Possible security exploit in 2.5.6

[mandville]

A: set new user account activation to admin

[cheeseus]

Two hours ago I received an email from my hosting provider alerting me that the script in "httpdocs/administrator/templates/bluestork/stph.php" is causing the server disk to get overloaded and they had renamed it and wanted me to take immediate action.

Fount this topic and checked my Joomla installation - the newly added files I discovered in the "bluestork" folder are the following:
- error.php -- 5.08.2012
- get.pl -- 18.08.2012
- indx.php -- 5.08.2012
- pr.txt -- 18.08.2012
- rp.php -- 18.08.2012
- stph.php -- 18.08.2012

I had the same user registered - alexaalexa - with email [email protected] and Registered/Administrator rank.

I also noticed I cannot disactivate or delete this or any other user.

My Joomla is an old version - 1.7.1 but I can't update it right now.

I hope I can delete the above files and will try to update later because I have had to modify the site's index.php and some other changes in order to fit my design, so upgrading isn't a quick process.

[Tonie]

@cheeseus. Not really an option. By removing those files you remove the effect, not the cause. Your site will be hacked again the moment somebody (automatically) tries the same hack on your site.

[cheeseus]

@cheeseus. Not really an option. By removing those files you remove the effect, not the cause. Your site will be hacked again the moment somebody (automatically) tries the same hack on your site.

Yes, I realize that. I will update as soon as I can but from the above posts I see that the currently latest version is insecure too. I hope a newer version will roll out soon that will deal with this exploit. Is switching to a different admin template my only solution for the time being?

[mandville]

We have been following these posts and can m,ake a general assumption of what has happened for those that have not posted their FPA results and/or server settings.
please understand that a hacker will normally probe,hack,deface,run
what is apparently happening here is
malicious user creates a self activated account.
malicious user uploads a shell script
malicious user then may hack the default admin template
malicious user then comes back when they wish and reinfect or install a script (base64) that calls a reinfection script- often done by bot - when the admin logs in.
so to quote brian signature line "Exploited yesterday... Hacked tomorrow"

Normally you can not remove superuser, it must be done by going into the sqldb, it is also best to disable and not remove them immediately as they will not be able to reregister if they are blocked but could do if they are removed.
for file structure, follow checklist 7 safe route to recovery.

[cveile]

Ok...We were affected by this...

So I renamed the hacked admin files from bluestork (indx.php/error.php/stph.php/rp.php)...After examining the malicious files, it appeared that they used the php shell, exec, curl options, etc. options. I disabled those by default in php.ini server wide...

Will that help prevent further attacks? Do I need to take further action?

Further: I realize this may or may not be slightly off topic, but could be on topic if the exploit we've been discussing affected language files...Has anyone noticed when accessing the Joomla 2.5 sites (that were or were not) infected, the language files do not appear to be working correctly...I re-uploaded the J2.5.6 stable full/core package to a couple of sties and still no change...Any ideas? My J 1.5 sites seem to have been unaffected by the hack and attacks...

[AndriaD]

I experienced this hack this week (I discovered it Monday morning, 08/20), and fretted myself senseless all week trying to fix it -- it affected every single Joomla site I have on my shared-hosting acct at .... I did not see any of those files mentioned, but all my BlueStork folders were empty, and had been chmod'ed to '0000' so I could not even delete them -- finally I asked my server tech support to delete them for me, then re-uploaded BlueStork so I could login, and changed all my sites to an admin template which is NOT provided by Joomla.

Here's the thing: I run 2.5.6 on ALL my sites; ALL my extensions are up-to-date, I have an icon on my control panel to advise me at once when there's any update of anything, I watch the security feed on a regular basis -- have it too right on my control panel, along with the Vulnerable Extensions feed, but I knew NOTHING about this hack until it hit me and took out all my admin pages across five different sites -- the sites were unaffected, but without a default template, I could not login or see any admin pages. I do not have any unauthorized super users, nor any other users that I can't account for -- my main site, which sits in public_html and is thus a big fat target for hackers, doesn't even allow registration.

I'm a bit peeved that those who are supposed to be in charge of keeping Joomla updated to exclude this kind of exploit have really dropped the ball on this one. It took out god only knows how many admin pages across god only knows how many hosts and servers, and most of us who've suffered it have already fixed it, and there is STILL no security release to address this massive, outrageous hack? I'm shocked and appalled.

And still don't know if simply using a different template will protect me from a repeat performance.

Andria

[Webdongle]

Let me just clarify a few things here:

1) The topic clearly says Possible - not confirmed.
2) Some of the versions that were hacked are current 2.5.6.
3) These sites were in different hosting accounts, on different servers (all running suPHP, mod security, etc).
4) Complete removal of the bluestork template has stopped any further intrusions.

