The Joomla! Forum ™





Posted: Thu Jul 19, 2007 4:24 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
If you have Expose Flash Gallery RC4 installed:

1. Remove the file, uploadimg.php from /administrator/components/com_expose.

NOTE: NOT the uploadimage.php file.

2. Manually (via FTP or JoomlaXplorer) inspect the directory, /components/com_expose/expose/img. There shouldn't be any .php files in this directory. If there are, delete them and begin full site recovery.

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


Last edited by rliskey on Thu Jul 19, 2007 4:33 am, edited 1 time in total.

Posted: Thu Jul 19, 2007 9:50 am
Joomla! Apprentice

Joined: Fri Apr 14, 2006 2:24 pm
Posts: 14
Many thanks for that - I got hit overnight with a hack and the only thing that's new on my site is the Expose installation.  Looks like that's what's caused my problems.


Posted: Thu Jul 19, 2007 11:35 am
Joomla! Fledgling

Joined: Thu Jul 19, 2007 11:30 am
Posts: 4
Addition to point no 2: I found in the img-directory a "r.php.jpg". Perhaps heavy camouflage?!


Posted: Thu Jul 19, 2007 5:16 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
I will work on a patch tonight. Thanks for the update. Please watch this page for updates: http://joomlacode.org/gf/project/expose/

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Thu Jul 19, 2007 7:06 pm
Joomla! Apprentice

Joined: Mon Aug 29, 2005 11:07 pm
Posts: 13
I got hit this morning also.  Thanks for highlighting the vulnerable file.  I also noted the following files that were created (at least for my attack):

/components/rr.php
/cc.php
/components/com_expose/img/aa.php.jpg
/index.php (modified)

Error logs located in root, /components, and /components/com_expose/img/ also indicate activity.


Posted: Thu Jul 19, 2007 9:35 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
Fix is posted here: http://joomlacode.org/gf/download/frsre ... _patch.zip

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Thu Jul 19, 2007 9:41 pm
Joomla! Fledgling

Joined: Thu Jul 19, 2007 11:30 am
Posts: 4
Thanks for your work!


Posted: Thu Jul 19, 2007 9:43 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
Hackers suck!! >:(  I don't understand why they hack people giving away free software? Go hack Microsoft.... ???

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Thu Jul 19, 2007 10:06 pm
Joomla! Apprentice

Joined: Mon Apr 09, 2007 5:25 pm
Posts: 14
I've been defaced twice today. So many thanks for the quick response with the patch.
Tony


Posted: Thu Jul 19, 2007 11:24 pm
Joomla! Apprentice

Joined: Mon Aug 29, 2005 11:07 pm
Posts: 13
I was hacked on one site and saw evidence (a very suspicious .php file in the img directory) of a pending hack on another site.

Many thanks for the speedy response. 


Posted: Fri Jul 20, 2007 12:36 am
Joomla! Apprentice

Joined: Sun Aug 21, 2005 3:21 am
Posts: 24
Location: Lafayette, Indiana
IMPORTANT!  The added php files found in the image directory MAY be php shell access scripts.   The hacker, in our case, simply replaced the index.php file.  However, the damage could have been much worse.

In short, patching stops further hacks.  But leaving these added php scripts means your entire install is vulnerable until all are removed.

With hackers becoming smarter and sites with vulnerable files to be found easily using Google ... remember to backup your Joomla sites daily.

_________________
Dave
One Technologies, Inc.
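
Added example (not part of the original thread and not Expose project code): a Python sketch of the manual check described above, covering the .php files in the img directory, double extensions such as "r.php.jpg", and files dropped in album sub-folders. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

IMAGE_MAGIC = {  # leading bytes of the image types a gallery normally stores
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}  # assumed list

def classify(path):
    """Return the reasons (possibly none) why one uploaded file looks suspicious."""
    exts = [s.lower() for s in path.suffixes]   # every extension, not only the last
    with path.open("rb") as fh:
        head = fh.read(4096)
    reasons = []
    if any(e in SCRIPT_EXTS for e in exts):
        reasons.append("script extension in name")
    if exts and exts[-1] in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[exts[-1]]):
        reasons.append("image extension but no image header")
    if b"<?php" in head.lower():
        reasons.append("PHP open tag in first 4 KiB")
    return reasons

def scan(root):
    """Walk root recursively; map relative POSIX path -> reasons for flagged files."""
    root = Path(root)
    found = ((p, classify(p)) for p in sorted(root.rglob("*")) if p.is_file())
    return {p.relative_to(root).as_posix(): why for p, why in found if why}

def demo():
    """Build a constructed sample tree (harmless placeholders) and scan it."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",        # genuine JPEG header
        "r.php.jpg": b"<?php /* constructed placeholder */ ?>",  # double extension
        "aa.php": b"<?php /* constructed placeholder */ ?>",
        "album1/pic.gif": b"GIF89a<?php /* constructed */ ?>",   # image header, script body
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(tmp)

if __name__ == "__main__":
    print("\n".join(f"{rel} -> {'; '.join(why)}" for rel, why in demo().items()))
```

On a real site, call scan() on the gallery's img directory and on the site root; a valid image header alone does not clear a file, which is why the PHP-tag check runs independently of the extension checks.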


Posted: Fri Jul 20, 2007 1:02 am
Joomla! Apprentice

Joined: Mon Oct 16, 2006 1:33 am
Posts: 10
Saw this too late and got hacked. Hackers do suck...it was caused by Expose...

Lee


Posted: Fri Jul 20, 2007 6:05 pm
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
The beauty of GNU/GPL :pop

1. July 18, 2007: Vulnerability discovered at ISP and quickly reported to the actual developer.

2. July 18, 2007, 09:24:54 PM: Full disclosure of vulnerability to the community.

3. July 19, 2007, 02:35:52 PM: Developer works overnight and releases a free patch.

4. Free patch is made available worldwide on a free community forum and a free developer forge.

No...
  ...top-level marketing meeting to discuss damage control,
  ...poor fall guy chosen to absorb internal blamestorming,
  ...executive approval required for CYA of upwardly mobile, gutless, brown nosers before real action begins,
  ...FUD or delaying tactics,
  ...secret bug fixes added to expensive "upgrades" to be released "sometime soon."

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


Posted: Fri Jul 20, 2007 6:17 pm
Joomla! Apprentice

Joined: Mon Oct 16, 2006 1:33 am
Posts: 10
Yeah, great stuff and nice work!


Posted: Fri Jul 20, 2007 8:10 pm
Joomla! Apprentice

Joined: Fri Jul 20, 2007 8:09 pm
Posts: 9
Great thanks.

No offense to the Expose guys, but who the hell codes an upload PHP app and allows any file to go through? Especially PHP?? And doesn't even check image header info.. I mean come on guys..


Posted: Fri Jul 20, 2007 9:45 pm
Joomla! Apprentice

Joined: Sun Dec 24, 2006 5:54 pm
Posts: 17
Location: Antwerp
... a piece of forgotten code from an earlier Joomla release...
Since it is not often used (only at configuration) by Expose, I recommend removing this script (/administrator/components/com_expose/uploadimg.php), together with an old uploadimage.php, until this part of the code has been reviewed.

The hack places code in the /img folder and sometimes additional files in an album folder.


Posted: Fri Jul 20, 2007 11:53 pm
Joomla! Apprentice

Joined: Fri Jul 20, 2007 1:07 am
Posts: 6
My site was hacked earlier this week, with another attempt today. The hackers had uploaded a cc.php file into my main web directory, allowing them to use the C99 shell, and browse freely through my server. I removed the file, and replaced the index.php. Up until now, I thought I had made everything secure and safe....

Checked my stats today, using statcounter, showed a hit to my site from Iasi Romania. The hacker was directed to my site after searching for the com_expose using the following search topic:

search.live.com/results.aspx?q=%22option%2Ccom_expose%22 site%3Acom&first=181&FORM=PORE

Unluckily for me, my site was #1.

However, this time, they uploaded 2 php files, masked as jpg files, aa.php.jpg and adx.php.jpg. After downloading them from the server and renaming them to aa.php and adx.php, it was made clear that this was an attempt to hack my site, again, as adx.php is a web-based file manager.

But now I'm stumped... I did not have the uploadimg.php or uploadimage.php files in my /administrator/com_expose/ folder, nor any other folder on my ftp.....

any suggestions? Maybe they deleted the files after getting into the site?


Posted: Sat Jul 21, 2007 4:37 am
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
For now make sure you remove both the uploadimg.php and the uploadimage.php. We have a full blown package replacement going up again later tonight. I will also update the security package again tonight. Sorry for the hassle this caused anyone. Sometimes you just overlook the small things.  :(

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Sat Jul 21, 2007 4:53 am
Joomla! Apprentice

Joined: Sun Nov 12, 2006 5:52 pm
Posts: 38
hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).

but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem?

thanks - i'm not an experienced web manager so i appreciate any help.


Posted: Sat Jul 21, 2007 6:42 am
Joomla! Ace

Joined: Thu Aug 18, 2005 1:16 am
Posts: 1015
Location: Glendale, CA, USA
I got hacked too.

Question: on the same account as my Expose domain I have 8 other domains hosted. Do you think they are affected too?

_________________
http://www.virtueshop.net


Posted: Sat Jul 21, 2007 11:25 am
Joomla! Fledgling

Joined: Thu Jul 19, 2007 11:30 am
Posts: 4
Another domain, on which I use exposé as well, was infected too. But fortunately the problem is solved now. I recommend an immediate checkup of all domains where you use exposé.


Posted: Sat Jul 21, 2007 4:52 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
axl_fugazi wrote:
hi so my site got hacked as well. am using expose. i removed the .php and one .jpg file from the components/com_expose/expose/img directory and replaced the index.php file (as mentioned above).

but i notice a fix was posted with a link. that link does not work. what else do i have to do to prevent a repeat of this problem?

thanks - i'm not an experienced web manager so i appreciate any help.


The link is here http://joomlacode.org/gf/download/frsre ... 7.2007.zip it is best to always watch the root here: http://joomlacode.org/gf/project/expose/frs/  , the link changes every time I update the package. My apologies for that.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Last edited by doctorj on Sat Jul 21, 2007 5:00 pm, edited 1 time in total.

Posted: Mon Jul 23, 2007 12:50 pm
Joomla! Intern

Joined: Wed May 02, 2007 7:34 am
Posts: 56
i've done everything as explained and still seems the same...


what i've done:

removed all .php files in 'img' directory
removed the two .php files >uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download


I've done all the above and i still can't access my site, please help me.


Last edited by yazeft on Mon Jul 23, 2007 2:25 pm, edited 1 time in total.

Posted: Mon Jul 23, 2007 4:28 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
You might want to try to use JoomlaXplorer but chmod the main administrator/components/com_expose folder to 777 and check the box to recurse into sub-directories. Sometimes (depending on how your hosting provider configured the server) the files are uploaded and owned by "nobody" or "httpd" instead of your user account so you can remove them.

After you delete the files make sure you set the directory back to 755 and the files inside the folder to 644.

If this doesn't work contact your hosting provider and someone with root access can remove them for you.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Mon Jul 23, 2007 4:41 pm
Joomla! Fledgling

Joined: Mon Jul 23, 2007 4:36 pm
Posts: 2
I can't change the CHMOD via ftp "550 admin.expose.html.php: Operation not permitted"
I cannot connect to my site: www.wanderfreunde-edelweiss.net to use the joomlaexplorer...

I've got a full backup of the FTP data - what files do I need to replace in order to get access to the site again?


Posted: Mon Jul 23, 2007 4:43 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
At this point you will need to contact your hosting provider so they can delete it using root access. JoomlaXplorer only works when you have Joomla =(

Sorry for the hassle.

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Mon Jul 23, 2007 4:46 pm
Joomla! Fledgling

Joined: Mon Jul 23, 2007 4:36 pm
Posts: 2
nope I'm lucky - I had to replace my configuration.php & index.php

For all noobs like me - the CHMOD of the configuration.php needs to be set to: 444


Posted: Mon Jul 23, 2007 5:00 pm
Joomla! Intern

Joined: Sun Sep 04, 2005 4:42 am
Posts: 87
Location: San Francisco, CA, USA
I would just make sure you don't have any other files (as mentioned above) lying around. If the infected file is still there you could be in a world of pain. I had this same issue with 3 other components. It sucks, but free software can't be perfect.

Let me know if you need anything.

-Josh

_________________
Until Next Time,

Josh
http://www.gotgtek.net


Posted: Tue Jul 24, 2007 12:10 am
Joomla! Fledgling

Joined: Tue Mar 13, 2007 5:43 am
Posts: 2
Hi all,
I have applied the patch, deleted the two .php files, replaced the configuration.php and index.php and now the site is showing this error.

Warning: require_once(W:/www/louise/includes/version.php) [function.require-once]: failed to open stream: No such file or directory in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71

Fatal error: require_once() [function.require]: Failed opening required 'W:/www/louise/includes/version.php' (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.ouida/tomhay/onelou.com/includes/joomla.php on line 71

I am a bit new to this so any help would be most appreciated.

Tom


Posted: Tue Jul 24, 2007 12:21 am
Joomla! Intern

Joined: Wed May 02, 2007 7:34 am
Posts: 56
i've done everything as explained and still seems the same...


what i've done:

removed all .php files in 'img' directory
removed the two .php files >uploadimg.php & uploadimage.php
installed the patch (overwrote the 4 files in the zip file)
removed old 'index.php' and uploaded a new one from the joomla download


I've done all the above and i still can't access my site, please help me.

