[NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

User avatar
antonin
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sun Apr 30, 2006 11:59 pm
Location: Paris - France
Contact:

[NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby antonin » Wed Jun 28, 2006 5:37 pm

http://www.joomlafrance.org hacked the 28-06-2006  :'(
You do not have the required permissions to view the files attached to this post.
Last edited by stingrey on Sun Jul 02, 2006 4:05 pm, edited 1 time in total.

mauri
Joomla! Intern
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: JoomlaFrance.org Hacked

Postby mauri » Wed Jun 28, 2006 7:44 pm

Can you tell Joomla version ?

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: JoomlaFrance.org Hacked

Postby eyezberg » Wed Jun 28, 2006 7:54 pm

It seems it was updated to .10 already, we're waiting for Lexel's confirmation..
None of the other parts are affected so far luckily.
But it's still scary.
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: JoomlaFrance.org Hacked

Postby eyezberg » Wed Jun 28, 2006 8:01 pm

and what about Phil Taylors site, just a missing CSS or wrong link/ file name..?
You do not have the required permissions to view the files attached to this post.
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1122
Joined: Sat Aug 20, 2005 12:32 pm
Location: Weymouth, UK
Contact:

Re: JoomlaFrance.org Hacked

Postby PhilTaylor-Prazgod » Wed Jun 28, 2006 8:34 pm

I am currently working on my site - I am playing with a new CSS file - I must stress I AM DOING THIS I have NOT been hacked :-)

Thanks for looking out for me though :-)
Phil Taylor - Full Time Joomla/PHP Security Expert
Blue Flame IT Ltd.
-- https://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- https://www.phil-taylor.com/

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: JoomlaFrance.org Hacked

Postby eyezberg » Wed Jun 28, 2006 8:55 pm

Good!
Joomlafrance.org is fixed too.
Still waiting for lexel & hosting to tell us about this...
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: JoomlaFrance.org Hacked

Postby Elpie » Thu Jun 29, 2006 1:57 am

Remote command execution and cross-site scripting Joe :(
They usually only deface the index file but I would check that the site is not running with register_globals ON.

I can tell you what to look for in your logs so please email me if you want more info.

I PM'd you the information.
Last edited by Elpie on Thu Jun 29, 2006 2:02 am, edited 1 time in total.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: JoomlaFrance.org Hacked

Postby eyezberg » Thu Jun 29, 2006 5:54 am

thx Elpie, will let Lexel know ;)
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

thelightning
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Dec 01, 2005 9:36 pm

Re: JoomlaFrance.org Hacked

Postby thelightning » Thu Jun 29, 2006 9:57 pm

This d...g hacker group found something about joomla and mambo, they hack lots of sites with Joomla.  When you look http://www.[ ** removed hacker's list (kudos) **]/component/option, ... ers/page,2 you can see nearly all these sites were joomla or mambo made :( ... and if this joomlafrance.org hacked after r1.0.10, then what will we do?
Really scared.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: JoomlaFrance.org Hacked

Postby RobS » Thu Jun 29, 2006 10:08 pm

I don't think it has been confirmed that Joomlafrance.org was running Joomla 1.0.10 at the time it was hacked.  1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.  Furthermore, just because the homepage was defaced does not necessarily mean that a vulnerability in the Joomla core was exploited, it could have easily come from a 3rd party component.  I don't want to seem like I am doing the "Deny, Deny, Deny" act, but, we don't seem to have any information available on this attack.  Freaking out is not yet justified.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Chips
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Wed Sep 14, 2005 10:53 pm

Re: JoomlaFrance.org Hacked

Postby Chips » Thu Jun 29, 2006 10:15 pm

RobS wrote:  1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.


If a vulernability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: JoomlaFrance.org Hacked

Postby RobS » Thu Jun 29, 2006 10:18 pm

Chips wrote:
RobS wrote:  1.0.10 had been available for less than 48 hours when antonin posted that the website has defaced.


