[UPGRADE AVAIL.] ExtCalendar Vulnerability
-
- Joomla! Apprentice
- Posts: 8
- Joined: Wed May 24, 2006 4:52 pm
[UPGRADE AVAIL.] ExtCalendar Vulnerability
Anyone know how this component was hacked? Here are google results of other sites that have been hacked the same way: http://www.google.com/search?hl=en&lr=&q=irc.dal.nyet
Any info on this would be greatly appreciated!
MOD EDIT: Please see the link below for the post about the update. -RobS
http://forum.joomla.org/index.php/topic ... #msg402249
Last edited by RobS on Wed Jul 19, 2006 7:47 pm, edited 1 time in total.
-
- Joomla! Guru
- Posts: 842
- Joined: Sat Sep 10, 2005 10:31 pm
Re: ExtCalendar
FYI:
ExtCalendar Module for Mambo "mosConfig_absolute_path" File Inclusion Vulnerability
http://www.frsirt.com/english/advisories/2006/2711
edit: corrected url, don't know why last number was missing just by copy and paste
Last edited by friesengeist on Mon Jul 10, 2006 8:10 am, edited 1 time in total.
We may not be able to control the wind, but we can always adjust our sails
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: ExtCalendar
Any news from the developer?
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: ExtCalendar
This issue has also been forwarded to the devs here.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Apprentice
- Posts: 10
- Joined: Thu Apr 20, 2006 2:13 pm
Hacked site by ext calendar ?
A site that I built for a friend has just been hacked by someone claimed to necromance, they had basically replaced the configuration file with their own page. - I will look elsewhere but I will trash the site and rebuild rather than recover and run the risk that something else is there.
I was puzzled how, but fortunately I run a number of web logging programs which may reveal the route
They used a search via Yahoo to look for the string "Powered By ExtCalendar" that is the only page I can track.
My method was to note the timestamp of the file and compare to my logs, that was the only entry. The text left on the site was Turkish and lo and behold a visitor left a Turkish IP and Hostname - not 100% sure where to go with this, but looks pretty convincing to me.
Any after a data of some stuff, it's building a new site.
FYI
Joomla 1.0.10
Not sure on Ext Cal version
We have users on the site but no one is allowed to upload anything nor put entries into the calendar
Only user input is via a message board to registered users, I have removed the contact form as personally I believe there is a security issue with that (previously posted)
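The timestamp comparison described in this post, as an added Python example that is not part of the original thread: it pulls the access-log entries that fall just before a file's modification time and flags any host that made a rapid run of requests. The log lines, addresses, paths and the modification time are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefix shared by Apache common and combined log lines.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log: addresses are documentation ranges, paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jul/2006:03:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [08/Jul/2006:03:14:02 +0000] "GET /constructed/1 HTTP/1.1" 200 312
192.0.2.10 - - [08/Jul/2006:03:14:07 +0000] "GET /constructed/2 HTTP/1.1" 200 312
192.0.2.10 - - [08/Jul/2006:03:14:12 +0000] "GET /constructed/3 HTTP/1.1" 200 312
192.0.2.10 - - [08/Jul/2006:03:14:18 +0000] "GET /constructed/4 HTTP/1.1" 200 312
192.0.2.10 - - [08/Jul/2006:03:14:23 +0000] "GET /constructed/5 HTTP/1.1" 200 312
192.0.2.10 - - [08/Jul/2006:03:14:28 +0000] "GET /constructed/6 HTTP/1.1" 200 312
198.51.100.7 - - [08/Jul/2006:03:40:00 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()

# Constructed mtime of the replaced file. On a real host, take it from
# os.stat(path).st_mtime and convert with datetime.fromtimestamp(..., tz=timezone.utc).
MODIFIED_AT = datetime(2006, 7, 8, 3, 14, 28, tzinfo=timezone.utc)

def parse(line):
    """Return host, time, method, url and status for one log line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    host, ts, method, url, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"host": host, "time": when, "method": method, "url": url, "status": int(status)}

def requests_near(log_lines, modified_at, before=120, after=5):
    """Entries from `before` seconds ahead of the file change to `after` seconds past it."""
    lo = modified_at - timedelta(seconds=before)
    hi = modified_at + timedelta(seconds=after)
    hits = [r for r in map(parse, log_lines) if r and lo <= r["time"] <= hi]
    return sorted(hits, key=lambda r: r["time"])

def bursts(records, min_calls=6, window=30):
    """Map host -> seconds spanned by its first run of `min_calls` requests within `window`."""
    by_host = {}
    for r in records:
        by_host.setdefault(r["host"], []).append(r["time"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_calls + 1):
            span = (times[i + min_calls - 1] - times[i]).total_seconds()
            if span <= window:
                flagged[host] = span
                break
    return flagged

if __name__ == "__main__":
    suspects = requests_near(SAMPLE_LOG, MODIFIED_AT)
    for r in suspects:
        print(r["time"].isoformat(), r["host"], r["method"], r["url"], r["status"])
    print(bursts(suspects))
```

The server's log timezone and the filesystem's clock must agree for the window to be meaningful, which is why the timestamps here are timezone-aware.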
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Hacked site by ext calendar ?
Toemik, could you please PM me the relevant log information for review. Please don't publish it here.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Apprentice
- Posts: 10
- Joined: Thu Apr 20, 2006 2:13 pm
Re: Hacked site by ext calendar ?
sent via contact on your website
-
- Joomla! Apprentice
- Posts: 5
- Joined: Wed Dec 14, 2005 8:38 pm
Re: ExtCalendar
2 of my joomla sites were recently hacked via extcal2. Looks like some sort of code injection which allows modification of configuration.php???
Luckily I have regular site/db backups so just gotta delete/restore (and remove extcal I guess )
Dunno if its any use but some bits of the apache log relating to the hack (my site replaced with zzzzzz):
REMOVED FOR SECURITY.
Please do not post these calls publicly.
Last edited by nathandiehl on Mon Jul 10, 2006 1:29 pm, edited 1 time in total.
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: ExtCalendar
FYI,
ExtCal2 hasn't been developed in like 2 years. i wasn't expecting it to be ported to 1.5 anyway, so i am going to switch calendars.
and i got hacked, too. The hack was 6 server calls in a matter of 26 seconds, so it certainly seems to be automated, and probably widespread.
also FYI,
the root index.php file was replaced, but the fix was simply to re-upload a new index.php file (from a new install).
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: ExtCalendar
We are expecting a fix for ext_calendar as the developer is no longer active.
We will post here.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- danialt
- Joomla! Intern
- Posts: 63
- Joined: Fri Aug 19, 2005 7:39 am
- Contact:
Re: ExtCalendar
Put the
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
on the top of extcalendar.php..
It is a high level risk hole.
Last edited by danialt on Mon Jul 10, 2006 3:02 pm, edited 1 time in total.
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: ExtCalendar
From the information I have received about the com_extcalendar (com_extcal2) vulnerabilities, there are currently two flavors of the exploit circling around. To make matters worse, this component is no longer actively developed hence we don't expect a proper patch to come around soon enough to be effective so I can only recommend that you migrate to a newer/more actively developed calendar component. For those that need time to do this type of thing, I have added another mod_rewrite condition to the ruleset I have been developing that will hopefully address the exploits that are going around (one version was actually already blocked by my mod_rewrite rule set, I like good surprises!)
If you would like to go this route, you can find the mod_rewrite rules in this thread http://forum.joomla.org/index.php/topic,75376.0.html
Also, Elpie noticed that the vulnerability is caused by a lack of valid component checking that all Joomla files are supposed to do before they execute any code. The code below should be in every 3rd party component file.
Code: Select all
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
Another option for those of you that need time to migrate away from com_extCalender would be to manually insert those two lines of code toward the top (but underneath the first comment chunk that starts with /* and ends with */ ) of all the files that were installed by com_extCalender in the /path/to/Joomla/components/com_extcalender/ and /path/to/Joomla/administrator/components/com_extcalender/ directories. That will be a rather labor intensive project though because there are quite a few files and I cannot guarantee that addition will fix the problem all together.
Last edited by RobS on Mon Jul 10, 2006 3:05 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
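An added example (not part of the original post or of ExtCalendar's code): a Python audit that walks a component directory and reports each .php file where the `_VALID_MOS` guard quoted above is missing, commented out, or placed after other code. The sample files and the function names are constructed for illustration; point `audit()` at the real component directories to get the list of files that would need the manual edit.

```python
import re
import tempfile
from pathlib import Path

# Matches the guard quoted in the thread, tolerating spacing and quote style:
#   defined( '_VALID_MOS' ) or die( ... );
GUARD = re.compile(
    r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""", re.I)

def strip_comments(src):
    """Drop /* */, // and # comments so a commented-out guard does not count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?://|#).*$", "", src)

def guard_status(src):
    """Return 'ok', 'late' (guard present but after other code) or 'missing'."""
    code = strip_comments(src)
    m = GUARD.search(code)
    if not m:
        return "missing"
    # Only the opening tag and whitespace may precede the guard.
    before = re.sub(r"<\?(?:php)?", "", code[:m.start()], count=1, flags=re.I)
    return "ok" if before.strip() == "" else "late"

def audit(root):
    """Return {relative_path: status} for every .php file under root that is not 'ok'."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        status = guard_status(path.read_text(errors="replace"))
        if status != "ok":
            findings[path.relative_to(root).as_posix()] = status
    return findings

def demo():
    """Audit a constructed component tree written to a temporary directory."""
    samples = {
        "guarded.php": "<?php\n/* header */\n// no direct access\n"
                       "defined( '_VALID_MOS' ) or die( 'Restricted access' );\necho 1;\n",
        "unguarded.php": "<?php\n/* header */\ninclude($cfg . '/lib.php');\n",
        "admin/late.php": "<?php\nrequire_once($p);\ndefined('_VALID_MOS') or die('x');\n",
        "commented.php": "<?php\n// defined('_VALID_MOS') or die('x');\necho 1;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    for rel_path, status in demo().items():
        print(f"{status:8} {rel_path}")
```

A file reported as `ok` only has the guard in place; as the post says, that alone is not a guarantee that the component is safe.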
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Mon Apr 17, 2006 10:03 pm
Re: Hacked site by ext calendar ?
I have had a similar experience with a site that was hacked and defaced. It seems it was hacked via extcalendar.
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: ExtCalendar
MOD NOTE: EXT Threads merged.
Please look for an existing thread before starting a new thread. Thanks!
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: Hacked site by ext calendar ?
RobS wrote: Toemik, could you please PM me the relevant log information for review. Please don't publish it here.
I sent logfiles
Last edited by albi on Mon Jul 10, 2006 7:10 pm, edited 1 time in total.
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: ExtCalendar
That email address is not valid anymore. I have PMed you a new one.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Apprentice
- Posts: 45
- Joined: Thu May 11, 2006 10:34 pm
Re: ExtCalendar
My version of extCalendar2 has a similar "// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
" statement in the file.
What file has the "Powered by extCalendar" text? I can't find it and at least thought I should delete that reference.
Anyone know of a good calendaring program to change over to?
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: ExtCalendar
Which file are you referring to? The component installs quite a few files.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
If extcalendar is dying out, will anyone be creating a com for a new calendar interface??? Would really like to have one up and running. So far I've been lucky and I think it's mainly because I'm on VPS, but others hosted by the same company on shared servers have been hacked via extcalendar, at least that's what they think was the point of entry.
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: ExtCalendar
There is a com_events and another calendar that I have heard will be released tomorrow so stay tuned to the Extensions page and check that out.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- mom2nine
- Joomla! Intern
- Posts: 53
- Joined: Tue Aug 30, 2005 8:05 am
- Location: Virginia
- Contact:
Re: ExtCalendar
From what I've read, the exploit was posted online on Friday July 7th and the hack attacks began on Saturday the 8th. The hackers didn't seem to replace the index.php, they modified configuration.php. Seemed like two different hackers, however, one from Indonesia that posted a green "hacked" graphic with an "I'll be back" message, and one from Turkey (with some military type graphic and a musical background). Fortunately, they didn't damage any data, the database is still intact, it seemed like the access was limited to the equivalent of drive-by graffiti. But I spent about 24 hours over the weekend patching and upgrading and replacing stuff because of these creeps.
I saw a calendar component today called Thyme that appears to be ported for Joomla. Anyone have experience with it? I'm running news and information sites, we HAVE to have an events calendar. Never dreamed something like this would happen, especially since I'd upgraded to 1.10 in Joomla. Just goes to show, it can happen anytime, anywhere.
Anyone in favor of promoting some sort of severe penalty for hackers, like the amputation of a hand or something?
- RobinH
- Joomla! Enthusiast
- Posts: 177
- Joined: Mon Sep 19, 2005 6:29 pm
- Location: Lake Norman, North Carolina, USA
Re: ExtCalendar
I asked the question before doing the research and found at least three or four components/mods for calendar functions, however I'm going to wait and see how the upgrades go for these new issues. I've still got extcalendar running fine for now.
- Chinaman
- Joomla! Guru
- Posts: 575
- Joined: Sun Aug 21, 2005 8:46 am
- Location: Perth, Western Australia
- Contact:
Re: ExtCalendar
Yes I had a visit on one of my sites, however, could only see the alteration to the component file and an additional html file installed in site root. Checked config file, no changes there. Have uninstalled calendar as well as associated mods, will await to see new replacements.
Joomla! - enjoying every minute of the journey!
- alamgir99
- Joomla! Explorer
- Posts: 324
- Joined: Sat Aug 20, 2005 1:44 pm
- Location: Melbourne, Australia
Re: ExtCalendar
Hi
Consolation for me, I am not alone.
Right midnight my site was hacked in front of me! They changed the admin password, and then don't know what did.
I had to request a site restore to my hosting, (I don't have the privilege.)
Who can I blame!
alamgir
-
- Joomla! Explorer
- Posts: 251
- Joined: Mon Sep 05, 2005 3:50 pm
Re: ExtCalendar
Has anyone tried Events Calendar? There's a fairly recent beta release.
david
-
- Joomla! Apprentice
- Posts: 10
- Joined: Thu Apr 20, 2006 2:13 pm
Re: ExtCalendar
Hi RobS
Would like to PM the IP etc but unable to
You are not allowed to send personal messages
Am I missing a trick here on how to PMS
-
- Joomla! Enthusiast
- Posts: 160
- Joined: Sun Mar 12, 2006 7:11 pm
Re: ExtCalendar
Is there a new secure version of ExtCalender we can use?
-
- Joomla! Apprentice
- Posts: 34
- Joined: Tue May 23, 2006 3:33 pm
Re: ExtCalendar
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
insert this in extcal.php as far as i read this fixes the problem? RIGHT?
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: ExtCalendar
Floranett wrote: Is there a new secure version of ExtCalender we can use?
http://extensions.joomla.org/component/ ... Itemid,35/
Last edited by albi on Tue Jul 11, 2006 12:26 pm, edited 1 time in total.
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
-
- Joomla! Enthusiast
- Posts: 160
- Joined: Sun Mar 12, 2006 7:11 pm
Re: ExtCalendar
albi wrote:
Floranett wrote: Is there a new secure version of ExtCalender we can use?
http://extensions.joomla.org/component/ ... Itemid,35/
Thanks a lot albi m8, but can this be used with Mambo 4.5.3?
Mod. note: Fixed end quote tag -RobS
Last edited by RobS on Thu Jul 13, 2006 9:06 am, edited 1 time in total.