Joomla Site Hacked - Link injection shown only to Bots

Discussion regarding Joomla! security issues.

BAC
Joomla! Fledgling
Posts: 1
Joined: Tue Jun 29, 2010 6:41 pm

Joomla Site Hacked - Link injection shown only to Bots

Post by BAC » Tue Jun 29, 2010 7:35 pm

Problem Description: Joomla Site Hacked - Link injection shown only to Bots; after FTP'ing the site, forms being submitted from my IP = Worm??
Actions Taken To Resolve: Disabled forms, ran a cPanel virus scan - not sure what to do.
Diagnostic Information: Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ] 21 July 2007 16:00 UTC
configuration.php: Not Writable (Mode: 555 ) | RG_EMULATION:
Architecture/Platform: Linux 2.6.18-92.el5 ( i686) | Web Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13 | PHP Version: 5.2.13
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.90-community ( Localhost via UNIX socket )
Hi,

I have taken over the support of a site that will be migrated to a new platform in a few months. It's 1.1.3 Joomla and has not been updated for a number of years; not surprisingly, it's been hacked. I guess no one wants to support an old insecure installation here, but I have to sort it out and I am brand new to Joomla and struggling... so I would really appreciate your help.

Symptoms:

Nearly 1000 links on most of the main pages, at the bottom of the page after Google Analytics - links only being served to search engine bots.

When I downloaded the site via FTP I caught a trojan - IROFFER, which is an IRC FTP command line tool for downloading files via IRC chat. This was in the com_jobline folder.

FTP download stopped at 80% and I tried to connect again.
I then noticed a CMD window open and then close; 10 mins later I get a call from a client saying they just started getting an obscene amount of contact form emails - over 2000 in 15 mins.

Using Facile Forms, I think.

These emails came FROM MY IP ADDRESS!!! about an hour into my accessing the FTP for the first time. The emails reported IE6 and Win200 as the host.

I guess I have contracted a worm on my laptop (ESET + Vista all up to date) from either trying to take FTP copies for analysis or even just visiting the website, maybe? First time ESET let me know (I hope). I have shut my laptop down.

The worm submitting forms from my IP address was trying to submit forms with various XSS methods by the looks of it, trying to submit <scripts> in the contact form etc., and some of the mails that came through had attachments such as ffexport-12345.xml (maybe a Facile Forms thing).

Error logs show stuff like:
PHP Warning: mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Access denied

and URLs with "modules" repeated, i.e. modules/modules/modules/modules/modules/modules/modules/modules/ x 10

Access logs are stuffed (100's of entries today) with /registration/modules/modules/modules/modules/modules/modules/modules ("modules" repeating 100's of times) - some sort of overflow vulnerability thing?

I have disabled all forms on the website.

The webhost has just informed me that they only keep backups from 7 days ago; Google's cache shows the hidden links on the site are from 2 weeks ago.

We have a new site launching in 4-6 weeks, so a rebuild is harmful.

I think I should take the site down and serve a 502 header, as there is a possibility that this worm is affecting visitors.

Any ideas on what this could be? I really would hate to do a reinstall of Joomla when I have never used it before and we have a new site being rolled out in 4-6 weeks.

I guess I suspect what the answer is here :(

Any help would be awesome.

Thanks
BAC
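One check a defender can run for the cloaking described above, as an added example that is not code from this thread: request the same page with a crawler User-Agent and with a browser User-Agent and list the links that only the crawler receives. The sample HTML, the example.invalid addresses and the helper name fetch_variants are constructed for the example.

```python
"""Cloaking check: links a page serves to a search crawler but not to a browser.
Added example (not from the thread). Works on HTML strings so it runs offline;
fetch_variants() shows how the two views would be fetched over the network."""
import urllib.request
from html.parser import HTMLParser

BOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.0; rv:3.6) Gecko/20100101 Firefox/3.6"


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def cloaked_links(bot_html, browser_html):
    """Links present in the crawler's view but absent from the browser's view."""
    visible = set(extract_links(browser_html))
    return [link for link in extract_links(bot_html) if link not in visible]


def fetch_variants(url):
    """Fetch url once per User-Agent (network call; not used by the offline sample)."""
    views = {}
    for label, ua in (("bot", BOT_UA), ("browser", BROWSER_UA)):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=20) as resp:
            views[label] = resp.read().decode("utf-8", "replace")
    return views


# Constructed sample: the crawler view carries a hidden block after the analytics tag.
BROWSER_VIEW = ('<html><body><a href="/index.php">Home</a><a href="/contact">Contact</a>'
                "<script>_gaq.push(['_trackPageview']);</script></body></html>")
BOT_VIEW = BROWSER_VIEW.replace("</body>", '<div style="display:none">'
    '<a href="http://example.invalid/spam1">x</a><a href="http://example.invalid/spam2">y</a></div></body>')
```

On a live site, `views = fetch_variants("http://your-site/")` followed by `cloaked_links(views["bot"], views["browser"])` gives the list of injected links; an empty list after cleanup is the sign the cloaked block is gone.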

antihack
Joomla! Enthusiast
Posts: 163
Joined: Sat Mar 15, 2008 9:45 pm
Contact:

Re: Joomla Site Hacked - Link injection shown only to Bots

Post by antihack » Wed Jun 30, 2010 9:13 pm

You're correct. You must either restore a good backup that you trust or install a new site and apply the changes that you need.

Other than that there is no safe way to do it.

BUT, after you're done getting up and running:
Make sure your site is upgraded to the latest version. Then sign up for email alerts. That way, when they update Joomla to fix a security issue, you get an email instantly and you can update a.s.a.p.

Here is a link to vital information on how to prevent future attacks.
http://forum.joomla.org/viewtopic.php?f=432&t=335090

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla Site Hacked - Link injection shown only to Bots

Post by mandville » Wed Jun 30, 2010 10:14 pm

Some of this may sound scary, BUT as Joomla 1.0.x is no longer supported or available for download from this site, I cannot even suggest upgrading to the latest 1.0.15 version, but someone may come along with a version for you.

You are right in thinking that possibly the best way to go would be to trash the site, but if you look at our self-help guidelines, concentrate on checklist 7, safe route to recovery.

I suggest running through this before-you-post checklist, which has some tools to help us help you.
Both the extensions you mentioned are possibly out of date also and vulnerable.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of the extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777; the ideal is 644 for files and 755 for directories.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla Site Hacked - Link injection shown only to Bots

Post by mandville » Thu Jul 01, 2010 4:43 pm

You should be able to find a copy of the Joomla 1.0.13 upgrade files here: http://mirror.phil-taylor.com/ (thanks to Brian T)
