apr 30, 2010 12:55 am

I guess this is what you need....

JTS-post Diagnostic Information wrote:Joomla! Version: Joomla! 1.5.15 Stable [ Wojmamni Ama Mamni ] 05-November-2009 04:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.28-10.21.intel.E1000E.BHsmp ( x86_64) | Web Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635 | PHP Version: 5.2.11
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Not Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.1.45-log ( Localhost via UNIX socket )


I'm going back thru and remove whatever can be removed and locking down what I can .... but so far it's been very stable again ...

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: delete file structure

Post by PhilD » Fri Apr 30, 2010 3:37 pm

In addition to what your currently doing also take a look at the following:

[ ] Ensure you have the latest version of Joomla. Download the latest full version of Joomla and use it to replace the core files. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files.[/b]

[ ] Review Vulnerable Extensions List and update or remove (if no update is available and vulnerable extensions.

[ ] Review and action Security Checklist checklist 7 make sure you've gone through all of the steps, not just the easy ones!!

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] For the malicious code topic
PhilD

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: delete file structure

Post by mandville » Mon May 17, 2010 6:38 pm

topic locked due to no response from original poster and age/changed code of topic - see http://forum.joomla.org/viewtopic.php?f=432&t=509319
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Locked

Return to “Security in Joomla! 1.5”