If a vulernability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.


I am not sure what you mean by that.  Could you please clarify?  Thanks in advance.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

thelightning
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Dec 01, 2005 9:36 pm

Re: JoomlaFrance.org Hacked

Postby thelightning » Thu Jun 29, 2006 10:30 pm

Chips wrote:If a vulernability isn't known and therefore fixed, then version number matters not, nor the time of release of the latest. I look forward to any further news though.


Yes, I'm surfing some hacking sites to find some clues about the vulnerability they used. May be they're using some vulnerabilities that we don't know yet.

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: JoomlaFrance.org Hacked

Postby Elpie » Fri Jun 30, 2006 12:46 am

Almost all Patriotic Hackers attacks get in the same way - through using cross-site scripting in an url and managing to find a site that is running with register_globals ON.  Most often they also use a file or directory that is set with full permissions of 777.

Of course Mambo and Joomla sites get hit - there are hundreds of thousands of them out there! The more popular a script is, the more chances there are for some installations of it to be left insecure. Simple.

The zone-h list is nothing more than a list of sites that have been reported as having been hacked. It does not say what version of any script the site was using when it was defaced, it does not say what the server setup was, nor what other scripts were being run on that site. Authoratative information comes from the security advisories and if you look at Secunia you will see that there have been very few confirmed vulnerabilities in either Mambo or Joomla over the lifetimes of these, and every single one of them has been fixed in later releases.

Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!
Last edited by Elpie on Fri Jun 30, 2006 3:03 am, edited 1 time in total.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: JoomlaFrance.org Hacked

Postby eyezberg » Fri Jun 30, 2006 9:11 am

Lexel hasn't given us the final conclusion on this, but apparently they would have gotten in via one of the joomla or mambo demo sites with all and every 3rd party component installed, so not easy to tell; at least not via the main site running .10
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

thelightning
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Thu Dec 01, 2005 9:36 pm

Re: JoomlaFrance.org Hacked

Postby thelightning » Fri Jun 30, 2006 9:18 am

Elpie wrote:Edit: FWIW, Microsoft France was hit by a defacing attack from a Turkish cracker too this week - and they were NOT using Joomla!


Small note:
Patriotic Hackers are not Turkish hackers, they're Kurdish rebels. MS France was defaced by another group.

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: JoomlaFrance.org Hacked

Postby Elpie » Fri Jun 30, 2006 9:47 am

I think you will find that "patriotic hackers" has become a generic term meaning all those crackers who hack sites to upload patriotic messages or deface them ;)
I was using the expression iin the general term, not as one identifying any particular ethnic or idealogical group.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: JoomlaFrance.org Hacked

Postby eyezberg » Fri Jun 30, 2006 7:18 pm

It appears they got in via on older Mambo demo and went from there.. .10 should be ok ;)
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

Chips
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Wed Sep 14, 2005 10:53 pm

Re: JoomlaFrance.org Hacked

Postby Chips » Sat Jul 01, 2006 1:04 pm

RobS wrote:I am not sure what you mean by that.  Could you please clarify?  Thanks in advance.


Certainly:

I misread what you posted slightly! :(
I thought you inferred that it couldn't be .10 as it was only released 48 hours before, not giving enough time to be hacked - hence my post.

Reading it again, it's quite clear you actually say ".10 has only been available for 48, so has the site may actually not have updated yet".

Sorry for the confusion, should read things a bit more carefully in future  8)

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: JoomlaFrance.org Hacked

Postby RobS » Sat Jul 01, 2006 4:11 pm

Oh, okay.  Thanks for clarifying!  :D
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

speleo
Joomla! Intern
Joomla! Intern
Posts: 80
Joined: Fri Oct 07, 2005 11:45 am

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby speleo » Mon Jul 10, 2006 1:54 pm

I'm running 1.0.10 and was hacked over the weekend by

              Hacked By Neuromancer Maviates Hack Team
              Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker

As far as my very quick initial investigation goes it looks like they just replaced the configuration.php with the code below. In retrospect I think that the file was 777 which wasn't too clever. It would be nice if there was some code which checked the security settings on a site and came back with recommendations. Should be pretty simple to check a load of files and directories for the correct rights.

