Site hacked through extcalendar component

[tfuller]

For no apparent reason our site was hacked. After consulting this forum I determined that the hacker got in through the extCalendar component - which had disappeared off the Joomla Extensions pages and for good reason - it apparently didn't have the required security in it that checks for a valid MOS.

The hacker was able to replace our configuration.php file - and that enabled him/her to redirect the site to their own. Once I replaced the file with one from a backup the site was restored. I then got rid of extCalendar.

Here is the code used in case anyone is interested in stopping attacks like this in the future:

















[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]





BODY { SCROLLBAR-BASE-COLOR: #000000; SCROLLBAR-ARROW-COLOR: #336E01; }

.genmed { font-size : 11px; }

.genmed { color : #336E01; }

 







 

   

     

     

     

     

           

           

            by



           

            [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

           

           



[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]







iskorpitx

|

eno7

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

| [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

| [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

ata1944|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

[MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]

|

      [MOD EDIT: Script Kiddie reference removed. We prefer not to promote script kiddie egoboo]







   

 









 









Mod Edit: Links removed. -RobS

[Jenny]

Please read through the various postings http://forum.joomla.org/index.php/board ... html.  A number of extensions are insecure.  Please update any extensions you have on your site, either install a clean installation of Joomla with updated extensions and then restore your data from your database, or go through each and every folder and file in your current installation to make sure there are no hidden files buried in your current installation before making it live again.

Best practices for security are to subscribe to the Announcement forum regarding updates to Joomla!, but more importantly also keep an eye by subscribing (if available) to any annoucements from the extensions that you use.  Keep track of your versions to make sure you are running the most current and secure version of any of your extensions.

BACK UP your files and your database on a regular basis so that recovering from sudden problems isn't a heartache and a headache.  If you have good clean backups the restore and update process can be quite a lot less painful.

Make sure your hosting company is following best practices for security on their servers and more can be read about that in various posts throughout the security forum.

Permissions on your files should be 644 or for folders 755.  If you need to change or add anything, you can make both writable for the short period you are updating/changing - then set permissions back to unwritable.

There is no surefire way to be protected from all security issues, due to the fact that as a security issue is solved, the people that wish to crack/hack find ways around the fixes to do what they want to do.  Using good basic security practices will help protect you.

• Back up regularly and keep a local copy of your site on your local machine
• Make sure your permissions are the most secure you can make them
• Update any and all programs or extensions you may use to create your site, keep informed of security issues and update immediately
• Watch your log files for any suspicious activity or useage at your site

[davidrrm]

There is a new release of ExtCalendar that fixes the security problems -

Information about that is here - http://forum.mamboguru.com/showthread.php?t=318.

david

[amb_shah]

one of my sites was hacked too,
i just noticed it when someone overwrote the configuration file.
when i went through the logs i found that the attack had started on June 30 and continued till date.
thanks to the party that overwrote the configuration file i was able to notice it.

the culprit was the extcalendar component...
also i found a file called proxy.tgz i can neither delete it or rename it
so i downloaded it and extracted the contents it contains a folder
"pro "
and two files
prox
xh
these are executables (my cpanel says so )

i think this has something to do with a sleeper program waiting to obey its masters command.
have notified my hosting provider.

[rliskey]

Found trojan horse in the com_extcalendar directory: PHP.RSTBackdoor
Exposes files, and allows db dumps.

More info: http://www.symantec.com/security_respon ... 99&tabid=3