The Joomla! Forum ™



 Post subject: Several 2.5 sites hacked
PostPosted: Sun May 06, 2012 9:53 pm 
Joomla! Apprentice

Joined: Sun May 06, 2012 9:28 pm
Posts: 7
Two of the sites I run have just been disabled by my web host with their reasons being that the sites were compromised.

I have no access to either account right now, and I haven't worked on either site in a little while, so specific details are going to have to be a bit sketchy. Obviously due to the lack of access I can't run the forum help tool.

Both sites were running Joomla 2.5. I believe this was the latest version (2.5.4) as I updated all my Joomla run sites a few weeks ago to the latest version.

I've checked the list of vulnerable extensions and don't have anything installed on the latest list (January 2012 onwards).

I've attached the relevant segments from messages from my web host below, with my domain name omitted. They say they can clean the site and restore it, however before I give them the okay I'd really appreciate some advice on how this could have happened so I can stop it just happening again.

Code:
Your account has been compromised. I suspect this was via the Joomla
upload feature. The attacker replaced your homepage with a
"Hacked" page and uploaded malicious content to your account.

Your account was suspended automatically to protect our servers and to
prevent malicious content being spread or uploaded.


Code:
I have suspended your account, so you cannot login to it. If you would
like me to purge the site so that you can upload it again, please
confirm this.

The attack seems to have been started by uploading a PHP shell script
via FTP from the localhost using a username and password that are stored
in the Joomla configuration.php script. Here is the extract from the FTP
log:

Sun Apr 29 03:03:06 2012 0 81.94.198.98 87627
/home/[domain]/public_html/tmp/sa.php b _ i r site@[domain] ftp 1 * c

I'm not familiar with Joomla, so I'm not sure what this is for or why it
is needed, but there may be a vulnerability in this area.


I'm not sure if this will show up, but this is what the page was replaced with:


I appreciate I'm not giving you much to go on here... but I'd really appreciate some help.

Thanks,

Tom


Last edited by mandville on Sun May 06, 2012 10:53 pm, edited 1 time in total.
removed hacker kudos, removed images,
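The FTP log extract the host quoted is in the xferlog layout that most Unix FTP daemons write (timestamp, transfer seconds, remote host, byte count, file name, then nine fixed fields including direction and user). As an added example that is not part of this thread, here is a small Python triage script that parses such records and flags uploads of PHP scripts, ranking scripts dropped into Joomla's writable directories (tmp/, images/, cache/ and so on) highest, since those are the usual drop points for web shells. The second SAMPLE_LOG line is the record from the host's reply with its [domain] placeholder kept; the other lines are constructed, and 203.0.113.7 is a documentation address, not a real host.

```python
"""Triage an xferlog-style FTP transfer log for script uploads into a web root.

Added example for this thread: the second SAMPLE_LOG line is the record the
host quoted (domain placeholder kept); the other lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Extensions the web server would execute if a file with them were requested.
SCRIPT_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
# Joomla directories that have to be writable by the web server, and are
# therefore the usual drop points for web shells.
WRITABLE_DIRS = ("/tmp/", "/images/", "/cache/", "/logs/", "/media/")

SAMPLE_LOG = """\
Sun Apr 29 02:58:41 2012 1 203.0.113.7 20480 /home/[domain]/public_html/images/logo.png b _ i r site@[domain] ftp 1 * c
Sun Apr 29 03:03:06 2012 0 81.94.198.98 87627 /home/[domain]/public_html/tmp/sa.php b _ i r site@[domain] ftp 1 * c
Sun Apr 29 03:04:10 2012 0 81.94.198.98 87627 /home/[domain]/public_html/tmp/sa.php b _ o r site@[domain] ftp 1 * c
Mon Apr 30 09:12:00 2012 2 203.0.113.7 4096 /home/[domain]/public_html/templates/custom/index.php b _ i r site@[domain] ftp 1 * c
"""


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str  # 'i' = upload to the server, 'o' = download, 'd' = delete
    user: str
    status: str     # 'c' = completed, 'i' = incomplete


def parse_xferlog_line(line):
    """Split one xferlog record. The nine trailing fields are fixed, so
    everything between the byte count and them is the file name."""
    parts = line.split()
    if len(parts) < 18:
        raise ValueError("not an xferlog record: %r" % line)
    when = datetime.strptime(" ".join(parts[0:5]), "%a %b %d %H:%M:%S %Y")
    remote_host, size = parts[6], int(parts[7])   # parts[5] is transfer seconds
    path = " ".join(parts[8:-9])
    _, _, direction, _, user, _, _, _, status = parts[-9:]
    return Transfer(when, remote_host, size, path, direction, user, status)


def classify(t):
    """'high' for a script uploaded into a writable directory, 'review' for
    any other script upload, None for everything else (downloads, images...)."""
    if t.direction != "i":
        return None
    lower = t.path.lower()
    if not lower.endswith(SCRIPT_EXTENSIONS):
        return None
    if any(d in lower for d in WRITABLE_DIRS):
        return "high"
    return "review"


def triage(log_text):
    """Return [(severity, Transfer), ...] for every record worth a look, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t = parse_xferlog_line(line)
        severity = classify(t)
        if severity:
            findings.append((severity, t))
    return findings


if __name__ == "__main__":
    for severity, t in triage(SAMPLE_LOG):
        print("%-6s %s %s uploaded %s (%d bytes, status %s) from %s"
              % (severity, t.when.isoformat(), t.user, t.path, t.size, t.status, t.remote_host))
```

The remote-host column is worth keeping in the report: it is the first thing to compare against the addresses you or your own machine normally connect from when deciding between a leaked credential and a compromised workstation, which is the distinction the thread turns on.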


PostPosted: Sun May 06, 2012 10:55 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11644
Location: The Girly Side of Joomla in Sussex
[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun May 06, 2012 11:31 pm 
Joomla! Apprentice

Joined: Sun May 06, 2012 9:28 pm
Posts: 7
Quote:
[ ] Run the Forum Post Assistant / FPA Instructions available here and are also included in the download package.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation. Replace the deleted files with fresh copies of a current full version of Joomla, and fresh copies of extensions and templates used. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories


I currently do not have any access to the server. Account (FTP/cPanel/etc) disabled by web host until I give them the ok to either wipe the site, or clean it. Due to this I'm unable to do the above.


Quote:

I've looked through the list and don't have any of the extensions installed that are listed under the heading 'January 2012 and onwards Reported Vulnerable Extensions'. As for the other extensions below that, I've listed some possibilities below. As I haven't worked on the sites in a long while, apart from updating them recently, and not currently having access to the sites, it's hard to say for certain.

FCKeditor - This may be installed. I'm fairly certain it's not, but I have installed a 3rd party editor whose name I can't recall, so I wouldn't want to rule this out as a possibility.

Akeeba - All my sites are running the latest version of Akeeba Backup Free. I've checked the vulnerability, and I believe it's both resolved and not a major threat in itself anyway.

flexicontent - This was installed on one of the sites a while ago. It wasn't used on the live site (I was trying out a few different content creation components) but was left installed from testing phases in error. However, it was uninstalled shortly after the site launched several months ago, so not likely an issue.

xmap 1.2.10 - Both affected sites were running a version of xmap. It may not have been the latest version, it was several months ago when the extension was installed, however I don't believe I updated the component. Could be a possibility...

They're the only extensions I recognise from that list.


Quote:
[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

As per first point, most of the steps in this check list require access to the account, which I don't have.

Quote:
[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

Working on a Mac with antivirus. Not bombproof by any means, but unlikely infected...

Quote:
[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

See first point...

Quote:
[ ] Use proper permissions on files and directories. They should never be 777, but ideal is 644 and 755

I'm unable to say with certainty due to lack of access. However, looking at other (un-compromised) Joomla sites I run that were set up the same way, the permissions were set correctly. Files 644 and directories 755.

Quote:
[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

I can't access the .htaccess of the live sites, due to above reasons. However, my local version adds the following code to redirect all http://* requests to http://www.*.
Code:
# Redirect http://domain.net to http://www.domain.net (dot escaped, host anchored)
RewriteCond %{HTTP_HOST} ^domain\.net$ [NC]
RewriteRule (.*) http://www.domain.net/$1 [R=301,L]


There's also a section required for components using suhosin, and a further section which I'm not entirely sure of. I'm using custom fonts and this appears to relate to that. I'm not sure exactly what it does, though.
Code:
<IfModule mod_php.c>
    php_value suhosin.executor.include.whitelist tmpl://, file://
</IfModule>

<FilesMatch "\.(ttf|otf|woff)$">
<IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>


Quote:
[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

Unable to access.

Quote:
[ ] Ensure you do not have anonymous ftp enabled

Although unable to access now to confirm, by default anonymous FTP is disabled by my host. Whilst I think I can enable it, I have never done so and would assume that it is turned off.


PostPosted: Sun May 06, 2012 11:37 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Quote:
The attack seems to have been started by uploading a PHP shell script
via FTP from the localhost using a username and password that are stored
in the Joomla configuration.php script.

Suggests one of two things to me:
  1. The server is badly configured and you set files 777 to install extensions.
    or
  2. The host may just be making an assumption because they found the ftp details in the configuration.php. It could be your computer is compromised and that is how the ftp was obtained.

Would you like to PM me the url and the name of your host? I could do some digging.

Addendum

Was typing when you posted about the Mac.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sun May 06, 2012 11:45 pm 
Joomla! Apprentice

Joined: Sun May 06, 2012 9:28 pm
Posts: 7
Thanks Webdongle. I've only just registered and apparently I am unable to send messages yet.

Is there any reason why I shouldn't just post the details here? I removed the affected domain name/s in previous posts as I was unsure.


PostPosted: Mon May 07, 2012 12:04 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Best not to name and shame when we don't know if they are one of the known hosts who get hacked frequently.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Mon May 07, 2012 12:37 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
@TomSel

I got your email and searched your Host. Couldn't find anything about their servers being victims of mass hacking.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Mon May 07, 2012 12:47 am 
Joomla! Apprentice

Joined: Sun May 06, 2012 9:28 pm
Posts: 7
Thanks for looking. Referring to your earlier post, it may well be that my host has made the assumption regarding the config file.

I'm still very wary of putting the site back online, though. Is there any information I could ask my host for that could shed some more light on this?


PostPosted: Mon May 07, 2012 8:49 am 
Joomla! Apprentice

Joined: Mon Jun 02, 2008 1:38 pm
Posts: 5
Quote:
The attack seems to have been started by uploading a PHP shell script
via FTP from the localhost using a username and password that are stored
in the Joomla configuration.php script.


Appending a "?-s" will show the actual php content instead of executing it in certain php/cgi combinations.

For more details you might want to check this http://www.h-online.com/security/news/item/PHP-patch-quick-but-inadequate-1568454.html
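The "?-s" behaviour described above comes from how CGI hands query strings to a script: a query string containing no "=" is split on "+" and passed to the CGI binary as command-line arguments, so "?-s" reaches php-cgi as the -s option (print the source) rather than as data. From the defender's side the useful thing is to know whether anyone has sent such requests to your site. The following Python check is an added example, not from the thread: it reads web server access log lines in common log format and flags requests whose query string would be passed to php-cgi as options beginning with "-", including the percent-encoded form. The log lines are constructed; 198.51.100.23 and 203.0.113.7 are documentation addresses.

```python
"""Flag requests whose query string php-cgi would receive as command-line options.

Added example for this thread; the access log lines are constructed.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [time] "method target protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [07/May/2012:14:40:01 +0100] "GET /index.php?option=com_content&view=article&id=2 HTTP/1.1" 200 5120
198.51.100.23 - - [07/May/2012:14:41:13 +0100] "GET /index.php?-s HTTP/1.1" 200 14832
198.51.100.23 - - [07/May/2012:14:41:20 +0100] "GET /configuration.php?%2ds HTTP/1.1" 200 2104
203.0.113.7 - - [07/May/2012:14:43:00 +0100] "GET /index.php?searchword=-s&option=com_search HTTP/1.1" 200 3300
203.0.113.7 - - [07/May/2012:14:43:30 +0100] "GET /images/logo.png HTTP/1.1" 200 20480
"""


def is_cgi_argv_query(query):
    """CGI rule: a query string without '=' is split on '+' and passed to the
    script as argv.  Any such argument beginning with '-' is an option being
    handed to php-cgi (e.g. -s, print source) rather than a search term.
    The '=' test is on the raw string because that is what the server checks."""
    if not query or "=" in query:
        return False
    args = [unquote(part) for part in query.split("+")]
    return any(arg.startswith("-") for arg in args)


def parse_clf(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"host": m.group("host"), "time": m.group("time"),
            "path": path, "query": query, "status": int(m.group("status"))}


def find_argv_injection(log_text):
    """Return the parsed records whose query string would reach php-cgi as options."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_cgi_argv_query(rec["query"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_argv_injection(SAMPLE_ACCESS_LOG):
        print("%s %s %s?%s -> %d" % (rec["time"], rec["host"], rec["path"],
                                     rec["query"], rec["status"]))
```

The check is on the shape of the request, not on the response, so it surfaces attempts against a server that was never vulnerable as well as successful ones; a request for configuration.php with a 200 status and a body size larger than the usual empty page is the case to look at first, because that file holds the database and FTP credentials.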


PostPosted: Mon May 07, 2012 11:31 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
Perhaps that's why my host puts a file called hide_config_files.php in the folder when they auto install Joomla?
Code:
<?php

// Hides specified config files from the world

// Put a list of the config file(s) to be hidden from world readable below

$hidden_config_files = array(
                             "hide_config_files.php",
                             "configuration.php"
                            );

foreach ($hidden_config_files as $x) {
    if (@is_file($x)) {
        chmod($x, 0600);
    }
}
?>

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Mon May 07, 2012 12:15 pm 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 11987
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Arrakis wrote:
appending a "?-s" will show the actual php content instead of executing it in certain php/cgi combinations. for more details just go
viewtopic.php?f=621&t=716490

Cheers
Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Mon May 07, 2012 2:48 pm 
Joomla! Apprentice

Joined: Sun May 06, 2012 9:28 pm
Posts: 7
Arrakis / leolam:
I've checked a site running on the same server as the downed sites, and the server configuration for PHP is listed as:
Quote:
Server API: CGI/FastCGI


I've tried going to a live site and using /index.php?-s and it did not show the PHP, just the normal, rendered website. I also tried it for /configuration.php?-s and just got a blank page.

Webdongle:
Would a file such as that only be relevant if the vulnerability pointed out by Arrakis was present on the server? By the looks of it my host isn't affected by it, so not sure if that file is needed.

Edit to add:
The PHP version is 5.3.10, not the current version. Not sure if this is relevant...


PostPosted: Mon May 07, 2012 3:45 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23363
Location: @Webdongle
I tried without that file and my configuration.php did not show. All I know is they put that on when Joomla is installed from their CP.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Mon May 07, 2012 7:52 pm 
Joomla! Apprentice

Joined: Sun May 06, 2012 9:28 pm
Posts: 7
Does anyone have any ideas about what I can do to try to find out how this attack occurred? I've asked my host to not restore the site for the time being, as I'm concerned the same will just happen again.

I have other sites running presumably near-identical setups, though, so I am obviously extremely concerned the same could happen to those.


PostPosted: Fri May 11, 2012 4:23 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2694
Location: Wisconsin USA
The vulnerability affects servers that are running PHP in CGI mode; FastCGI for PHP installations are not affected. Reportedly, the vulnerability can be exploited in combination with components such as the lighttpd web server, so those sites hosted on a server that uses the lighttpd server may also be at risk. Appending a "?-s" to the url may or may not mean anything at this point. Any exploit will surely try the easy way first, but among exploits taking advantage of the hole in php-cgi, there are Apache configuration directives that would put a server in a vulnerable state and these could possibly be applied to a hacked htaccess file. There are a number of attack vectors attempting to take advantage of the hole which I will not list. One of the major goals of these attacks is to try and download/install root webshells and backdoors in order to access the server and all sites on it at will.

For your part Tom, follow what I post below to properly clean and repair your website. If your host refuses to allow you access to your site after you show them the plan to fix your site as outlined below, then change hosts. How can you fix something you cannot access? Common ways of initial hacking have been through an insecure or out-of-date extension or Joomla install, a permissions issue or possibly from another site on the host. These are not the only ways, just some common ones. The important thing now is to properly clean the website. Follow what is below:

PhilD wrote:

It is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.


You must state what version of Joomla you were using when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic.

[ ] Ensure you have the latest version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file. Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory), and fresh copies of extensions and templates used. Upload the copy of your configuration file. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in files and directories. More detail can be found in the security Checklist 7 link below.

[ ] Review Vulnerable Extensions List

[ ] Review and action Security Checklist 7 to make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc.

[ ] Change all passwords and if possible user names for the website host control panel and your Joomla site.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 and 755 and 444 for the configuration.php file.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled

Note: The forum post tool will work with all versions of Joomla.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
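Both checklists in this thread (the one posted earlier and PhilD's above) set the same permission targets: 644 for files, 755 for directories, 444 for configuration.php, and never 777. As an added example that is not part of the thread, this Python script walks a Joomla tree and reports every entry that deviates from those targets, marking world-writable ones. It builds a small constructed tree of its own, with deliberate mistakes including a tmp/sa.php named after the file in the host's FTP log, so it can be run without a real site; pointing audit_permissions at a real installation directory audits that instead.

```python
"""Audit a Joomla tree against the forum checklist's permission targets.

Added example, not from the thread: 644 for files, 755 for directories,
444 for configuration.php, and nothing world-writable.  build_sample_tree()
constructs a throwaway tree with deliberate mistakes so the audit can be run
without touching a real site.
"""
import os
import stat
import tempfile

EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644
EXPECTED_CONFIG = 0o444          # configuration.php, per the checklist
CONFIG_NAME = "configuration.php"


def expected_mode(path, is_dir):
    """Target mode for one entry under the checklist's rules."""
    if is_dir:
        return EXPECTED_DIR
    if os.path.basename(path) == CONFIG_NAME:
        return EXPECTED_CONFIG
    return EXPECTED_FILE


def audit_permissions(root):
    """Return sorted (relative_path, actual_mode, expected_mode, world_writable)
    tuples for every entry under root whose mode differs from the target."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                       # a symlink's own mode is meaningless
            actual = stat.S_IMODE(st.st_mode)
            expected = expected_mode(full, is_dir)
            if actual != expected:
                findings.append((os.path.relpath(full, root), actual, expected,
                                 bool(actual & stat.S_IWOTH)))
    return sorted(findings)


def build_sample_tree():
    """Constructed Joomla-like tree; the commented modes are the mistakes."""
    root = tempfile.mkdtemp(prefix="joomla-perm-demo-")
    layout = [                                 # (relative path, is_dir, mode)
        ("index.php", False, 0o644),
        ("configuration.php", False, 0o644),   # should be 444
        ("tmp", True, 0o777),                  # world-writable directory
        ("tmp/sa.php", False, 0o666),          # stray script, world-writable
        ("images", True, 0o755),
        ("images/logo.png", False, 0o644),
    ]
    for rel, is_dir, _ in layout:              # parents come first in the list
        full = os.path.join(root, rel)
        if is_dir:
            os.makedirs(full, exist_ok=True)
        else:
            open(full, "w").close()
    for rel, _, mode in layout:                # set modes once everything exists
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, actual, expected, ww in audit_permissions(root):
        flag = "  WORLD-WRITABLE" if ww else ""
        print("%-20s is %o, expected %o%s" % (rel, actual, expected, flag))
```

Two caveats when applying the 444 target. Joomla rewrites configuration.php when you save Global Configuration, so that save will fail until the file is made writable again for the moment. And the FTP username and password the host found in that file are Joomla's FTP layer settings, which Joomla uses to write files when the web server user cannot; with the layer enabled they sit in plaintext there, so anyone able to read the file (which is exactly what the "?-s" source disclosure would allow) has FTP access to the account. Disabling the FTP layer once file permissions are correct removes that credential from the file altogether.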

