The Joomla! Forum ™

PostPosted: Wed Aug 26, 2009 2:41 pm
Joomla! Fledgling

Joined: Tue Aug 25, 2009 9:47 pm
Posts: 2
A few days ago one of my sites was hacked. I received a password reset request email and tried to login to my site, but couldn't because the admin password had changed. My index.php page had been replaced with a page saying it had been hacked by someone.

I went to the forums and documentation and was able to reset my password through the database. I changed the name of the admin user and created a stronger password. I also updated the site to 1.5.14 because it was at 1.5.7 and I had read in a post somewhere that this issue had been fixed.

Yesterday, I received an email again and the site had been hacked again. I found a post about someone else that had the same problem.

http://forum.joomla.org/viewtopic.php?f=432&t=419388&hilit=1.5.12+hacked

I followed the suggestion to remove the reset password directory in the com_user folder and that seems to have worked. However, it obviously removes the ability for a user to reset their password.

Is there another fix in place or in the works that will resolve this issue? I have other sites that actually involve user registration, for which I will need the password reset component working.

Thanks,

Jonathan Jeter
MinistryWebs


PostPosted: Wed Aug 26, 2009 2:59 pm
Joomla! Ace

Joined: Fri Jul 25, 2008 12:27 am
Posts: 1216
Location: Bunker or a Hazard
The common suggestions are to follow the recommendations in the post you linked to (as well as other posts).

There is also a security checklist: http://docs.joomla.org/Category:Security_Checklist

Another recommendation is to disable the default 'admin' as the Super Administrator. Create a different Super Administrator with a tough username and a very strong password. Be sure there are no other logins that have access to the User Manager. Check your site's FTP access has a strong login as well (or disable it for the time being).

What it boils down to is the security on your side including folders, user database, the database tables, etc.

_________________
Even a blind squirrel finds a nut every once in a while.


PostPosted: Wed Oct 07, 2009 4:43 pm
Joomla! Fledgling

Joined: Fri Aug 28, 2009 4:33 pm
Posts: 3
Is it possible that this hack is somehow occurring because the hacker is putting both a legitimate admin email as well as their own email into the Forgot your Password box? For example, entering "admin@mysite.com,hacker@hackersite.com"

My workaround for the time being is to append
Code:
. ' AND usertype NOT LIKE \'%Administrator%\'';

to \components\com_user\models\reset.php, ~line 65: $query in function requestReset

This will allow other users to reset their password, but not admins.

I just don't understand because in function confirmReset (same file) it checks that the token is 32 chars, and there's no way to make a SQL injection that small, even with a hash.

_________________
Signature Rules: viewtopic.php?f=8&t=65


PostPosted: Thu Oct 22, 2009 4:39 pm
Joomla! Fledgling

Joined: Thu Oct 22, 2009 4:30 pm
Posts: 2
I had exactly the same problem with version 14. After that I secured my template, but the hacker came back and reset my password again. Is there a known leak in Joomla or one of its extensions? Which extensions do you use?


PostPosted: Thu Oct 22, 2009 5:55 pm
Joomla! Intern

Joined: Sat Nov 24, 2007 8:13 pm
Posts: 64
I have been having exactly the same problem. They hacked in three times even after going through the security checklist as suggested. I just gave up and started all over again with a clean install of everything. My site is small, so it was not a lot of work. One thing that I did notice is that when I downloaded the RocketTheme template I was using, the latest version had a fix for a low-impact XSS vulnerability which, according to Wikipedia, was what was happening to me.

Maybe you need to update your template.

Hope that helps


PostPosted: Mon Nov 02, 2009 9:31 pm
Joomla! Fledgling

Joined: Thu Oct 22, 2009 4:30 pm
Posts: 2
I do not know if you all used sermonspeaker, but there was a problem which could cause this issue. They released a patch for it.


PostPosted: Mon Nov 02, 2009 11:55 pm
Joomla! Intern

Joined: Sat Nov 24, 2007 8:13 pm
Posts: 64
iamjoomlauser wrote:
I do not know if you all used sermonspeaker, but there was a problem which could cause this issue. They released a patch for it.


I have been using sermon speaker and have since updated it. My site has been up for a week now without any hacking attempts.

Cheers


PostPosted: Tue Nov 03, 2009 1:29 am
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
Could each of you post the following information?

* install and run the forum post tool; post the results
viewtopic.php?f=428&t=272481
* list your extensions/templates and versions of each
* list your folder/file permissions
* list your browser and its version
* list your FTP program and version
* do a full scan of the computer you normally use and report any virus it detects

Only by reporting common information can we track down any common things and see if it is really a Joomla problem or a common extension.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Tue Nov 03, 2009 3:57 am
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1964
Location: WV
This is an SQLi vulnerability, likely in a 3rd party script. Here's how it works: the attacker finds a way to execute arbitrary SQL code, and somehow extracts the email of an admin. Then they reset the password, causing the reset token to be placed in the database and you getting that email. Then they exploit again, only this time they extract the token. Finally, the hacker pops the token into the input and resets your password.

I'll say it again: Joomla shouldn't store the reset hashes in plain text in the database... I posted about this a while back: viewtopic.php?p=1831944 and so far, 0 replies.

_________________
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
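The token-hashing fix Jeff describes, together with the admin-exclusion workaround posted earlier in the thread, as an added example that is not Joomla's code and not the patch discussed here: the reset token goes out in clear text once, only its SHA-256 is written to the database, the lookup runs through a prepared statement, and the token expires and is consumed on first use. The table layout, the 15-minute lifetime, the sample accounts and the function names are assumptions made for this example; it needs PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not Joomla's own code: a password-reset flow that stores only a
// hash of the reset token, so a read of the users table (for instance through
// SQL injection, as described in the thread) does not yield a usable token.
// Standalone PHP 7+ script on an in-memory SQLite database; the table layout,
// the lifetime and the sample accounts are constructed for this example.
declare(strict_types=1);

const TOKEN_LIFETIME = 900; // seconds a reset token stays valid (assumed policy)

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT UNIQUE, usertype TEXT,
        password TEXT, activation TEXT, activation_expires INTEGER)');
    $ins = $pdo->prepare('INSERT INTO users (email, usertype, password) VALUES (?, ?, ?)');
    // constructed sample accounts
    $ins->execute(['editor@example.org', 'Editor', password_hash('editor-pass', PASSWORD_DEFAULT)]);
    $ins->execute(['admin@example.org', 'Super Administrator', password_hash('admin-pass', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Step 1: the user submits an e-mail address. Returns the clear-text token that
// would be e-mailed, or null. Only the SHA-256 of the token reaches the database.
function requestReset(PDO $pdo, string $email, bool $allowAdmins = false): ?string
{
    $stmt = $pdo->prepare('SELECT id, usertype FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null; // unknown address; the caller should answer identically either way
    }
    // Same effect as the "usertype NOT LIKE '%Administrator%'" workaround posted
    // earlier in the thread, decided in code instead of by appending to the SQL string.
    if (!$allowAdmins && stripos($user['usertype'], 'Administrator') !== false) {
        return null;
    }
    $token = bin2hex(random_bytes(16)); // 32 hex characters, the token length the thread mentions
    $upd = $pdo->prepare('UPDATE users SET activation = ?, activation_expires = ? WHERE id = ?');
    $upd->execute([hash('sha256', $token), time() + TOKEN_LIFETIME, $user['id']]);
    return $token;
}

// Step 2: the user returns with the token from the e-mail. The submitted value is
// hashed and looked up; someone holding only the stored hash cannot pass this step,
// because hashing the hash again yields a different value.
function confirmReset(PDO $pdo, string $token, string $newPassword): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false; // length/charset check, as in the thread
    }
    $stmt = $pdo->prepare('SELECT id FROM users WHERE activation = ? AND activation_expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false; // no match, or the token has expired
    }
    // Consume the token so it can be used only once.
    $upd = $pdo->prepare('UPDATE users SET password = ?, activation = NULL, activation_expires = NULL WHERE id = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $id]);
    return true;
}

// What a direct database read would reveal for an account: the hash, not the token.
function storedActivation(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT activation FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $value = $stmt->fetchColumn();
    return ($value === false || $value === null) ? null : (string) $value;
}

$pdo = setupDb();

$token  = requestReset($pdo, 'editor@example.org') ?? '';
$leaked = storedActivation($pdo, 'editor@example.org') ?? '';
echo "token sent by e-mail : $token\n";
echo "value stored in DB   : $leaked\n";

// The stored value must not work as a token.
echo 'reset with stored DB value: ' . (confirmReset($pdo, $leaked, 'x') ? 'accepted' : 'rejected') . "\n";
// The e-mailed token works exactly once.
echo 'reset with real token     : ' . (confirmReset($pdo, $token, 'new-pass') ? 'accepted' : 'rejected') . "\n";
echo 'reuse of the same token   : ' . (confirmReset($pdo, $token, 'again') ? 'accepted' : 'rejected') . "\n";
// Super Administrators get no reset token unless explicitly allowed.
echo 'reset request for admin   : ' . (requestReset($pdo, 'admin@example.org') === null ? 'refused' : 'issued') . "\n";
```

Run it with `php reset-example.php`. The design point is the one Jeff makes: because the table only ever holds a hash, the value that a database read could expose is rejected by confirmReset, the genuine token is accepted once and then cleared, and an admin account never gets a token issued at all unless the caller opts in.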


PostPosted: Tue Nov 03, 2009 2:28 pm
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
As long as Joomla does so, like Jeff said, you should ask your hoster whether they have installed Apache mod_security with a filter that blocks such attacks...
like:
Code:
# no action list was given in the original post, so SecDefaultAction applies
SecRule REQUEST_URI|ARGS|XML:/*|!ARGS:/descr/|!ARGS:movie_brief|!ARGS:/text/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:comments|!ARGS:text|!ARGS:/description/|!ARGS:/^sql/|!ARGS:/products_description/|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:sql_query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:/article/ "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|union select.*[a-z0-9].*into.*from)"


or

Code:
# two separate rules; no action list was given in the original post, so SecDefaultAction applies
SecRule REQUEST_URI_RAW|XML:/*|ARGS|!ARGS:/sql/|!ARGS:/text/|!ARGS:/message/|!ARGS:/body/ "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)"
SecRule REQUEST_URI_RAW|XML:/*|ARGS|!ARGS:/sql/ "(?:union select.*php.*(?:system|eval\(|shell_exec|exec).*into)"


and there is much more to do than only those 2 generic example filters!

_________________
http://www.schrammen.net


PostPosted: Thu Dec 03, 2009 4:10 pm
Joomla! Apprentice

Joined: Wed Jul 22, 2009 7:51 am
Posts: 24
Guys,

We modified the Joomla code and made a patch to help you all; please see the following. We contribute it to all J!1.5 users.

[MOD EDIT]
Exploit instructions removed.
[/MOD EDIT]

Hope this helps all Joomla admins.

Helix
Open Source Excellence


PostPosted: Thu Dec 03, 2009 5:07 pm
Joomla! Apprentice

Joined: Wed Jul 22, 2009 7:51 am
Posts: 24
Guys, also letting you know that J1.5.15 does not deal with this matter; therefore upgrading from J1.5.14 to J1.5.15 does not help.

Helix
Open Source Excellence


PostPosted: Thu Dec 03, 2009 6:09 pm
Joomla! Apprentice

Joined: Tue Jun 30, 2009 10:25 pm
Posts: 22
I found one issue with the patch and installation procedure. The Intellispire Software Installer uses the same component name "com_updater", so when trying to install the downloaded patch the following error is produced:
* Component Install: Another Component is already using diirectory: "..../components/com_updater"

Any suggestions on a workaround for this conflict, other than removing the Intellispire software?


PostPosted: Thu Dec 03, 2009 7:50 pm
Joomla! Apprentice

Joined: Wed Jul 22, 2009 7:51 am
Posts: 24
Hmm... interesting.. then I think we should change the name to com_oseupdater in the stable final version then. Sorry about the inconvenience.

Helix


PostPosted: Thu Dec 03, 2009 7:53 pm
Joomla! Apprentice

Joined: Tue Jun 30, 2009 10:25 pm
Posts: 22
If the name change could be done that would be great; it would help those of us that use the Intellispire software for software installation and updates.

Thanks.


PostPosted: Thu Dec 03, 2009 9:39 pm
Joomla! Apprentice

Joined: Wed Jul 22, 2009 7:51 am
Posts: 24
osexcel wrote:
Guys,

We modified the Joomla code and made a patch to help you all; please see the following. We contribute it to all J!1.5 users.

[MOD EDIT]
Exploit instructions removed.
[/MOD EDIT]

Hope this helps all Joomla admins.

Helix
Open Source Excellence


Exploit instructions??? Kidding?? We provide this patch to help Joomla users, but this has been marked as exploit instructions?? We are working on PHP security software and we just want to help others, and this has been removed?? Shall we NOT share the code??

Anyway, to those who want to patch this security hole, please google "Open Source Excellence" and submit a request in the forum. We will NOT provide any links here any more.

Open Source Excellence


PostPosted: Thu Dec 03, 2009 9:45 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1964
Location: WV
Overzealous mod? Your software did something bad (not saying it did - I didn't test it)? Aliens?

Mods? :pop

_________________
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι


PostPosted: Thu Dec 03, 2009 10:07 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
I pick Aliens for 3

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Thu Dec 03, 2009 10:12 pm
Joomla! Apprentice

Joined: Wed Jul 22, 2009 7:51 am
Posts: 24
Overzealous mod? Possibly. I do not want to be negative on this, just want others here to know:

One of the Joomla users who had the same scenario asked us about this issue today (as we do security software for PHP systems). We then investigated this issue and found that the hackers might go through some steps (NOT BEING DISCLOSED HERE for security reasons) to hack the admin account. We therefore found a method to restrict this behavior by modifying one Joomla file, then shared it with all OSE users and the Joomla users here. We never thought that this would be tagged as exploit instructions (honestly, moderators, please test the patch first before you moderate the post).

Anyway, as we said, for those who would need help with this, please google us and we will tell you where to download the patch.

Also, we will not be replying to any post here. For those who would like to know more about the patch, please go to our forum.

Open Source Excellence


PostPosted: Thu Dec 03, 2009 11:40 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12513
Location: The Girly Side of Joomla in Sussex
It could be that the post was being validated or checked or whatever before being spread around as a total fix, as some people are advertising it.

As it also altered the core code files, a beginner may have really messed up their site. A simple issue such as the name being the same as many extensions' may have caused it to be pulled.
At least you were left with the main contents of the post.
The mods were being cautious for the sake of the community, possibly over-cautious, but the only way to find out is to contact the mods team who dealt with your post and see. Perhaps consider posting the file to the JED for validation and doing it that way?

If you feel so strongly about the way it was dealt with, then contacting the mods team is the only real way to go about it.

It's also unusual that there is no mod edit tag on the post; possibly it went the same way as the avatar gallery did yesterday... weird

(get your silverfoil/alien protector hats here!!!)

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri Dec 04, 2009 11:05 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12513
Location: The Girly Side of Joomla in Sussex
Re-reading the original post, I think a slightly curious comment was
Quote:
There is a security risk issue in the Joomla Password Reset System, please read the following:

If this were true then we would see a lot more sites being hacked. If you find a Joomla core vulnerability or exploit, it should be reported to the Joomla Security Strike Team at http://developer.joomla.org/security.html

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Fri Dec 04, 2009 1:55 pm
Joomla! Master

Joined: Thu Jul 17, 2008 3:10 pm
Posts: 10948
Location: Ireland
Mod Note: The post was edited by the Joomla Security Strike Team.

_________________
Olaf Offick - Global Moderator
http://learnskills.org


PostPosted: Sun Dec 06, 2009 8:42 am
Joomla! Guru

Joined: Wed Jan 09, 2008 9:16 pm
Posts: 631
I've now patched my live sites with Helix's patch (after testing on local dev first, of course). Everything seems fine but I'm now a bit worried about upgrading.

Will this patch get over-written when 1.5.16 is released, or might 1.5.16 contain the 'same' patch if the vulnerability is found to be correct by the JSST, or...?

Thanks,

Dave.

_________________
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.


PostPosted: Sun Dec 06, 2009 12:53 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12513
Location: The Girly Side of Joomla in Sussex
Yes, if you make a change to a core code file and then upgrade, that core file is replaced.
But not if osexcel wishes to file it as a bug and enter it in the bug tracker, or the JSST see it as needed and make the change in the core code.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed Dec 09, 2009 6:32 pm
Joomla! Enthusiast

Joined: Thu Sep 15, 2005 3:54 pm
Posts: 147
Location: Lancaster, UK (near the Lake District)
One of my sites was attacked today. An email was submitted stating that a request has been made to reset your ****** account password. To reset your password, you will need to submit this token in order to verify that the request was legitimate.
I clicked on the link and as soon as I did that the attached page was rendered:

Thankfully I had a backup of the site and could restore quickly.

Problem Description:
Site asked for admin password reset via legitimate email.



Diagnostic Information
Joomla! Version: Joomla! 1.5.14 Stable [ Wojmamni Ama Naiki ] 30-July-2009 23:00 GMT
configuration.php: Writable (Mode: 644 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18-164.6.1.el5PAE ( i686) | Web Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 ( http://www.heyshamssp.org.uk ) | PHP Version: 5.2.9
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.85-community ( Localhost via UNIX socket )

_________________
Alex Walker
"to assume is to make an ass of u and me"


Last edited by ooffick on Wed Dec 09, 2009 6:52 pm, edited 1 time in total.
Mod Note: Removed Hacker Names.


PostPosted: Wed Dec 09, 2009 6:53 pm
Joomla! Master

Joined: Thu Jul 17, 2008 3:10 pm
Posts: 10948
Location: Ireland
Hi, to learn how to reset the password, have a look here:
http://docs.joomla.org/How_you_reset_an ... assword%3F
http://docs.joomla.org/How_do_you_recov ... assword%3F

Please note that you might need to delete additional files which are inserted by the hacker, like webshells.

Please also note that your own computer might have been infected by a virus:
viewtopic.php?f=432&t=411735

You might want to consider using an SFTP or SSH connection to your server (instead of a normal FTP connection).

Please change all your passwords as well.

Moreover, please read this List as well:
http://docs.joomla.org/Category:Security_Checklist

Olaf

_________________
Olaf Offick - Global Moderator
http://learnskills.org


PostPosted: Wed Dec 09, 2009 6:55 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
Never EVER, EVER, click on a link like that when you did not specifically request your password to be reset! This goes for any site not just Joomla!

You now need to change all your FTP, MySQL database, cPanel and Joomla administrator passwords, inspect for any newly created Joomla user(s) and delete any that may have been made, and inspect your Joomla install (and site as a whole) for anything unusual. It might be best to just do a restore of Joomla from a backup made before you clicked the link and change all your passwords as mentioned above.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Wed Dec 09, 2009 7:31 pm
Joomla! Guru

Joined: Wed Jan 09, 2008 9:16 pm
Posts: 631
Do we have any news as to whether this has been submitted as a bug to the JSST and if so, has it been confirmed?

Thanks again,

Dave.

_________________
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.


PostPosted: Wed Dec 09, 2009 8:00 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12513
Location: The Girly Side of Joomla in Sussex
The JSST deal with security issues and not with bugs.
Bugs are dealt with by the bugsquad at http://developer.joomla.org/bug-squad-blog.html

edit to add ...
or here
viewforum.php?f=199

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Thu Dec 10, 2009 6:16 pm
Joomla! Guru

Joined: Wed Jan 09, 2008 9:16 pm
Posts: 631
Not wanting to sound rude, but wasn't that rather unnecessarily pedantic?

Besides, surely a bug could result in a security issue? Anyway, do you know whether this apparent security issue has been reported to the JSST, please?

Dave.

_________________
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.

