[solved] Finding the entry point of the hack

Discussion regarding Joomla! 1.5 security issues.

Webdongle
Joomla! Master
Posts: 44070
Joined: Sat Apr 05, 2008 9:58 pm

Re: Finding the entry point of the hack

Post by Webdongle » Fri Aug 05, 2011 2:23 pm

PhilD wrote: c99, c57, c100, and other variants are all server root kit shells.

They enable the hacker in most cases to browse the entire server without any passwords required as if it were a hard drive on his computer. ...
Yes, but methinks the OP is trying to establish how the files were placed on the server, rather than the fact that they allow server access like legitimate files do.

PhilD wrote: ...
Log files are mostly useless if the person knows how to use the shell as the times and entries can be altered....
Yes, but many hackers just know how to use scripts to insert the files and then use the corresponding software on their PC to connect to the file(s). So it is perhaps worth a look at the logs?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Fri Aug 05, 2011 3:06 pm

About the logs: we had a few attempts to reach the folder with the hack script. A few entries from Google bots and other IPs that we are checking.

But this script does not seem to be the one they used.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Finding the entry point of the hack

Post by PhilD » Sun Aug 07, 2011 12:46 am

The OP still has not, after repeated requests, provided any information on the server environment or the Joomla environment via the JTS-Post Tool. As Webdongle has said, the tool will work on a Joomla site that is offline. PHP does have to be active on the server though.

Entry can be any one of these:
SQLi - SQL injection
LFI - Local File Inclusion
RFI - Remote File Inclusion
DT - Directory Traversal (incl. 777 folders)
ID - Information Disclosure: account information or sensitive information publicly viewable, or passed to a 3rd party without knowledge

Full information is available for most of the above methods on Wikipedia.

Any one of the above can provide an entry point, and any one of the above can be found in outdated, insecure, poorly written website software. This includes but is not limited to Joomla and Joomla extensions and templates. Web software such as OsCommerce, WordPress, other CMS systems, forums, etc. all have vulnerabilities that can allow a hacker to gain access to a site, domain, and/or server. Once a c99, c57 or one of their variant scripts is placed on a domain, then you have complete server access (in many cases) at the fingertips of the hacker. There are also non-free scripts that are extremely good at getting into sites unnoticed, though they still require at least one of the above ways of entry.

One can also watch videos on YouTube of c99 etc. in action.

I suggest that whoever the host company is (stated as rodajr) hire a competent server administrator that is versed in proper server security to clean up the mess, secure their servers and to help prevent the issue again. If that is not affordable, then changing to a fully managed server where hopefully proper secure server management can be had is the best option.

The client should also find a new webmaster that knows the basics of site management and site security if the client's website is still offline at this point in time.
PhilD

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Mon Aug 08, 2011 2:40 pm

Hello guys,

Yesterday our server was down again. Spams going out still happen. Our client IP is
PhilD wrote: I suggest that whoever the host company is (stated as rodajr) hire a competent server administrator that is versed in proper server security to clean up the mess, secure their servers and to help prevent the issue again. If that is not affordable then changing to a fully managed server where hopefully proper secure server management can be had is the best option.

The client should also find a new webmaster that knows the basics of site management and site security if the clients website is still offline at this point in time.
Yes. Well, our server administrator is facing this kind of problem for the first time; actually, we are all facing it for the first time.
One big problem was that the webmaster wasn't accepting the hack point in the website, so we lost a lot of time understanding the thread; we should have worked together since the beginning, but...
We are working "alone" on this, anyway.

Ah, and if it is best to close this thread, I'll do so. But this is the conversation and discussion that I would like, and I look forward to learning and helping others.
All you guys are helping me.

Wish I could tell you the real names/info and make this not so evasive.
But for sure, when we reach a conclusion, I'll post it with details: what we found, what we did... (I'll do my best).

I will update this soon; it is going to be a long Monday.

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Mon Aug 08, 2011 5:04 pm

Guys, I just found this in the error_log file in the website root folder:
[08-Ago-2011 11:29:53] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:04] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:05] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:13] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:34:00] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:38:52] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:39:06] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:39:39] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:39:53] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:40:04] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:44:49] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:45:03] PHP Fatal error: Class 'HsConfigController../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
What do you guys say about this?

I found 2-3 more hack files in the root folder. Different code from the one from last week.
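As an added example (not code from the thread, from Joomla or from Highslide), a small Python triage script that parses PHP error_log lines in the format quoted above, keeps only those carrying traversal or /proc/self/environ indicators, and reports per script the hit count and the first/last timestamp, which is the time window to look for in the web server access logs. The sample lines are constructed in that format, with the paths masked as in the post and the Portuguese "Ago" month abbreviation handled as in the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the error_log quoted above (paths masked the
# same way the post masks them); the last line is a benign notice for contrast.
SAMPLE_LOG = """\
[08-Ago-2011 11:29:53] PHP Fatal error: Class 'HsConfigController../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:30:04] PHP Fatal error: Class 'HsConfigController../../../..//proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 11:45:03] PHP Fatal error: Class 'HsConfigController../../../../proc/self/environ' not found in /home/*******/public_html/components/com_hsconfig/hsconfig.php on line 20
[08-Ago-2011 12:01:10] PHP Notice: Undefined index: foo in /home/*******/public_html/index.php on line 5
"""

# error_log month names follow the server locale; the thread's server wrote Portuguese "Ago".
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
MONTHS.update({"Fev": 2, "Abr": 4, "Mai": 5, "Ago": 8, "Set": 9, "Out": 10, "Dez": 12})

LINE_RE = re.compile(
    r"^\[(?P<d>\d{2})-(?P<mon>\w{3})-(?P<y>\d{4}) (?P<t>\d{2}:\d{2}:\d{2})\] "
    r"PHP (?P<level>.+?): (?P<msg>.+) in (?P<file>\S+) on line (?P<line>\d+)$")

# Substrings that mark a logged request as a traversal / local file inclusion attempt.
INDICATORS = ("../", "..%2f", "..%2F", "/proc/self/environ")

def parse_line(line):
    """Return (timestamp, message, script path) for one error_log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["mon"] not in MONTHS:
        return None
    hh, mm, ss = (int(x) for x in m["t"].split(":"))
    ts = datetime(int(m["y"]), MONTHS[m["mon"]], int(m["d"]), hh, mm, ss)
    return ts, m["msg"], m["file"]

def triage(log_text):
    """Group indicator hits by the script that logged them: count, time window, indicators."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "indicators": set()})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg, path = parsed
        found = {i for i in INDICATORS if i in msg}
        if not found:
            continue
        h = hits[path]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["indicators"] |= found
    return dict(hits)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```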

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Finding the entry point of the hack

Post by mandville » Mon Aug 08, 2011 5:14 pm

Highslide JS Local File Inclusion Vulnerability, April 06 2010
Any more surprises?
Also, there is htaccess code to cut down on proc/environ vulnerabilities.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Mon Aug 08, 2011 5:19 pm

hmmmm

Thanks mandville.

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Mon Aug 08, 2011 5:45 pm

Ok, technically, we had our 2nd attack.

Different code; I'm already reading it, but the code is using or pointing to an IRC chat. There is a channel name, port, etc...
I found that entry in the log (post before) and in the server log.
So, the first attack opened a door. Someone found the vulnerability and the open door and attacked.
Not the same code, probably the same person(s) exploiting it.

And so?!
Last weekend we did our best to solve a few vulnerability issues on our server; we asked the webmaster for a "clean" website and he did it. Same Joomla but clean. hehehe
Now my boss will do another "approach".
Can I really say this is some kind of proof? One of the entry points was found?
If we take it off (the component), will that prevent another attack?

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Finding the entry point of the hack

Post by mandville » Mon Aug 08, 2011 6:09 pm

Ok. Been to the park and played on the roundabouts.

1. Delete the entire account, boot your client off for causing you so much hassle and putting the entire server and other customers at risk.
2. Delete the entire account, recreate it with a brand new set up of Joomla that you unzipped into the host space - no back ups, no old extensions.
3. Get your client to prove to you that all the extensions are the latest versions (you do have a "compromise" and "up to date" clause in your hosting T&C, don't you????).
4. I prefer point 1.

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Mon Aug 08, 2011 6:39 pm

Totally number 1.
:D

rodajr
Joomla! Apprentice
Posts: 24
Joined: Fri May 27, 2011 8:26 pm

Re: Finding the entry point of the hack

Post by rodajr » Wed Aug 10, 2011 5:47 pm

First, thank you for all the replies and this whole thread. I learned something new.

I can't say "Ok, we solved the problem", it's too soon. But I will close this thread.

We followed the checklists, tips and suggestions posted in this thread by moderators and experienced users.
Our server had its security measures re-checked and new ones set, e.g. brute force protection.
We made an htaccess file with parameters to prevent future "tries" of PHP injection.
The website was deleted and a clean version uploaded, though not an updated one, because that is the webmaster's responsibility.
The Joomla version is old, as are the components on it. This was the door for the attack: file injection.
So, it wasn't a new thing. Same old thing, like we say here.

Again, thanks guys.
