The Joomla! Forum ™



Post new topic Reply to topic  [ 14 posts ] 
PostPosted: Thu Mar 30, 2006 3:55 am 
Joomla! Intern

Joined: Tue Nov 22, 2005 6:35 am
Posts: 77
Location: Victoria - Canada
I was browsing my Joomlaboard db tables via PhpMyAdmin and made an alarming discovery.

What I have discovered, today, after dropping JoomlaBoard, the database tables, data, everything - and reinstalling everything fresh...

That within 3 hours I have confirmed that script kiddies/hackers are writing URLs directly to the JoomlaBoard forum, completely circumventing all the JoomlaBoard security features.

They are writing referer URLS to Joomlaboard in such a way that they are flagged as unposted but are still visible by search engines and bots.

I am going to let this 'situation' develop in my database for a couple of days to gather more data -
I would urge all Joomlaboard users to look at their db's with PhpMyAdmin very carefully.

Colin Newell -

_________________
Editor-Creator http://www.coffeecrew.com | dxer.ca | BobHarris.Com


PostPosted: Thu Mar 30, 2006 6:27 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 15413
Location: **Translation Matters**
I sent a mail to Jan de Graaf.
Thank you.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 1.7/2.5: http://help.joomla.org/files/EN-GB_mult ... torial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group


PostPosted: Thu Mar 30, 2006 6:55 am 
Joomla! Explorer

Joined: Thu Sep 01, 2005 11:19 pm
Posts: 273
Location: Minneapolis, USA
colin99 wrote:
I am going to let this 'situation' develop in my database for a couple of days to gather more data -
I would urge all Joomlaboard users to look at their db's with PhpMyAdmin very carefully.


Have any useful SQL queries for us to run against our databases?

_________________
Developer, bsq_sitestats module.
www.bs-squared.com


PostPosted: Thu Mar 30, 2006 4:57 pm 
Joomla! Intern

Joined: Tue Nov 22, 2005 6:35 am
Posts: 77
Location: Victoria - Canada
I am just switching over from Webalizer on my site to raw-logs so I can see the URLs they are pumping in.

Last night after installing the freshest copy of JoomlaBoard and locking everything down
I managed to stem the flow of "ads" into the database.

If you simply restrict the forums to registered guests, it does not stop the influx.
If you switch on review posts AND moderate, the hole seems to close up.

More from me later after I pick through my db dump.

Colin

_________________
Editor-Creator http://www.coffeecrew.com | dxer.ca | BobHarris.Com


PostPosted: Thu Mar 30, 2006 5:07 pm 
Joomla! Ace

Joined: Fri Mar 03, 2006 3:52 pm
Posts: 1023
Location: Macon, GA
bump so i can keep track of this

_________________
http://www.netentropy.com - Drupal, Joomla and whatever performance.


PostPosted: Thu Mar 30, 2006 7:04 pm 
Joomla! Intern

Joined: Tue Nov 22, 2005 6:35 am
Posts: 77
Location: Victoria - Canada
Here is a snippet of a database table - that was infected.

I will dig through my raw logs tomorrow (after posting) to
see how they are doing this.

Colin -



_________________
Editor-Creator http://www.coffeecrew.com | dxer.ca | BobHarris.Com


PostPosted: Thu Mar 30, 2006 7:12 pm 
Joomla! Explorer

Joined: Thu Sep 01, 2005 11:19 pm
Posts: 273
Location: Minneapolis, USA
Here's a query to run against your DB to check if you have these posts:

Code:
SELECT COUNT( id ) FROM `mos_sb_messages` WHERE name LIKE ('%viagra%') OR subject LIKE ('%viagra%')


This will return a count > 0 if you have spammers that match this.

My site is currently unaffected, but I'm running an older version of JoomlaBoard.

Brent

_________________
Developer, bsq_sitestats module.
www.bs-squared.com


PostPosted: Thu Mar 30, 2006 10:18 pm 
Joomla! Intern

Joined: Tue Nov 22, 2005 6:35 am
Posts: 77
Location: Victoria - Canada
I spent all of my lunch hour deleting the entries by hand today -- :-[

I am not a MySQL expert -- but I could probably come up with
a command to DELETE any line that contains the terms viagra, levitra, phentermine
or the like... or, ah.. online casino..

Oh - how I have learned how to dread these names!

_________________
Editor-Creator http://www.coffeecrew.com | dxer.ca | BobHarris.Com


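A worked version of the check Brent posted above and the bulk cleanup Colin describes, added here as an example; it is not code from this thread or from the JoomlaBoard project. The thread only confirms the `mos_sb_messages` table and its `id`, `name` and `subject` columns. The body table `mos_sb_messages_text` (`mesid`, `message`) and the `ip`, `time` and `hold` columns are assumed from the JoomlaBoard schema, so verify them in phpMyAdmin first, swap in your own table prefix, and dump both tables before running the delete steps.

```sql
-- Added example, not code from the thread or from the JoomlaBoard project.
-- Confirmed by the thread: table mos_sb_messages with columns id, name, subject.
-- Assumed (check your schema in phpMyAdmin): post bodies live in
-- mos_sb_messages_text (mesid = message id, message = text), and
-- mos_sb_messages also has ip, time (Unix timestamp) and hold
-- (non-zero = held for review, i.e. the "unposted" rows Colin mentions).
-- Needs MySQL 4.1 or later for the subqueries. Back up first, e.g.:
--   mysqldump -u USER -p DBNAME mos_sb_messages mos_sb_messages_text > sb_backup.sql

-- 0. The term list. Keep it in a table so every step below uses the same words.
CREATE TEMPORARY TABLE spam_terms (term VARCHAR(32) NOT NULL);
INSERT INTO spam_terms VALUES ('viagra'), ('levitra'), ('phentermine'), ('online casino');

-- 1. Per-term hit counts across author name, subject and body. An over-broad
--    term (a real thread that mentions a casino) shows up here, before any delete.
SELECT s.term, COUNT(DISTINCT m.id) AS hits
  FROM spam_terms s
  LEFT JOIN (mos_sb_messages m
             LEFT JOIN mos_sb_messages_text t ON t.mesid = m.id)
    ON m.name    LIKE CONCAT('%', s.term, '%')
    OR m.subject LIKE CONCAT('%', s.term, '%')
    OR t.message LIKE CONCAT('%', s.term, '%')
  GROUP BY s.term;

-- 2. Freeze the matching ids once, so the review, the deletes and the final
--    check all operate on exactly the same set of rows.
CREATE TEMPORARY TABLE spam_ids AS
  SELECT DISTINCT m.id
    FROM mos_sb_messages m
    LEFT JOIN mos_sb_messages_text t ON t.mesid = m.id
    JOIN spam_terms s
      ON m.name    LIKE CONCAT('%', s.term, '%')
      OR m.subject LIKE CONCAT('%', s.term, '%')
      OR t.message LIKE CONCAT('%', s.term, '%');

-- 3. Review what is about to go: held/published flag, source IP, time, author.
--    hold > 0 rows are the ones flagged "unposted" but still present in the table.
SELECT m.id, m.hold, m.ip, FROM_UNIXTIME(m.time) AS posted, m.name, m.subject
  FROM mos_sb_messages m
  JOIN spam_ids x ON x.id = m.id
  ORDER BY m.time DESC;

-- 4. Delete bodies first, then the message rows, from the frozen id set only.
--    MyISAM tables (usual for Joomla 1.0 installs) have no transactions, so the
--    backup taken above is the only way back if step 3 was misread.
DELETE FROM mos_sb_messages_text WHERE mesid IN (SELECT id FROM spam_ids);
DELETE FROM mos_sb_messages      WHERE id    IN (SELECT id FROM spam_ids);

-- 5. Both counts should now be 0.
SELECT COUNT(*) AS leftover_messages FROM mos_sb_messages
  WHERE id IN (SELECT id FROM spam_ids);
SELECT COUNT(*) AS leftover_bodies FROM mos_sb_messages_text
  WHERE mesid IN (SELECT id FROM spam_ids);

DROP TEMPORARY TABLE spam_ids, spam_terms;
```

Run steps 0 to 3 on their own first and read the review output; only then run step 4. Spam posts normally have no replies, but if a matched row is the parent of legitimate replies, deleting it leaves those replies pointing at a missing parent (JoomlaBoard keeps that link in a `parent` column, also an assumption here), so drop such ids from `spam_ids` by hand before step 4.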
PostPosted: Fri Mar 31, 2006 12:27 am 
Joomla! Ace

Joined: Fri Mar 03, 2006 3:52 pm
Posts: 1023
Location: Macon, GA
what have the peeps at joomlaboard said about this?

_________________
http://www.netentropy.com - Drupal, Joomla and whatever performance.


PostPosted: Fri Mar 31, 2006 9:01 am 
Joomla! Virtuoso

Joined: Thu Aug 18, 2005 2:09 am
Posts: 4805
Location: California
bjraines wrote:
what have the peeps at joomlaboard said about this?


Nothing yet.
Under review.
http://www.tsmf.net/component/option,co ... /catid,18/

_________________
██ AllMedia4Joomla Project
██ http://sourceforge.net/projects/allmedia4joomla/
██ AllMedia YouTube Feed Gallery module released
██ Download: http://sourceforge.net/projects/allmedia4joomla/files/


PostPosted: Fri Mar 31, 2006 1:30 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 7:34 pm
Posts: 213
Location: Belgium
I'm working with colin to get this solved as soon as possible, if everything goes well a fix should be released within days.

_________________
See joomlaboard in action: http://www.tsmf.net/component/option,co ... /Itemid,32
More information: http://www.tsmf.net/content/view/24/38/


PostPosted: Fri Mar 31, 2006 7:17 pm 
Joomla! Intern

Joined: Tue Nov 22, 2005 6:35 am
Posts: 77
Location: Victoria - Canada
progster wrote:
I'm working with colin to get this solved as soon as possible, if everything goes well a fix should be released within days.


Yes - this is in the very capable hands of the "Two-Shoes" development team.

As I have studied my Raw logs this morning, I can see what they are doing and how they are
doing it -- and, in fact, the situation is more of a nuisance than a security threat.

Colin in Canada

_________________
Editor-Creator http://www.coffeecrew.com | dxer.ca | BobHarris.Com


PostPosted: Fri Mar 31, 2006 9:43 pm 
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 7:34 pm
Posts: 213
Location: Belgium
It is indeed not a security threat, though a bug that should be fixed. I'll discuss with the team whether we need an extra release for this or whether we just include the fix in 1.2. We will release more details about the nature of this bug in due time.

I repeat again, for the quick readers, it's not a security threat!

I'd like to thank Colin for his cooperation in this; the information he provided to us was complete and very useful.

_________________
See joomlaboard in action: http://www.tsmf.net/component/option,co ... /Itemid,32
More information: http://www.tsmf.net/content/view/24/38/


PostPosted: Thu May 04, 2006 9:17 am 
Joomla! Fledgling

Joined: Mon Sep 19, 2005 8:52 am
Posts: 1
I share the same problems, using sb 1.0.4-Beta1 with Mambo 4.5.1a - I know: rather old. But never change a running horse. Only the spamming of sb is what bugs me.
Here I read that Colin got information which revealed the way they spam. Is it possible to get information on how I can fix this bug in this old version?
Would be great!

danka

