[UPGRADE AVAIL.] Site Hacked through rs_gallery
-
- Joomla! Fledgling
- Posts: 3
- Joined: Fri Jun 30, 2006 10:25 pm
[UPGRADE AVAIL.] Site Hacked through rs_gallery
Hi, one of my Joomla sites has been defaced twice in the last 24 hours. The script replaces the index.php and configuration.php with an html file which says "Site hacked by Musab Cyberwar has begun"
How it works is by dropping a php and .htaccess payload into any directory that has 777 permissions (like rs_gallery's upload folder).
What the payload does is twofold: 1: the .htaccess sets the 404 page for the folder to be the php payload (which has various names - such as 'contacts.php', download.php, links.php, package.php, remote.php) 2: once the php file is triggered by the .htaccess it downloads additional copies of itself and the defaced index.php from http://user9.mshtml.ru.
I replaced the defaced files from a backup - but missed some of the payload files so I got hit again. Very annoying.
Hopefully this post can help others root this annoying script out of their servers.
Jeremy
update: the full list of payload files is:
common.php
configs.php
contacts.php
create.php
date.php
guest.php
include.php
includes.php
messages.php
properties.php
remote.php
time.php
system.php
layout.php
finfo.php
Which I got from here: http://freebunch.linux-labs.net/?p=35 (which has a lot of useful info on removing this exploit).
Also this exploit has been discussed here previously - sorry for the repost - http://forum.joomla.org/index.php/topic,29169.0.html
Last edited by RobS on Wed Jul 19, 2006 7:32 am, edited 1 time in total.
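As an added example (not code from the thread or from RSGallery), a POSIX shell scan for the pattern Jeremy describes: a .htaccess that hands 404s to a PHP file, world-writable directories where such a drop can land, and files carrying the payload names listed in the post. The directory layout it builds is a constructed fixture for demonstration only.

```sh
#!/bin/sh
# Added example, not code from the thread: scan a Joomla docroot for the
# dropper pattern Jeremy describes. It reports (a) .htaccess files that
# hand 404s to a .php file, (b) world-writable directories, and (c) files
# carrying one of the payload names listed in the post.

# Payload names taken from the post, plus the variants named in the text.
PAYLOAD_NAMES="common.php configs.php contacts.php create.php date.php guest.php
include.php includes.php messages.php properties.php remote.php time.php
system.php layout.php finfo.php download.php links.php package.php"

scan_for_dropper() {
    dir=$1
    # (a) the trigger: ErrorDocument 404 pointing at a PHP file
    find "$dir" -type f -name .htaccess 2>/dev/null | sort | while IFS= read -r f; do
        if grep -qiE '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+[^[:space:]]*\.php' "$f"; then
            printf '404-handler: %s\n' "$f"
        fi
    done
    # (b) anywhere a dropper could be written: world-writable directories
    find "$dir" -type d -perm -002 2>/dev/null | sort | while IFS= read -r d; do
        printf 'world-writable: %s\n' "$d"
    done
    # (c) files with one of the known payload names
    for n in $PAYLOAD_NAMES; do
        find "$dir" -type f -name "$n" 2>/dev/null
    done | sort | while IFS= read -r p; do
        printf 'payload-name: %s\n' "$p"
    done
    return 0
}

# Constructed fixture (hypothetical layout): one clean component directory and
# one 777 upload folder seeded the way the post describes. Prints the root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/components/com_content"
    printf 'Options -Indexes\n' > "$root/components/com_content/.htaccess"
    printf '<?php // harmless file\n' > "$root/components/com_content/clean.php"
    up="$root/images/rsgallery/uploads"
    mkdir -p "$up"
    chmod 777 "$up"
    printf 'ErrorDocument 404 /images/rsgallery/uploads/contacts.php\n' > "$up/.htaccess"
    printf '<?php // placeholder standing in for the dropped file\n' > "$up/contacts.php"
    printf '%s\n' "$root"
}

# Stand-alone demo on the constructed tree; point scan_for_dropper at a real
# docroot to use it for an actual check.
demo_root=$(make_sample_tree)
scan_for_dropper "$demo_root"
rm -rf "$demo_root"
```

Every hit is a lead to inspect, not proof of compromise on its own: a 777 directory is a hosting choice and a custom 404 page can be legitimate, but the combination inside an upload folder is exactly what the post describes.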
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site Hacked through rs_gallery
RSGallery has been updated yesterday to cope with this:
http://rsgallery2.net/
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Enthusiast
- Posts: 205
- Joined: Thu May 25, 2006 11:08 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
I see that their site has been hacked..
Should rsgallery be removed from our sites?
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.
-
- Joomla! Enthusiast
- Posts: 205
- Joined: Thu May 25, 2006 11:08 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
O poo.
Do we know if anyone is working on getting these up to scratch, because they are very popular components?
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
Check out the sites of the developers of those components. This situation is exactly why I started this topic: http://forum.joomla.org/index.php/topic ... #msg391443
I wish more people would join that discussion; maybe this new defacing/hacking spree will motivate more people, though I would rather see it motivate people without the need to.
Personally I think users of the mentioned components are in trouble if they want to keep using them, for a.f.a.i.k. none of them are actively supported. Even Joomlaboard's development is very slow, well at least that's how I see it.
-
- Joomla! Explorer
- Posts: 251
- Joined: Mon Sep 05, 2005 3:50 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
To be clear - JoomlaBoard is not affected by the recent security problems.
SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).
Extcalendar is not currently under development but we may be able to pull a patch together shortly.
david
-
- Joomla! Enthusiast
- Posts: 205
- Joined: Thu May 25, 2006 11:08 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
The people who make joomlaboard can't even get their site working.
Is there a way to go over to another board without losing everything?
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
I do not agree with that. I had Joomlaboard installed and it looks very likely they used that and extcalendar to hack and deface one of my sites; a friend's site was hacked and defaced via simpleboard.
davidrrm wrote: To be clear - JoomlaBoard is not affected by the recent security problems.
SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).
Extcalendar is not currently under development but we may be able to pull a patch together shortly.
david
-
- Joomla! Explorer
- Posts: 251
- Joined: Mon Sep 05, 2005 3:50 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
If you have ExtCalendar on your site, it would be hard to know whether or not JoomlaBoard had a vulnerability since we know ExtCalendar has a problem. Do you have the logfile from the attack? I'd be interested in looking at it as would the JoomlaBoard developers I'm sure. PM me if you have it.
hvanleeuwen wrote: I do not agree with that. I had Joomlaboard installed and it looks very likely they used that and extcalendar to hack and deface one of my sites; a friend's site was hacked and defaced via simpleboard.
davidrrm wrote: To be clear - JoomlaBoard is not affected by the recent security problems.
SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).
Extcalendar is not currently under development but we may be able to pull a patch together shortly.
david
We also know there is a simpleboard vulnerability which is not in JoomlaBoard.
The joomlaboard site is http://www.tsmf.net. It seems to be running fine right now.
david
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
The simpleboard and extcalendar vulnerabilities are confirmed.
hvanleeuwen wrote: Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.
At same time investigations were done if joomlaboard is also affected, and it turned out not to be so. If you have real information such as a server log for proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
I haven't seen a forum that supports import of joomlaboard data, but there could be one of course.
jasonrhl wrote: The people who make joomlaboard can't even get their site working.
Is there a way to go over to another board without losing everything?
Personally I decided to go for a more generic and more well known forum and am trying http://www.simplemachines.org now. There is a bridge to have it integrated with Joomla that works just fine.
My theory behind this choice is that a forum is a much used item and should be safe and full of features. In a worst-case scenario, when for instance the bridge is broken or no longer developed, I can always wrap the forum until there is a better solution. If that better solution turns out to be that I should switch to another forum, I would like it if my forum is well known enough that it is possible to import my data into the new forum via some kind of conversion system.
I think Simplemachines might just be the right choice for me.
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
All my log files have already been sent to Joomla security yesterday.
Peter Koch wrote: The simpleboard and extcalendar vulnerabilities are confirmed.
hvanleeuwen wrote: Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.
At same time investigations were done if joomlaboard is also affected, and it turned out not to be so. If you have real information such as a server log for proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).
RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.
I appreciate your concern over what you feel are discontinued extensions, however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developer's contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge, because no dev is going to bother coming back to work on something that has been thrown away.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
-
- Joomla! Enthusiast
- Posts: 205
- Joined: Thu May 25, 2006 11:08 pm
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
Thanks for everyone's responses. It has put me at ease for now. I hope to see what the problem was with the rsgallery site and that they get on their feet again.
Thank you
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery
I have no intention to question your capabilities Elpie, I am not hostile.
I am fully aware that developers have a life and thank god for that hehehe. I don't want to go into the discontinued discussion here, for I started that discussion with another forum topic already a while back.
I decided to remove Joomlaboard not only on the basis of this exploit. If I happen to be wrong about Joomlaboard's safety I truly apologize; at the moment I simply don't trust it and will only keep it running on two of my sites that are very low profile.
Elpie wrote: Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).
RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.
I appreciate your concern over what you feel are discontinued extensions, however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developer's contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge, because no dev is going to bother coming back to work on something that has been thrown away.
- jonas37
- Joomla! Apprentice
- Posts: 12
- Joined: Fri Aug 19, 2005 4:48 pm
- Location: Portugal
Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery
Letterman has the same problem. My site was hacked using the same exploit in the letterman component.
- hvanleeuwen
- Joomla! Enthusiast
- Posts: 161
- Joined: Thu Aug 18, 2005 8:08 am
- Location: The Netherlands
Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery
Letterman has good support, I'm sure the developer will help you out; you should at least tell him about it.
I am still getting hack attempts on extcalendar but they are useless because I have removed that component and am looking for a good replacement.
The other attempts I get are on com_pollxt, but they won't work since the developer already updated his component to deal with this exploit, praise for him!!
I have now switched the Register Globals off and applied the htaccess rules as explained in the security section of this forum, and have a strong feeling that so far I have done everything I can to prevent easy script kiddy defacements.
- jonas37
- Joomla! Apprentice
- Posts: 12
- Joined: Fri Aug 19, 2005 4:48 pm
- Location: Portugal
Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery
After a better look I'm not sure if it was by letterman.
I've found the .htaccess files on letterman, JCE, mambots (on jce editor related folders), and flash rotator (which needs 777 CHMOD on its images folder).
So it might be hard to find where this starts.
Anyway ... Houston, we've got a problem.
-
- I've been banned!
- Posts: 21
- Joined: Wed Dec 19, 2007 10:36 pm
Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery
How do hackers know this stuff? It's astonishing.
smile
-
- Joomla! Apprentice
- Posts: 33
- Joined: Sun Mar 30, 2008 2:59 pm
- Location: egypt
Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery
Hello..
I read all replies, but I do not understand some things.
My site was hacked last week, and I have the RS Gallery 2 component.
I do not know how to update it, and is it secure or not?
I cannot open my site again. The hacker caused many problems to my site. I do not know what to do.