I will get the FPA and log details and report back soon.

Thanks.

They may well be on different servers ... but if the non updated site got hacked and it infected computer that connects to admin(etc.) then it transferred the exploit to the other servers. Also if the computer is compromised then it will infected all the sites that computer connects to

As the administrating computer is the common denominator(not Joomla because they were different versions) then it is highly likely the computer is infected.

If you read Before you post : read and action this you will see that after it says to delete all files but before changing passwords and renewing files you will see

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

That is put in that order for a reason. That post by mandville was worked on by many people and is very accurate. Failure to follow it will cause hours of frustration because it is the only sure way to remove all the exploits.

The OP (as well meaning as they were) made incorrect assumptions that are full of misconceptions. Unfortunately you (like many others) failed to see the flaws in the reasoning.

My advice to you and others who have flaws in their reasoning of the hacks is ... read the Before you post : read and action this and read it again. Keep reading it until you understand why it is worded the way it is and why things are done in a specific order. If people read it and understood it properly before posting ... then they would not make post that were misleading.

[justme2012]

My host is [Mod Note: Removed Name] & I believe I have been affected as well. Can't access the back-end admin & my bluestork directory can't be deleted or overwritten. I must admit I didn't do all the security measures that I should've done...was getting there but guess they beat me to it. Just so I can go forward in the right direction was this my fault or was the web host attacked? Now I'm just trying to plug up the holes & pick up the pieces. Thx!

[minadreapta]

it is very possible that your host has chmod'ed 0000 the bluestork directory in order to stop the DDOS attack. i suggest you contact them and ask about it.
we also did this and then contacted every affected website owner and urge them to upgrade/secure website

[justme2012]

Yep, I believe that's exactly what they did but would've been nice if they would've notified me Finding out all this after the fact. All well, no harm no foul.

[minadreapta]

would've been nice if they would've notified me

i think it would've been also nice if you've kept Joomla up to date and secured it properly?

[mandville]

I'm a bit peeved that those who are supposed to be in charge of keeping Joomla updated to exclude this kind of exploit have really dropped the ball on this one.

i totally agree.

It took out god only knows how many admin pages across god only knows how many hosts and servers,

are you talking about your own server or the 10million plus joomla websites?

and most of us who've suffered it have already fixed it,

that may be true, if you didnt allow unstrusted users to uploaded shell script (usually hidden as gifs) then it would not have been needed

and there is STILL no security release to address this massive, outrageous hack? I'm shocked and appalled.

if there is no known bug or vulnerability then the jsst cant release a fix for it. Please send a message to the jsst enclosing what you posted above and pointing them to this topic for reference

And still don't know if simply using a different template will protect me from a repeat performance.

nor do most of us who have tried to investigate this. somewhere above it was mentioned that the default template is hacked as its the default template! now if you want to read these malicious scripts you will normally see how they do the hack.

[AndriaD]

are you talking about your own server or the 10million plus joomla websites?

The ten-million-plus. I only have 5.

that may be true, if you didnt allow unstrusted users to uploaded shell script (usually hidden as gifs) then it would not have been needed

I don't allow anyone to upload anything, but apparently some hacker(s) have wormed their way in, regardless of all my MANY efforts to keep them out -- AdminTools Plus, changing pw's all the time, and every other way I can find to try and keep them out -- they still get in.

And still don't know if simply using a different template will protect me from a repeat performance.

nor do most of us who have tried to investigate this. somewhere above it was mentioned that the default template is hacked as its the default template! now if you want to read these malicious scripts you will normally see how they do the hack.

Well it's almost a week now since I fixed it and started using a non-Joomla-provided admin template, and so far, so good; no hacks or other funny business that I can see. So perhaps just changing from BlueStork is sufficient to prevent re-occurrence.

I understand that the folks keeping Joomla stable and safe are human beings, and thus as prone to "woops" as any of us, but this looks like a mighty big hole, to allow this level of [removed] to this many users. They really do need to do something about it. I keep following the Joomla Security newsfeed, thinking surely I'll see something, but nothing has yet shown up AT ALL about this exploit. Really strange.

I'm sure that someone has notified JSST about this, and they don't need yet another memo on it from me, who is basically just shooting in the dark to keep the hacker fools out -- if I thought I had anything really valuable to offer JSST, I'd definitely offer it, but I'm just another hapless hacked webmaster, who's been hacked so often this summer, I no longer have the vapors when it happens -- just fix it, and move on. But this problem is HUGE.

Thx,
Andria

[mandville]

I'm sure that someone has notified JSST about this, and they don't need yet another memo on it from me, who is basically just shooting in the dark to keep the hacker fools out -

There was an important job to be done and Everyone was sure that Someone would do it.