Code: Select all

<title> Hacked By Maviates Hack Team | Neuromancer </title>


<head>
<STYLE>BODY {
   scrollbar-face-color: #000000;
   scrollbar-highlight-color: #000000;
   scrollbar-shadow-color: #000000;
   scrollbar-3dlight-color: #000000;
   scrollbar-arrow-color: #CC0000;
   scrollbar-track-color: #000000;
   scrollbar-darkshadow-color: #000000;
}
.page
{
   background-color: #EDEDED;
   color: #41444C;
}
TABLE.bit {
border-right: 1px solid #CFCFCF;
border-left: 1px solid #CFCFCF;
border-bottom: 1px solid #CFCFCF;
<title> Hacked By MaviAtes Hack Team ' Neuromancer '

}

td
{
   font: 8pt verdana, geneva, lucida, 'lucida grande', arial, helvetica, sans-serif;
}
.alt1
{
   background-color: #F7F7F7;
   color: #41444C;
}
</STYLE>

<meta http-equiv="Content-Language" content="tr">
</head>

<BODY bgColor=#000000 onload=teclear();>

<p align="center"></p>
<p align="center"><font face="Times New Roman"><b>
<font color="#FFFFFF" size="7">Hacked By
   Neuromancer</font></b></font></p>

<p align="center"><b><font face="Times New Roman" size="7" color="#FF0000">
<span lang="en-us"> </span>"<span lang="en-us"> </span><span lang="en-us"></span>Maviates Hack Team "


<span lang="en-us"></span></font></b></p>

<p align="center"><b><font color="#FFFFFF" size="5" face="Times New Roman">
Tim : Neuromancer ,OsSie ,CyBeR-HiJacKeR  ,NeGaTiFf ,Anatolian_Hacker
</font></b></p>
<P align=center><SPAN class=style1><img src="http://home.earthlink.net/~monsterbox/newsite/Images/jpgs/skeletonwitch%20copy.jpg" width="350" height="255"></SPAN>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Turkish Hackers Group ' Maviates Hack Team '</font></b></p>
<p align="center">
<b><font color="#FFFFFF" face="Times New Roman" size="6">
Benim Ülkemde  Ezan Susmaz ,Bayrak İnmez</font></b></p>

<EMBED src=http://www.ulkuocaklari.org.tr/muzik/mehter/14.asf width=20 height=15 hidden=true type=audio/mpeg true autostart="true" loop="-1">


<br />
<b>Warning</b>:  main(): open_basedir restriction in effect. File(/includes/version.php) is not within the allowed path(s): (/home/bertie/:/usr/lib/php:/usr/local/lib/php:/tmp) in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>:  main(/includes/version.php): failed to open stream: Operation not permitted in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />

<br />
<b>Fatal error</b>:  main(): Failed opening required '/includes/version.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in <b>/home/bertie/public_html/includes/joomla.php</b> on line <b>71</b><br />

speleo
Joomla! Intern
Joomla! Intern
Posts: 80
Joined: Fri Oct 07, 2005 11:45 am

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby speleo » Mon Jul 10, 2006 4:24 pm

On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are idenitified by Symantec as hacking tools.

oplaza
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Sat May 27, 2006 11:28 pm

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby oplaza » Mon Jul 10, 2006 9:57 pm

Hi I have been hacked during the weekend, and today, and im still receiving attacks :(

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet :(

any1 can help?

i hace deleted com_weblinks and dont have ext_calendar :(

plkease help

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby Peter Koch » Mon Jul 10, 2006 10:00 pm

oplaza wrote:Hi I have been hacked during the weekend, and today, and im still receiving attacks :(

