Hi,
JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ] 21 July 2007 16:00 UTC
configuration.php: Not Writable (Mode: 555 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-92.el5 ( i686) | Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13 | PHP Version: 5.2.13
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community ( Localhost via UNIX socket )
I have taken over the support of a site that will be migrated to a new platform in a few months. It's Joomla 1.1.3 and has not been updated for a number of years; not surprisingly, it's been hacked. I guess no one wants to support an old insecure installation here, but I have to sort it out, and I am brand new to Joomla and struggling... so I would really appreciate your help.
Symptoms:
Nearly 1000 links on most of the main pages, at the bottom of the page after the Google Analytics code; the links are only being served to search engine bots.
When I downloaded the site via FTP I caught a trojan, IROFFER, which is an IRC FTP command-line tool for downloading files via IRC chat. This was in the com_jobline folder.
FTP download stopped at 80% and I tried to connect again.
I then noticed a CMD window open and then close, and 10 mins later I got a call from a client saying they had just started getting an obscene amount of contact form emails - over 2000 in 15 mins.
Using Facile Forms, I think.
These emails came FROM MY IP ADDRESS!!! about an hour into my accessing the FTP for the first time. The emails reported IE6 and Win2000 as the host.
I guess I have contracted a worm on my laptop (ESET + Vista, all up to date) from either trying to take FTP copies for analysis or even just visiting the website, maybe? First time ESET let me know (I hope). I have shut my laptop down.
The worm submitting forms from my IP address was trying to submit forms with various XSS methods by the looks of it, trying to submit <scripts> in the contact form etc., and some of the mails that came through had attachments such as ffexport-12345.xml (maybe a Facile Forms thing).
Error logs show stuff like
PHP Warning: mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Access denied
and URLs with "modules" repeated, i.e. modules/modules/modules/modules/modules/modules/modules/modules/ x 10
Access logs are stuffed (100s of entries today) with /registration/modules/modules/modules/modules/modules/modules/modules (modules repeating 100s of times) - some sort of overflow vulnerability thing?
I have disabled all forms on the website.
The webhost has just informed me that they only keep backups from 7 days ago; Google's cache shows the hidden links on the site are from 2 weeks ago.
We have a new site launching in 4-6 weeks, so a rebuild is harmful.
I think I should take the site down and serve a 502 header, as there is a possibility that this worm is affecting visitors.
Any ideas on what this could be? I really would hate to do a reinstall of Joomla when I have never used it before and we have a new site being rolled out in 4-6 weeks.
I guess I suspect what the answer is here.
Any help would be awesome.
Thanks
BAC
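A small triage script for the symptoms described in the post above (the repeated /modules/modules/... requests in the access log, the burst of contact-form POSTs from one address, and the kind of user-agent cloaking that serves links only to search engine bots), added here as an example; it is not code from the original post, from Joomla or from Facile Forms. It assumes Apache combined log format; the sample log lines, the "com_facileforms" form marker, the thresholds and the sample PHP snippet are all constructed for illustration, not taken from the hacked site.

```python
"""Triage helpers for a compromised Joomla 1.x site (added example, not from the post)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Apache combined format: two repeated-segment probes from one
# address, one normal page view, and six form POSTs from one address inside 25 seconds.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:10:01:02 +0000] "GET /registration/modules/modules/modules/modules/modules/modules/modules/modules/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:10:01:03 +0000] "GET /registration/modules/modules/modules/modules/modules/modules/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2010:10:02:00 +0000] "GET /index.php?option=com_content&task=view&id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:10:05:00 +0000] "POST /index.php?option=com_facileforms&Itemid=42 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2010:10:05:05 +0000] "POST /index.php?option=com_facileforms&Itemid=42 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2010:10:05:10 +0000] "POST /index.php?option=com_facileforms&Itemid=42 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2010:10:05:15 +0000] "POST /index.php?option=com_facileforms&Itemid=42 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2010:10:05:20 +0000] "POST /index.php?option=com_facileforms&Itemid=42 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [10/Mar/2010:10:05:25 +0000] "POST /index.php?option=com_facileforms&Itemid=42 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def repeated_segment(path, min_repeats=3):
    """Return a path segment that repeats consecutively at least min_repeats times, else None."""
    segs = [s for s in path.split("?")[0].split("/") if s]
    run = 1
    for prev, cur in zip(segs, segs[1:]):
        run = run + 1 if prev == cur else 1
        if run >= min_repeats:
            return cur
    return None


def post_bursts(entries, form_marker, window_seconds=60, threshold=5):
    """Map source IP -> largest number of form POSTs it made inside any window_seconds window,
    keeping only IPs that reach the threshold (a form-spam burst)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and form_marker in e["path"]:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def triage(log_text, form_marker):
    """Summarise repeated-segment probes per (ip, segment) and form-POST bursts per ip."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    repeats = Counter()
    for e in entries:
        seg = repeated_segment(e["path"])
        if seg:
            repeats[(e["ip"], seg)] += 1
    return {"repeated_paths": dict(repeats), "form_bursts": post_bursts(entries, form_marker)}


# Constructed PHP resembling injected code that shows links only to crawlers; not real malware.
SAMPLE_PHP = r'''<?php
// constructed sample: output gated on the crawler's user agent
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos($ua, 'googlebot') !== false || strpos($ua, 'slurp') !== false) {
    echo '<div style="display:none">' . file_get_contents('/tmp/.links') . '</div>';
}
eval(base64_decode('Li4u'));
?>'''

BOT_UA_RE = re.compile(r"googlebot|bingbot|msnbot|slurp|yandex", re.I)
PAYLOAD_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def find_cloaking_markers(php_source):
    """Return (line_no, reason) for lines that gate output on a crawler UA or eval a decoded blob.
    The UA check looks two lines ahead, since the bot string often sits on the next line."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines, 1):
        if "HTTP_USER_AGENT" in line and BOT_UA_RE.search(" ".join(lines[i - 1:i + 2])):
            findings.append((i, "output conditioned on search-engine user agent"))
        if PAYLOAD_RE.search(line):
            findings.append((i, "eval of decoded payload"))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, form_marker="com_facileforms"))
    print(find_cloaking_markers(SAMPLE_PHP))
```

Run it against the real access log and the site's PHP tree (walk the directory and call find_cloaking_markers on each file) before pulling the site; the repeated-segment hits give you the probing addresses and paths, the burst table gives you the spamming client, and the cloaking hits tell you which files carry the hidden-link payload so the same code can be searched for across a fresh copy after the rebuild.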