Anyone could have done it, but No-one did it.

Someone got angry about that because he thought that it was Everyone’s job.

Everyone thought that Anyone could do it, but No-one realised that Everyone wouldn’t do it.

It ended up that Everyone was angry with Someone because No-one did what Anyone could have done!

[AndriaD]

You make an excellent point, but it never fails, everytime I've ever said anything to anyone on any subject at the JSST, I'm shot down, treated like a total imbecile that shouldn't be wasting their valuable time with my amateur meanderings. So I won't. Ever again. Because I don't have a computer science degree and I'm unlikely to ever have one, so it's a safe bet that no one there will listen to anything I have to say. So I'll let the computer science majors argue with them; I have better things to do.

Andria

PS. This is, in fact, the first time I've posted HERE and not been shot down like a total imbecile who shouldn't be wasting the professionals' valuable time. So I do appreciate that.

[PhilD]

To address your original issue.
Just because some hack files were found within a default admin template directory does not mean that the template has an issue. It is very common to place hack files in various areas of a site and the template directory happens to be one of these popular spots. It is likely another issue on one of the hacked sites allowed the files to be placed in the BlueStork directory. Other popular spots for hack files are the media directory, the tmp directory and also outside of the public_html directory.

On accounts that control multiple sites from one main account (reseller, allowed multiple sites on standard sites, etc.) there is a high possibility that if one site has an issue, then all sites will have the same issue. This is cross site contamination and with the current hack tools, it is easy to hack multiple sites this way and will lead to installs that have no known security issues being hacked.

With the listing of site versions you provided it is quite possible that this is what happened. The out of date and insecure sites were hacked and then a cross site hack was done to infect the other secure site installs. It is also possible that multiple sites were hacked because they were simply out of date and contain security issues. The hack bots will try every hack on every site to see if one "sticks" and they do this quickly and efficiently.

If all the sites are on a different account and not under one master account, then a person or persons with access to all the sites has a computer or network infected that is allowing the hack.

As far as the JSST goes....
Mistakes and bad code happens sometimes and security issues do happen. Otherwise patches would not be needed to fix security issues.

If you provide the JSST with the method of intrusion (proof of concept) that can be replicated, then the issue can be properly identified and a patch or update issued. Collaborating information should also be provided.

You don't need a computer science degree to do this, but you do need to present a concise and coherent method to reproduce the issue along with any additional information such as server environment, specific log entries, etc. that would be helpful in determining if there is an issue should also be provided.

Failure to provide proper documentation and just saying that a bunch of client sites were hacked in a similar way and xyz file was found in the same directory, may not get a response or a proper response.

That said, almost all site security issues can ultimately be traced to an improper setup/maintenance of the host server, improper setup/maintenance of the domain by the domain owner, or a setup/maintenance issue by the Joomla administrator/designer who operates the site.


It is common for hosts to disable a site or disable certain parts of a site if it is determined that a site is using excessive resources in order to protect the server and attempt to keep other clients on the same server happy. Most will inform you of this and if you can present a plan of action will allow access to fix the issue. This also means that you were hacked and should be following the before you post read this forum post

[hareslade]

more to the point, does 2.5.7 cure this upgrading of user, hack?
presumably once the user is a superadmin they can replace the bluestork template with their naughty one. why always only bluestork?

[hareslade]

i now know the exploit, user registers, by manipulating the registration form or some other method, the user can upgrade himself to admin. its then a simple matter to log in as admin and reinstall or modify the admin bluestork template so it contains code which performs the denial of service attack.

in the hack i had on my site, administrator/templates/bluestork had files index.php, error.php and rp.php containing non-joomla code

rp.php does not appear in the normal joomla 2.5.4 fileset, so either its written by the other two, or a modified module is installed that just adds the appropriate ddos files.

i have copies of the hacked files. the code is nasty.

my host confirmed that there were no other breaches of security in the shared server, to their knowledge, supporting my view that the breach was indeed at user level. Specially as i saw the alexaa.. user in my user list as an admin, i deleted it hoping for the best, but by that time the damage was done.

[greenjellyalex]

Currently have a client's website running 2.5.7 - I'm sorry to say that this version is still vulnerable to the hack. Removed the offending files (indx.php, stph.php and error.php) and also removed the user alexaalexa, but as for a long term fix or prevention I have no clue. I'll need to contact my hosting provider and inform them that I've done all I can, hopefully there'll be a patch to fix this in the near future before I get re-attacked.

Good luck guys.

[Webdongle]

Currently have a client's website running 2.5.7 - I'm sorry to say that this version is still vulnerable to the hack. ...

If you could contact one of the moderators ... with proof of how you know that for certain ... then that would be helpful.

