The Joomla! Forum ™



Posted: Fri Jan 07, 2011 7:45 pm
Joomla! Enthusiast

Joined: Mon Feb 25, 2008 3:17 pm
Posts: 115
My site was hacked today. Black page, skeleton, terrible music, promise of girls, the usual WTF!! moment. This is what greeted me when I loaded my browser.

Looking at the visit logs I noticed that for the past few days an unusual number of visits came from mod removed.
They would visit the same article over and over again and they were referred to my page from a google.tr search string that reads:
http://www.google.com.tr/search?q=inurl:%22/index.php%3Foption%3Dcom_content%22%20%22Choose%20a%20File%20to%20Upload%22&hl=tr&rlz=1T4GGLL_trTR394TR394&prmd=iv&ei=TZYlTb7ICIWn8QO_r5CJAw&start=70&sa=N

Well the article in question on my site is a page that allows users to upload a photo of themselves. I used the extension Easy File Uploader for this page. It can be found here: http://extensions.joomla.org/extensions/core-enhancements/file-management/11909.
This is the page the hackers from mod removed were repeatedly visiting 3 and 4 times per day.

At first I thought that they had trouble uploading their photos but after testing it and seeing that Easy File Uploader worked I had a sinking feeling that maybe they were up to no good.

But I get that feeling anytime I see a visit or new user registration from mod removed and/or mod removed. Why do hackers from these places have to fulfill loathsome stereotypes? mod removed Do they have to own evil hackers too?
Apologies to any genuine people from mod removed. I know there are bad apples everywhere.

Anyway I have pretty much banned IP addresses from mod removed but I wonder, did they hack my site through the "Choose file to Upload" interface? Is Easy File Uploader a backdoor for hackers now?

Watching my site like a hawk and waiting for some clues from 'youse.'
RustyDusty.


Last edited by mandville on Fri Jan 07, 2011 8:33 pm, edited 1 time in total.
removed assumed countries, removed accusations of "illegal" trade


Posted: Fri Jan 07, 2011 8:37 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
I think that installing a module that allows unlimited, non-registered access to your images folder, without using captcha, is just asking for trouble. I just tried the extension and think the dev should have put a server hack warning on it.
Like other extensions, in the wrong hands it's dangerous.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Sat Jan 08, 2011 12:16 am
Joomla! Enthusiast

Joined: Mon Feb 25, 2008 3:17 pm
Posts: 115
You're right. Didn't know that an images folder left a site that vulnerable. But now it makes perfect sense.

Anyway to finish the story...when I attempted to restore my site I ran into error messages...
Quote:
Allowed memory size of 52428800 bytes exhausted...


My host support modified the php.ini and I tried it a few times myself but we both ended up with the same error message. Multiple restores later, using backups from three months ago, my site is now accessible. During this roller coaster ride the back end was fine but no front end. Hindsight. :-[

I have now installed an IP ban extension and will go on to explore other security options while trying not to feel stupid.

Also, should I inform Easy File Uploader support about my experience or will Joomla do that?

P.S. My original post has been modified. I'm sorry for the mention of certain things. Today in this forum I just read about some quirky activities coming to a site from another NAMELESS COUNTRY. With the addition of having watched so many movies and video magazines reporting on the topic I assumed it was common knowledge.


Posted: Sat Jan 08, 2011 1:48 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
You can inform the dev if you wish but they may just shrug their shoulders at you.

We do try and remove country references and hacker kudos.

Posted: Sun Jan 09, 2011 6:58 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
I would inform the developer anyway.

I would also look to place an htaccess file in the images directory with either of the following preventing execution of php and other files.

Code:
# Register these extensions with the cgi-script handler...
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
# ...then switch CGI execution off for this directory
Options -ExecCGI

The -ExecCGI specifies that no files that are registered to be handled by the cgi-script handler are allowed. The AddHandler directive line registers all those file extensions as cgi-scripts, thus making any attempts to access them result in a 403 Forbidden - Access is Denied message.

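or you can use something like:
Code:
# Deny every file in this directory by default
Order deny,allow
Deny from all
# Re-allow only files whose names end in an image extension
<FilesMatch "\.(jpeg|jpg|png|gif)$">
   Order allow,deny
   Allow from all
</FilesMatch>


Which prevents any files other than .jpeg, .jpg, .png, or .gif from being served from the directory.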

Neither of these will prevent someone from uploading bad files to the images directory but should prevent them from being used.

Almost forgot. Many hacking issues come from the USA. They just go through many offshore servers before they attack your site. It's big money.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Last edited by PhilD on Sun Jan 09, 2011 7:00 pm, edited 1 time in total.
forgot a comment
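
As the post above notes, neither .htaccess rule stops bad files from landing in the images directory. This added example (not part of the original thread, and not the Easy File Uploader fix) audits an upload directory for files that are not what their extension claims. The allowlist, the `SCRIPT_EXTS` set, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for the image types an avatar upload page should accept
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Inner extensions a misconfigured handler might act on (e.g. photo.php.jpg)
SCRIPT_EXTS = {"php", "phtml", "pl", "py", "cgi", "sh", "asp", "jsp"}
PHP_TAG = re.compile(rb"<\?php", re.I)  # heuristic: PHP open tag in the bytes

def audit_file(path):
    """Return the reasons an uploaded file looks unsafe (empty list = clean)."""
    parts = Path(path).name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    data = Path(path).read_bytes()
    reasons = []
    if ext not in IMAGE_MAGIC:
        reasons.append("extension not on image allowlist")
    elif not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("content does not match extension")
    if SCRIPT_EXTS.intersection(parts[1:-1]):
        reasons.append("executable inner extension")
    if PHP_TAG.search(data):
        reasons.append("embedded PHP tag")
    return reasons

def audit_dir(root):
    """Map relative path -> reasons for every flagged file under root."""
    results = {p.relative_to(root).as_posix(): audit_file(p)
               for p in sorted(Path(root).rglob("*")) if p.is_file()}
    return {name: why for name, why in results.items() if why}

SAMPLES = {  # constructed sample uploads: inert bytes, not real captures
    "portrait.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.gif": b"GIF89a<?php /* inert placeholder */ ?>",
    "photo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"hello",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLES.items():
            Path(root, name).write_bytes(data)
        return audit_dir(root)

if __name__ == "__main__":
    print(demo())
```

A file that passes the magic-byte check can still carry a script after a valid header, which is why the PHP tag scan runs on every file regardless of extension.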


Posted: Sun Jan 09, 2011 7:50 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1964
Location: WV
I can confirm this extension is vulnerable to abuse - and can show anyone interested how to do it.

_________________
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι


Posted: Mon Jan 10, 2011 2:27 am
Joomla! Champion

Joined: Thu Aug 18, 2005 2:09 am
Posts: 5154
Location: California
.
Jeff,

I would definitely like to see how this extension can be compromised.

And even more interesting would be how to modify it to fix the vulnerability.
What to do vs. what not to do, and why.

Thanks.
.

_________________
██ AllMedia4Joomla Project
██ http://sourceforge.net/projects/allmedia4joomla/
██ AllMedia YouTube Feed Gallery module released
██ Download: http://sourceforge.net/projects/allmedia4joomla/files/


Posted: Mon Jan 10, 2011 3:00 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
I managed it by uploading a shell gif to a test site.
I am sure that jeffchannell can pass the info to the developer in private.

Posted: Mon Jan 10, 2011 3:34 am
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1964
Location: WV
@kenmcd email me. :)

Posted: Mon Jan 10, 2011 4:30 am
Joomla! Champion

Joined: Thu Aug 18, 2005 2:09 am
Posts: 5154
Location: California
jeffchannell wrote:
@kenmcd email me. :)


Sent to your "me" email address.

Thanks!

.

Posted: Mon Jan 10, 2011 1:20 pm
Joomla! Fledgling

Joined: Fri Mar 05, 2010 6:32 pm
Posts: 3
Hi Everyone,

I didn't realize there was a vulnerability with my module. I sent an email to Jeff to get the details. I'll be working on it from today to get it fixed and updated.

@rustyDusty, I feel really bad that a vulnerability in my module caused so much trouble for you. Sorry about that. At the same time, I appreciate you bringing it to my attention.


Posted: Mon Jan 10, 2011 1:23 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
michaelgilkes wrote:
.


Thanks for the forum response.

Posted: Tue Jan 11, 2011 5:15 am
Joomla! Enthusiast

Joined: Mon Feb 25, 2008 3:17 pm
Posts: 115
michaelgilkes wrote:
@rustyDusty, I feel really bad that a vulnerability in my module caused so much trouble for you. Sorry about that. At the same time, I appreciate you bringing it to my attention.



More power to your secure EFU release.
:)


Posted: Tue Jan 11, 2011 3:34 pm
Joomla! Fledgling

Joined: Fri Mar 05, 2010 6:32 pm
Posts: 3
Hi Everyone,

I just updated the Easy File Uploader module with Jeff's help. It is now at version 0.6. Please feel free to test it out. All the issues should be resolved now. Go to: http://michaelgilkes.info/joomla-plugin ... -uploader/

@mandville, I hope I can get the module republished soon. I resubmitted it at JED.

Thanks again for everyone's help and contributions.

Michael


Posted: Tue Jan 11, 2011 5:10 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Thanks for the update.
For reference, here are the procedures for being JED republished.
VEL adjustment usually depends on a link to a blog post etc.

Quote:
To have your extension republished, please follow these steps:
1- Solve the issues.
2- Attach the new zip file at your actual JED listing.
3- Change the extension version at JED listing.
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.
5- Respond to this email with a notice and ask that your listing be republished.

For more information, see: http://docs.joomla.org/Vulnerable_Exten ... om_the_VEL

If you can provide the link to the resolution on your site, we will gladly mark it as resolved.

Republishing is done on a first-come, first-serve basis. The potential turn time is 14 days from your correction and notification to the team.




http://docs.joomla.org/Vulnerable_Exten ... om_the_VEL
Quote:
Developers - How to get yourself removed from the VEL

Resolved items will be removed after a suitable period and not on resolution

Please solve the issues and:

* If JED listed

Attach the new zip file at your actual JED listing.

Change the extension version at JED listing.

Contact the JED by mail back with a notice and ask them to republish your listing.

Posted: Wed Jan 12, 2011 1:33 am
Joomla! Fledgling

Joined: Fri Mar 05, 2010 6:32 pm
Posts: 3
Hi Everyone,

Thanks for the updated info mandville!

Here is a link to the resolution on my site: http://michaelgilkes.info/2011/01/11/mi ... lity-fixed

I also satisfied requirements 1 to 4 as you had them listed:

Quote:
1- Solve the issues.
2- Attach the new zip file at your actual JED listing.
3- Change the extension version at JED listing.
4- Make sure to include a notice in the JED description to the fact that the new release is a "Security Release" and those who use the extension should upgrade immediately.


I will send an email reply in a minute.