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet :(

any1 can help?

i hace deleted com_weblinks and dont have ext_calendar :(

plkease help


You are running phpBB which is also targeted by the current attacks.

oplaza
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Sat May 27, 2006 11:28 pm

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby oplaza » Mon Jul 10, 2006 10:02 pm

Peter Koch wrote:
oplaza wrote:Hi I have been hacked during the weekend, and today, and im still receiving attacks :(

its curious because the only affected is http://www.rinconconsolas.net which is joomla 1.0.10
in rinconportatil.net which is joomla 1.0.4 i havent received attack ... yet :(

any1 can help?

i hace deleted com_weblinks and dont have ext_calendar :(

plkease help


You are running phpBB which is also targeted by the current attacks.


yes, but is versio 21 of phpbb which is latest so i dont understand :(

i think is something related with error_log exploit

gaspero1
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 10, 2006 10:00 pm

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby gaspero1 » Mon Jul 10, 2006 10:15 pm

"On further investigation it looks like I was hacked via an exploit in the ExtCalendar component. This replaced the configuration.php as listed above and added a ... directory to the component. This directory contained avi files for 5 films and a number of files (xh, http and error_log) which are idenitified by Symantec as hacking tools."

Speleo,

One of my clients' sites was attacked over the weekend as well, and it appears to be the same exploit.  Unfortunately, the client's host lied to them about doing backups and they don't have redundant servers.  Have you figured out how to solve the problem?  I've been able to remove at least some of the malicious code, but I haven't been able to fully restore the configuration.php or get the site back up and running yet.

Any ideas would be greatly appreciated by me and my client.

Thank you in advance.

OskarMaria
Joomla! Apprentice
Joomla! Apprentice
Posts: 14
Joined: Wed Sep 28, 2005 11:56 am

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby OskarMaria » Wed Jul 12, 2006 11:43 am

==>oplaza
It's not phpbb but the attachment-mod in the component.
See here:
http://www.joomlastuff.org/component/option,com_forum/Itemid,81/page,viewtopic/t,2937/

OM

oplaza
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Sat May 27, 2006 11:28 pm

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby oplaza » Wed Jul 12, 2006 6:50 pm

thanks !!

I have receibed today the error_log from my host...
and the error is in download.php as the post u sent says,
I have deleted the forum waiting for a solution.

thanks!!

User avatar
ahwoogamac
Joomla! Apprentice
Joomla! Apprentice
Posts: 23
Joined: Mon Sep 12, 2005 9:41 pm
Location: Atlanta, GA
Contact:

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby ahwoogamac » Wed Jul 12, 2006 8:26 pm

I design sites and I have had 3 clients attacked this weekend.  All three had ExtCalendar on them.  Two of them didn't have the "Direct Access Denied" fix added to them, but one did. However, none of them had the .htaccess fix mentioned in another thread about hacking Extcalendar, so this may solve the problem.  I have added both of these fixes on all my sites that use ExtCalendar.

For gaspero1:
It wasn't too hard at at all to restore the config file.  I just used one from anther one of my sites and changed the information (or there should be a configuration.php-dist file in your root folder that has a list of empty settings for you to fill in) .  As for the database info, I couldn't remember it, so I logged into cpanel, deleted the user, created a new username and password, and then gave them full permissions to the database.  This allowed me to copy the new info into the config file.  With all those changes made, the config file worked as good as new.
http://www.planetbobstudios.com

Akima: You can't call a planet "Bob."
Cale: So now you're the boss. You're the King of Bob.... No one said you have to live on Bob.

Cheetzy
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Wed Aug 13, 2008 11:30 am

Re: [NOT JOOMLA VULNERABILITY] JoomlaFrance.org Hacked

Postby Cheetzy » Wed Aug 13, 2008 11:31 am

I have been hacked by this during the night and am not experienced at web hosting and wondering what to do. Can anybody guide me through this?


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 2 guests