The Joomla! Forum ™
PostPosted: Sun Sep 02, 2007 12:12 pm
Joomla! Explorer
Joined: Thu Aug 25, 2005 3:29 pm
Posts: 438
Location: Adelaide, South Australia
We have just had a hacking attempt on some of my sites using an exploit with a numerical php file (random number like 105242.php) with a unique .htaccess file. Maybe this Pivot Web Forum thread will help explain the techniques used: http://www.pivotlog.net/forum/viewtopic.php?t=11298&sid=ce8447cb5a8b2dcaf2bfa9349e1323e1

They cracked into a big server for one of my sites by some method we can't discover. They left 20 of these numeric.php files in 20 different directories plus a unique .htaccess file alongside the php file. The htaccess had just two lines like these:

Options -MultiViews
ErrorDocument 404 //administrator/backups/92328.php

The php file had content similar to that shown in the above-mentioned Forum thread.

The clue that folders had been hit was that they had been set to 777 instead of my usual 755 permissions, and the date matched right through the site.

Let me close with a couple of quotes from the above-mentioned thread:
"The beauty of this setup is that the attacker, when he wants to run the uploaded PHP files, doesn't have to access the files directly. Rather he (or she) accesses a file that doesn't exist ... Hence, there is no trace at all of using these two PHP files in the webserver logs..."
...
"What does this mean? When these scripts are run, they include/download PHP code from one of two servers above and since this remote code can be anything, the attacker can do anything (that can be done within PHP)!!"

and lastly they said, "This type of attack, inclusion of remote PHP code, requires that allow_url_fopen is On. If it's off, you'll always be safe."

That's why I make certain that there are no "world"-accessible directories that they can reach. Once they access a server, then your site is owned, and every other site within the server.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


PostPosted: Sun Sep 02, 2007 12:43 pm
Joomla! Exemplar
Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
In addition to "allow_url_fopen", there would still have had to be at least one directory allowing external writes, otherwise the files could not be written in the first place.

This is a reasonably common style of compromise. So the usual suspects still apply...

    Directory/File Permissions
    PHP register_globals ON
    RG_EMULATION ON
    Vulnerable Extensions

    Ensure that there are no hidden files
    (On Unix they will start with a "." (dot); also check for ". " (dot|space))

    Check your CRONTAB for unexpected cron tasks that call a hidden directory
    (These can regenerate the exploit, even if you delete the discovered files)

    Get your host to use "netstat -ae | grep [irc | 6667]" looking for unexpected IRC bots
    Don't forget to also look for unexpected but common processes or daemons in wrong locations;
    they don't always call themselves IRC

    The "MultiViews" .htaccess entry is common to allow IRC access to your server

To ensure complete cleansing after this type of compromise, it is better to completely wipe out anything from "public_html/" (or whatever your webroot is named) and down.

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Sun Sep 02, 2007 1:12 pm
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 11642
Location: The Girly Side of Joomla in Sussex
Could you please explain what
Quote:
Get your host to use "netstat -ae | grep [irc | 6667]" looking for unexpected IRC bots
actually does, and give an example of a crontab we should be looking for?

It seems this numeric php/htaccess thing has been around since at least March.

If found, and this combination is deleted, then the IPs making any calls for odd files in this directory/s should be blocked from your site.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Sep 02, 2007 1:17 pm
Joomla! Explorer
Joined: Thu Aug 25, 2005 3:29 pm
Posts: 438
Location: Adelaide, South Australia
Ok, let's check that list...
    Directory/File Permissions  All folders 755 / files 644
    PHP register_globals ON    Nope, OFF
    RG_EMULATION ON            Nope, OFF
    Vulnerable Extensions      Nope, not a one
    Ensure that there are no hidden files  Nope, not a one

Checking with the host I find that "irc bots are slammed, the netstat is also run.. the only two crons are the file change checking scripts". These crons have been set up on each site by the Host.

My guess is that they came through somebody else's compromised site.

Now, that being the case, is there anything we can do with our Joomla site that might protect against this "common" exploit?

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


PostPosted: Sun Sep 02, 2007 3:07 pm
Joomla! Exemplar
Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
@mandville
The netstat command shows the incoming and outgoing connections; the -ae shows "all" & "extended" to show all the ports. The grep option is looking for the word "irc" and the port "6667", which are the most common ports that IRC bots use.

As for the crontab, I couldn't tell you what it is going to look like; this would depend on what (if anything) they have left behind...


@ilox
Nope, nothing you can do at all if it came from internal... except maybe get a dedicated server. You appear to have a large number of problems with your current hosting, especially recently...

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Sun Sep 02, 2007 4:04 pm
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 11642
Location: The Girly Side of Joomla in Sussex
Thanks RussW, it was more for the "unknowledge" I was asking.

Regarding Ilox's problems, reading through his posts, there seem to have been 2/3 different servers involved, and different problems on each that culminate in one frustrated hot x - bunny!
One problem was solved using site backups, which seem to have set the perms at nobody/99, and despite the chown being run it doesn't seem to have an effect, or the effect is being reversed somewhere.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Tue Sep 04, 2007 8:13 pm
Joomla! Fledgling

Joined: Mon Nov 20, 2006 7:33 am
Posts: 1
Hello all.

My site was hacked today. How can I remove the hack? Just delete the files?
Does this hack have any effect on my MySQL database, or were only my files modified?
Please help me to correct my site.

Joomla! Register Globals Emulation: OFF
Register Globals: OFF
Magic Quotes:  ON
Safe Mode: OFF
File Uploads: ON
Session auto start: OFF

And: allow_url_fopen On

I can't change the allow_url_fopen to OFF? How can I defeat this hack?

Thanks.


PostPosted: Tue Sep 04, 2007 9:13 pm
Joomla! Master
Joined: Mon Mar 20, 2006 1:56 am
Posts: 11642
Location: The Girly Side of Joomla in Sussex
Was it hacked by the htaccess / 404 method? If so, then you must currently have some folders set at 777; shut these to 755 NOW.
Also, apart from deleting the 404/hta files in the writeable folders (the htaccess files will all contain the obvious call to the numeric php file), keep an eye on your logs for a libwww trying to call the numeric file in any format (normally jpg) and then ban that IP. Also notify your host about this and get them to deny the bad IP.
I cannot say if your DB is altered; scrub it and install from a backup.

On a side note, we notice that Fantastico installs Joomla with 777 folders, whereas the manual install does not, so it is much safer.
I have recently installed a fully workable site without having any folders set at 777.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
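The log check suggested above (watch for a client fetching the numeric file under any extension and ban that IP) as an added example; this is not code from the thread, and the log lines, IPs and user agents are constructed. It assumes Apache combined log format.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Last path segment is an all-digit name with any extension (the thread notes the
# attacker requests the numeric file "in any format, normally jpg"). Assumption:
# 4 or more digits; the thread says the dropped files are "usually 6 digits".
NUMERIC_PATH_RE = re.compile(r"/\d{4,}\.[A-Za-z0-9]+$")

def suspicious_hits(lines):
    """Group requests for numeric-named files by client IP.
    Returns {ip: {"count": n, "paths": [...], "agents": [...]}} so the caller
    can hand the IPs to a deny rule and see which agents made the calls."""
    hits = defaultdict(lambda: {"count": 0, "paths": [], "agents": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if NUMERIC_PATH_RE.search(path):
            rec = hits[m.group("ip")]
            rec["count"] += 1
            rec["paths"].append(path)
            if m.group("ua") not in rec["agents"]:
                rec["agents"].append(m.group("ua"))
    return dict(hits)

# Constructed sample: two libwww requests for numeric files from one address,
# one ordinary Joomla page view from another.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Sep/2007:20:01:13 +0000] "GET /images/105242.jpg HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [04/Sep/2007:20:02:44 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Sep/2007:20:05:09 +0000] "GET /administrator/backups/92328.php HTTP/1.1" 404 180 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for ip, rec in suspicious_hits(SAMPLE_LOG).items():
        print(ip, rec)
```

Note the status is 404 in both suspicious lines: as the first post's quotation explains, the planted ErrorDocument runs the script while the log records only a missing file, so filter on the path shape rather than the status.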


PostPosted: Wed Sep 05, 2007 12:13 am
Joomla! Explorer
Joined: Thu Aug 25, 2005 3:29 pm
Posts: 438
Location: Adelaide, South Australia
Hi 2des, in every folder first look for those folders set to 777 and having the same timestamp; they will be the ones that the hacking script has changed. Inside these folders you will find a .php file and an altered .htaccess file. The numeric file will be perhaps 156873.php or any random number like that, usually 6 digits. Alongside it will be the htaccess file; it will simply carry two lines pointing any 404 errors to whatever the filename of the numeric file is.

Just delete both of these files in every messed up directory. Look carefully, I found 20 sets of them in my site's folders. Reset your permissions back to a secure level, usually folders at 755, files at 644. Then make sure you have a strong .htaccess in the root of your site with a deny setting to the IP that comes looking for the hacked files.

And don't leave a folder at 777 except for the moments when you are making changes to it. Get into the habit of double-checking your permissions every time you have been making changes. These scum only need to find one 777 folder to get in and start causing you grief.

I have not noticed any events changed in the database.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List
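The clean-up walk described in the post above (777 folders sharing a timestamp, a numeric .php inside, an .htaccess routing 404s to it) as an added scanner; this is not code from the thread or from Joomla, and the sample tree it builds is constructed. The digit-count threshold and regexes are assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed indicators from the thread: an all-digit .php name ("usually 6 digits",
# 4 or more accepted here) and an ErrorDocument 404 line pointing at one.
NUMERIC_PHP_RE = re.compile(r"^\d{4,}\.php$")
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+404\s+(\S*?\d{4,}\.php)\s*$", re.M | re.I)

def error404_target(htaccess_text):
    """Return the numeric .php path an ErrorDocument 404 line points at, or None."""
    m = ERRORDOC_RE.search(htaccess_text)
    return m.group(1) if m else None

def scan_webroot(root):
    """Walk root and report each directory that is world-writable, holds a
    numeric .php, or carries an .htaccess routing 404s to one. The mtime is
    kept so hits sharing one timestamp (the thread's clue) can be grouped."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        mode = stat.S_IMODE(d.stat().st_mode)
        numeric = sorted(f for f in files if NUMERIC_PHP_RE.match(f))
        target = None
        if ".htaccess" in files:
            target = error404_target((d / ".htaccess").read_text(errors="replace"))
        if mode & stat.S_IWOTH or numeric or target:
            findings.append({"dir": str(d.relative_to(root)), "mode": oct(mode),
                             "world_writable": bool(mode & stat.S_IWOTH),
                             "numeric_php": numeric, "error404_target": target,
                             "mtime": int(d.stat().st_mtime)})
    return findings

def build_sample_webroot():
    """Constructed sample: one hit folder (777, numeric .php, planted .htaccess)
    and one clean folder (755). The .php body is a placeholder, not a dropper."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    hit = root / "images"
    hit.mkdir()
    (hit / "105242.php").write_text("<?php /* placeholder */ ?>\n")
    (hit / ".htaccess").write_text("Options -MultiViews\nErrorDocument 404 //images/105242.php\n")
    hit.chmod(0o777)
    clean = root / "components"
    clean.mkdir()
    (clean / "index.html").write_text("<html></html>\n")
    clean.chmod(0o755)
    return root

if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f)
```

Run it against the real webroot with `scan_webroot("/path/to/public_html")`; it only reads and reports, so deleting the pair and resetting permissions remains a manual step as the post advises.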


PostPosted: Thu Apr 29, 2010 9:01 pm
Joomla! Apprentice

Joined: Sat Aug 02, 2008 2:42 pm
Posts: 41
Does anyone know how this starts?

I've a feeling it came in from the host using an out-of-date H-Sphere platform rather than a vulnerability within Joomla 1.0.15 itself. The reason for this is that all writable folders had the .htaccess and 123456.php files; this included non-Joomla folders.
