Here is a little story with my host (now my old host).
It seems my site was hacked, and the hacker placed his files deep inside my site folder. The files are from some UK bank, and my host got an email and they immediately suspended my page. The file site contains this:
Quote:
RSA Cyota, an anti-fraud and security company, acting on behalf of Barclays Bank PLC (a leading UK bank) has been made aware that you appear to be providing Internet Services to a fraudulent site, which is part of a “phishing scam”**, and which violates Barclays’ copyright, trade marks and other intellectual property rights.
E-mails have been sent to individuals by a fraudster pretending to be Barclays Bank, requesting them to verify and submit sensitive details related to their Barclays bank accounts.
These files were not mine, so someone uploaded them somehow. I asked my host about this and here is their response.
Reply on the support ticket:
Quote:
Your client is using numerous 777 permissions all over his account. This allows people to upload whatever they want, including phishing scams. I must insist that you change these permissions immediately to stop this from ever happening again. If not, the client risks getting suspended for the same thing again. If there is anything else I can do to help, please let me know.
Then Another:
Quote:
Joomla 1.0.7 does have a security vulnerability in it.
-------------
http://secunia.com/advisories/19105/
-------------
This does allow an attacker to create an arbitrary file in the cache directory. If they create a small shell script to wget the phishing site and write it to a known 777 directory, like images, then they can upload a phishing scam. I would highly recommend you notify your current users to upgrade to prevent the same from happening again.
If you have any more questions on this issue, please feel free to reply to this ticket to open it back up and I will be happy to assist you further.
Last one:
Quote:
The location of the 777 folder is not the issue. Without the security hole in the Joomla script, there would be no need to worry about the 777 permissions in another folder.
The scripts can write to folders outside of their own folder if the permissions allow. They can load a PHP shell, then look for a suitable folder (i.e. 777) and then load the files there. As an attacker, if you know the scripts you are exploiting, you will also know which folders are world-writable by default. So you load a script to load a PHP shell into that dir. Then you either stay in that dir, or move somewhere more 'private' on the server where nobody will notice extra files.
Because these PHP scripts are running as the web user (i.e. 'nobody'), they need to find folders with 777 permissions, as the nobody user does not have his own place to keep files for web execution. Thus, he searches for folders with 777 permissions via PHP shells.
777 is not a security hole in the sense that you should never use it. Sometimes you cannot avoid it, as in the case of Joomla. But it is recommended that you do not use it unless you absolutely need it.
As always, if you ensure your scripts are secure, you remove the risk of being compromised and having these files put on your site, via your site.
Do you have any more questions on this issue?
The site was using Joomla 1.0.7 (until 1.0.8 was released; I immediately updated to 1.0.8).
The first file in this "illegal content" was a file named ziby.php, and its header is:
Quote:
/*
******************************************************************************************************
*
* c99shell.php v.1.0 pre-release build #11
* Freeware license.
* © CCTeaM.
* c99shell - a file manager through a web browser, "tailored" for break-ins.
* You can download the latest version for free from the product's home page:
* http://ccteam.ru/releases/c99shell
* WEB: http://ccteam.ru
* ICQ UIN #: 656555
*
* Features:
The code is not in the Russian language. Then I think this script uploaded the rest of the site, with a folder named barclays, which contains these files:
Quote:
02.03.2006 06:16 4.658 ibank.css
02.03.2006 06:16 138 index.html
02.03.2006 06:16 9.126 LoginMember.html
02.03.2006 06:16 17.038 LoginMembers.php
02.03.2006 06:16 1.212 LoginPasscode.php
I was telling my host the whole way that Joomla couldn't do this, and you see their reply.....
Just to inform you that some hosts don't believe in Joomla CMS (I already changed hosts), because the suspension time was 14h without letting me know WHY the page was suspended..
Thanks
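As an added example (not from the original post and not from the host's support replies), here is a small POSIX shell audit that checks a web root for the two conditions the host describes: directories that are world-writable (777-style), and PHP files sitting inside directories that should only hold static content such as images or cache. The web root path, the list of "static" directory names and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a Joomla-style web root for the conditions the host's
# reply describes. Assumes POSIX sh and find; the web root is given as $1 and
# the static-content directory names (images, cache) are constructed here.

# Print every directory under the given root whose "other" write bit is set
# (mode 777, 707, 757 ...), one per line, sorted. These are the places a
# script running as the web user ('nobody') could drop files into.
list_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Print every *.php file found inside directories whose name matches one of
# the given static-content names (e.g. images, cache). A PHP file in such a
# directory is exactly the kind of drop (ziby.php in the thread) to look for.
list_php_in_static_dirs() {
    root=$1
    shift
    for name in "$@"; do
        find "$root" -path "*/$name/*" -type f -name '*.php' 2>/dev/null
    done | sort -u
}

# Remove the world-write bit from every directory found above, leaving the
# owner and group permissions untouched. This closes the drop location but
# is only a stop-gap: the vulnerable CMS version still needs the upgrade.
remove_world_write() {
    list_world_writable_dirs "$1" | while IFS= read -r d; do
        chmod o-w "$d"
    done
}

# Usage: sh audit_webroot.sh /path/to/webroot
if [ $# -ge 1 ]; then
    echo "World-writable directories:"
    list_world_writable_dirs "$1"
    echo "PHP files in static-content directories:"
    list_php_in_static_dirs "$1" images cache
fi
```

The two listing functions are read-only and safe to run on a live site; run remove_world_write only after confirming that nothing legitimate (such as a CMS cache that genuinely needs web-user writes) depends on those directories, and pair it with disabling PHP execution in upload directories at the web server.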