[UPGRADE AVAIL.] Site Hacked through rs_gallery

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
Locked
jdwl
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Fri Jun 30, 2006 10:25 pm

[UPGRADE AVAIL.] Site Hacked through rs_gallery

Post by jdwl » Fri Jun 30, 2006 11:23 pm

Hi,  one of my Joomla sites has been defaced twice in the last 24hours.  The script replaces the index.php and configuration.php with a html file which says "Site hacked by Musab Cyberwar has begun"

How it works is by dropping a php and .htaccess payload into any directory that has 777 permissions (like rs_gallery's upload folder).

What the payload does is two fold: 1: the .htaccess sets the 404 page for the folder to be the php payload (which has various names - such as 'contacts.php', download.php, links.php, package.php, remote.php) 2: once the php file is triggered by the .htaccess it downloads additional copies of itself and the defaced index.php from http://user9.mshtml.ru.

I replaced the defaced files from a backup - but missed some of the payload files so I got hit again.  Very annoying.

Hopefully this post can help others root this annoying script out of their servers.

Jeremy

update:  the full list of payload files is:
common.php
configs.php
contacts.php
create.php
date.php
guest.php
include.php
includes.php
messages.php
properties.php
remote.php
time.php
system.php
layout.php
finfo.php

Which I got from here: http://freebunch.linux-labs.net/?p=35 (which has a lot of useful info on removing this exploit).

Also this exploit has been discussed here previously - sorry for the repost - http://forum.joomla.org/index.php/topic,29169.0.html
Last edited by RobS on Wed Jul 19, 2006 7:32 am, edited 1 time in total.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site Hacked through rs_gallery

Post by infograf768 » Sat Jul 01, 2006 4:30 am

RSGallery has been updated yesterday to cope with this:
http://rsgallery2.net/
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

jasonrhl
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 205
Joined: Thu May 25, 2006 11:08 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by jasonrhl » Wed Jul 12, 2006 12:08 pm

I see that their site has been hacked..

Should rsgallery be removed from our sites?

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by hvanleeuwen » Wed Jul 12, 2006 12:23 pm

Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.

jasonrhl
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 205
Joined: Thu May 25, 2006 11:08 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by jasonrhl » Wed Jul 12, 2006 12:26 pm

O poo.

Do we know if anyone is working on getting these up to scratch cause they are very popular components.

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by hvanleeuwen » Wed Jul 12, 2006 12:39 pm

Check out the sites of the developers of those components, this situation is exactly why i started this;

http://forum.joomla.org/index.php/topic ... #msg391443

topic, I wish more people would join that discussion, maybe this new defacing/hacking spree will motivate more people though I would rather see it would motivate people without the need to.

Personally I think users of the mentioned components are in trouble if they want to keep using them for a.f.a.i.k. none of them are actively supported, even Joomlaboards development is very slow, well at least that's how I see it.

davidrrm
Joomla! Explorer
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by davidrrm » Wed Jul 12, 2006 12:40 pm

To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david

jasonrhl
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 205
Joined: Thu May 25, 2006 11:08 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by jasonrhl » Wed Jul 12, 2006 12:41 pm

the people who make joomlaboard cant even get their site working  ???

Is there a way to go over to another board with out losing everything?

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by hvanleeuwen » Wed Jul 12, 2006 12:45 pm

davidrrm wrote: To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david
I do not agree with that, I had Joomlaboard installed and it looks very likely they used that and extcallendar to hack and deface one of my sites, a friends site was hacked and defaced via simpleboard.

davidrrm
Joomla! Explorer
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by davidrrm » Wed Jul 12, 2006 12:52 pm

hvanleeuwen wrote:
davidrrm wrote: To be clear - JoomlaBoard is not affected by the recent security problems.

SimpleBoard does have a security issue and I believe the developers are working on an update (though if you are running Joomla!, you really should update to JoomlaBoard).

Extcalendar is not currently under development but we may be able to pull a patch together shortly.

david
I do not agree with that, I had Joomlaboard installed and it looks very likely they used that and extcallendar to hack and deface one of my sites, a friends site was hacked and defaced via simpleboard.
If you have ExtCalendar on your site, it would be hard to know whether or not JoomlaBoard had a vulnerability since we know ExtCalendar has a problem. Do you have the logfile from the attack? I'd be interested in looking at it as would the JoomlaBoard developers I'm sure. PM me if you have it.

We also know there is a simpleboard vulnerabilty which is not in JoomlaBoard.

The joomlaboard site is http://www.tsmf.net. It seems to be running fine right now.

david

Peter Koch
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by Peter Koch » Wed Jul 12, 2006 12:53 pm

hvanleeuwen wrote: Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.
The simpleboard and extcalendar vulnerabilities are confirmed.

At same time investigations were done if joomlaboard is also affected, and it turned out not to be so. If you have real information such as a server log for proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by hvanleeuwen » Wed Jul 12, 2006 12:54 pm

jasonrhl wrote: the people who make joomlaboard cant even get their site working  ???

Is there a way to go over to another board with out losing everything?
I haven't seen a forum that supports import of joomlaboard data, but there could be one of course.

