Admin password reset hack 1.5.14

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
MinistryWebs
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Aug 25, 2009 9:47 pm

Admin password reset hack 1.5.14

Postby MinistryWebs » Wed Aug 26, 2009 2:41 pm

A few days ago one of my sites was hacked. I received a password reset request email and tried to login to my site, but couldn't because the admin password had changed. My index.php page had been replaced with a page saying it had been hacked by someone.

I went to the forums and documentation and was able to reset my password through the database. I changed the name of the admin user and created a stronger password. I also updated the site to 1.5.14 because it was at 1.5.7 and I had read in a post somewhere that this issue had been fixed.

Yesterday, I received an email again and the site had been hacked again. I found a post about someone else that had the same problem.

http://forum.joomla.org/viewtopic.php?f=432&t=419388&hilit=1.5.12+hacked

I followed the suggestion to remove the reset password directory in the com_user folder and that seems to have worked. However, it obviously removes the ability for a user to reset their password.

Is there another fix in place or in the works that will resolve this issue? I have other sites that actually involve user registration, which I will need the password reset component working.

Thanks,

Jonathan Jeter
MinistryWebs

User avatar
SFGolfer
Joomla! Ace
Joomla! Ace
Posts: 1216
Joined: Fri Jul 25, 2008 12:27 am
Location: Bunker or a Hazard
Contact:

Re: Admin password reset hack 1.5.14

Postby SFGolfer » Wed Aug 26, 2009 2:59 pm

The common suggestions are to follow the recommendations in the post you linked to (as well as other posts).

There is also a security checklist: http://docs.joomla.org/Category:Security_Checklist

Another recommendation is to disable the default 'admin' as the Super Administrator. Create a different Super Administrator with a tough username and a very strong password. Be sure there are no other logins that have access to the User Manager. Check your site's FTP access has a strong login as well (or disable it for the time being).

What it boils down to is the security on your side including folders, user database, the database tables, etc.
Even a blind squirrel finds a nut every once in a while.

calenfretts
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Fri Aug 28, 2009 4:33 pm

Re: Admin password reset hack 1.5.14

Postby calenfretts » Wed Oct 07, 2009 4:43 pm

is it possible that this hack is somehow occurring because the hacker is putting both a legitimate admin email as well as their own email into the Forgot your Password box? for example, entering "[email protected],[email protected]"

my workaround for the time being is to append

Code: Select all

. ' AND usertype NOT LIKE \'%Administrator%\'';

to \components\com_user\models\reset.php, ~line 65: $query in function requestReset

this will allow other users to reset their password, but not admins.

I just don't understand because in function confirmReset (same file) it checks that the token is 32 chars, and there's no way to make a SQL injection that small, even with a hash.
Signature Rules: viewtopic.php?f=8&t=65

iamjoomlauser
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Thu Oct 22, 2009 4:30 pm

Re: Admin password reset hack 1.5.14

Postby iamjoomlauser » Thu Oct 22, 2009 4:39 pm

I had exact the same problem with version 14. Aftger that i secured my template but the hacker came back and resetted again my paswrod. Is there a known leak in joomla or one of his extensions ? Which extensions you use ?

nogindrill
Joomla! Intern
Joomla! Intern
Posts: 64
Joined: Sat Nov 24, 2007 8:13 pm

Re: Admin password reset hack 1.5.14

Postby nogindrill » Thu Oct 22, 2009 5:55 pm

I have been having exactly the same problem. They hacked in three times even after going through the security check list as suggested. I just gave up and started all over again with a clean install of everything. My site is small so it was not a lot of work. One thing that I did notice that when I downloaded the Rocket theme template that I was using, the latest version had a fix for a Low impact XSS vulnerability patch which, Wikipedia was describing was happening to me.

Maybe you need to update your template.

Hope that helps

iamjoomlauser
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Thu Oct 22, 2009 4:30 pm

Re: Admin password reset hack 1.5.14

Postby iamjoomlauser » Mon Nov 02, 2009 9:31 pm

it do not know if you all used sermonspeaker. But there was a problem which could cause this problem. They released a patch for it.

nogindrill
Joomla! Intern
Joomla! Intern
Posts: 64
Joined: Sat Nov 24, 2007 8:13 pm

Re: Admin password reset hack 1.5.14

Postby nogindrill » Mon Nov 02, 2009 11:55 pm

iamjoomlauser wrote:it do not know if you all used sermonspeaker. But there was a problem which could cause this problem. They released a patch for it.


