The Joomla! Forum ™



Posted: Fri Nov 26, 2010 4:01 am
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Hi Everyone:

Pulled up the site to check it and found it was hacked. The index.php page was changed. The message on the pages said, "Hacked by <deleted>".

Anyone else deal with these fools? I found a patch/upgrade to 1.5.22 and installed that, changed my password, and will start searching through the vulnerable extensions.

If anyone else has had this problem please let me know if you found their way in. This is my first time hacked so any advice would be greatly appreciated.

Thanks - Tim
http://www.bikercove.com


Last edited by mandville on Fri Nov 26, 2010 4:03 am, edited 2 times in total.
hacker kudos removed


Posted: Fri Nov 26, 2010 4:03 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11634
Location: The Girly Side of Joomla in Sussex
see this link viewtopic.php?f=432&t=475313

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Fri Nov 26, 2010 4:21 am
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
OK. Working on the link you sent. Here's some info. Hope I did it right.

JTS-post Problem Description wrote:
Hacked
JTS-post Actions Taken To Resolve wrote:
patched from 1.5.21 to 1.5.22, password changed, index.php backup loaded.

JTS-post Diagnostic Information wrote:
Joomla! Version: Joomla! 1.5.22 Stable [ senu takaa ama woi ] 04-November-2010 18:00 GMT
configuration.php: Not Writable (Mode: 444 ) | Architecture/Platform: Linux 2.6.18-194.11.4.el5 ( x86_64) | Web Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.30 mod_fcgid/2.3.5 | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5 or above): Yes | iconv Support (1.5 or above): Yes | save.session_path: Writable | Max.Execution Time: 1000 seconds | File Uploads: Enabled
MySQL Version: 5.0.91-community-log ( Localhost via UNIX socket )

JTS-post Extended Information wrote:
SEF: Disabled (without ReWrite) | Legacy Mode: Disabled | FTP Layer: Disabled | htaccess: Implemented
PHP/suExec: User and Web Server accounts are the same. (PHP/suExec probably installed)
PHP Environment: API: cgi-fcgi | MySQLi: Yes | Max. Memory: 500M | Max. Upload Size: 200M | Max. Post Size: 200M | Max. Input Time: 2000 | Zend Version: 2.2.0
Disabled Functions:
MySQL Client: 5.0.91 ( latin1 )


Last edited by mandville on Fri Nov 26, 2010 11:36 am, edited 1 time in total.
removed hacker kudos,


Posted: Fri Nov 26, 2010 4:46 am
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11984
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
See the first and second sticky in this security forum. Especially the second one which describes how you yourself can insert a virus in your site.

Password changes needed for ftp and your hosting control panel, every access point needs at least a 14 - 16 digit password http://strongpasswordgenerator.com/

Besides a fully outdated PHP-version (current stable branch in PHP 5.2 = 5.2.14), old mySQL (today current is 5.1.51), no protection through disabled functions such as disabled: dl, show_source, system, passthru, popen, proc_open and very 'generous' memory and upload sizes (how to blow a server to the sky) all seems normal ........

Follow all steps as outlined by Mandville!

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Posted: Fri Nov 26, 2010 5:28 am
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Thanks Leo. I'll keep working on it. I changed my CP password with my host. Went to change the FTP password and when I did, I got locked out with a brute force attack. Wonder if the hackers were back. I also received a system email with a password change request and token. Went in and changed my admin username too.

Tell me, if I'm getting the system emails below, do you think they're cracking the admin username and PW, or, finding a backdoor? Below is the message I get. I deleted a portion of the token and link.

Thanks Leo - Tim

Hello,

a request has been made to reset your Biker News and Event Website account password. To reset your password, you will need to submit this token in order to verify that the request was legitimate.

The token is 2ae170e77ecd2eb29

Click on the URL below to enter the token and proceed with resetting your password.

http://bikercove.com/index.php?option=com_user&view=

Thank you.


Posted: Fri Nov 26, 2010 8:21 am
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11984
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
That password reset message is so simple to generate......you have a mailto in your code and I just have to enter that mail in the password reset form and you get that message. Mailto is never clever and you should use a form with good protection such as recaptcha

You will need to follow all steps and the only way is to follow the steps as outlined in the Security Checklist #7 and to make sure that your own PC you use for ftp-access is clean

Check the extension vulnerability checklist http://feeds.joomla.org/JoomlaSecurityV ... Extensions and replace the extensions that are listed: Listbingo is listed for instance with multiple vulnerabilities

Make sure your raw access logs are active in cPanel. These will tell you who and with what IP which files and folders have been accessed by what user

Leo 8)

Leo

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Posted: Fri Nov 26, 2010 4:15 pm
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Listbingo is gone. I missed that one in the list. Thanks! Also, if I wanted to add "captcha" into the forgot password form, is there an extension for that?


Posted: Fri Nov 26, 2010 8:28 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
Updating to 1.5.22 is saving you now, for sure - if you got those emails someone was using SQL Injection to read your reset token. Measures are in place to prevent this in 1.5.22...

_________________
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι


Posted: Fri Nov 26, 2010 9:19 pm
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Thank you! Glad to hear it. I also have been checking my machine and have found issues which are corrected now. I only received one of the emails with token since upgrading to 1.5.22 ...Tim


Posted: Fri Nov 26, 2010 9:40 pm
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
A tip: If your site is defaced like yours was, I find that checking the timestamp on the changed file in question, index.php, is helpful. If you know when the file was changed, you'll know when the hacker was having fun on your server.

You can then use this timestamp to easily narrow down the field in your log files in the search of suspicious activity, like dodgy requests targeting insecure extensions.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj


Posted: Fri Nov 26, 2010 9:48 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
torkil wrote:
A tip: If your site is defaced like yours was, I find that checking the timestamp on the changed file in question, index.php, is helpful. ...

But it does not negate the fact that it is best to delete all the files then check your PC/Mac then change your passwords.

_________________
http://weblinksonline.co.uk/joomla-faq.html


Posted: Fri Nov 26, 2010 9:59 pm
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
Finding out *how* you got hacked is imperative to preventing it from happening again. That's just a small part of the job of course.

I had a case a while back where a hacker had a script check my site every 5 minutes or so to see if it was still hacked. Once I fixed my site he would hack it again in less than 5 minutes. So while I was figuring out how he got in and how he was doing it, I actually left the hacked files in place for requests coming from his IP address. Just to give me a few minutes of peace.

But yes, normally, it would be best to restore the site to a backup and change your passwords. If you don't know how the hacker got in though, he/she might just hack you again once your old and still vulnerable backup is back in place.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj


Posted: Fri Nov 26, 2010 10:35 pm
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
I think they are still trying and possibly compromised my admin username and password. They were pretty simple and I've changed them to something a lot more complicated. My hit counter is more than double the norm for yesterday and today. I'm going to study my log files next.


Posted: Fri Nov 26, 2010 10:45 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
bikercove wrote:
I think they are still trying and possibly compromised my admin username and password. They were pretty simple and I've changed them to something a lot more complicated. ...

Did you check your PC for Trojans etc. before changing the passwords? Use every program that you can to check it.

Did you delete ALL THE FILES on the server?

Did you use the files from a fresh copy of the latest Joomla installation zip to write to the Server?

Are your Permissions correct? 755 folders and 644 files (configuration.php file may be 444)

Did you install the newest versions of the 3rd party Extensions and check for them in the VEL?

If you can not answer YES to ALL those questions in that order then perform those steps in that order. If you still have problems then do it again but delete the database as well as the files and reinstall completely.

_________________
http://weblinksonline.co.uk/joomla-faq.html
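
As an added example (not part of the post above, and not Joomla project code), the permission targets from that checklist, 755 for folders, 644 for files and 444 allowed for configuration.php, can be audited with a short script. The directory names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

DIR_MODES = {0o755}
FILE_MODES = {0o644}
CONFIG_MODES = {0o444, 0o644}   # configuration.php may be read-only


def audit_permissions(root):
    """Return sorted (relative path, octal mode, problem) tuples for every
    directory or file under root whose mode differs from 755/644."""
    findings = []
    config_path = os.path.join(root, "configuration.php")
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, name), False) for name in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing; review its target
            mode = stat.S_IMODE(st.st_mode)
            if is_dir:
                allowed = DIR_MODES
            elif path == config_path:
                allowed = CONFIG_MODES
            else:
                allowed = FILE_MODES
            if mode in allowed:
                continue
            problem = "world-writable" if mode & stat.S_IWOTH else "non-standard"
            findings.append((os.path.relpath(path, root), oct(mode), problem))
    return sorted(findings)


def demo():
    """Build a small constructed site tree and audit it."""
    layout = {  # relative path -> mode; a trailing "/" marks a directory
        "administrator/": 0o755,
        "administrator/index.php": 0o755,   # executable bit set
        "images/": 0o777,                   # writable by everyone
        "images/banner.png": 0o644,
        "configuration.php": 0o444,
        "index.php": 0o644,
    }
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for rel, mode in layout.items():
            path = os.path.join(root, rel.rstrip("/"))
            if rel.endswith("/"):
                os.mkdir(path)
            else:
                with open(path, "w") as fh:
                    fh.write("<?php // constructed sample file\n")
            os.chmod(path, mode)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, problem in demo():
        print(f"{mode}  {problem:15}  {rel}")
```

Run `audit_permissions()` against the web root after the clean reinstall; anything reported as world-writable deserves attention first.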


Posted: Fri Nov 26, 2010 11:33 pm
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Got him. 188.72.250.163 Frankfurt, Germany. ISP is http://www.netdirekt.de Hacker goes by <deleted>

Came in through the jeajaxeventcalendar module.

I let the ISP know. Wonder if they’ll do anything.

Hundreds of these:
Code:
 188.72.250.163 - - [26/Nov/2010:07:07:49 -0500] "GET /index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-999.9%20UNION%20ALL%20SELECT%20(SELECT%20concat(0x7e,0x27,jos_users.usertype,0x27,0x7e)%20FROM%20`lakepan_drupal`.jos_users%20LIMIT%2098,1)%20,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 64142 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"


Last edited by mandville on Fri Nov 26, 2010 11:56 pm, edited 1 time in total.
removed hacker kudos. Please do not place hacker or script kiddie names. They have been removed from your posts on a previous occasion.
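
Added example, not part of the posts above: torkil's tip (use the changed file's timestamp to narrow the log search) applied to the kind of access-log entry quoted in this post. The sample log lines, IP addresses, `CHANGED_AT` and all function names are constructed for illustration; the indicators are the ones visible in the quoted request (UNION SELECT, hex `concat`, a trailing `--`, the Havij user agent).

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, as in the entry quoted above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Indicators seen in the quoted request, matched on URL-decoded values.
VALUE_SIGNALS = {
    "union-select": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "hex-concat": re.compile(r"concat\s*\(\s*0x", re.I),
    "comment-tail": re.compile(r"--\s*$"),
}
SCANNER_UA = re.compile(r"havij", re.I)

def parse_line(line):
    """Parse one log line into a dict, or None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query,
                              keep_blank_values=True)
    return rec

def sqli_signals(rec):
    """Names of the injection indicators present in one parsed request."""
    found = {name for name, rx in VALUE_SIGNALS.items()
             for _key, value in rec["params"] if rx.search(value)}
    if SCANNER_UA.search(rec["ua"]):
        found.add("scanner-ua")
    return found

def triage(lines, changed_at, window=timedelta(hours=2)):
    """Group suspicious requests logged within `window` of `changed_at`
    by client IP: hit count, targeted components, indicators seen."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or abs(rec["when"] - changed_at) > window:
            continue
        signals = sqli_signals(rec)
        if not signals:
            continue
        entry = report.setdefault(
            rec["ip"], {"hits": 0, "components": set(), "signals": set()})
        entry["hits"] += 1
        entry["components"].add(dict(rec["params"]).get("option", "(none)"))
        entry["signals"] |= signals
    return report

def log_line(ip, ts, query, ua="Mozilla/5.0 (X11; Linux x86_64)"):
    """Format one constructed combined-format log line."""
    return (f'{ip} - - [{ts} -0500] "GET /index.php?{query} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample data: documentation-range IPs, simplified payloads.
# On a real server, take changed_at from the defaced file's mtime, e.g.
# datetime.fromtimestamp(os.path.getmtime("index.php"), tz=timezone.utc).
CHANGED_AT = datetime(2010, 11, 26, 7, 30, tzinfo=timezone(timedelta(hours=-5)))
INJ = ("option=com_jeajaxeventcalendar&view=alleventlist_more"
       "&event_id=-999.9%20UNION%20ALL%20SELECT%20")
HAVIJ = "Mozilla/4.0 (compatible; MSIE 7.0) Havij"
SAMPLE_LOG = [
    log_line("198.51.100.7", "26/Nov/2010:07:05:11",
             "option=com_content&view=article&id=5"),
    log_line("203.0.113.9", "26/Nov/2010:07:07:49",
             INJ + "concat(0x7e,0x27),0x31--", HAVIJ),
    log_line("203.0.113.9", "26/Nov/2010:07:07:52", INJ + "0x31,0x31--", HAVIJ),
    log_line("198.51.100.7", "26/Nov/2010:07:09:30",
             "option=com_search&searchword=credit+union"),
    # Same client, six days earlier: excluded by the default two-hour window.
    log_line("203.0.113.9", "20/Nov/2010:03:00:00", INJ + "0x31--", HAVIJ),
]
```

A file's modification time can be reset by whoever wrote it, so treat the window as a starting point and widen it if nothing turns up.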


Posted: Sat Nov 27, 2010 12:00 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11634
Location: The Girly Side of Joomla in Sussex
JE Ajax event calendar was reported SQL vulnerable from June this year.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Sat Nov 27, 2010 12:15 am
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Thanks Mandville. I've been using Joomla about 8 months now and have been learning every step of the way. Nothing gets you studying like a hacker I have to say. Didn't know I shouldn't post the code. Guess it makes sense though.

Thanks to everyone that responded and guided me. I think the problem is fixed and I'll let you know if the ISP responds with any action taken. Of course they would just pop back with another ISP but I'd like to be a pain in the A$$ back.

Respect to all of you. You know your stuff.

Thanks

[removed signature]


Last edited by sone12 on Thu Dec 02, 2010 7:24 pm, edited 2 times in total.
Signature must be setup in your Profile (user Control Panel) , and not manually added to your messages.


Posted: Sat Nov 27, 2010 7:39 pm
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
You shouldn't use the default DB prefix jos_ either, among other things. Check the security checklist too, I sent you a link on a private message.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj


Posted: Sat Nov 27, 2010 8:14 pm
Joomla! Apprentice

Joined: Fri Nov 26, 2010 3:37 am
Posts: 9
Yes, I'll be studying that more in depth. Figures this would go on during a holiday. Also have to go out and cover an event for the website. If I change the jos_ prefix, will that mess everything up on the site? Users, stories, etc. I believe I saw something on changing it. Maybe on your page.....Thanks again for all your help. Tim


Posted: Sun Nov 28, 2010 7:53 am
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
The security checklist I sent you a link to has a link in it to a page that explains in depth how to change your DB prefix. No, it will not mess up your site, unless some component has the jos_ prefix hardcoded somewhere.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj


Posted: Wed Dec 01, 2010 1:05 pm
Joomla! Apprentice

Joined: Wed Dec 01, 2010 11:34 am
Posts: 8
Heee Torkil,

No disrespect, but wouldn't it be great if you also send the security checklist 2 the ppl who are now busy with Joomla 1.6. That way they KNOW what 2 set as default. This is not an attack 2 you or anyone working on Joomla, but if we keep working in the fashion that a site is being hacked and the person who got hacked gets a "PRIVATE MESSAGE" it's still gonna be a walk in the park for hackers. Hackers know what 2 google 2 find joomla sites so basically we are just sitting ducks

And please don't block my account cause I'm making a point, because the thing that should be making us angry, is that we keep walking around in circles with this joomla security thing and want 2 be so secretive about it. Open source I think means open minded
Don't do things in the background because every Joomla user should have your security checklist. It's no problem if all the things on your checklist can't be implemented at once, but those who can should be. I love joomla because it's the first software which allowed me 2 make my own website.


Posted: Thu Dec 02, 2010 2:03 pm
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
I would post the link to the security checklist if I could, but the forum rules prevent me from doing so, since it's considered self-promotion if I post a link to my own blog, and therefore against the forum rules.

… even though I run a non-profit blog and am just trying to help.

I have a link to my blog in my signature, that's all I can do for you, sorry.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj


Posted: Thu Dec 02, 2010 3:31 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
@ torkil

I have looked at your site and the security info, most of it appears to focus on hiding the fact a site is Joomla. Personal opinion is that doing such is just cosmetic and no real security value. There are so many ways to identify a Joomla site that spending time trying to do so will take time away from other (more effective measures). For example ?tp =1, ?template=xxx and administrator appended to the end shows a site to be Joomla. Also index.php?option=com_user&view=login will as well.

You have updating near the bottom of the list and I see no mention of security of local machines that have direct access to the Server or Joomla admin. Those two are (IMHO) the most important of all.

You mention about changing the Admin ID
Quote:
# Change 3 in both queries with the userid you want
# Change jos_ with your own db prefix
# Change yourusername with your new username
UPDATE jos_users SET id=3, username='yourusername' WHERE id=62;
UPDATE jos_core_acl_aro SET value=3 WHERE value=62;

But are there not 3 Tables (not two) that need to be altered ?

I stress this is a personal opinion and not a Judgement.

_________________
http://weblinksonline.co.uk/joomla-faq.html


Posted: Thu Dec 02, 2010 11:07 pm
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
Hi, and thanks for your feedback :) I wish you would do it on the blog's comments, since there are a lot of similar good comments there, but okay, this works too.

About fingerprinting: Sure, if a potential attacker is at a site wanting to find out if it's Joomla or not, it's probably not possible to prevent that. The points outlined though, are the ones that keep you under the script kiddies' radar, those who prevent your site from appearing in simple Google searches for instance.

Among the 58 points mentioned, I can at first glance see the following ones touching on the matter of fingerprinting:
#5: Don't install sample content. This is a bad idea to begin with, as it has no place on a live site anyways.
#6: Remove the generator tag.
#7: Replace default Joomla meta information with your own data. The default metadata has no place on a live site either.
#14: Use SEF (user friendly) urls. Which is a good idea anyways.
#17: Make fingerprinting your site harder. The title here should really be "make fingerprinting your server harder", so I don't know if it should really count.
#41: Developers: Don't show off the names and version number in your extension.

So I can find 6(?) out of 58 points being partially about preventing easy Google-fingerprinting, so I'd object to the list being "mostly" about this topic.

These measures are not about sticking your head into the sand and hoping for the best. It is mostly about dodging your average script kiddie who's just searching around, or having spiders search around, for easy targets in the form of fingerprinting sites which have known security holes.

Consider the official security checklist and you'll see that they also recommend you consider removing "welcome to the front page" to reduce search engine attacks.

If you ask me, this list would be 5 or 6 points shorter if Joomla just had a decent automatic upgrading system, like Wordpress :(

Concerning the queries for changing the user id; I think that part is correct. Which table is missing? If you want to be really hardcore about it, you could update any matching userid in the sessions table too of course. Then again, if you have actually used your admin user to create content and stuff like that, you would break any links to the created_by column in the articles table of course. The same goes for any component which uses userid as a foreign key of course.

Btw, the part you mention about ?tp= ?template= etc, is all covered in the improved .htaccess-file (by @nikosdion) that I link to in #13: Enhance the .htaccess-file.

And one more thing: Do you have anything you'd like me to add to the list? I'd like it to be as good a resource as possible for all that needs it, and I am far from all-knowing, so any input is appreciated.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj


Posted: Thu Dec 02, 2010 11:43 pm
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
torkil wrote:
Hi, and thanks for your feedback :) I wish you would do it on the blog's comments, since there are a lot of similar good comments there, ......

The reason I made the comments here is because reference was made to it here
torkil wrote:
.. but the forum rules prevent me from doing so, since it's considered self-promotion if I post a link to my own blog, ....

I have a link to my blog in my signature, that's all I can do for you, sorry.


"most of it appears to focus on hiding the fact a site is Joomla." will rephrase 'Too much priority and too high in the list. Above more important factors'.

There is a list on these forums viewtopic.php?p=1988191#p1988191 in which mandville has obviously spent a lot of time. It is a concise list with comprehensive information and links to further information.

The list in your blog (although accurate in its points) is just a list and appears (to me) to focus on preventions in the wrong and in a disorientated order. My comments are not an attack on your blog. Rather it is an attempt to point out that (although informative) it is perhaps confusing to newer users of Joomla.

The viewtopic.php?p=1988191#p1988191 post by mandville is (IMHO) more relevant and approaches the matter in a way that better suits newer Joomla users. And after all it is the newer Joomla users that have the most problems with security, is it not?

_________________
http://weblinksonline.co.uk/joomla-faq.html


Posted: Fri Dec 03, 2010 12:43 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11634
Location: The Girly Side of Joomla in Sussex
Mod comment: - please try and keep this topic in order and helpful to the original poster without comparing sizes. thank you

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Fri Dec 03, 2010 1:16 am
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
mandville wrote:
Mod comment: - please try and keep this topic in order and helpful to the original poster without comparing sizes. thank you

To whom is that directed? I hope not me because -- by pointing out what I did was not "comparing sizes" but was helpful to the OP by guiding him from confusing and badly arranged info to something that is useful.

_________________
http://weblinksonline.co.uk/joomla-faq.html


Posted: Fri Dec 03, 2010 8:10 am
Joomla! Guru

Joined: Wed Aug 24, 2005 9:34 am
Posts: 726
Location: Rørvik, Norway
Mandville's post is probably one of the sources I used for the blog post in the first place, among many others. Her post concerns what to do *after* your site has been hacked, while my blog post touches on security issues other than that too. Her post is probably of greater value to the creator of this thread in that regard.

The only reason preventing fingerprinting is high on the list in the blog post, is because it is something you should consider when installing and setting up your site, and that is the first part of the list. It does not in any way mean that it's the most important part of the list. I never intended it to be a complete newbies guide either, so I see the point that it may appear confusing to newbies.

I should mention that the blog post received an overhaul in the past two days, actually following the discussion in this thread on what to do after being hacked, so it may have changed since you last saw it.

You call it "confusing and badly arranged", and I'd really like some feedback on how I can improve that. It won't be very on topic in this thread, so if you would send me your opinion by PM or post it in the blog comments, I'd be very grateful.

_________________
Torkil Johnsen
http://torkiljohnsen.com
http://twitter.com/torkilj

