The Joomla! Forum ™

Two of my Joomla 1.0.13 sites have been hacked this week.  One exhibited "Not Found" for frontpage files, the other ended up with ringtone junk and nasty references to porn.

I've sent details to the security folks for this site, and I've read through two days of posts looking for background and "the way ahead".

Here's my info: Joomla! Version: Joomla! 1.0.13 Stable [ Sunglow ]
PHP Version: 5.2.4
MySQL client version: 4.1.22
Apache/2.2.6 (Unix)
Shared server
Raw logs (now enabled)
Plug-ins:
ANJEL (Not published yet)
JEvents
phpShop (Not published yet)
Verse of the Day
CoolHits Counter
JoomlaFCK

This hack spews forth .htaccess files in virtually every unlocked directory and sub, and those files call up a numbered php file - similar to what was posted in the threads below.  IMHO, it's all too similar to these posts:

http://forum.joomla.org/index.php/topic,11244.0.html

http://forum.joomla.org/index.php/topic ... #msg194500

In trying to remove them from the websites, I quickly noticed that - even though the cPanel indicated I had successfullly deleted the two files (.htaccess and its associated, numbered php), upon returning to any directory or sub - there they were, back again!

It's my own fault, I had left some permissions on 777, and I thereby opened the door to this headache.

Now I've downloaded a backup of one site's root directory, unzipped it, and have removed the offending files (using Windwoes Explorer to search and doublesearch the public_htiml directories and subs.  The offending files were dated 5 Jan. 2008.

Soon I'll wipe that affected site, zip the now cleaned files, upload that to the root, and unzip..., whilst praying and hoping for the best.

My latest sites are in Joomla 1.5; so far so good with them.

Let's be careful out there!

_________________
Onward and upward!

You will also need to check for ;

CRONTAB (cron) jobs that maybe re-creating these exploit (not hack!) files everytime you delete them, look for hidden directories (starting with a " . " dot) where the files can be recreatecd from and then delete all the files, or rebuild from a "known good" backup, ensure you do not have 777 permissions set on directories.

In this case, Joomla! was not actually exploited, but your 777 directories were.

_________________
Joomla! on the fabulous Sunshine Coast...
http://www.networksmarts.com.au/

sorry, in addition to all that,

Please review the following FAQ's ASAP, you will find a wealth of information related to your issues.

  Security & Performance FAQ

It is not recommended to leave your sites publicly available and exploited, as it will only serve to promote the offenders ego and kudos and potentially expose the rest of the server to attack.

The above mentioned FAQ will provide with more than enough information to assist you in further securing your sites.

Particular entries of note and to pay attention to, are;

  Joomla! Administrator's Security Checklist

  Help! My site's been compromised. Now what?

  Vulnerable Extension List

  Joomla! Tools Suite
  How can I check my Joomla! installation's overall security and health?

  What does Joomla! have to do with file permissions?

_________________
Joomla! on the fabulous Sunshine Coast...
http://www.networksmarts.com.au/

Thanks, Russ.  "I sit corrected", this was an exploit of sites, not a "hack" of Joomla.  Do you want to change the Subject accordingly?

That's a good guide - all the relevant links for folks iin my shoes.

In a sense, we continue to "do it" to ourselves; but I'm learning! 

_________________
Onward and upward!

In general, but there are eceptions to these rules, the safest permission Modes are;

    Directories : 755
    Files          : 644

But with some server configurations, this will mean that you will now be unable to upload media/files/images etc.

_________________
Joomla! on the fabulous Sunshine Coast...
http://www.networksmarts.com.au/

Hi Sorry if I'm teaching my granny to suck eggs here, but Ive had many sites hacked into over the past few weeks, about 12 to be exact and in the end found it was the hosting companies fault as the hacker hid a file that recreated files every time i deleted them in from tmp folder.

This is what i do now to check any sites.

Recreate the best you can on a test site the site you have, install the same components and modules, and then using dream weaver use synchronize looking for "Get new from server", it will list all files on the server that you don't have on your test site. Go through them, of course there may be a lot especially images in virtuemart or galleries, but i found most of the time the little Bas**rds hide the files in there, as you get bored of checking through all the files, but its well worth it.

You will more than likely find a simple file manager script or directory, they even named one of the directories on mine com_uk and added it to
public_html/components/com_uk
Clever sod!!

Then if you have shell access through PuTTY, run these 2 lines of code exactly as i type them from the public_html folder, so you only edit the Joomla files not the public_html folder itself

Command to change the permissions for all directories to 755

----
Command to change the permissions for all files to 644



That will change every single file and folder in your site to the correct permissions, you now need to change back the few you need to keep so Joomla will work. Well it will still work, you just wont be able to add images, components, modules etc. But at least you know you haven't missed any files, and it may be a good idea to leave it all locked up for a while, whilst you sort out the problems.

I produced this flash video this morning whilst waiting for a load of files to download of how to do that exact process.
http://www.joomlamagazine.com/tutorials ... sions.html
it shows you how to do it, very simple, it takes only a few seconds per site to secure up.

Hope this helps a little
regards
Ian

_________________
http://www.JoomlaSiteMonitor.com
Joomla Security and backup suite.
http://www.NewWorldDesigns.co.uk
Design - CMS - Ecommerce – SEO