I have been using sermon speaker and have since updated it. My site has been up for a week now without any hacking attempts.

Cheers

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Admin password reset hack 1.5.14

Postby PhilD » Tue Nov 03, 2009 1:29 am

Could each of you post the following information?

* install and run the forum post tool; post the results
viewtopic.php?f=428&t=272481
* list your extensions/templates and versions of each
* list your folder/file permissions
* list your browser, it's version
* list your ftp program and version
* Do a full scan of the computer you normally use and report any virus detected by their computer system.

Only by reporting common information can we can track down any common things and see if it is really a Joomla problem or a common extension.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

User avatar
jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: Admin password reset hack 1.5.14

Postby jeffchannell » Tue Nov 03, 2009 3:57 am

This is an SQLi vulnerability, likely in a 3rd party script. Here's how it works: the attacker finds a way to execute arbitrary SQL code, and somehow extracts the email of an admin. Then they reset the password, causing the reset token to be placed in the database and you getting that email. Then they exploit again, only this time they extract the token. Finally, the hacker pops the token into the input and resets your password.

I'll say it again: Joomla shouldn't store the reset hashes in plain text in the database... I posted about this a while back: viewtopic.php?p=1831944 and so far, 0 replies.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Admin password reset hack 1.5.14

Postby fw116 » Tue Nov 03, 2009 2:28 pm

as long as joomla do so, like jeff said, you should ask your hoster if he has installed apache mod_security with a filter, that strikes against such attacks...
like :

Code: Select all

REQUEST_URI|ARGS|XML:/*|!ARGS:/descr/|!ARGS:movie_brief|!ARGS:/text/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:comments|!ARGS:text|!ARGS:/description/|!ARGS:/^sql/|!ARGS:/products_description/|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:sql_query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:/article/ "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|union select.*[a-z0-9].*into.*from)"


or

Code: Select all

REQUEST_URI_RAW|XML:/*|ARGS|!ARGS:/sql/|!ARGS:/text/|!ARGS:/message/|!ARGS:/body/ "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" \
SecRule REQUEST_URI_RAW|XML:/*|ARGS|!ARGS:/sql/| "(?:union select.*php.*(?:system|eval\(|shell_exec|exec).*into)" \ SecRu_rules.conf:
SecRule REQUEST_URI_RAW|XML:/*|ARGS|!ARGS:/sql/| "(?:union select.*php.*(?:system|eval\(|shell_exec|exec).*into)" \         
SecRule REQUEST_URI_RAW|XML:/*|ARGS|!ARGS:/sql/| "(?:union select.*php.*(?:system|eval\(|shell_exec|exec).*into)" \


and there is much more to do then only those 2 generic example filters !

osexcel
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Postby osexcel » Thu Dec 03, 2009 4:10 pm

Guys,

We modified the Joomla codes and make a patch to help you all, please see it the following. We contribute it to all J!1.5 users.

[MOD EDIT]
Exploit instructions removed.
[/MOD EDIT]

Hope this helps all Joomla admins.

Helix
Open Source Excellence

osexcel
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Postby osexcel » Thu Dec 03, 2009 5:07 pm

Guys, also let you know that J1.5.15 does not deal with this matter, therefore upgrading from J1.5.14 to J1.5.15 does not help.

Helix
Open Source Excellence

darinh
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Tue Jun 30, 2009 10:25 pm

Re: Admin password reset hack 1.5.14

Postby darinh » Thu Dec 03, 2009 6:09 pm

I found one issue with the patch and installation procedure. The Intellispire Software Installer uses the same component name "com_updater" so when trying to install the patch downloaded the following error is produced.
* Component Install: Another Component is already using diirectory: "..../components/com_updater"

Any suggestions on a work-a-round for this conflict, other than removing the Intellispire Software?

osexcel
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Postby osexcel » Thu Dec 03, 2009 7:50 pm

Hmm... interesting.. then I think we should change the name to com_oseupdater in the stable final version then. Sorry about the inconvenience.

Helix

darinh
Joomla! Apprentice
Joomla! Apprentice
Posts: 22
Joined: Tue Jun 30, 2009 10:25 pm

Re: Admin password reset hack 1.5.14

Postby darinh » Thu Dec 03, 2009 7:53 pm

if the name change could be done that would be great, it would help those of us that use the Intellspire software for software installation and updates.