If you don't know that for certain please run the http://forum.joomla.org/viewtopic.php?f=621&t=582860 and post the results here.

... Removed the offending files (indx.php, stph.php and error.php) and also removed the user alexaalexa, but as for a long term fix or prevention I have no clue. ....

If you have no clue how to prevent it then how can you be so sure you know what actually caused it ? There is a stick post in this forum Before you post : read and action this that should help you. It explains that removing the offending files (that you find) is not enough. And may help you find out why you let a user get more permissions than you wanted.

...hopefully there'll be a patch to fix this in the near future before I get re-attacked.
...

There is no patch to fix the users failure to secure their sites. Nearly all websites(not just Joomla sites) get attacked frequently.to use the word "re-attcked" shows a flaw in your thinking process of the issue. The issue is not that your site got attacked but that an attack got through. That may appear pedantic but it is(in fact) an important difference. It shows that you make assumption without fully analysing things accurately.

... Removed the offending files (indx.php, stph.php and error.php) and also removed the user alexaalexa, but as for a long term fix or prevention I have no clue. I'll need to contact my hosting provider and inform them that I've done all I can, hopefully there'll be a patch to fix this in the near future before I get re-attacked.

Good luck guys.

[PhilD]

There are no known vulnerabilities in 2.5.6 as of this posting.

If you believe you have found a possible vulnerability in Joomla, please report it to the Joomla Security Strike Team first. You can contact the team via email at
security @ joomla .org (remove spaces).

Include as much supporting information on the vulnerability as possible.
Examples would include a log file entry snipit (not the whole log file)
Include the environment information. You can get the necessary information from the FPA script or you can list it.
Though FPA designed for forum reporting, Include the generated report results within your email as this will provide the environment information.

[PhilD]

Now that I have made the post again (mandville posted on page 1 about how) about how to contact the JSST.....

I do not believe the issue is with 2.5.6, but rather with the individual sites and how they were updated, not updated or otherwise improperly cleaned after a previous hack.

Earlier in this thread Brian stated:

.........you really need to understand the basics of web site security

1. The original poster was running out of date, unsupported versions of Joomla with known security issues
2. A hacker after finding a hole needs to place a file on your site so they can do even more nasty things. It makes the hackers life much much easier if they always put their file i the same place on every site that they exploit. So clearly any folder which is part of the core installation of joomla is a good place for them to place their files.

The location of the file does not have any relevance to the location of the hack. In fact it almost certainly means that the folder is not the source of the hole. Think about it if you can write to any folder on the server why would you chose the one with the hole in it. Thats just too obvious

Finally any webhost that says "they have had lots of sites with the same issue" is clearly indicating that their server was exploited and through that a file was placed in every site.

This exploit is therefore either at a server level or most likely through one of the old software version on one of the site and the host doesnt understand how to setup a secure web server where one exploited site doesnt mean that all the sites on the server will e exploited.

Time to get a new host who does understand the basics of secure web hosting and make sure that you keep your own web site up to date.

It is far too easy to blame others when the problem is staring you in the mirror each morning

What Brian has said would apply to everyone posting about 2.5 issues here.
As stated by both Brian and webdongle, locating a few files that don't belong will not get rid of the exploit. By not properly cleaning and repairing a hacked site you will cause an up to date Joomla install to be hacked as you never actually got rid of the backdoor files.

Everything I have read here so far has pointed to improper cleaning of sites/domains after being hacked. No one person has posted the results of running the FPA script from a hacked site. There is no magic pill, you must follow the proper procedures (all of them) or it is very likely the site(s) will remain hacked.

To assist with properly fixing your site(s) I am posting a copy of the before you post checklist http://forum.joomla.org/viewtopic.php?f=621&t=582854
following all of the checklist is important. Following what is convenient or taking shortcuts will probably leave the site hacked. I won't get into the why/how, but If there is more than one domain or site under a master account, then all must be cleaned, repaired properly as they are likely all infected.

Before you post your security/been hacked topic, it is suggested to do all of the following. Failure to follow the suggestions below may leave your site vulnerable to being hacked again in the future.

You must state what version of Joomla you were using when when the site first became hacked. This can make a difference as to how we approach your individual situation.

[ ] Download and RUN the Forum Post Assistant / FPA Instructions available here and are also included in the download package. Post the generated results in your security/been hacked topic. Use these links to download the FPA:
Download .tar.gz version or Download the .zip version NOTE: Do not download the FPA from any other website or links found on the Internet.

[ ] Ensure you have the latest version of Joomla for your 1.5 or 2.5 version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7 Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list or recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories More detailed information can be found in the security Checklist 7 link below.

Note: The forum post tool will work with all versions of Joomla. The FPA is written and maintained by the Joomla Security forum moderators.