The Joomla! Forum ™



 Post subject: Multiple Sites Hacked
PostPosted: Fri Apr 20, 2012 1:28 pm 
Joomla! Apprentice

Joined: Mon Mar 15, 2010 2:05 pm
Posts: 11
I have several sites in a shared hosting setup. All of the sites have been hacked with a base64 hack. This hack seems to be affecting all of the PHP files on the site (Joomla and otherwise).

I know I need to delete each site's folder on the server and re-upload Joomla! from a fresh download. My problem is that I'm not sure how to properly re-upload any plugins, themes, modules, etc. When I have tried to do this manually the site does not seem to work properly. I would really like to avoid rebuilding these sites from scratch since I have five or six sites infected and rebuilding from scratch would represent several hundred hours of work.

Sorry if this is a stupid question but I can't seem to find any details either in these forums or in the Joomla! documentation. Thanks in advance for pointing me in the right direction.


PostPosted: Fri Apr 20, 2012 3:51 pm 
Joomla! Apprentice

Joined: Mon Mar 15, 2010 2:05 pm
Posts: 11
Maybe this will help. This is from one of the infected sites.

Forum Post Assistant (v1.2.0) : 20th April 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.4-Stable (Ember) 2-April-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: cmwhittington (uid: 11733379/gid: 525854) | Group: pg1938508 (gid: 525854) | Valid For: 2.5 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.8-grsec-2.1.14-modsign-xeon-64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/cmwhittington/testing.beamsvillechurchofchrist.ca/jupgrade | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.5 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 0 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 7M | Max. POST Size: 7M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 90M

MySQL Configuration :: Version: 5.1.53-log (Client:5.0.51a) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 2.58 MiB | #of _FPA_TABLE: 184
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.5) | date (5.3.5) | ereg () | libxml () | pcre () | sqlite3 (0.7-dev) | filter (0.11.0) | mbstring () | SPL (0.2) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | Reflection ($Revision: 305605 $) | hash (1.0) | cgi-fcgi () | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | session () | ftp () | gd () | gettext () | standard (5.3.5) | iconv () | imap () | json (1.2.1) | mcrypt () | mysql (1.0) | mysqli (0.1) | openssl () | pcntl () | pdo_mysql (1.0.2) | posix () | pspell () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | suhosin (0.9.32.1) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | zlib (1.1) | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Templates Discovered :: wrote:
Templates :: SITE :: atomic (2.5.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | rt_enigma (1.1) | dj-agriculture (1.5) | beez_20 (2.5.0) | siteground-j15-18 (1.0.0) | beez5 (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |


PostPosted: Sun Apr 22, 2012 6:22 pm 
Joomla! Apprentice

Joined: Mon Mar 15, 2010 2:05 pm
Posts: 11
If it helps clarify things I'm having the most difficulty with themes by www.rockettheme.com as well as some of the extensions that their themes use.


PostPosted: Sun Apr 22, 2012 10:27 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
Initial reactions:
- clarify what you mean by shared hosting - do you have a reseller account?
- .htaccess file missing
- location of files - jupgrade - default setting is bad
- using out of date/incompatible extensions (mp3browser)

rt_enigma (1.1) | dj-agriculture (1.5) | siteground-j15-18 (1.0.0) look like a collection from a template hosting site (make sure you get them from the source).

Can you PM me the base64 code?

If you haven't got a clean backup, make an SQL backup, then you will need to follow checklist 7 - safe route to recovery.
It is often needed to uninstall extensions first, but most often they leave their tables intact.

Can you do an extended version of the FPA showing your extensions?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Apr 22, 2012 11:49 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
The latest version of the FPA (v1.2.1) is defaulted to both show and generate the additional requested (installed components, installed modules, installed plugins) information. Please download and use the new version.

Get the FPA here Forum Post Assistant / FPA Instructions available here and are also included in the download package.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Last edited by PhilD on Sun Apr 22, 2012 11:52 pm, edited 2 times in total.
added FPA link


PostPosted: Mon Apr 23, 2012 12:36 am 
Joomla! Apprentice

Joined: Mon Mar 15, 2010 2:05 pm
Posts: 11
Thank you both for your help. I'll try to clarify for you.
I am using DreamHost.com, which allows for multiple sites under one user name. I'm beginning to think that this was a mistake and that I should have made new users for every site. This hack seems to be a problem for DreamHost and it is affecting Joomla, WordPress, and other PHP-based platforms. I'm not sure that it is specific to DreamHost. The FPA post above is from one of the six sites that I have in my account. Each one has been affected to varying degrees. I will move the above site from the jupgrade folder when I do the clean install.

Here is the new FPA for the same site as above:

Forum Post Assistant (v1.2.1) : 22nd April 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.4-Stable (Ember) 2-April-2012
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: cmwhittington (uid: 11733379/gid: 525854) | Group: pg1938508 (gid: 525854) | Valid For: 2.5 and above
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: No | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32.8-grsec-2.1.14-modsign-xeon-64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/cmwhittington/testing.beamsvillechurchofchrist.ca/jupgrade | System TMP Writable: Yes

PHP Configuration :: Version: 5.3.5 | PHP API: cgi-fcgi | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: 0 | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 7M | Max. POST Size: 7M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 90M

MySQL Configuration :: Version: 5.1.53-log (Client:5.0.51a) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 2.58 MiB | #of _FPA_TABLE: 184
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.5) | date (5.3.5) | ereg () | libxml () | pcre () | sqlite3 (0.7-dev) | filter (0.11.0) | mbstring () | SPL (0.2) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | Reflection ($Revision: 305605 $) | hash (1.0) | cgi-fcgi () | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | session () | ftp () | gd () | gettext () | standard (5.3.5) | iconv () | imap () | json (1.2.1) | mcrypt () | mysql (1.0) | mysqli (0.1) | openssl () | pcntl () | pdo_mysql (1.0.2) | posix () | pspell () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | suhosin (0.9.32.1) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | zlib (1.1) | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: WF_SEARCHREPLACE_TITLE (2.0.21) | WF_CONTEXTMENU_TITLE (2.0.21) | WF_IMGMANAGER_TITLE (2.0.21) | WF_SPELLCHECKER_TITLE (2.0.21) | WF_FULLSCREEN_TITLE (2.0.21) | WF_ARTICLE_TITLE (2.0.21) | WF_INLINEPOPUPS_TITLE (2.0.21) | WF_PRINT_TITLE (2.0.21) | WF_TEXTCASE_TITLE (2.0.21) | WF_VISUALCHARS_TITLE (2.0.21) | WF_TABLE_TITLE (2.0.21) | WF_NONBREAKING_TITLE (2.0.21) | WF_LINK_TITLE (2.0.21) | WF_STYLE_TITLE (2.0.21) | WF_BROWSER_TITLE (2.0.21) | WF_PREVIEW_TITLE (2.0.21) | WF_LAYER_TITLE (2.0.21) | WF_DIRECTIONALITY_TITLE (2.0.21) | WF_MEDIA_TITLE (2.0.21) | WF_XHTMLXTRAS_TITLE (2.0.21) | WF_CLEANUP_TITLE (2.0.21) | WF_SOURCE_TITLE (2.0.21) | WF_PASTE_TITLE (2.0.21) | WF_AUTOSAVE_TITLE (2.0.21) | WF_AGGREGATOR_VIMEO_TITLE (2.0.21) | WF_AGGREGATOR_YOUTUBE_TITLE (2.0.21) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.21) | WF_LINKS_JOOMLALINKS_TITLE (2.0.21) | WF_POPUPS_WINDOW_TITLE (2.0.21) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.21) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.21) | com_mailto (2.5.0) | com_wrapper (2.5.0) |
Components :: ADMIN :: RokGallery (2.3) | com_finder (2.5.0) | com_config (2.5.0) | com_search (2.5.0) | com_installer (2.5.0) | Akeeba (3.4.3) | com_plugins (2.5.0) | com_messages (2.5.0) | com_newsfeeds (2.5.0) | com_modules (2.5.0) | com_login (2.5.0) | com_media (2.5.0) | com_languages (2.5.0) | com_joomlaupdate (2.5.0) | com_cache (2.5.0) | com_categories (2.5.0) | com_weblinks (2.5.0) | com_banners (2.5.0) | Unknown (-) | JCE (2.0.21) | Editor - JCE (2.0.21) | com_admin (2.5.0) | com_templates (2.5.0) | com_checkin (2.5.0) | RokCandy (1.1) | com_users (2.5.0) | COM_GCALENDAR (2.3.0) | com_menus (2.5.0) | com_content (2.5.0) | Gantry (3.2.19) | com_redirect (2.5.0) | com_cpanel (2.5.0) |

Modules :: SITE :: mod_search (2.5.0) | mod_articles_category (2.5.0) | mod_articles_categories (2.5.0) | RokAjaxSearch (1.0) | mod_wrapper (2.5.0) | mod_menu (2.5.0) | mod_articles_popular (2.5.0) | JGMap - Google Map (0.15.5) | mod_random_image (2.5.0) | RokNavMenu (1.7) | mod_users_latest (2.5.0) | mod_login (2.5.0) | mod_feed (2.5.0) | mod_breadcrumbs (2.5.0) | mod_custom (2.5.0) | MOD_GCALENDAR (2.3.0) | mod_articles_archive (2.5.0) | mod_related_items (2.5.0) | mod_languages (2.5.0) | mod_whosonline (2.5.0) | MOD_GCALENDAR_NEXT (2.3.0) | mod_footer (2.5.0) | mod_finder (2.5.0) | mod_syndicate (2.5.0) | RokGallery Module (2.3) | RokTabs (1.5) | mod_articles_news (2.5.0) | mod_articles_latest (2.5.0) | mod_weblinks (2.5.0) | RokNewsflash (1.1) | mod_stats (2.5.0) | mod_banners (2.5.0) | MOD_GCALENDAR_UPCOMING (2.3.0) |
Modules :: ADMIN :: mod_status (2.5.0) | mod_menu (2.5.0) | mod_title (2.5.0) | mod_logged (2.5.0) | mod_login (2.5.0) | mod_feed (2.5.0) | mod_custom (2.5.0) | mod_quickicon (2.5.0) | mod_submenu (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_latest (2.5.0) | mod_version (2.5.0) | Akeeba Backup Notification Mod (3.4.3) | mod_toolbar (2.5.0) |

Plugins :: SITE :: plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | Button - RokGallery (2.3) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokCandy (1.1) | plg_user_contactcreator (2.5.0) | plg_user_profile (2.5.0) | plg_user_joomla (2.5.0) | plg_system_remember (2.5.0) | plg_system_p3p (2.5.0) | plg_system_cache (2.5.0) | Google Maps (2.15) | Akeeba Backup Lazy Scheduling (3.3) | plg_system_languagecode (2.5.0) | System - RokBox (1.2) | plg_system_log (2.5.0) | System - RokExtender (1.0) | plg_system_debug (2.5.0) | System - Gantry (3.2.19) | System - RokGZipper (1.0) | plg_system_languagefilter (2.5.0) | plg_system_logout (2.5.0) | plg_system_highlight (2.5.0) | plg_system_sef (2.5.0) | plg_system_redirect (2.5.0) | System - RokCandy (1.1) | plg_extension_joomla (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_vote (2.5.0) | plg_content_emailcloak (2.5.0) | Content - RokBox (1.2) | plg_content_finder (2.5.0) | plg_content_pagebreak (2.5.0) | plg_gcalendar_next (2.3.0) | plg_content_geshi (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_joomla (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_newsfeeds (2.5.0) | Editor - JCE (2.0.21) | plg_editors_tinymce (3.4.9) | Editor - RokPad (1.0) | plg_editors_codemirror (1.0) | plg_search_categories (2.5.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_gcalendar (2.3.0) | plg_search_newsfeeds (2.5.0) | plg_captcha_recaptcha (2.5.0) |
Templates Discovered :: wrote:
Templates :: SITE :: atomic (2.5.0) | rhuk_milkyway (1.0.2) | JA_Purity (1.2.0) | rt_enigma (1.1) | dj-agriculture (1.5) | beez_20 (2.5.0) | siteground-j15-18 (1.0.0) | beez5 (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |


PostPosted: Mon Apr 23, 2012 12:45 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
Generally, most hosts allow multiple domains under a master account. These domains are susceptible to cross site contamination as you have seen. One site got hacked and all sites are now affected because of the way the hack works. The type of site hosted (html, other php, wordpress, Joomla etc.) does not really matter as the htaccess files are rewritten with added redirects. There is generally also an htaccess file hidden outside of the public_html directory.

If the server is insecure in some way then the hack may also affect other sites on the server or the server itself.

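Worked example, added here as an illustration and not code from this thread, from Joomla or from the FPA tool. It ties together the two problems discussed above: the original poster's question of which files are core Joomla (safe to replace from a fresh download) versus third-party extensions and templates that have to come from their vendor, and PhilD's point that the injection rewrites .htaccess files with redirects, including ones hidden outside the public web root. The script diffs the suspect site against a clean unpack of the same Joomla release by SHA-256, then scans only the changed or extra files for two triage indicators: `eval`/`assert`-style calls wrapping `base64_decode` (or similar decoders) in PHP files, and `RewriteRule`/`Redirect` lines in `.htaccess` that point at an external URL. The reference tree, the site tree, the indicator patterns and the sample files (including a `templates/rt_enigma/index.php` stand-in for a third-party template named in the FPA output) are all constructed and assumed for the example; a hit is a reason to review a file by hand, not proof of compromise, and the scan generalizes beyond the thread's case by also covering `gzinflate` and `str_rot13` wrappers.

```python
"""Triage helper for the 'base64 hack' cleanup discussed in this thread.

Added example (not from the forum thread, Joomla or the FPA). Assumes two
directory trees: a clean unpack of the same Joomla release and the suspect
site root. Paths, marker patterns and sample files are constructed here so
the example runs offline.
"""
import hashlib
import os
import re
import tempfile

# Indicators typical of obfuscated injections in PHP files (assumed list).
# They are triage hints: every hit should be reviewed by hand.
PHP_INJECTION_RE = re.compile(
    r"(eval|assert|preg_replace)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
# .htaccess directives that send visitors to another host.
HTACCESS_REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(Match)?)\b.*\bhttps?://",
    re.IGNORECASE | re.MULTILINE,
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative path -> sha256 for every file under root, dotfiles included."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def compare_trees(clean_root, site_root):
    """Classify site files: 'modified' = core file differs from the clean package,
    'extra' = not in the package (extensions, templates, uploads, planted files),
    'missing' = core file absent from the site."""
    clean = tree_hashes(clean_root)
    site = tree_hashes(site_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "extra": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }


def scan_file(path):
    """Return the indicator names found in one file (empty list if none)."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return hits
    if path.endswith(".php") and PHP_INJECTION_RE.search(text):
        hits.append("php-obfuscated-eval")
    if os.path.basename(path) == ".htaccess" and HTACCESS_REDIRECT_RE.search(text):
        hits.append("htaccess-external-redirect")
    return hits


def triage(clean_root, site_root):
    """Diff against the clean package, then scan only modified and extra files."""
    report = compare_trees(clean_root, site_root)
    report["suspicious"] = {}
    for rel in report["modified"] + report["extra"]:
        hits = scan_file(os.path.join(site_root, rel))
        if hits:
            report["suspicious"][rel] = hits
    return report


def write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(body)


def build_demo():
    """Constructed sample trees (not real Joomla files) so the example runs stand-alone."""
    base = tempfile.mkdtemp()
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    core = {
        "index.php": "<?php define('_JEXEC', 1); require 'includes/app.php';\n",
        "includes/app.php": "<?php echo 'hello';\n",
    }
    for root in (clean, site):
        for rel, body in core.items():
            write(root, rel, body)
    # Core file with an injected prefix, as the original poster describes.
    write(site, "index.php", "<?php eval(base64_decode('aGVsbG8=')); ?>" + core["index.php"])
    # Third-party template: legitimately 'extra', nothing suspicious in it.
    write(site, "templates/rt_enigma/index.php", "<?php echo 'template';\n")
    # Rewritten .htaccess sending visitors to another host (constructed).
    write(site, ".htaccess", "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/go [R,L]\n")
    return clean, site


if __name__ == "__main__":
    clean_dir, site_dir = build_demo()
    for key, value in triage(clean_dir, site_dir).items():
        print(key, value)
```

In the constructed run, `index.php` is reported as modified core (replace it from the fresh download), `templates/rt_enigma/index.php` is extra but clean (reinstall it from the vendor's package rather than copying it across), and `.htaccess` is both extra and flagged for the external redirect. Run from the account's home directory rather than the web root so that an .htaccess placed above `public_html` is included in the walk.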


PostPosted: Mon Apr 23, 2012 12:54 am 
Joomla! Apprentice

Joined: Mon Mar 15, 2010 2:05 pm
Posts: 11
How do I go about cleaning this up? I've spent days searching the web and trying various things. I've followed the 7 steps except the clean install part because when I do a clean install it makes some of my sites stop working. As I've managed to get a site clean I've made a backup of the clean install so that once I have all of them clean I can clear my web folder out completely and do new clean installs from the backups.


PostPosted: Mon Apr 23, 2012 2:21 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
I got your base64, sent a copy to PhilD - interesting!
RokGallery - ood
RokCandy - ood etc.