Thanks.

osexcel
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Postby osexcel » Thu Dec 03, 2009 9:39 pm

osexcel wrote:Guys,

We modified the Joomla codes and make a patch to help you all, please see it the following. We contribute it to all J!1.5 users.

[MOD EDIT]
Exploit instructions removed.
[/MOD EDIT]

Hope this helps all Joomla admins.

Helix
Open Source Excellence


Exploit instructions ??? Kidding?? We provide this patch to help Joomla users but this has marked as exploit instructions?? We are working on PHP security software, and we just want to help others, and this has been removed?? Shall we NOT share the codes??

Anyway, to those who wants to patch this security hole, please google "Open Source Excellence" and submit a request in the forum. We will NOT provide any links here any more.

Open Source Excellence

User avatar
jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: Admin password reset hack 1.5.14

Postby jeffchannell » Thu Dec 03, 2009 9:45 pm

Overzealous mod? Your software did something bad (not saying it did - I didn't test it)? Aliens?

Mods? :pop
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Admin password reset hack 1.5.14

Postby PhilD » Thu Dec 03, 2009 10:07 pm

I pick Aliens for 3
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

osexcel
Joomla! Apprentice
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Postby osexcel » Thu Dec 03, 2009 10:12 pm

Overzealous mod? possibly. Do not want to be negative on this, just want others know here:

One of the Joomla users who had the same scenario asked us about this issue today (as we do security software for PHP system), we then investigated this issue, and find that the hackers might go for some steps (NOT BEING DISCLOSED HERE for security reasons) to hack the admin account. We therefore find the method to restrict this behavior by modifying one Joomla file. Then share it with all OSE users + Joomla users here. Never thought that this would be tagged as Exploit instructions (honestly, moderators, please test the patch first before you moderate the post).

Anyway, as we said, for those who would need help with this, please google us and we will tell you where to download the patch.

Also, we will not replying any post here. For those who would like to know more about the patch, please go to our forum.

Open Source Excellence

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13820
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Admin password reset hack 1.5.14

Postby mandville » Thu Dec 03, 2009 11:40 pm

it could be that the post was being validated or checked or whatever before being spread around as a total fix as some people are advertising it.

As it also altered the core/code files then a beginner may have really messed up their site. A simple issue as the name being the same as many extensions may have caused it to be pulled.
At least you were left with the main contents of the post.
The mods were being cautious for the sake of the community, possibly over cautious, but the only way to find out is to contact the mods team who dealt with your post and see. Perhaps consider posting the file to the JED for validation and doing it that way?

If you feel so strongly about the way it was dealt with, then contacting the mods team is the only real way to go about it.

Its also unusal that there is not mods edit tag on the post, possibly went the same way as the avatar gallery did yesterday...weird

(get your silverfoil/alien protector hats here!!!)
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13820
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Admin password reset hack 1.5.14

Postby mandville » Fri Dec 04, 2009 11:05 am

re reading the original post, i think a slightly curious comment was
There is a security risk issue in the Joomla Password Reset System, please read the following:

if this was true then we would see a lot more sites being hacked. if you find a joomla core vulnerability or exploit, it should be reported to the Joomla Security Strike Team at http://developer.joomla.org/security.html
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

User avatar
ooffick
Joomla! Master
Joomla! Master
Posts: 11075
Joined: Thu Jul 17, 2008 3:10 pm
Location: Ireland
Contact:

Re: Admin password reset hack 1.5.14

Postby ooffick » Fri Dec 04, 2009 1:55 pm

Mod Note: The post was edited by the Joomla Security Strike Team.
Olaf Offick - Global Moderator
http://learnskills.org

DavidBoggitt
Joomla! Guru
Joomla! Guru
Posts: 714
Joined: Wed Jan 09, 2008 9:16 pm
Contact:

Re: Admin password reset hack 1.5.14

Postby DavidBoggitt » Sun Dec 06, 2009 8:42 am

I've now patched my live sites with Helix's patch (after testing on local dev first, of course). Everything seems fine but I'm now a bit worried about upgrading.

Will this patch get over-written when 1.5.16 is released, or might 1.5.16 contain the 'same' patch if the vulnerability is found to be correct by the JSST, or...?