Personally I decided to go for a more generic and more well known forum and am trying http://www.simplemachines.org now. There is a bridge to have it integrated with Joomla that works just fine.

My theory behind this choice is that a forum is a much used item and should be safe and full of features. If in a worse case scenario when for instance the bridge is broken or no longer developed I can always wrap the forum until there is a better solution. If that better solution turns out to be that I should switch to another forum, I would like it if my forum is well known enough that it is possible to import my data into the new forum via some kind of conversion system.

I think Simplemachines might just be the right choice for me.

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by hvanleeuwen » Wed Jul 12, 2006 12:56 pm

All my log files have already been sent to Joomla security yesterday.
Peter Koch wrote:
hvanleeuwen wrote: Personally I say YES! as should com_Joomlaboard and com_extcalendar which are also not safe at the moment.
The simpleboard and extcalendar vulnerabilities are confirmed.

At same time investigations were done if joomlaboard is also affected, and it turned out not to be so. If you have real information such as a server log for proof that there is another exploit affecting joomlaboard, please make it available by PM so it can be reviewed.

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by Elpie » Wed Jul 12, 2006 12:56 pm

Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).

RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.

I appreciate your concern over what you feel are discontinued extensions, however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developers contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge because no dev is going to bother coming back to work on something that has been thrown away.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

jasonrhl
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 205
Joined: Thu May 25, 2006 11:08 pm

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by jasonrhl » Wed Jul 12, 2006 1:03 pm

Thanks for everyones responses. It has put me at ease for now. I hope to see what the problem was with the rsgallery site and that they get on their feet again.

Thankyou

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [NOT JOOMLA VULNERABILITY] Site Hacked through rs_gallery

Post by hvanleeuwen » Wed Jul 12, 2006 1:05 pm

I have no intention to question your capabilaties Elpie, I am not hostile.

I am fully aware that developers have a life and thank god for that hehehe I don't want to go into the discontinued discussion here for I started that discussion with another forum topic already a while back.

I decided to remove Joomlaboard not only on the basis of this exploit only, if I happen to be wrong about Joomlaboards safety I truly apologize, at the moment I simply don't trust it and will only keep it running on two of my sites that are very low profile.
Elpie wrote: Whether you agree with it or not hvanleeuwen, David's comment just happens to be true. I have run the current exploits against Joomlaboard and failed to get in. (Before you ask, yes, I do know how to use the exploits).

RSGallery2 1.11.4 has been out for two weeks and there were security announcements on many sites to alert users of the need to upgrade. RSG found the vulnerabilities before they became exploits, so acted quickly and responsibly. Sure, their site has been hacked, but nobody should be jumping to any conclusions about how it was hacked.

I appreciate your concern over what you feel are discontinued extensions, however, this is open source and all code is developed and given to the community voluntarily. What may appear to someone as an abandoned extension may be some developers contribution that just has to take a step into the background while real life goes on. One sure way to guarantee that it becomes abandonware is if the projects are removed from the forge because no dev is going to bother coming back to work on something that has been thrown away.

User avatar
jonas37
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Aug 19, 2005 4:48 pm
Location: Portugal

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Post by jonas37 » Thu Jul 20, 2006 10:17 am

Letterman has same problem. My site was hacked using same exploid in letterman component

User avatar
hvanleeuwen
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 161
Joined: Thu Aug 18, 2005 8:08 am
Location: The Netherlands

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Post by hvanleeuwen » Thu Jul 20, 2006 11:54 am

Letterman has good suport, i'm sure the developer will help you out, you should at least tell him about it.

I am still getting hack attempts on extcalendar but they are useless because I have removed that component and am looking for a good replacement.

The other attempts I get are on com_pollxt, but they won't work since the developer already updated his component to deal with this exploit, praise for him!!

I have now switched the Register Globals off and applied the htaccess rules as explained in the security section of this forum, and have a strong feeling that so far I have done everything I can to prevent easy script kiddy defacements.

User avatar
jonas37
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Aug 19, 2005 4:48 pm
Location: Portugal

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Post by jonas37 » Thu Jul 20, 2006 6:01 pm

After a better look I'm not sure if was by letterman.
I've found the .htacess files on letterman, JCE, mambots (on jce editor related folders) , and flash rotator (witch needs 777 CMOD on images folder)
So might be hard to find where this starts.

Any way ... Huston we got a problem

karryberry
I've been banned!
Posts: 21
Joined: Wed Dec 19, 2007 10:36 pm

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Post by karryberry » Thu Dec 20, 2007 4:41 pm

how do hacker know this stuff? its astonishing.
smile

alyaa
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sun Mar 30, 2008 2:59 pm
Location: egypt
Contact:

Re: [UPGRADE AVAIL.] Site Hacked through rs_gallery

Post by alyaa » Mon Mar 31, 2008 1:54 pm

hello ..

I Read All Replies ,, But I Do Not Understand Somethings..

My Site hacked Last Week :'( .. And I have Rs gallery 2 Com ...

I Do Not Know How TO Update It ? And Is It Not Secure Or Not ?

I Can Not Open My Site Again :'( .. The Hacker Cause Many Problems To My site .. I Do NOt Know What To DO


Locked

Return to “3rd Party/Non Joomla! Security Issues”