The Joomla! Forum ™





Posted: Wed Jun 28, 2006 5:37 pm
Joomla! Fledgling

Joined: Sun Apr 30, 2006 11:59 pm
Posts: 3
Location: Paris - France
http://www.joomlafrance.org hacked on 28-06-2006  :'(




Last edited by stingrey on Sun Jul 02, 2006 4:05 pm, edited 1 time in total.

Posted: Wed Jun 28, 2006 7:44 pm
Joomla! Intern

Joined: Mon Aug 22, 2005 6:47 pm
Posts: 64
Can you tell us the Joomla version?


Posted: Wed Jun 28, 2006 7:54 pm
Joomla! Hero

Joined: Thu Aug 25, 2005 5:48 pm
Posts: 2860
Location: Geneva mostly
It seems it was updated to .10 already, we're waiting for Lexel's confirmation..
None of the other parts are affected so far luckily.
But it's still scary.

_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Wed Jun 28, 2006 8:01 pm
Joomla! Hero

Joined: Thu Aug 25, 2005 5:48 pm
Posts: 2860
Location: Geneva mostly
And what about Phil Taylor's site, just a missing CSS or wrong link/file name..?



_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Wed Jun 28, 2006 8:34 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
I am currently working on my site - I am playing with a new CSS file - I must stress I AM DOING THIS I have NOT been hacked :-)

Thanks for looking out for me though :-)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Posted: Wed Jun 28, 2006 8:55 pm
Joomla! Hero

Joined: Thu Aug 25, 2005 5:48 pm
Posts: 2860
Location: Geneva mostly
Good!
Joomlafrance.org is fixed too.
Still waiting for lexel & hosting to tell us about this...

_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Thu Jun 29, 2006 1:57 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Remote command execution and cross-site scripting Joe :(
They usually only deface the index file but I would check that the site is not running with register_globals ON.

I can tell you what to look for in your logs so please email me if you want more info.

I PM'd you the information.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Last edited by Elpie on Thu Jun 29, 2006 2:02 am, edited 1 time in total.

Posted: Thu Jun 29, 2006 5:54 am
Joomla! Hero

Joined: Thu Aug 25, 2005 5:48 pm
Posts: 2860
Location: Geneva mostly
thx Elpie, will let Lexel know ;)

_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Thu Jun 29, 2006 9:57 pm
Joomla! Apprentice

Joined: Thu Dec 01, 2005 9:36 pm
Posts: 13
This d...g hacker group found something about joomla and mambo, they hack lots of sites with Joomla.  When you look at http://www.[ ** removed hacker's list (kudos) **]/component/option, ... ers/page,2 you can see nearly all these sites were joomla or mambo made :( ... and if this joomlafrance.org was hacked after r1.0.10, then what will we do?
Really scared.


Posted: Thu Jun 29, 2006 10:08 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
I don't think it has been confirmed that Joomlafrance.org was running Joomla 1.0.10 at the time it was hacked.  1.0.10 had been available for less than 48 hours when antonin posted that the website has been defaced.  Furthermore, just because the homepage was defaced does not necessarily mean that a vulnerability in the Joomla core was exploited; it could have easily come from a 3rd party component.  I don't want to seem like I am doing the "Deny, Deny, Deny" act, but we don't seem to have any information available on this attack.  Freaking out is not yet justified.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Jun 29, 2006 10:15 pm
Joomla! Apprentice

Joined: Wed Sep 14, 2005 10:53 pm
Posts: 13
RobS wrote:
  1.0.10 had been available for less than 48 hours when antonin posted that the website has been defaced.


If a vulnerability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.


Posted: Thu Jun 29, 2006 10:18 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Chips wrote:
RobS wrote:
  1.0.10 had been available for less than 48 hours when antonin posted that the website has been defaced.


If a vulnerability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.


I am not sure what you mean by that.  Could you please clarify?  Thanks in advance.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Jun 29, 2006 10:30 pm
Joomla! Apprentice

Joined: Thu Dec 01, 2005 9:36 pm
Posts: 13
Chips wrote:
If a vulnerability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.


Yes, I'm surfing some hacking sites to find some clues about the vulnerability they used. Maybe they're using some vulnerabilities that we don't know yet.


Posted: Fri Jun 30, 2006 12:46 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Almost all Patriotic Hackers attacks get in the same way - through using cross-site scripting in a URL and managing to find a site that is running with register_globals ON.  Most often they also use a file or directory that is set with full permissions of 777.

Of course Mambo and Joomla sites get hit - there are hundreds of thousands of them out there! The more popular a script is, the more chances there are for some installations of it to be left insecure. Simple.

The zone-h list is nothing more than a list of sites that have been reported as having been hacked. It does not say what version of any script the site was using when it was defaced, it does not say what the server setup was, nor what other scripts were being run on that site. Authoritative information comes from the security advisories and if you look at Secunia you will see that there have been very few confirmed vulnerabilities in either Mambo or Joomla over the lifetimes of these, and every single one of them has been fixed in later releases.

Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Last edited by Elpie on Fri Jun 30, 2006 3:03 am, edited 1 time in total.

Posted: Fri Jun 30, 2006 9:11 am
Joomla! Hero

Joined: Thu Aug 25, 2005 5:48 pm
Posts: 2860
Location: Geneva mostly
Lexel hasn't given us the final conclusion on this, but apparently they would have gotten in via one of the joomla or mambo demo sites with all and every 3rd party component installed, so not easy to tell; at least not via the main site running .10

_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Fri Jun 30, 2006 9:18 am
Joomla! Apprentice

Joined: Thu Dec 01, 2005 9:36 pm
Posts: 13
Elpie wrote:
Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!


Small note:
Patriotic Hackers are not Turkish hackers, they're Kurdish rebels. MS France was defaced by another group.


Posted: Fri Jun 30, 2006 9:47 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
I think you will find that "patriotic hackers" has become a generic term meaning all those crackers who hack sites to upload patriotic messages or deface them ;)
I was using the expression in the general term, not as one identifying any particular ethnic or ideological group.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Fri Jun 30, 2006 7:18 pm
Joomla! Hero

Joined: Thu Aug 25, 2005 5:48 pm
Posts: 2860
Location: Geneva mostly
It appears they got in via an older Mambo demo and went from there.. .10 should be ok ;)

_________________
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com


Posted: Sat Jul 01, 2006 1:04 pm
Joomla! Apprentice

Joined: Wed Sep 14, 2005 10:53 pm
Posts: 13
RobS wrote:
I am not sure what you mean by that.  Could you please clarify?  Thanks in advance.


Certainly:

I misread what you posted slightly! :(
I thought you inferred that it couldn't be .10 as it was only released 48 hours before, not giving enough time to be hacked - hence my post.

Reading it again, it's quite clear you actually say ".10 has only been available for 48, so the site may actually not have updated yet".

Sorry for the confusion, should read things a bit more carefully in future  8)


Posted: Sat Jul 01, 2006 4:11 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Oh, okay.  Thanks for clarifying!  :D

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Mon Jul 10, 2006 1:54 pm
Joomla! Intern

Joined: Fri Oct 07, 2005 11:45 am
Posts: 80
I'm running 1.0.10 and was hacked over the weekend by

              Hacked By Neuromancer Maviates Hack Team
              Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker

As far as my very quick initial investigation goes it looks like they just replaced the configuration.php with the code below. In retrospect I think that the file was 777 which wasn't too clever. It would be nice if there was some code which checked the security settings on a site and came back with recommendations. Should be pretty simple to check a load of files and directories for the correct rights.

Code:
<title> Hacked By Maviates Hack Team | Neuromancer </title>


<head>
<STYLE>BODY {
   scrollbar-face-color: #000000;
   scrollbar-highlight-color: #000000;
   scrollbar-shadow-color: #000000;
   scrollbar-3dlight-color: #000000;
   scrollbar-arrow-color: #CC0000;
   scrollbar-track-color: #000000;
   scrollbar-darkshadow-color: #000000;
}
.page
{
   background-color: #EDEDED;
   color: #41444C;
}
TABLE.bit {
border-right: 1px solid #CFCFCF;
border-left: 1px solid #CFCFCF;
border-bottom: 1px solid #CFCFCF;
<title> Hacked By MaviAtes Hack Team ' Neuromancer '

}

td
{
   font: 8pt verdana, geneva, lucida, 'lucida grande', arial, helvetica, sans-serif;
}
.alt1
{
   background-color: #F7F7F7;
   color: #41444C;
}
</STYLE>

<meta http-equiv="Content-Language" content="tr">
</head>

<BODY bgColor=#000000 onload=teclear();>

<p align="center"></p>
<p align="center"><font face="Times New Roman"><b>
<font color="#FFFFFF" size="7">Hacked By
   Neuromancer</font></b></font></p>

<p align="center"><b><font face="Times New Roman" size="7" color="#FF0000">
<span lang="en-us"> </span>"<span lang="en-us"> </span><span lang="en-us"></span>Maviates Hack Team "


<span lang="en-us"></span></font></b></p>

<p align="center"><b><font color="#FFFFFF" size="5" face="Times New Roman">
Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker
</font></b></p>
<P align=center><SPAN class=style1><img src="http://home.earthlink.net/~monsterbox/newsite/Images/jpgs/skeletonwitch%20copy.jpg" width="350" height="255"></SPAN>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Turkish Hackers Group ' Maviates Hack Team '</font></b></p>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Benim Ülkemde  Ezan Susmaz ,Bayrak İnmez</font></b></p>

<EMBED src=http://www.ulkuocaklari.org.tr/muzik/mehter/14.asf width=20 height=15 hidden=true type=audio/mpeg true autostart="true" loop="-1">


<br />
<b>Warning</b>:  main(): open_basedir restriction in effect. File(/includes/version.php) is not within the allowed path(s): (/home/bertie/:/usr/lib/php:/usr/local/lib/php:/tmp) in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>:  main(/includes/version.php): failed to open stream: Operation not permitted in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />

<br />
<b>Fatal error</b>:  main(): Failed opening required '/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />
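
The permission check the poster asks for above, sketched as an added example (not part of the original post and not Joomla code): it walks a web root, reports world-writable entries such as a 777 configuration.php, and flags a configuration.php that no longer starts with `<?php`. The sample tree, its file contents and the `com_example` component name are constructed for illustration.

```python
import os
import stat
import tempfile

CONFIG_NAME = "configuration.php"  # site settings file named in the post above


def audit_tree(root):
    """Return sorted (relative_path, issue) findings for a web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            # "Other"-writable entries (777, 666, ...) can be replaced by any
            # account on the server, which matters most on shared hosting.
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%04o)" % mode))
            # A healthy configuration.php is PHP source; the defaced one
            # quoted above began with HTML instead.
            if name == CONFIG_NAME and stat.S_ISREG(st.st_mode):
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(64)
                except OSError:
                    findings.append((rel, "unreadable"))
                    continue
                if not head.lstrip().startswith(b"<?php"):
                    findings.append((rel, "does not start with <?php"))
    return sorted(findings)


def make_sample_site(root):
    """Build a small constructed tree; names and contents are made up."""
    dirs = [("includes", 0o755), ("components", 0o755),
            ("components/com_example", 0o777)]
    files = [("index.php", 0o644, b"<?php echo 'ok';\n"),
             ("configuration.php", 0o777, b"<title>defaced</title>\n"),
             ("includes/joomla.php", 0o644, b"<?php // core\n"),
             ("components/com_example/example.php", 0o644, b"<?php // x\n")]
    for rel, mode in dirs:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # set explicitly so the umask cannot interfere
    for rel, mode, data in files:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        make_sample_site(site)
        for rel, issue in audit_tree(site):
            print("%-28s %s" % (rel, issue))
```

An empty result only means these two checks passed; it says nothing about vulnerable components or server settings such as register_globals.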


Posted: Mon Jul 10, 2006 4:24 pm
Joomla! Intern

Joined: Fri Oct 07, 2005 11:45 am
Posts: 80
On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are identified by Symantec as hacking tools.


Posted: Mon Jul 10, 2006 9:57 pm
Joomla! Apprentice

Joined: Sat May 27, 2006 11:28 pm
Posts: 12
Hi, I have been hacked during the weekend, and today, and I'm still receiving attacks :(

It's curious because the only one affected is http://www.rinconconsolas.net which is Joomla 1.0.10;
in rinconportatil.net which is Joomla 1.0.4 I haven't received an attack ... yet :(

Can anyone help?

I have deleted com_weblinks and don't have ext_calendar :(

Please help


Posted: Mon Jul 10, 2006 10:00 pm
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:54 pm
Posts: 374
oplaza wrote:
Hi, I have been hacked during the weekend, and today, and I'm still receiving attacks :(

It's curious because the only one affected is http://www.rinconconsolas.net which is Joomla 1.0.10;
in rinconportatil.net which is Joomla 1.0.4 I haven't received an attack ... yet :(

Can anyone help?

I have deleted com_weblinks and don't have ext_calendar :(

Please help


You are running phpBB which is also targeted by the current attacks.


Posted: Mon Jul 10, 2006 10:02 pm
Joomla! Apprentice

Joined: Sat May 27, 2006 11:28 pm
Posts: 12
Peter Koch wrote:
oplaza wrote:
Hi, I have been hacked during the weekend, and today, and I'm still receiving attacks :(

It's curious because the only one affected is http://www.rinconconsolas.net which is Joomla 1.0.10;
in rinconportatil.net which is Joomla 1.0.4 I haven't received an attack ... yet :(

Can anyone help?

I have deleted com_weblinks and don't have ext_calendar :(

Please help


You are running phpBB which is also targeted by the current attacks.


Yes, but it is version 21 of phpbb which is the latest so I don't understand :(

I think it is something related to the error_log exploit


Posted: Mon Jul 10, 2006 10:15 pm
Joomla! Apprentice

Joined: Mon Jul 10, 2006 10:00 pm
Posts: 6
"On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are identified by Symantec as hacking tools."

Speleo,

One of my clients' sites was attacked over the weekend as well, and it appears to be the same exploit.  Unfortunately, the client's host lied to them about doing backups and they don't have redundant servers.  Have you figured out how to solve the problem?  I've been able to remove at least some of the malicious code, but I haven't been able to fully restore the configuration.php or get the site back up and running yet.

Any ideas would be greatly appreciated by me and my client.

Thank you in advance.


Posted: Wed Jul 12, 2006 11:43 am
Joomla! Apprentice

Joined: Wed Sep 28, 2005 11:56 am
Posts: 14
==>oplaza
It's not phpbb but the attachment-mod in the component.
See here:
http://www.joomlastuff.org/component/option,com_forum/Itemid,81/page,viewtopic/t,2937/

OM


Posted: Wed Jul 12, 2006 6:50 pm
Joomla! Apprentice

Joined: Sat May 27, 2006 11:28 pm
Posts: 12
thanks !!

I have received the error_log from my host today...
and the error is in download.php as the post you sent says,
I have deleted the forum waiting for a solution.

thanks!!


Posted: Wed Jul 12, 2006 8:26 pm
Joomla! Apprentice

Joined: Mon Sep 12, 2005 9:41 pm
Posts: 23
Location: Atlanta, GA
I design sites and I have had 3 clients attacked this weekend.  All three had ExtCalendar on them.  Two of them didn't have the "Direct Access Denied" fix added to them, but one did. However, none of them had the .htaccess fix mentioned in another thread about hacking Extcalendar, so this may solve the problem.  I have added both of these fixes on all my sites that use ExtCalendar.

For gaspero1:
It wasn't too hard at all to restore the config file.  I just used one from another one of my sites and changed the information (or there should be a configuration.php-dist file in your root folder that has a list of empty settings for you to fill in).  As for the database info, I couldn't remember it, so I logged into cpanel, deleted the user, created a new username and password, and then gave them full permissions to the database.  This allowed me to copy the new info into the config file.  With all those changes made, the config file worked as good as new.

_________________
http://www.planetbobstudios.com

Akima: You can't call a planet "Bob."
Cale: So now you're the boss. You're the King of Bob.... No one said you have to live on Bob.


Posted: Wed Aug 13, 2008 11:31 am
Joomla! Fledgling

Joined: Wed Aug 13, 2008 11:30 am
Posts: 1
I have been hacked by this during the night and am not experienced at web hosting and wondering what to do. Can anybody guide me through this?