Thanks,

Dave.
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13820
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Admin password reset hack 1.5.14

Postby mandville » Sun Dec 06, 2009 12:53 pm

Yes, if you make a change to a core code file, and then upgrade and that core file is replaced.
but not if osexcel wishes to put it in as a bug and enter it in the bug tracker , or the JSST see it as needed and make the change in the core code,
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

User avatar
alexwalker
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 152
Joined: Thu Sep 15, 2005 3:54 pm
Location: Lancaster, UK (near the Lake District)
Contact:

Re: Admin password reset hack 1.5.14

Postby alexwalker » Wed Dec 09, 2009 6:32 pm

One of my sites was attacked today, an email was submitted stating a request has been made to reset your ****** account password. To reset your password, you will need to submit this token in order to verify that the request was legitimate.
I clicked on the link and as soon as I did that the attcahed page was rendered:

Thankfully I had a backup of the site and could restore quickly.

Problem Description:
Site asked for admin password reset via legitiate email.



Diagnostic Information
Joomla! Version: Joomla! 1.5.14 Stable [ Wojmamni Ama Naiki ] 30-July-2009 23:00 GMT
configuration.php: Writable (Mode: 644 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18-164.6.1.el5PAE ( i686) | Web Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 ( http://www.heyshamssp.org.uk ) | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.85-community ( Localhost via UNIX socket )
Last edited by ooffick on Wed Dec 09, 2009 6:52 pm, edited 1 time in total.
Reason: Mod Note: Removed Hacker Names.
Alex Walker
"to assume is to make an ass of u and me"

User avatar
ooffick
Joomla! Master
Joomla! Master
Posts: 11075
Joined: Thu Jul 17, 2008 3:10 pm
Location: Ireland
Contact:

Re: Admin password reset hack 1.5.14

Postby ooffick » Wed Dec 09, 2009 6:53 pm

Hi, to learn how to reset the password, have a look here:
http://docs.joomla.org/How_you_reset_an ... assword%3F
http://docs.joomla.org/How_do_you_recov ... assword%3F

Please note that you might need to delete additional files which are inserted by the hacker, like webshells.

Please also note that your own computer might have been infected by a virus:
viewtopic.php?f=432&t=411735

You might want to consider to use an SFTP or SSH connection to your server (instead of an normal FTP connection)

Please change all your passwords as well.

Moreover, please read this List as well:
http://docs.joomla.org/Category:Security_Checklist

Olaf
Olaf Offick - Global Moderator
http://learnskills.org

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Admin password reset hack 1.5.14

Postby PhilD » Wed Dec 09, 2009 6:55 pm

Never EVER, EVER, click on a link like that when you did not specifically request your password to be reset! This goes for any site not just Joomla!

You now need to change all your ftp, mysql database, c-panel, Joomla administrator passwords, inspect for any newly created Joomla user(s) and delete any that may have been made and inspect you Joomla install (and site as a whole) for anything unusual. It might be best to just do a Restore of Joomla from a backup made before you clicked the link and change all your passwords like mentioned above.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

DavidBoggitt
Joomla! Guru
Joomla! Guru
Posts: 714
Joined: Wed Jan 09, 2008 9:16 pm
Contact:

Re: Admin password reset hack 1.5.14

Postby DavidBoggitt » Wed Dec 09, 2009 7:31 pm

Do we have any news as to whether this has been submitted as a bug to the JSST and if so, has it been confirmed?

Thanks again,

Dave.
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13820
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Admin password reset hack 1.5.14

Postby mandville » Wed Dec 09, 2009 8:00 pm

The JSST deal with security issues and not with bugs.
Bugs are dealt with by the bugsquad at http://developer.joomla.org/bug-squad-blog.html

eddit to add ...
or here
viewforum.php?f=199
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

DavidBoggitt
Joomla! Guru
Joomla! Guru
Posts: 714
Joined: Wed Jan 09, 2008 9:16 pm
Contact:

Re: Admin password reset hack 1.5.14

Postby DavidBoggitt » Thu Dec 10, 2009 6:16 pm

Not wanting to sound rude, but wasn't that rather unnecessarily pedantic?

Besides, surely a bug could result in a security issue? Anyway, do you know whether this apparent security issue been reported to the JSST please?

Dave.
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.


Return to “Security in Joomla! 1.5”

Who is online

Users browsing this forum: No registered users and 4 guests