The Joomla! Forum ™



Posted: Sat Jan 28, 2012 1:35 am
Joomla! Apprentice

Joined: Wed Apr 01, 2009 9:20 am
Posts: 34
I am running WAMP server on Windows 2003
(Apache 2.058, PHP 5.2.8 and MySQL 5.1.36)
We are hosting Joomla, Contado and other CMS systems, all using PHP/MySQL

On the 16th our server was hacked. We restored, and now on the 27th it was hacked again.
We have about 30 websites.
25 of them are Joomla sites from version 1.5.23-1.7
Customers are adding modules and plugins all the time and we have no control over this.

What I found out is the following:
All Joomla sites running 1.5.23 up to 1.7 have had all index.php and Default.php files modified, and PHP code has been added to the bottom of all of these files.
The code causes the browser not to read the <jdoc:include ...> statement.
Here are some examples:
[removed]

I have checked the Apache log files. No "POST" in the logs.
I have checked FTP and there is nothing coming from there.
MySQL is OK, not touched.

I therefore think they must be using a vulnerability in Joomla or in an extension.

So here are some questions:
1. Does anyone agree with this?
2. How can I narrow down what is causing the problem?
3. Can anyone use a vulnerability in Joomla or an extension and manage to write to PHP files?
4. Can I make a counter-script that deletes PHP code from all index.php and default.php files?

I am just a little stuck on where to start looking.

Any help would be much appreciated.

Thanks in advance

Brann


Last edited by alikon on Sat Jan 28, 2012 11:11 am, edited 1 time in total.
removed hacked link


Posted: Sat Jan 28, 2012 11:02 pm
Joomla! Explorer

Joined: Wed Jun 11, 2008 11:12 pm
Posts: 448
Location: Washington State
I've been hacked before too. >:( Quite annoying. No traces of the code since I migrated to Joomla 2.5. 8)

Be sure to be using the latest versions of the extensions on the sites. I did some searching around for site protection in the Joomla directory, and after getting some I have never been hacked since. Now this was last year when I used Joomla 1.5; now that I use Joomla 2.5 it seems more secure even without the additional security.

_________________
www.alpineascent.com | www.alpinejosh.com


Posted: Sun Feb 19, 2012 7:11 am
Joomla! Enthusiast

Joined: Fri Oct 14, 2011 8:15 am
Posts: 166
Even though I want to help you, I don't have much experience with this kind of issue....

I hope this online article may help you... I bet this is the perfect article on the internet I have found so far...
http://25yearsofprogramming.com/blog/20070705.htm

This online tool will help you identify which kinds of penetration attempts have been tried on your server by analyzing your raw access logs.
http://25yearsofprogramming.com/javascr ... tifier.htm

Once I had a "hacker's favorite" website, which was hacked over 15 times.. then I came across that article, did whatever was explained, and bingo, it was never hacked again.... hope this might help!

And yes, the experts say that Linux-based servers are more stable than Windows-based servers, for you are at the mercy of one company for all the bug fixes and security releases, which are often delayed... You may also ask for support from Microsoft at this point in time...

_________________
http://z9it.com....Bringing the best of www, in a gist...


Posted: Sun Feb 19, 2012 11:58 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12440
Location: The Girly Side of Joomla in Sussex
brann wrote:
1. Does anyone agree with this?
How did you sort the hack last time?
Quote:
2. How can I narrow down what is causing the problem?
See the checklist below.
Quote:
3. Can anyone use a vulnerability in Joomla or an extension and manage to write to PHP files?
Yes.
Quote:
4. Can I make a counter-script that deletes PHP code from all index.php and default.php files?
Yes, BUT you don't know what else they used/installed.

[ ] Run the Forum Post Assistant / FPA. Instructions are available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories.

[ ] Review Vulnerable Extensions List
Another issue: you said you have other CMSs etc. installed; were they altered?

[ ] Review and action Security Checklist checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
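
A read-only way to approach questions 2 and 4 and the "fresh copies" checklist item above: compare the live tree with a freshly unpacked copy of the same release and list PHP files that were extended, rewritten or added. This is an added example, not part of the original posts; the function names, directory layout and sample file contents are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

def _norm(path):
    # Ignore CRLF/LF and trailing-whitespace differences (e.g. ASCII-mode FTP uploads).
    return path.read_bytes().replace(b"\r\n", b"\n").rstrip()

def compare_trees(clean_root, live_root, suffixes=(".php",)):
    """Classify live files against a fresh copy of the same release."""
    clean_root, live_root = Path(clean_root), Path(live_root)
    report = {"appended": [], "modified": [], "unexpected": []}
    for live in sorted(live_root.rglob("*")):
        if not live.is_file() or live.suffix.lower() not in suffixes:
            continue
        rel = live.relative_to(live_root).as_posix()
        clean = clean_root / rel
        if not clean.is_file():
            report["unexpected"].append(rel)   # not shipped in the package
            continue
        good, seen = _norm(clean), _norm(live)
        if seen == good:
            continue
        # Original content intact with extra bytes after it: the pattern in this thread.
        report["appended" if seen.startswith(good) else "modified"].append(rel)
    return report

def demo():
    """Run the comparison on two small constructed trees (all content is made up)."""
    files = {"index.php": b"<?php echo 'site';\n",
             "templates/t/index.php": b'<jdoc:include type="component" />\n',
             "includes/defines.php": b"<?php define('X', 1);\n"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        (live / "index.php").write_bytes(b"<?php echo 'site';\r\n")      # CRLF only
        with open(live / "templates/t/index.php", "ab") as fh:           # tail added
            fh.write(b"<?php /* PLACEHOLDER */ ?>\r\n")
        (live / "includes/defines.php").write_bytes(b"<?php define('X', 2);\n")
        (live / "images").mkdir()
        (live / "images/x.php").write_bytes(b"<?php /* PLACEHOLDER */ ?>")  # extra file
        return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files listed under `unexpected` include legitimately installed extensions, so the clean tree should hold the Joomla package plus fresh copies of the extensions and templates in use.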


Posted: Sun Feb 19, 2012 1:12 pm
Joomla! Apprentice

Joined: Wed Apr 01, 2009 9:20 am
Posts: 34
Hi
Thanks for all the replies
I think I have resolved it
As restoring only the PHP files resolved it until the next time, I was sure it had nothing to do with the MySQL database itself

I then thought it had to be folder permissions or a PHP setting
I used default folder permissions as on Windows

I then started to look into PHP Setting

I found phpsecinfo http://phpsec.org/projects/phpsecinfo/index.html
I downloaded and put folder on webserver

I got 2 or 3 red fields stating critical

The first one was
allow_url_fopen=on
I changed this to =off

Restarted wamp server

Ever since, I have not had this problem
I think it's resolved

As additional security I have invested in RSFirewall!
http://www.rsjoomla.com/joomla-extensio ... urity.html
With this I can lock Joomla down 100% and open it for editing again with 1 click
I am now running this on half of the websites and monitoring

The firewall is just an extra thing. The fix was the php.ini setting mentioned above

Thanks to all who have contributed

Regards
Brann
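
The php.ini change described in the post above can be verified by parsing the file rather than reading it by eye, since a commented-out line or a later duplicate assignment leaves the directive on. This is an added example, not part of the original post; the function names and sample fragments are constructed, and checking allow_url_include as well is an assumption made here.

```python
import re

# Assumption: allow_url_include is checked alongside the directive named in the
# post, since both decide whether PHP will treat a URL as a file.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}  # PHP built-in defaults
ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")

def ini_bool(raw):
    """Interpret a value the way PHP reads a boolean directive."""
    value = raw.split(";", 1)[0].strip().strip("\"'").lower()
    if value in ("on", "yes", "true"):
        return True
    digits = re.match(r"[+-]?\d+", value)
    return bool(digits) and int(digits.group()) != 0   # off/no/false/none/empty -> False

def audit_php_ini(text):
    """Return {directive: (enabled, line_no)}; line_no is None when the default applies."""
    state = {name: (on, None) for name, on in DEFAULTS.items()}
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith((";", "[")):
            continue                       # comment or section header
        m = ASSIGN.match(line)
        if m and m.group(1) in DEFAULTS:   # directive names are case sensitive
            state[m.group(1)] = (ini_bool(m.group(2)), no)   # last assignment wins
    return state

def enabled(text):
    """Names of the watched directives that end up switched on."""
    return sorted(k for k, (on, _) in audit_php_ini(text).items() if on)

# Constructed php.ini fragments, not taken from the server in the thread.
COMMENTED_ONLY = "[PHP]\n;allow_url_fopen = Off\n"
OVERRIDDEN = "allow_url_fopen = Off\nallow_url_include = 0\nallow_url_fopen = On ; added later\n"
HARDENED = "allow_url_fopen = Off\nallow_url_include = Off\n"

if __name__ == "__main__":
    for name, text in (("commented", COMMENTED_ONLY), ("overridden", OVERRIDDEN),
                       ("hardened", HARDENED)):
        print(name, audit_php_ini(text))
```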


Posted: Mon Feb 20, 2012 6:51 pm
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 612
With the security plugin JHackGuard it is possible to make allow_url_fopen=off, which is very good as my web host did not have that option for me.


Posted: Tue Feb 21, 2012 1:18 am
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
This security forum is to assist in security of Joomla itself and not designed to help securely set up a server.

Blaming Joomla and your clients for issues of hacking when the server appears to be very poorly setup is just not right. That does not exonerate them, and mandville gave sound advice. No one else has to this point.

XAMPP is not secure at all as downloaded. XAMPP is designed to create unix style development server environments on windows and actually requires much work to properly secure for live use such as hosting. php settings are just one small area that has to be hardened. There are much better options that have already been hardened enough for hosting. Once everything is hardened, then the server has to be tuned properly or it will die under the slightest real load.

The fact that you are not very familiar with server settings and basic permissions as related to hosting suggests that out of consideration for your clients, you should hire someone to properly setup and manage your server(s). Local technical colleges also usually have courses in I.T. that will help you gain the knowledge you are lacking.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

